From sle-security-updates at lists.suse.com Mon Nov 3 16:04:41 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 4 Nov 2014 00:04:41 +0100 (CET)
Subject: SUSE-SU-2014:1352-1: Security update for nagios-plugins
Message-ID: <20141103230441.7E5D63225D@maintenance.suse.de>

   SUSE Security Update: Security update for nagios-plugins
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1352-1
Rating:             low
References:         #885205 #885207
Cross-References:   CVE-2014-4701 CVE-2014-4702
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This security update fixes the following issues:

   * Removed the requirement for root access from
     plugins-root/check_icmp.c and plugins-root/check_icmp.c. The
     necessary capabilities(7) were added to the README file.
   * Fixed array out of bounds issue in plugins-root/check_dhcp.c.

   Security Issues:

   * CVE-2014-4701
   * CVE-2014-4702

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-nagios-plugins-9830
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-nagios-plugins-9830

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      nagios-plugins-1.4.16-0.13.1
      nagios-plugins-extras-1.4.16-0.13.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      nagios-plugins-1.4.16-0.13.1
      nagios-plugins-extras-1.4.16-0.13.1

References:

   http://support.novell.com/security/cve/CVE-2014-4701.html
   http://support.novell.com/security/cve/CVE-2014-4702.html
   https://bugzilla.suse.com/show_bug.cgi?id=885205
   https://bugzilla.suse.com/show_bug.cgi?id=885207
   http://download.suse.com/patch/finder/?keywords=b4db34880091dfd9e3b8fe0ef06e0b30

From sle-security-updates at lists.suse.com Tue Nov 4 14:04:41 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 4 Nov 2014 22:04:41 +0100 (CET)
Subject: SUSE-SU-2014:1356-1: important: Security update for wpa_supplicant
Message-ID: <20141104210441.B60CA3226B@maintenance.suse.de>

   SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1356-1
Rating:             important
References:         #868937 #900611
Cross-References:   CVE-2014-3686
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update fixes a remote code execution vulnerability in
   wpa_supplicant's wpa_cli and hostapd_cli tools. CVE-2014-3686 has been
   assigned to this issue.

   Additionally, password based authentication with PKCS#5v2 has been
   enabled.

   Security Issues:

   * CVE-2014-3686

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-wpa_supplicant-9894
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-wpa_supplicant-9894
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-wpa_supplicant-9894

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      wpa_supplicant-0.7.1-6.15.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      wpa_supplicant-0.7.1-6.15.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      wpa_supplicant-0.7.1-6.15.1
      wpa_supplicant-gui-0.7.1-6.15.1

References:

   http://support.novell.com/security/cve/CVE-2014-3686.html
   https://bugzilla.suse.com/show_bug.cgi?id=868937
   https://bugzilla.suse.com/show_bug.cgi?id=900611
   http://download.suse.com/patch/finder/?keywords=9f3807d02ddf4d7bc2ece4eadc5e4618

From sle-security-updates at lists.suse.com Tue Nov 4 15:04:42 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 4 Nov 2014 23:04:42 +0100 (CET)
Subject: SUSE-SU-2014:1357-1: important: Security update for openssl1
Message-ID: <20141104220442.2A4F33226B@maintenance.suse.de>

   SUSE Security Update: Security update for openssl1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1357-1
Rating:             important
References:         #901223 #901277
Cross-References:   CVE-2014-3513 CVE-2014-3566 CVE-2014-3567
                    CVE-2014-3568
Affected Products:
                    SUSE Linux Enterprise Security Module 11 SP3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   This OpenSSL update fixes the following issues:

   * SRTP Memory Leak (CVE-2014-3513)
   * Session Ticket Memory Leak (CVE-2014-3567)
   * Build option no-ssl3 is incomplete (CVE-2014-3568)
   * Add support for TLS_FALLBACK_SCSV to mitigate CVE-2014-3566 (POODLE)

   Security Issues:

   * CVE-2014-3513
   * CVE-2014-3567
   * CVE-2014-3566
   * CVE-2014-3568

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Security Module 11 SP3:
      zypper in -t patch secsp3-libopenssl1-devel-9904

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Security Module 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      libopenssl1-devel-1.0.1g-0.22.1
      libopenssl1_0_0-1.0.1g-0.22.1
      openssl1-1.0.1g-0.22.1
      openssl1-doc-1.0.1g-0.22.1
   - SUSE Linux Enterprise Security Module 11 SP3 (ppc64 s390x x86_64):
      libopenssl1_0_0-32bit-1.0.1g-0.22.1
   - SUSE Linux Enterprise Security Module 11 SP3 (ia64):
      libopenssl1_0_0-x86-1.0.1g-0.22.1

References:

   http://support.novell.com/security/cve/CVE-2014-3513.html
   http://support.novell.com/security/cve/CVE-2014-3566.html
   http://support.novell.com/security/cve/CVE-2014-3567.html
   http://support.novell.com/security/cve/CVE-2014-3568.html
   https://bugzilla.suse.com/show_bug.cgi?id=901223
   https://bugzilla.suse.com/show_bug.cgi?id=901277
   http://download.suse.com/patch/finder/?keywords=b73f6fe02c4bdbb47052a845f36d3df3

From sle-security-updates at lists.suse.com Wed Nov 5 11:04:46 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 5 Nov 2014 19:04:46 +0100 (CET)
Subject: SUSE-SU-2014:1360-1: important: Security update for flash-player
Message-ID: <20141105180446.DCEFB3226F@maintenance.suse.de>

   SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:
                    SUSE-SU-2014:1360-1
Rating:             important
References:         #901334
Cross-References:   CVE-2014-0558 CVE-2014-0564 CVE-2014-0569
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.
   It includes one version update.

Description:

   This update fixes multiple code execution vulnerabilities in flash-player
   (APSB14-22). CVE-2014-0564, CVE-2014-0558 and CVE-2014-0569 have been
   assigned to this issue.

   Security Issues:

   * CVE-2014-0569
   * CVE-2014-0564
   * CVE-2014-0558

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-flash-player-9898

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.411]:
      flash-player-11.2.202.411-0.3.1
      flash-player-gnome-11.2.202.411-0.3.1
      flash-player-kde4-11.2.202.411-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2014-0558.html
   http://support.novell.com/security/cve/CVE-2014-0564.html
   http://support.novell.com/security/cve/CVE-2014-0569.html
   https://bugzilla.suse.com/show_bug.cgi?id=901334
   http://download.suse.com/patch/finder/?keywords=0b0fcd5f0c6d6239531808e458c92968

From sle-security-updates at lists.suse.com Wed Nov 5 15:04:43 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 5 Nov 2014 23:04:43 +0100 (CET)
Subject: SUSE-SU-2014:1361-1: important: Security update for OpenSSL
Message-ID: <20141105220443.C6EA53226F@maintenance.suse.de>

   SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1361-1
Rating:             important
References:         #892403 #901223 #901277
Cross-References:
                    CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This OpenSSL update fixes the following issues:

   * Session Ticket Memory Leak (CVE-2014-3567)
   * Build option no-ssl3 is incomplete (CVE-2014-3568)
   * Add support for TLS_FALLBACK_SCSV to mitigate CVE-2014-3566 (POODLE)

   Security Issues:

   * CVE-2014-3567
   * CVE-2014-3566
   * CVE-2014-3568

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-libopenssl-devel-9915
   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-libopenssl-devel-9915
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-libopenssl-devel-9915
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-libopenssl-devel-9915

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      libopenssl-devel-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      libopenssl0_9_8-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-0.9.8j-0.66.1
      openssl-0.9.8j-0.66.1
      openssl-doc-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
      libopenssl0_9_8-32bit-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      libopenssl0_9_8-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-0.9.8j-0.66.1
      openssl-0.9.8j-0.66.1
      openssl-doc-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
      libopenssl0_9_8-32bit-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP3 (ia64):
      libopenssl0_9_8-x86-0.9.8j-0.66.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      libopenssl0_9_8-0.9.8j-0.66.1
      openssl-0.9.8j-0.66.1
   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
      libopenssl0_9_8-32bit-0.9.8j-0.66.1

References:

   http://support.novell.com/security/cve/CVE-2014-3566.html
   http://support.novell.com/security/cve/CVE-2014-3567.html
   http://support.novell.com/security/cve/CVE-2014-3568.html
   https://bugzilla.suse.com/show_bug.cgi?id=892403
   https://bugzilla.suse.com/show_bug.cgi?id=901223
   https://bugzilla.suse.com/show_bug.cgi?id=901277
   http://download.suse.com/patch/finder/?keywords=e15c3470343095d331f7120ec6953c18

From sle-security-updates at lists.suse.com Thu Nov 6 04:04:37 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 6 Nov 2014 12:04:37 +0100 (CET)
Subject: SUSE-SU-2014:1365-1: Security update for openstack-keystone
Message-ID: <20141106110437.CE5743226F@maintenance.suse.de>

   SUSE Security Update: Security update for openstack-keystone
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1365-1
Rating:             low
References:         #895847 #897467
                    #897744 #897815
Cross-References:   CVE-2014-3621
Affected Products:
                    SUSE Cloud 4
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes
   is now available. It includes one version update.

Description:

   This update for openstack-keystone provides stability and security fixes
   from the upstream OpenStack project:

   * Adds a whitelist for endpoint catalog substitution (bnc#895847,
     CVE-2014-3621)
   * Avoid conversion of binary LDAP values (bnc#897467)
   * No longer allow listing users by email
   * Add alternative hybrid backends for assignment and identity
     (bnc#897744)
   * Add workaround to support tox 1.7.2.

   Security Issues:

   * CVE-2014-3621

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 4:
      zypper in -t patch sleclo40sp3-openstack-keystone-9803

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 4 (x86_64) [New Version: 2014.1.3.dev18.g878f12e]:
      openstack-keystone-2014.1.3.dev18.g878f12e-0.7.1
      python-keystone-2014.1.3.dev18.g878f12e-0.7.1
   - SUSE Cloud 4 (noarch) [New Version: 2014.1.3.dev18.g878f12e]:
      openstack-keystone-doc-2014.1.3.dev18.g878f12e-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2014-3621.html
   https://bugzilla.suse.com/show_bug.cgi?id=895847
   https://bugzilla.suse.com/show_bug.cgi?id=897467
   https://bugzilla.suse.com/show_bug.cgi?id=897744
   https://bugzilla.suse.com/show_bug.cgi?id=897815
   http://download.suse.com/patch/finder/?keywords=06409b3a52776d0d0f35109f5c0ef16e

From sle-security-updates at lists.suse.com Thu Nov 6 04:05:25 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 6 Nov 2014 12:05:25 +0100 (CET)
Subject: SUSE-SU-2014:1366-1: important: Security update for wget
Message-ID: <20141106110525.791873226F@maintenance.suse.de>

   SUSE Security Update: Security update for wget
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1366-1
Rating:             important
References:         #885069 #901276 #902709
Cross-References:   CVE-2014-4877
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   wget has been updated to fix one security issue and two non-security
   issues.

   This security issue has been fixed:

   * FTP symlink arbitrary filesystem access (CVE-2014-4877).

   These non-security issues have been fixed:

   * Fix displaying of download time (bnc#901276).
   * Fix 0 size FTP downloads after failure (bnc#885069).

   Security Issues:

   * CVE-2014-4877

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-wget-9933
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-wget-9933
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-wget-9933

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      wget-1.11.4-1.19.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      wget-1.11.4-1.19.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      wget-1.11.4-1.19.1

References:

   http://support.novell.com/security/cve/CVE-2014-4877.html
   https://bugzilla.suse.com/show_bug.cgi?id=885069
   https://bugzilla.suse.com/show_bug.cgi?id=901276
   https://bugzilla.suse.com/show_bug.cgi?id=902709
   http://download.suse.com/patch/finder/?keywords=d96cdee826ff50cd0ca912a8870edafc

From sle-security-updates at lists.suse.com Mon Nov 10 16:04:42 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 11 Nov 2014 00:04:42 +0100 (CET)
Subject: SUSE-SU-2014:1385-1: important: Security update for MozillaFirefox
Message-ID: <20141110230442.651DF3226F@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1385-1
Rating:             important
References:         #900941
Cross-References:   CVE-2014-1574 CVE-2014-1575 CVE-2014-1576
                    CVE-2014-1577 CVE-2014-1578 CVE-2014-1581
                    CVE-2014-1583 CVE-2014-1585 CVE-2014-1586
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available. It
   includes four new package versions.
Description:

   This version update of Mozilla Firefox to 31.2.0ESR brings improvements,
   stability fixes and also security fixes for the following CVEs:

   CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577,
   CVE-2014-1578, CVE-2014-1581, CVE-2014-1583, CVE-2014-1585,
   CVE-2014-1586

   It also disables SSLv3 by default to mitigate the protocol downgrade
   attack known as POODLE.

   Security Issues:

   * CVE-2014-1574
   * CVE-2014-1575
   * CVE-2014-1576
   * CVE-2014-1577
   * CVE-2014-1578
   * CVE-2014-1581
   * CVE-2014-1583
   * CVE-2014-1585
   * CVE-2014-1586

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-firefox31-201411-9935
   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-firefox31-201411-9935
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-firefox31-201411-9935
   - SUSE Linux Enterprise Server 11 SP2 LTSS:
      zypper in -t patch slessp2-firefox31-201411-9936
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-firefox31-201411-9935

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.17.2 and 4.10.7]:
      MozillaFirefox-devel-31.2.0esr-0.14.2
      mozilla-nspr-devel-4.10.7-0.3.3
      mozilla-nss-devel-3.17.2-0.8.1
   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 3.17.2,31.2.0esr and 4.10.7]:
      MozillaFirefox-31.2.0esr-0.14.2
      MozillaFirefox-branding-SLES-for-VMware-31.0-0.3.1
      MozillaFirefox-translations-31.2.0esr-0.14.2
      libfreebl3-3.17.2-0.8.1
      libsoftokn3-3.17.2-0.8.1
      mozilla-nspr-4.10.7-0.3.3
      mozilla-nss-3.17.2-0.8.1
      mozilla-nss-tools-3.17.2-0.8.1
   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.17.2 and 4.10.7]:
      libfreebl3-32bit-3.17.2-0.8.1
      libsoftokn3-32bit-3.17.2-0.8.1
      mozilla-nspr-32bit-4.10.7-0.3.3
      mozilla-nss-32bit-3.17.2-0.8.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.17.2,31.0,31.2.0esr and 4.10.7]:
      MozillaFirefox-31.2.0esr-0.14.2
      MozillaFirefox-branding-SLED-31.0-0.8.1
      MozillaFirefox-translations-31.2.0esr-0.14.2
      libfreebl3-3.17.2-0.8.1
      libsoftokn3-3.17.2-0.8.1
      mozilla-nspr-4.10.7-0.3.3
      mozilla-nss-3.17.2-0.8.1
      mozilla-nss-tools-3.17.2-0.8.1
   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.17.2 and 4.10.7]:
      libfreebl3-32bit-3.17.2-0.8.1
      libsoftokn3-32bit-3.17.2-0.8.1
      mozilla-nspr-32bit-4.10.7-0.3.3
      mozilla-nss-32bit-3.17.2-0.8.1
   - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.17.2 and 4.10.7]:
      libfreebl3-x86-3.17.2-0.8.1
      libsoftokn3-x86-3.17.2-0.8.1
      mozilla-nspr-x86-4.10.7-0.3.3
      mozilla-nss-x86-3.17.2-0.8.1
   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.17.2,31.2.0esr and 4.10.7]:
      MozillaFirefox-31.2.0esr-0.9.1
      MozillaFirefox-branding-SLED-31.0-0.3.1
      MozillaFirefox-translations-31.2.0esr-0.9.1
      libfreebl3-3.17.2-0.3.1
      mozilla-nspr-4.10.7-0.3.3
      mozilla-nspr-devel-4.10.7-0.3.3
      mozilla-nss-3.17.2-0.3.1
      mozilla-nss-devel-3.17.2-0.3.1
      mozilla-nss-tools-3.17.2-0.3.1
   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.17.2 and 4.10.7]:
      libfreebl3-32bit-3.17.2-0.3.1
      mozilla-nspr-32bit-4.10.7-0.3.3
      mozilla-nss-32bit-3.17.2-0.3.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 3.17.2,31.0,31.2.0esr and 4.10.7]:
      MozillaFirefox-31.2.0esr-0.14.2
      MozillaFirefox-branding-SLED-31.0-0.8.1
      MozillaFirefox-translations-31.2.0esr-0.14.2
      libfreebl3-3.17.2-0.8.1
      libsoftokn3-3.17.2-0.8.1
      mozilla-nspr-4.10.7-0.3.3
      mozilla-nss-3.17.2-0.8.1
      mozilla-nss-tools-3.17.2-0.8.1
   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.17.2 and 4.10.7]:
      libfreebl3-32bit-3.17.2-0.8.1
      libsoftokn3-32bit-3.17.2-0.8.1
      mozilla-nspr-32bit-4.10.7-0.3.3
      mozilla-nss-32bit-3.17.2-0.8.1

References:

   http://support.novell.com/security/cve/CVE-2014-1574.html
   http://support.novell.com/security/cve/CVE-2014-1575.html
   http://support.novell.com/security/cve/CVE-2014-1576.html
   http://support.novell.com/security/cve/CVE-2014-1577.html
   http://support.novell.com/security/cve/CVE-2014-1578.html
   http://support.novell.com/security/cve/CVE-2014-1581.html
   http://support.novell.com/security/cve/CVE-2014-1583.html
   http://support.novell.com/security/cve/CVE-2014-1585.html
   http://support.novell.com/security/cve/CVE-2014-1586.html
   https://bugzilla.suse.com/show_bug.cgi?id=900941
   http://download.suse.com/patch/finder/?keywords=c85655eb149a3d8c442f23351866e84d
   http://download.suse.com/patch/finder/?keywords=f05d011b7e46669b5d0ef6faf942028c

From sle-security-updates at lists.suse.com Mon Nov 10 16:05:00 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 11 Nov 2014 00:05:00 +0100 (CET)
Subject: SUSE-SU-2014:1386-1: important: Security update for OpenSSL
Message-ID: <20141110230500.A20F13226F@maintenance.suse.de>

   SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1386-1
Rating:             important
References:
                    #892403 #901223 #901277
Cross-References:   CVE-2014-3513 CVE-2014-3566 CVE-2014-3567
                    CVE-2014-3568
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
   It includes one version update.

Description:

   This OpenSSL update fixes the following issues:

   * Session Ticket Memory Leak (CVE-2014-3567)
   * Build option no-ssl3 is incomplete (CVE-2014-3568)
   * Add support for TLS_FALLBACK_SCSV to mitigate CVE-2014-3566 (POODLE)

   Security Issues:

   * CVE-2014-3513
   * CVE-2014-3567
   * CVE-2014-3566
   * CVE-2014-3568

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:
      zypper in -t patch slessp2-libopenssl-devel-9928
   - SUSE Linux Enterprise Server 11 SP1 LTSS:
      zypper in -t patch slessp1-libopenssl-devel-9927

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
      libopenssl-devel-0.9.8j-0.66.1
      libopenssl0_9_8-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-0.9.8j-0.66.1
      openssl-0.9.8j-0.66.1
      openssl-doc-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):
      libopenssl0_9_8-32bit-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 0.9.8j]:
      libopenssl-devel-0.9.8j-0.66.1
      libopenssl0_9_8-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-0.9.8j-0.66.1
      openssl-0.9.8j-0.66.1
      openssl-doc-0.9.8j-0.66.1
   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 0.9.8j]:
      libopenssl0_9_8-32bit-0.9.8j-0.66.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.66.1

References:

   http://support.novell.com/security/cve/CVE-2014-3513.html
   http://support.novell.com/security/cve/CVE-2014-3566.html
   http://support.novell.com/security/cve/CVE-2014-3567.html
   http://support.novell.com/security/cve/CVE-2014-3568.html
   https://bugzilla.suse.com/show_bug.cgi?id=892403
   https://bugzilla.suse.com/show_bug.cgi?id=901223
   https://bugzilla.suse.com/show_bug.cgi?id=901277
   http://download.suse.com/patch/finder/?keywords=842997f20dc51405dbd07abdc8071460
   http://download.suse.com/patch/finder/?keywords=8b3e46d68e087bc1f9f9870abd2b6d0d

From sle-security-updates at lists.suse.com Mon Nov 10 17:04:43 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 11 Nov 2014 01:04:43 +0100 (CET)
Subject: SUSE-SU-2014:1387-1: important: Security update for OpenSSL
Message-ID: <20141111000443.94A543226C@maintenance.suse.de>

   SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1387-1
Rating:             important
References:         #901223 #901277
Cross-References:   CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This OpenSSL update fixes the following issues:

   * Session Ticket Memory Leak (CVE-2014-3567)
   * Build option no-ssl3 is incomplete (CVE-2014-3568)
   * Add support for TLS_FALLBACK_SCSV to mitigate CVE-2014-3566 (POODLE)

   Security Issues:

   * CVE-2014-3567
   * CVE-2014-3566
   * CVE-2014-3568

Indications:

   Everybody should update.

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
      openssl-0.9.8a-18.86.3
      openssl-devel-0.9.8a-18.86.3
      openssl-doc-0.9.8a-18.86.3
   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
      openssl-32bit-0.9.8a-18.86.3
      openssl-devel-32bit-0.9.8a-18.86.3

References:

   http://support.novell.com/security/cve/CVE-2014-3566.html
   http://support.novell.com/security/cve/CVE-2014-3567.html
   http://support.novell.com/security/cve/CVE-2014-3568.html
   https://bugzilla.suse.com/show_bug.cgi?id=901223
   https://bugzilla.suse.com/show_bug.cgi?id=901277
   http://download.suse.com/patch/finder/?keywords=1960c50f351e883d9bffe5194436ac38

From sle-security-updates at lists.suse.com Tue Nov 11 11:04:41 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 11 Nov 2014 19:04:41 +0100 (CET)
Subject: SUSE-SU-2014:1392-1: moderate: Security update for Java OpenJDK
Message-ID: <20141111180441.2EC2532270@maintenance.suse.de>

   SUSE Security Update: Security update for Java OpenJDK
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1392-1
Rating:             moderate
References:         #901242
Cross-References:   CVE-2014-4288 CVE-2014-6456 CVE-2014-6457
                    CVE-2014-6458 CVE-2014-6466 CVE-2014-6468
                    CVE-2014-6476 CVE-2014-6485 CVE-2014-6492
                    CVE-2014-6493 CVE-2014-6502 CVE-2014-6503
                    CVE-2014-6504 CVE-2014-6506 CVE-2014-6511
                    CVE-2014-6512 CVE-2014-6513 CVE-2014-6515
                    CVE-2014-6517 CVE-2014-6519 CVE-2014-6527
                    CVE-2014-6531 CVE-2014-6532
                    CVE-2014-6558 CVE-2014-6562
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available.
   It includes one version update.

Description:

   Oracle Critical Patch Update Advisory - October 2014

   Description:

   A Critical Patch Update (CPU) is a collection of patches for multiple
   security vulnerabilities.

   Find more information here:
   http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-java-1_7_0-openjdk-9906

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.7.0.71]:
      java-1_7_0-openjdk-1.7.0.71-0.7.1
      java-1_7_0-openjdk-demo-1.7.0.71-0.7.1
      java-1_7_0-openjdk-devel-1.7.0.71-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2014-4288.html
   http://support.novell.com/security/cve/CVE-2014-6456.html
   http://support.novell.com/security/cve/CVE-2014-6457.html
   http://support.novell.com/security/cve/CVE-2014-6458.html
   http://support.novell.com/security/cve/CVE-2014-6466.html
   http://support.novell.com/security/cve/CVE-2014-6468.html
   http://support.novell.com/security/cve/CVE-2014-6476.html
   http://support.novell.com/security/cve/CVE-2014-6485.html
   http://support.novell.com/security/cve/CVE-2014-6492.html
   http://support.novell.com/security/cve/CVE-2014-6493.html
   http://support.novell.com/security/cve/CVE-2014-6502.html
   http://support.novell.com/security/cve/CVE-2014-6503.html
   http://support.novell.com/security/cve/CVE-2014-6504.html
   http://support.novell.com/security/cve/CVE-2014-6506.html
   http://support.novell.com/security/cve/CVE-2014-6511.html
   http://support.novell.com/security/cve/CVE-2014-6512.html
   http://support.novell.com/security/cve/CVE-2014-6513.html
   http://support.novell.com/security/cve/CVE-2014-6515.html
   http://support.novell.com/security/cve/CVE-2014-6517.html
   http://support.novell.com/security/cve/CVE-2014-6519.html
   http://support.novell.com/security/cve/CVE-2014-6527.html
   http://support.novell.com/security/cve/CVE-2014-6531.html
   http://support.novell.com/security/cve/CVE-2014-6532.html
   http://support.novell.com/security/cve/CVE-2014-6558.html
   http://support.novell.com/security/cve/CVE-2014-6562.html
   https://bugzilla.suse.com/show_bug.cgi?id=901242
   http://download.suse.com/patch/finder/?keywords=d791a31e855e716e966b1399509ccb6d

From sle-security-updates at lists.suse.com Tue Nov 11 17:05:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 12 Nov 2014 01:05:14 +0100 (CET)
Subject: SUSE-SU-2014:1394-1: important: Security update for spacewalk-branding
Message-ID: <20141112000514.5CD733226D@maintenance.suse.de>

   SUSE Security Update: Security update for spacewalk-branding
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1394-1
Rating:             important
References:         #899266
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that contains security fixes can now be
   installed. It includes one version update.

Description:

   This update adds end-user documentation clarification for CVE Audit.

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:
      zypper in -t patch sleman17sp2-spacewalk-branding-9917

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.7.1.12]:
      spacewalk-branding-1.7.1.12-0.5.1

References:

   https://bugzilla.suse.com/show_bug.cgi?id=899266
   http://download.suse.com/patch/finder/?keywords=d1c110b6c74f0d593398af8fc7520525

From sle-security-updates at lists.suse.com Wed Nov 12 11:04:40 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 12 Nov 2014 19:04:40 +0100 (CET)
Subject: SUSE-SU-2014:1408-1: important: Security update for wget
Message-ID: <20141112180440.B803032270@maintenance.suse.de>

   SUSE Security Update: Security update for wget
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1408-1
Rating:             important
References:         #902709
Cross-References:   CVE-2014-4877
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   wget was updated to fix one security issue:

   * FTP symbolic link arbitrary filesystem access (CVE-2014-4877).
Security Issues:

* CVE-2014-4877

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
    wget-1.10.2-15.14.5

References:

http://support.novell.com/security/cve/CVE-2014-4877.html
https://bugzilla.suse.com/show_bug.cgi?id=902709
http://download.suse.com/patch/finder/?keywords=c335014fcf83b00f5b1e62db97d8b59c

From sle-security-updates at lists.suse.com Wed Nov 12 11:04:56 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 12 Nov 2014 19:04:56 +0100 (CET)
Subject: SUSE-SU-2014:1409-1: important: Security update for OpenSSL
Message-ID: <20141112180456.E79EA32270@maintenance.suse.de>

SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1409-1
Rating: important
References: #901223 #901277
Cross-References: CVE-2014-3566 CVE-2014-3568
Affected Products:
    SLE CLIENT TOOLS 10 for x86_64
    SLE CLIENT TOOLS 10 for s390x
    SLE CLIENT TOOLS 10
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This OpenSSL update fixes the following issues:

* Build option no-ssl3 is incomplete (CVE-2014-3568)
* Add support for TLS_FALLBACK_SCSV to mitigate CVE-2014-3566 (POODLE)

Security Issues:

* CVE-2014-3566
* CVE-2014-3568

Indications:

Everybody should update.
Package List:

- SLE CLIENT TOOLS 10 for x86_64 (x86_64):
    openssl-0.9.8a-18.86.2
    openssl-32bit-0.9.8a-18.86.2
- SLE CLIENT TOOLS 10 for s390x (s390x):
    openssl-0.9.8a-18.86.2
    openssl-32bit-0.9.8a-18.86.2
- SLE CLIENT TOOLS 10 (i586):
    openssl-0.9.8a-18.86.2

References:

http://support.novell.com/security/cve/CVE-2014-3566.html
http://support.novell.com/security/cve/CVE-2014-3568.html
https://bugzilla.suse.com/show_bug.cgi?id=901223
https://bugzilla.suse.com/show_bug.cgi?id=901277
http://download.suse.com/patch/finder/?keywords=a7e7c559a3525ff6c6964f0a67ea2bd8

From sle-security-updates at lists.suse.com Wed Nov 12 11:05:25 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 12 Nov 2014 19:05:25 +0100 (CET)
Subject: SUSE-SU-2014:1366-2: important: Security update for wget
Message-ID: <20141112180525.677D732270@maintenance.suse.de>

SUSE Security Update: Security update for wget
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1366-2
Rating: important
References: #885069 #901276 #902709
Cross-References: CVE-2014-4877
Affected Products:
    SUSE Linux Enterprise Server 11 SP2 LTSS
    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

wget was updated to fix one security issue and two non-security issues:

* FTP symbolic link arbitrary filesystem access (CVE-2014-4877).
* Fix displaying of download time (bnc#901276).
* Fix 0 size FTP downloads after failure (bnc#885069).

Security Issues:

* CVE-2014-4877

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:
    zypper in -t patch slessp2-wget-9939
- SUSE Linux Enterprise Server 11 SP1 LTSS:
    zypper in -t patch slessp1-wget-9938

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
    wget-1.11.4-1.19.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
    wget-1.11.4-1.19.1

References:

http://support.novell.com/security/cve/CVE-2014-4877.html
https://bugzilla.suse.com/show_bug.cgi?id=885069
https://bugzilla.suse.com/show_bug.cgi?id=901276
https://bugzilla.suse.com/show_bug.cgi?id=902709
http://download.suse.com/patch/finder/?keywords=9277e45cf6c5fb998233535be0858220
http://download.suse.com/patch/finder/?keywords=f1920c8a49b895205a1c83cf5788aa2f

From sle-security-updates at lists.suse.com Wed Nov 12 16:04:41 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 13 Nov 2014 00:04:41 +0100 (CET)
Subject: SUSE-SU-2014:1410-1: Security update for krb5
Message-ID: <20141112230441.3A4AD32270@maintenance.suse.de>

SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1410-1
Rating: low
References: #890623 #897874
Cross-References: CVE-2014-5351
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for krb5 fixes the following issues:

* When randomizing the keys for a service principal, current keys could be returned. (CVE-2014-5351)
* klist -s crashes when handling multiple referral entries.
  (bnc#890623)

Security Issues:

* CVE-2014-5351

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-krb5-201410-9827
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-krb5-201410-9827
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-krb5-201410-9827
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-krb5-201410-9827

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    krb5-devel-1.6.3-133.49.64.1
- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
    krb5-devel-32bit-1.6.3-133.49.64.1
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
    krb5-server-1.6.3-133.49.64.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    krb5-1.6.3-133.49.64.1
    krb5-apps-clients-1.6.3-133.49.64.1
    krb5-apps-servers-1.6.3-133.49.64.1
    krb5-client-1.6.3-133.49.64.1
    krb5-plugin-kdb-ldap-1.6.3-133.49.64.1
    krb5-plugin-preauth-pkinit-1.6.3-133.49.64.1
    krb5-server-1.6.3-133.49.64.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
    krb5-32bit-1.6.3-133.49.64.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (noarch):
    krb5-doc-1.6.3-133.49.64.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    krb5-1.6.3-133.49.64.1
    krb5-apps-clients-1.6.3-133.49.64.1
    krb5-apps-servers-1.6.3-133.49.64.1
    krb5-client-1.6.3-133.49.64.1
    krb5-plugin-kdb-ldap-1.6.3-133.49.64.1
    krb5-plugin-preauth-pkinit-1.6.3-133.49.64.1
    krb5-server-1.6.3-133.49.64.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
    krb5-32bit-1.6.3-133.49.64.1
- SUSE Linux Enterprise Server 11 SP3 (noarch):
    krb5-doc-1.6.3-133.49.64.1
- SUSE Linux Enterprise Server 11 SP3 (ia64):
    krb5-x86-1.6.3-133.49.64.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    krb5-1.6.3-133.49.64.1
    krb5-client-1.6.3-133.49.64.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
    krb5-32bit-1.6.3-133.49.64.1

References:

http://support.novell.com/security/cve/CVE-2014-5351.html
https://bugzilla.suse.com/show_bug.cgi?id=890623
https://bugzilla.suse.com/show_bug.cgi?id=897874
http://download.suse.com/patch/finder/?keywords=7bafb9e790ade0d165a14affc8315035

From sle-security-updates at lists.suse.com Wed Nov 12 17:04:44 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 13 Nov 2014 01:04:44 +0100 (CET)
Subject: SUSE-SU-2014:1387-2: important: Security update for OpenSSL
Message-ID: <20141113000444.0B6563226D@maintenance.suse.de>

SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1387-2
Rating: important
References: #901223 #901277
Cross-References: CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
Affected Products:
    SUSE Studio Onsite 1.3
    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This OpenSSL update fixes the following issues:

* Session Ticket Memory Leak (CVE-2014-3567)
* Build option no-ssl3 is incomplete (CVE-2014-3568)
* Add support for TLS_FALLBACK_SCSV to mitigate CVE-2014-3566 (POODLE)

Security Issues:

* CVE-2014-3567
* CVE-2014-3566
* CVE-2014-3568

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Studio Onsite 1.3:
    zypper in -t patch slestso13-libopenssl-devel-9908
- SUSE Manager 1.7 for SLE 11 SP2:
    zypper in -t patch sleman17sp2-libopenssl-devel-9908

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Studio Onsite 1.3 (x86_64):
    libopenssl-devel-0.9.8j-0.66.1
- SUSE Manager 1.7 for SLE 11 SP2 (x86_64):
    libopenssl0_9_8-0.9.8j-0.66.1
    libopenssl0_9_8-32bit-0.9.8j-0.66.1
    libopenssl0_9_8-hmac-0.9.8j-0.66.1
    libopenssl0_9_8-hmac-32bit-0.9.8j-0.66.1
    openssl-0.9.8j-0.66.1
    openssl-doc-0.9.8j-0.66.1

References:

http://support.novell.com/security/cve/CVE-2014-3566.html
http://support.novell.com/security/cve/CVE-2014-3567.html
http://support.novell.com/security/cve/CVE-2014-3568.html
https://bugzilla.suse.com/show_bug.cgi?id=901223
https://bugzilla.suse.com/show_bug.cgi?id=901277
http://download.suse.com/patch/finder/?keywords=ea1bce59a09645696e580ca407c8cb20

From sle-security-updates at lists.suse.com Thu Nov 13 09:04:43 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 13 Nov 2014 17:04:43 +0100 (CET)
Subject: SUSE-SU-2014:1422-1: important: Security update for java-1_7_0-openjdk
Message-ID: <20141113160443.3306832270@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1422-1
Rating: important
References: #901242
Cross-References: CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506
    CVE-2014-6511 CVE-2014-6512 CVE-2014-6513 CVE-2014-6517
    CVE-2014-6519 CVE-2014-6531 CVE-2014-6558
Affected Products:
    SUSE Linux Enterprise Server 12
    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes 11 vulnerabilities is now available.

Description:

OpenJDK was updated to icedtea 2.5.3 (OpenJDK 7u71) fixing security issues and bugs.

* Security:
  - S8015256: Better class accessibility
  - S8022783, CVE-2014-6504: Optimize C2 optimizations
  - S8035162: Service printing service
  - S8035781: Improve equality for annotations
  - S8036805: Correct linker method lookup.
  - S8036810: Correct linker field lookup
  - S8036936: Use local locales
  - S8037066, CVE-2014-6457: Secure transport layer
  - S8037846, CVE-2014-6558: Ensure streaming of input cipher streams
  - S8038364: Use certificate exceptions correctly
  - S8038899: Safer safepoints
  - S8038903: More native monitor monitoring
  - S8038908: Make Signature more robust
  - S8038913: Bolster XML support
  - S8039509, CVE-2014-6512: Wrap sockets more thoroughly
  - S8039533, CVE-2014-6517: Higher resolution resolvers
  - S8041540, CVE-2014-6511: Better use of pages in font processing
  - S8041529: Better parameterization of parameter lists
  - S8041545: Better validation of generated rasters
  - S8041564, CVE-2014-6506: Improved management of logger resources
  - S8041717, CVE-2014-6519: Issue with class file parser
  - S8042609, CVE-2014-6513: Limit splashiness of splash images
  - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord
  - S8044274, CVE-2014-6531: Proper property processing

* Backports:
  - S4963723: Implement SHA-224
  - S7044060: Need to support NSA Suite B Cryptography algorithms
  - S7122142: (ann) Race condition between isAnnotationPresent and getAnnotations
  - S7160837: DigestOutputStream does not turn off digest calculation when "close()" is called
  - S8006935: Need to take care of long secret keys in HMAC/PRF computation
  - S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode
  - S8028192: Use of PKCS11-NSS provider in FIPS mode broken
  - S8038000: java.awt.image.RasterFormatException: Incorrect scanline stride
  - S8039396: NPE when writing a class descriptor object to a custom ObjectOutputStream
  - S8042603: 'SafepointPollOffset' was not declared in static member function 'static bool Arguments::check_vm_args_consistency()'
  - S8042850: Extra unused entries in ICU ScriptCodes enum
  - S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp tests fail since 7u71 b01
  - S8053963: (dc) Use DatagramChannel.receive() instead of read() in connect()
  - S8055176: 7u71 l10n resource file translation update

* Bugfixes:
  - PR1988: C++ Interpreter should no longer be used on ppc64
  - PR1989: Make jdk_generic_profile.sh handle missing programs better and be more verbose
  - PR1992, RH735336: Support retrieving proxy settings on GNOME 3.12.2
  - PR2000: Synchronise HEAD tarball paths with release branch paths
  - PR2002: Fix references to hotspot.map following PR2000
  - PR2003: --disable-system-gtk option broken by refactoring in PR1736
  - PR2009: Checksum of policy JAR files changes on every build
  - PR2014: Use version from hotspot.map to create tarball filename
  - PR2015: Update hotspot.map documentation in INSTALL
  - PR2025: LCMS_CFLAGS and LCMS_LIBS should not be used unless SYSTEM_LCMS is enabled
  - RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError (revised comprehensive fix)

* CACAO
  - PR2030, G453612, CA172: ARM hardfloat support for CACAO

* AArch64 port
  - AArch64 C2 instruct for smull
  - Add frame anchor fences.
  - Add MacroAssembler::maybe_isb()
  - Add missing instruction synchronization barriers and cache flushes.
  - Add support for a few simple intrinsics
  - Add support for builtin crc32 instructions
  - Add support for Neon implementation of CRC32
  - All address constants are 48 bits in size.
  - array load must only read 32 bits
  - Define uabs(). Use it everywhere an absolute value is wanted.
  - Fast string comparison
  - Fast String.equals()
  - Fix register usage in generate_verify_oop().
  - Fix thinko in Atomic::xchg_ptr.
  - Fix typo in fsqrts
  - Improve C1 performance improvements in ic_cache checks
  - Performance improvement and ease of use changes pulled from upstream
  - Remove obsolete C1 patching code.
  - Replace hotspot jtreg test suite with tests from jdk7u
  - S8024648: 7141246 breaks Zero port
  - Save intermediate state before removing C1 patching code.
  - Unwind native AArch64 frames.
  - Use 2- and 3-instruction immediate form of movoop and mov_metadata in C2-generated code.
  - Various concurrency fixes.
Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2014-68
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2014-68

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
    java-1_7_0-openjdk-1.7.0.71-6.2
    java-1_7_0-openjdk-debuginfo-1.7.0.71-6.2
    java-1_7_0-openjdk-debugsource-1.7.0.71-6.2
    java-1_7_0-openjdk-demo-1.7.0.71-6.2
    java-1_7_0-openjdk-demo-debuginfo-1.7.0.71-6.2
    java-1_7_0-openjdk-devel-1.7.0.71-6.2
    java-1_7_0-openjdk-devel-debuginfo-1.7.0.71-6.2
    java-1_7_0-openjdk-headless-1.7.0.71-6.2
    java-1_7_0-openjdk-headless-debuginfo-1.7.0.71-6.2
- SUSE Linux Enterprise Desktop 12 (x86_64):
    java-1_7_0-openjdk-1.7.0.71-6.2
    java-1_7_0-openjdk-debuginfo-1.7.0.71-6.2
    java-1_7_0-openjdk-debugsource-1.7.0.71-6.2
    java-1_7_0-openjdk-headless-1.7.0.71-6.2
    java-1_7_0-openjdk-headless-debuginfo-1.7.0.71-6.2

References:

http://support.novell.com/security/cve/CVE-2014-6457.html
http://support.novell.com/security/cve/CVE-2014-6502.html
http://support.novell.com/security/cve/CVE-2014-6504.html
http://support.novell.com/security/cve/CVE-2014-6506.html
http://support.novell.com/security/cve/CVE-2014-6511.html
http://support.novell.com/security/cve/CVE-2014-6512.html
http://support.novell.com/security/cve/CVE-2014-6513.html
http://support.novell.com/security/cve/CVE-2014-6517.html
http://support.novell.com/security/cve/CVE-2014-6519.html
http://support.novell.com/security/cve/CVE-2014-6531.html
http://support.novell.com/security/cve/CVE-2014-6558.html
https://bugzilla.suse.com/show_bug.cgi?id=901242

From sle-security-updates at lists.suse.com Thu Nov 13 09:05:00 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 13 Nov 2014 17:05:00 +0100 (CET)
Subject: SUSE-SU-2014:1423-1: important: Security update for flash-player
Message-ID: <20141113160500.343AD32270@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1423-1
Rating: important
References: #901334
Cross-References: CVE-2014-0558 CVE-2014-0564 CVE-2014-0569
Affected Products:
    SUSE Linux Enterprise Workstation Extension 12
    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

Adobe Flash Player was updated to 11.2.202.411, fixing security issues and bugs.

For more information please read:
http://helpx.adobe.com/security/products/flash-player/apsb14-22.html

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12:
    zypper in -t patch SUSE-SLE-WE-12-2014-67
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2014-67

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Workstation Extension 12 (i586 x86_64):
    flash-player-11.2.202.411-4.1
    flash-player-gnome-11.2.202.411-4.1
- SUSE Linux Enterprise Desktop 12 (i586 x86_64):
    flash-player-11.2.202.411-4.1
    flash-player-gnome-11.2.202.411-4.1

References:

http://support.novell.com/security/cve/CVE-2014-0558.html
http://support.novell.com/security/cve/CVE-2014-0564.html
http://support.novell.com/security/cve/CVE-2014-0569.html
https://bugzilla.suse.com/show_bug.cgi?id=901334

From sle-security-updates at lists.suse.com Mon Nov 17 07:04:47 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 17 Nov 2014 15:04:47 +0100 (CET)
Subject: SUSE-SU-2014:1438-1: moderate: update for rsyslog
Message-ID: <20141117140447.6623432274@maintenance.suse.de>

SUSE Security Update: update for rsyslog
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1438-1
Rating: moderate
References: #890228 #899756
Cross-References: CVE-2014-3634 CVE-2014-3683
Affected Products:
    SUSE Linux Enterprise Server 12
    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for rsyslog provides the following fixes:

- Fixed remote PRI DoS vulnerability patch (CVE-2014-3683, bnc#899756)
- Removed broken, unsupported and dropped by upstream zpipe utility from rsyslog-diag-tools package (bnc#890228)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2014-70
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2014-70

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
    rsyslog-8.4.0-5.1
    rsyslog-debuginfo-8.4.0-5.1
    rsyslog-debugsource-8.4.0-5.1
    rsyslog-diag-tools-8.4.0-5.1
    rsyslog-diag-tools-debuginfo-8.4.0-5.1
    rsyslog-doc-8.4.0-5.1
    rsyslog-module-gssapi-8.4.0-5.1
    rsyslog-module-gssapi-debuginfo-8.4.0-5.1
    rsyslog-module-gtls-8.4.0-5.1
    rsyslog-module-gtls-debuginfo-8.4.0-5.1
    rsyslog-module-mysql-8.4.0-5.1
    rsyslog-module-mysql-debuginfo-8.4.0-5.1
    rsyslog-module-pgsql-8.4.0-5.1
    rsyslog-module-pgsql-debuginfo-8.4.0-5.1
    rsyslog-module-relp-8.4.0-5.1
    rsyslog-module-relp-debuginfo-8.4.0-5.1
    rsyslog-module-snmp-8.4.0-5.1
    rsyslog-module-snmp-debuginfo-8.4.0-5.1
    rsyslog-module-udpspoof-8.4.0-5.1
    rsyslog-module-udpspoof-debuginfo-8.4.0-5.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
    rsyslog-8.4.0-5.1
    rsyslog-debuginfo-8.4.0-5.1
    rsyslog-debugsource-8.4.0-5.1

References:

http://support.novell.com/security/cve/CVE-2014-3634.html
http://support.novell.com/security/cve/CVE-2014-3683.html
https://bugzilla.suse.com/show_bug.cgi?id=890228
https://bugzilla.suse.com/show_bug.cgi?id=899756

From sle-security-updates at lists.suse.com Mon Nov 17 15:04:40 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 17 Nov 2014 23:04:40 +0100 (CET)
Subject: SUSE-SU-2014:1440-1: moderate: Security update for libxml2
Message-ID: <20141117220440.0BD2532275@maintenance.suse.de>

SUSE Security Update: Security update for libxml2
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1440-1
Rating: moderate
References: #901546
Cross-References: CVE-2014-3660
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

This update fixes a denial of service via recursive entity expansion. (CVE-2014-3660)

Security Issues:

* CVE-2014-3660

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-libxml2-9914
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-libxml2-9914
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-libxml2-9914
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-libxml2-9914

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libxml2-devel-2.7.6-0.31.1
- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
    libxml2-devel-32bit-2.7.6-0.31.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    libxml2-2.7.6-0.31.1
    libxml2-doc-2.7.6-0.31.1
    libxml2-python-2.7.6-0.31.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
    libxml2-32bit-2.7.6-0.31.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libxml2-2.7.6-0.31.1
    libxml2-doc-2.7.6-0.31.1
    libxml2-python-2.7.6-0.31.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
    libxml2-32bit-2.7.6-0.31.1
- SUSE Linux Enterprise Server 11 SP3 (ia64):
    libxml2-x86-2.7.6-0.31.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    libxml2-2.7.6-0.31.1
    libxml2-python-2.7.6-0.31.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
    libxml2-32bit-2.7.6-0.31.1

References:

http://support.novell.com/security/cve/CVE-2014-3660.html
https://bugzilla.suse.com/show_bug.cgi?id=901546
http://download.suse.com/patch/finder/?keywords=9961b2dfc7e8d8c212415af4aff1679b

From sle-security-updates at lists.suse.com Mon Nov 17 17:04:43 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 18 Nov 2014 01:04:43 +0100 (CET)
Subject: SUSE-SU-2014:1441-1: moderate: Security update for php53
Message-ID: <20141118000443.8D78B32273@maintenance.suse.de>

SUSE Security Update: Security update for php53
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1441-1
Rating: moderate
References: #902357 #902360 #902368
Cross-References: CVE-2014-3668 CVE-2014-3669 CVE-2014-3670
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update fixes the following vulnerabilities in php:

* Heap corruption issue in exif_thumbnail(). (CVE-2014-3670)
* Integer overflow in unserialize(). (CVE-2014-3669)
* Xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime(). (CVE-2014-3668)

Security Issues:

* CVE-2014-3669
* CVE-2014-3670
* CVE-2014-3668

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-apache2-mod_php53-9916
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-apache2-mod_php53-9916
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-apache2-mod_php53-9916

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    php53-devel-5.3.17-0.31.1
    php53-imap-5.3.17-0.31.1
    php53-posix-5.3.17-0.31.1
    php53-readline-5.3.17-0.31.1
    php53-sockets-5.3.17-0.31.1
    php53-sqlite-5.3.17-0.31.1
    php53-tidy-5.3.17-0.31.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    apache2-mod_php53-5.3.17-0.31.1
    php53-5.3.17-0.31.1
    php53-bcmath-5.3.17-0.31.1
    php53-bz2-5.3.17-0.31.1
    php53-calendar-5.3.17-0.31.1
    php53-ctype-5.3.17-0.31.1
    php53-curl-5.3.17-0.31.1
    php53-dba-5.3.17-0.31.1
    php53-dom-5.3.17-0.31.1
    php53-exif-5.3.17-0.31.1
    php53-fastcgi-5.3.17-0.31.1
    php53-fileinfo-5.3.17-0.31.1
    php53-ftp-5.3.17-0.31.1
    php53-gd-5.3.17-0.31.1
    php53-gettext-5.3.17-0.31.1
    php53-gmp-5.3.17-0.31.1
    php53-iconv-5.3.17-0.31.1
    php53-intl-5.3.17-0.31.1
    php53-json-5.3.17-0.31.1
    php53-ldap-5.3.17-0.31.1
    php53-mbstring-5.3.17-0.31.1
    php53-mcrypt-5.3.17-0.31.1
    php53-mysql-5.3.17-0.31.1
    php53-odbc-5.3.17-0.31.1
    php53-openssl-5.3.17-0.31.1
    php53-pcntl-5.3.17-0.31.1
    php53-pdo-5.3.17-0.31.1
    php53-pear-5.3.17-0.31.1
    php53-pgsql-5.3.17-0.31.1
    php53-pspell-5.3.17-0.31.1
    php53-shmop-5.3.17-0.31.1
    php53-snmp-5.3.17-0.31.1
    php53-soap-5.3.17-0.31.1
    php53-suhosin-5.3.17-0.31.1
    php53-sysvmsg-5.3.17-0.31.1
    php53-sysvsem-5.3.17-0.31.1
    php53-sysvshm-5.3.17-0.31.1
    php53-tokenizer-5.3.17-0.31.1
    php53-wddx-5.3.17-0.31.1
    php53-xmlreader-5.3.17-0.31.1
    php53-xmlrpc-5.3.17-0.31.1
    php53-xmlwriter-5.3.17-0.31.1
    php53-xsl-5.3.17-0.31.1
    php53-zip-5.3.17-0.31.1
    php53-zlib-5.3.17-0.31.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    apache2-mod_php53-5.3.17-0.31.1
    php53-5.3.17-0.31.1
    php53-bcmath-5.3.17-0.31.1
    php53-bz2-5.3.17-0.31.1
    php53-calendar-5.3.17-0.31.1
    php53-ctype-5.3.17-0.31.1
    php53-curl-5.3.17-0.31.1
    php53-dba-5.3.17-0.31.1
    php53-dom-5.3.17-0.31.1
    php53-exif-5.3.17-0.31.1
    php53-fastcgi-5.3.17-0.31.1
    php53-fileinfo-5.3.17-0.31.1
    php53-ftp-5.3.17-0.31.1
    php53-gd-5.3.17-0.31.1
    php53-gettext-5.3.17-0.31.1
    php53-gmp-5.3.17-0.31.1
    php53-iconv-5.3.17-0.31.1
    php53-intl-5.3.17-0.31.1
    php53-json-5.3.17-0.31.1
    php53-ldap-5.3.17-0.31.1
    php53-mbstring-5.3.17-0.31.1
    php53-mcrypt-5.3.17-0.31.1
    php53-mysql-5.3.17-0.31.1
    php53-odbc-5.3.17-0.31.1
    php53-openssl-5.3.17-0.31.1
    php53-pcntl-5.3.17-0.31.1
    php53-pdo-5.3.17-0.31.1
    php53-pear-5.3.17-0.31.1
    php53-pgsql-5.3.17-0.31.1
    php53-pspell-5.3.17-0.31.1
    php53-shmop-5.3.17-0.31.1
    php53-snmp-5.3.17-0.31.1
    php53-soap-5.3.17-0.31.1
    php53-suhosin-5.3.17-0.31.1
    php53-sysvmsg-5.3.17-0.31.1
    php53-sysvsem-5.3.17-0.31.1
    php53-sysvshm-5.3.17-0.31.1
    php53-tokenizer-5.3.17-0.31.1
    php53-wddx-5.3.17-0.31.1
    php53-xmlreader-5.3.17-0.31.1
    php53-xmlrpc-5.3.17-0.31.1
    php53-xmlwriter-5.3.17-0.31.1
    php53-xsl-5.3.17-0.31.1
    php53-zip-5.3.17-0.31.1
    php53-zlib-5.3.17-0.31.1

References:

http://support.novell.com/security/cve/CVE-2014-3668.html
http://support.novell.com/security/cve/CVE-2014-3669.html
http://support.novell.com/security/cve/CVE-2014-3670.html
https://bugzilla.suse.com/show_bug.cgi?id=902357
https://bugzilla.suse.com/show_bug.cgi?id=902360
https://bugzilla.suse.com/show_bug.cgi?id=902368
http://download.suse.com/patch/finder/?keywords=991707256096509383d233738d9325bb

From sle-security-updates at lists.suse.com Mon Nov 17 17:05:24 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 18 Nov 2014 01:05:24 +0100 (CET)
Subject: SUSE-SU-2014:1442-1: important: Security update for flash-player
Message-ID: <20141118000524.B7F0F32273@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1442-1
Rating: important
References: #905032
Cross-References: CVE-2014-0573 CVE-2014-0574 CVE-2014-0576 CVE-2014-0577
    CVE-2014-0581 CVE-2014-0582 CVE-2014-0583 CVE-2014-0584
    CVE-2014-0585 CVE-2014-0586 CVE-2014-0588 CVE-2014-0589
    CVE-2014-0590 CVE-2014-8437 CVE-2014-8438 CVE-2014-8440
    CVE-2014-8441 CVE-2014-8442
Affected Products:
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 18 vulnerabilities is now available. It includes one version update.

Description:

flash-player was updated to version 11.2.202.418 to fix 18 security issues:

* Memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441).
* Use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).
* A double free vulnerability that could lead to code execution (CVE-2014-0574).
* Type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590).
* Heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589).
* An information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437).
* A heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583).
* A permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442).

Further information can be found at
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html .

Security Issues:

* CVE-2014-0576
* CVE-2014-0581
* CVE-2014-8440
* CVE-2014-8441
* CVE-2014-0573
* CVE-2014-0588
* CVE-2014-8438
* CVE-2014-0574
* CVE-2014-0577
* CVE-2014-0584
* CVE-2014-0585
* CVE-2014-0586
* CVE-2014-0590
* CVE-2014-0582
* CVE-2014-0589
* CVE-2014-8437
* CVE-2014-0583
* CVE-2014-8442

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-flash-player-9958

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.418]: flash-player-11.2.202.418-0.3.1 flash-player-gnome-11.2.202.418-0.3.1 flash-player-kde4-11.2.202.418-0.3.1 References: http://support.novell.com/security/cve/CVE-2014-0573.html http://support.novell.com/security/cve/CVE-2014-0574.html http://support.novell.com/security/cve/CVE-2014-0576.html http://support.novell.com/security/cve/CVE-2014-0577.html http://support.novell.com/security/cve/CVE-2014-0581.html http://support.novell.com/security/cve/CVE-2014-0582.html http://support.novell.com/security/cve/CVE-2014-0583.html http://support.novell.com/security/cve/CVE-2014-0584.html http://support.novell.com/security/cve/CVE-2014-0585.html http://support.novell.com/security/cve/CVE-2014-0586.html http://support.novell.com/security/cve/CVE-2014-0588.html http://support.novell.com/security/cve/CVE-2014-0589.html http://support.novell.com/security/cve/CVE-2014-0590.html http://support.novell.com/security/cve/CVE-2014-8437.html http://support.novell.com/security/cve/CVE-2014-8438.html http://support.novell.com/security/cve/CVE-2014-8440.html http://support.novell.com/security/cve/CVE-2014-8441.html http://support.novell.com/security/cve/CVE-2014-8442.html https://bugzilla.suse.com/show_bug.cgi?id=905032 http://download.suse.com/patch/finder/?keywords=dbcb29ab8a2328939075a141810b2c4d From sle-security-updates at lists.suse.com Tue Nov 18 11:05:08 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 18 Nov 2014 19:05:08 +0100 (CET) Subject: SUSE-SU-2014:1447-1: moderate: Security update for openwsman Message-ID: <20141118180508.4E98E32275@maintenance.suse.de> SUSE Security Update: Security update for openwsman ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1447-1 Rating: moderate References: #901882 Cross-References: CVE-2014-3566 Affected Products: SUSE Linux Enterprise 
Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update adds a configuration option to disable SSLv2 and SSLv3 in
openwsman. This is required to mitigate CVE-2014-3566.

To use the new option, edit /etc/openwsman/openwsman.conf and add the
following line to the [server] section:

    ssl_disabled_protocols = SSLv2 SSLv3

Security Issues:

* CVE-2014-3566

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

    zypper in -t patch sdksp3-libwsman-devel-9902

- SUSE Linux Enterprise Server 11 SP3 for VMware:

    zypper in -t patch slessp3-libwsman-devel-9902

- SUSE Linux Enterprise Server 11 SP3:

    zypper in -t patch slessp3-libwsman-devel-9902

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-libwsman-devel-9902

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libwsman-devel-2.2.3-0.8.1 openwsman-python-2.2.3-0.8.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): libwsman1-2.2.3-0.8.1 openwsman-client-2.2.3-0.8.1 openwsman-server-2.2.3-0.8.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): libwsman1-2.2.3-0.8.1 openwsman-client-2.2.3-0.8.1 openwsman-server-2.2.3-0.8.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): libwsman1-2.2.3-0.8.1 openwsman-client-2.2.3-0.8.1 openwsman-server-2.2.3-0.8.1 References: http://support.novell.com/security/cve/CVE-2014-3566.html https://bugzilla.suse.com/show_bug.cgi?id=901882 http://download.suse.com/patch/finder/?keywords=0f0bc1b01ad268f3f98cb87c3015cbb4 From sle-security-updates at lists.suse.com Wed Nov 19 17:04:49 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 20 Nov 2014 01:04:49 +0100 (CET) Subject: SUSE-SU-2014:1458-1: important: Security update for MozillaFirefox Message-ID: <20141120000449.98DBD32274@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1458-1 Rating: important References: #900941 #905056 #905528 Cross-References: CVE-2014-1574 CVE-2014-1575 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 CVE-2014-1585 CVE-2014-1586 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP1 LTSS SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. It includes four new package versions. 
Description:

This version update of Mozilla Firefox to 31.2.0ESR brings improvements,
stability fixes and also security fixes for the following CVEs:

CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578,
CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586

It also disables SSLv3 by default to mitigate the protocol downgrade attack
known as POODLE.

This update fixes some regressions introduced by the previously released
update.

Security Issues:

* CVE-2014-1574
* CVE-2014-1575
* CVE-2014-1576
* CVE-2014-1577
* CVE-2014-1578
* CVE-2014-1581
* CVE-2014-1583
* CVE-2014-1585
* CVE-2014-1586

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

    zypper in -t patch sdksp3-firefox31-201411-9972

- SUSE Linux Enterprise Server 11 SP3 for VMware:

    zypper in -t patch slessp3-firefox31-201411-9972

- SUSE Linux Enterprise Server 11 SP3:

    zypper in -t patch slessp3-firefox31-201411-9972

- SUSE Linux Enterprise Server 11 SP1 LTSS:

    zypper in -t patch slessp1-firefox31-201411-9971

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-firefox31-201411-9972

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.17.2 and 4.10.7]: MozillaFirefox-devel-31.2.0esr-0.16.1 mozilla-nspr-devel-4.10.7-0.3.3 mozilla-nss-devel-3.17.2-0.8.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 3.17.2,31.2.0esr and 4.10.7]: MozillaFirefox-31.2.0esr-0.16.1 MozillaFirefox-branding-SLES-for-VMware-31.0-0.5.1 MozillaFirefox-translations-31.2.0esr-0.16.1 libfreebl3-3.17.2-0.8.1 libsoftokn3-3.17.2-0.8.1 mozilla-nspr-4.10.7-0.3.3 mozilla-nss-3.17.2-0.8.1 mozilla-nss-tools-3.17.2-0.8.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.17.2 and 4.10.7]: libfreebl3-32bit-3.17.2-0.8.1 libsoftokn3-32bit-3.17.2-0.8.1 mozilla-nspr-32bit-4.10.7-0.3.3 mozilla-nss-32bit-3.17.2-0.8.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.17.2,31.2.0esr and 4.10.7]: MozillaFirefox-31.2.0esr-0.16.1 MozillaFirefox-branding-SLED-31.0-0.10.1 MozillaFirefox-translations-31.2.0esr-0.16.1 libfreebl3-3.17.2-0.8.1 libsoftokn3-3.17.2-0.8.1 mozilla-nspr-4.10.7-0.3.3 mozilla-nss-3.17.2-0.8.1 mozilla-nss-tools-3.17.2-0.8.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.17.2 and 4.10.7]: libfreebl3-32bit-3.17.2-0.8.1 libsoftokn3-32bit-3.17.2-0.8.1 mozilla-nspr-32bit-4.10.7-0.3.3 mozilla-nss-32bit-3.17.2-0.8.1 - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.17.2 and 4.10.7]: libfreebl3-x86-3.17.2-0.8.1 libsoftokn3-x86-3.17.2-0.8.1 mozilla-nspr-x86-4.10.7-0.3.3 mozilla-nss-x86-3.17.2-0.8.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 3.17.2,31.0,31.2.0esr and 4.10.7]: MozillaFirefox-31.2.0esr-0.11.11.1 MozillaFirefox-branding-SLED-31.0-0.5.5.1 MozillaFirefox-translations-31.2.0esr-0.11.11.1 libfreebl3-3.17.2-0.3.1 mozilla-nspr-4.10.7-0.3.3 mozilla-nss-3.17.2-0.3.1 mozilla-nss-tools-3.17.2-0.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New 
Version: 3.17.2 and 4.10.7]: libfreebl3-32bit-3.17.2-0.3.1 mozilla-nspr-32bit-4.10.7-0.3.3 mozilla-nss-32bit-3.17.2-0.3.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 3.17.2,31.2.0esr and 4.10.7]: MozillaFirefox-31.2.0esr-0.16.1 MozillaFirefox-branding-SLED-31.0-0.10.1 MozillaFirefox-translations-31.2.0esr-0.16.1 libfreebl3-3.17.2-0.8.1 libsoftokn3-3.17.2-0.8.1 mozilla-nspr-4.10.7-0.3.3 mozilla-nss-3.17.2-0.8.1 mozilla-nss-tools-3.17.2-0.8.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.17.2 and 4.10.7]: libfreebl3-32bit-3.17.2-0.8.1 libsoftokn3-32bit-3.17.2-0.8.1 mozilla-nspr-32bit-4.10.7-0.3.3 mozilla-nss-32bit-3.17.2-0.8.1 References: http://support.novell.com/security/cve/CVE-2014-1574.html http://support.novell.com/security/cve/CVE-2014-1575.html http://support.novell.com/security/cve/CVE-2014-1576.html http://support.novell.com/security/cve/CVE-2014-1577.html http://support.novell.com/security/cve/CVE-2014-1578.html http://support.novell.com/security/cve/CVE-2014-1581.html http://support.novell.com/security/cve/CVE-2014-1583.html http://support.novell.com/security/cve/CVE-2014-1585.html http://support.novell.com/security/cve/CVE-2014-1586.html https://bugzilla.suse.com/show_bug.cgi?id=900941 https://bugzilla.suse.com/show_bug.cgi?id=905056 https://bugzilla.suse.com/show_bug.cgi?id=905528 http://download.suse.com/patch/finder/?keywords=29ed5e7e0df0d224aa13f77da0665ca3 http://download.suse.com/patch/finder/?keywords=7d581038b5bc4e233d15b95636b1b8eb From sle-security-updates at lists.suse.com Thu Nov 20 08:04:45 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 20 Nov 2014 16:04:45 +0100 (CET) Subject: SUSE-SU-2014:1464-1: moderate: Security update for wget Message-ID: <20141120150445.A867B32276@maintenance.suse.de> SUSE Security Update: Security update for wget ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2014:1464-1 Rating: moderate References: #902709 Cross-References: CVE-2014-4877 Affected Products: SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: wget was updated to fix one security issue. This security issue was fixed: - FTP symlink arbitrary filesystem access (CVE-2014-4877). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2014-76 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-76 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): wget-1.14-7.1 wget-debuginfo-1.14-7.1 wget-debugsource-1.14-7.1 - SUSE Linux Enterprise Desktop 12 (x86_64): wget-1.14-7.1 wget-debuginfo-1.14-7.1 wget-debugsource-1.14-7.1 References: http://support.novell.com/security/cve/CVE-2014-4877.html https://bugzilla.suse.com/show_bug.cgi?id=902709 From sle-security-updates at lists.suse.com Thu Nov 20 08:05:05 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 20 Nov 2014 16:05:05 +0100 (CET) Subject: SUSE-SU-2014:1465-1: moderate: Security update for flash-player Message-ID: <20141120150505.2C90232276@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1465-1 Rating: moderate References: #905032 Cross-References: CVE-2014-0573 CVE-2014-0574 CVE-2014-0576 CVE-2014-0577 CVE-2014-0581 CVE-2014-0582 CVE-2014-0583 CVE-2014-0584 CVE-2014-0585 CVE-2014-0586 CVE-2014-0588 CVE-2014-0589 CVE-2014-0590 CVE-2014-8437 CVE-2014-8438 CVE-2014-8440 CVE-2014-8441 CVE-2014-8442 Affected 
Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes 18 vulnerabilities is now available. Description: flash-player was updated to version 11.2.202.418 to fix 18 security issues. These security issues were fixed: - Memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441). - Use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438). - A double free vulnerability that could lead to code execution (CVE-2014-0574). - Type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590). - Heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589). - An information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437). - A heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583). - A permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442). More information can be found at http://helpx.adobe.com/security/products/flash-player/apsb14-24.html Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2014-77 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-77 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Workstation Extension 12 (x86_64): flash-player-11.2.202.418-11.1 flash-player-gnome-11.2.202.418-11.1 - SUSE Linux Enterprise Desktop 12 (x86_64): flash-player-11.2.202.418-11.1 flash-player-gnome-11.2.202.418-11.1 References: http://support.novell.com/security/cve/CVE-2014-0573.html http://support.novell.com/security/cve/CVE-2014-0574.html http://support.novell.com/security/cve/CVE-2014-0576.html http://support.novell.com/security/cve/CVE-2014-0577.html http://support.novell.com/security/cve/CVE-2014-0581.html http://support.novell.com/security/cve/CVE-2014-0582.html http://support.novell.com/security/cve/CVE-2014-0583.html http://support.novell.com/security/cve/CVE-2014-0584.html http://support.novell.com/security/cve/CVE-2014-0585.html http://support.novell.com/security/cve/CVE-2014-0586.html http://support.novell.com/security/cve/CVE-2014-0588.html http://support.novell.com/security/cve/CVE-2014-0589.html http://support.novell.com/security/cve/CVE-2014-0590.html http://support.novell.com/security/cve/CVE-2014-8437.html http://support.novell.com/security/cve/CVE-2014-8438.html http://support.novell.com/security/cve/CVE-2014-8440.html http://support.novell.com/security/cve/CVE-2014-8441.html http://support.novell.com/security/cve/CVE-2014-8442.html https://bugzilla.suse.com/show_bug.cgi?id=905032 From sle-security-updates at lists.suse.com Thu Nov 20 11:05:08 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 20 Nov 2014 19:05:08 +0100 (CET) Subject: SUSE-SU-2014:1467-1: Security update for openstack-cinder Message-ID: <20141120180508.A308832277@maintenance.suse.de> SUSE Security Update: Security update for openstack-cinder ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1467-1 Rating: low References: #883950 #894055 #897815 #899190 #899198 Cross-References: CVE-2014-3641 CVE-2014-7230 CVE-2014-7231 Affected 
Products: SUSE Cloud 4
______________________________________________________________________________

An update that solves three vulnerabilities and has two fixes is now
available. It includes one version update.

Description:

This update for openstack-cinder provides the following recommended and
security fixes:

* Refuse invalid qcow2 backing files to avoid host data leak to VM
  instance (bnc#899198, CVE-2014-3641)
* Sync latest process and str utils from oslo (bnc#899190 CVE-2014-7230
  CVE-2014-7231)
* Fix the iSER transport protocol when using LVMISERDriver
* NetApp fix for controller preferred path
* NetApp fix for default host type in eseries
* NetApp fix eseries concurrent vol map failure
* Cinder api service doesn't handle SIGHUP properly
* Sync latest strutils from oslo-incubator for mask_password fix
* Fix possible race condition for accept transfer
* Cinder override all method add _wrap_db_error support for PostgreSQL
  (bnc#883950)
* Fix terminate_connection live migration issue
* Prevent tenant viewing volumes owned by another
* NetApp NFS: Do not reference dst_img_local before assignment
* Fix KeyError exception in NetApp CDOT iscsi driver volume create
* Don't clear _mounted_shares list in remoteFS while updating
* Add retry_on_deadlock to db update methods
* Add fix for reservation index to icehouse
* Fix performance issues with Brocade zone driver
* VMware: Disable suds caching
* Add eternus dx volumedriver 1.1.0 (bnc#894055)
* Cache snapshots in request for extension
* VMware: Force chunked transfer for upload-to-image
* Avoid using the disk cache on volume initialization and remove
  multipath device correctly (bnc#894055)

Security Issues:

* CVE-2014-3641
* CVE-2014-7230
* CVE-2014-7231

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Cloud 4:

    zypper in -t patch sleclo40sp3-cinder-1114-9960

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Cloud 4 (x86_64) [New Version: 2014.1.4.dev19.g80c0054]: openstack-cinder-2014.1.4.dev19.g80c0054-0.7.1 openstack-cinder-api-2014.1.4.dev19.g80c0054-0.7.1 openstack-cinder-backup-2014.1.4.dev19.g80c0054-0.7.1 openstack-cinder-scheduler-2014.1.4.dev19.g80c0054-0.7.1 openstack-cinder-volume-2014.1.4.dev19.g80c0054-0.7.1 python-cinder-2014.1.4.dev19.g80c0054-0.7.1 - SUSE Cloud 4 (noarch) [New Version: 2014.1.4.dev19.g80c0054]: openstack-cinder-doc-2014.1.4.dev19.g80c0054-0.7.1 References: http://support.novell.com/security/cve/CVE-2014-3641.html http://support.novell.com/security/cve/CVE-2014-7230.html http://support.novell.com/security/cve/CVE-2014-7231.html https://bugzilla.suse.com/show_bug.cgi?id=883950 https://bugzilla.suse.com/show_bug.cgi?id=894055 https://bugzilla.suse.com/show_bug.cgi?id=897815 https://bugzilla.suse.com/show_bug.cgi?id=899190 https://bugzilla.suse.com/show_bug.cgi?id=899198 http://download.suse.com/patch/finder/?keywords=a39845befed7d7674be8c6540ec59a65 From sle-security-updates at lists.suse.com Fri Nov 21 11:05:00 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 21 Nov 2014 19:05:00 +0100 (CET) Subject: SUSE-SU-2014:1458-2: important: Security update for MozillaFirefox Message-ID: <20141121180500.DC00432294@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1458-2 Rating: important References: #900941 #905056 #905528 Cross-References: CVE-2014-1574 CVE-2014-1575 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 CVE-2014-1585 CVE-2014-1586 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. It includes three new package versions. 
Description:

This version update of Mozilla Firefox to 31.2.0ESR brings improvements,
stability fixes and also security fixes for the following CVEs:

CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578,
CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586

It also disables SSLv3 by default to mitigate the protocol downgrade attack
known as POODLE.

This update fixes some regressions introduced by the previously released
update.

Security Issues:

* CVE-2014-1574
* CVE-2014-1575
* CVE-2014-1576
* CVE-2014-1577
* CVE-2014-1578
* CVE-2014-1581
* CVE-2014-1583
* CVE-2014-1585
* CVE-2014-1586

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:

    zypper in -t patch slessp2-firefox31-201411-9973

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.17.2,31.2.0esr and 4.10.7]:

    MozillaFirefox-31.2.0esr-0.11.11.1
    MozillaFirefox-branding-SLED-31.0-0.5.5.1
    MozillaFirefox-translations-31.2.0esr-0.11.11.1
    libfreebl3-3.17.2-0.3.1
    mozilla-nspr-4.10.7-0.3.3
    mozilla-nspr-devel-4.10.7-0.3.3
    mozilla-nss-3.17.2-0.3.1
    mozilla-nss-devel-3.17.2-0.3.1
    mozilla-nss-tools-3.17.2-0.3.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.17.2 and 4.10.7]:

    libfreebl3-32bit-3.17.2-0.3.1
    mozilla-nspr-32bit-4.10.7-0.3.3
    mozilla-nss-32bit-3.17.2-0.3.1

References:

http://support.novell.com/security/cve/CVE-2014-1574.html
http://support.novell.com/security/cve/CVE-2014-1575.html
http://support.novell.com/security/cve/CVE-2014-1576.html
http://support.novell.com/security/cve/CVE-2014-1577.html
http://support.novell.com/security/cve/CVE-2014-1578.html
http://support.novell.com/security/cve/CVE-2014-1581.html
http://support.novell.com/security/cve/CVE-2014-1583.html
http://support.novell.com/security/cve/CVE-2014-1585.html
http://support.novell.com/security/cve/CVE-2014-1586.html
https://bugzilla.suse.com/show_bug.cgi?id=900941
https://bugzilla.suse.com/show_bug.cgi?id=905056
https://bugzilla.suse.com/show_bug.cgi?id=905528
http://download.suse.com/patch/finder/?keywords=8991d7c7c8912dadb27442e31693b8a0

From sle-security-updates at lists.suse.com Fri Nov 21 11:05:37 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 21 Nov 2014 19:05:37 +0100 (CET)
Subject: SUSE-SU-2014:1473-1: moderate: Security update for file
Message-ID: <20141121180537.E7B1F32294@maintenance.suse.de>

SUSE Security Update: Security update for file
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1473-1
Rating: moderate
References: #902367
Cross-References: CVE-2014-3710
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

file was updated to fix one security issue.

* An out-of-bounds read flaw in file's donote() function. This could
  possibly lead to a file executable crash (CVE-2014-3710).

Security Issues:

* CVE-2014-3710

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

    zypper in -t patch sdksp3-file-9982

- SUSE Linux Enterprise Server 11 SP3 for VMware:

    zypper in -t patch slessp3-file-9982

- SUSE Linux Enterprise Server 11 SP3:

    zypper in -t patch slessp3-file-9982

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-file-9982

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): file-devel-4.24-43.27.1 python-magic-4.24-43.27.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): file-4.24-43.27.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): file-32bit-4.24-43.27.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): file-4.24-43.27.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): file-32bit-4.24-43.27.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): file-x86-4.24-43.27.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): file-4.24-43.27.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): file-32bit-4.24-43.27.1 References: http://support.novell.com/security/cve/CVE-2014-3710.html https://bugzilla.suse.com/show_bug.cgi?id=902367 http://download.suse.com/patch/finder/?keywords=b86426298bc3070eb200ec58c3e31b8a From sle-security-updates at lists.suse.com Mon Nov 24 11:05:33 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 24 Nov 2014 19:05:33 +0100 (CET) Subject: SUSE-SU-2014:1458-3: important: Security update for MozillaFirefox Message-ID: <20141124180533.DC98E32298@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1458-3 Rating: important References: #900941 #905056 #905528 Cross-References: CVE-2014-1574 CVE-2014-1575 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 CVE-2014-1585 CVE-2014-1586 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. It includes three new package versions. 
Description:

This version update of Mozilla Firefox to 31.2.0ESR brings improvements,
stability fixes and also security fixes for the following CVEs:

CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578,
CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586

It also disables SSLv3 by default to mitigate the protocol downgrade attack
known as POODLE.

Security Issues:

* CVE-2014-1574
* CVE-2014-1575
* CVE-2014-1576
* CVE-2014-1577
* CVE-2014-1578
* CVE-2014-1581
* CVE-2014-1583
* CVE-2014-1585
* CVE-2014-1586

Indications:

Everybody should update.

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 3.17.2 and 4.10.7]:

    mozilla-nspr-4.10.7-0.5.4
    mozilla-nspr-devel-4.10.7-0.5.4
    mozilla-nss-3.17.2-0.5.1
    mozilla-nss-devel-3.17.2-0.5.1
    mozilla-nss-tools-3.17.2-0.5.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64) [New Version: 3.17.2 and 4.10.7]:

    mozilla-nspr-32bit-4.10.7-0.5.4
    mozilla-nss-32bit-3.17.2-0.5.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x) [New Version: 31.0]:

    MozillaFirefox-31.2.0esr-0.11.1
    MozillaFirefox-branding-SLED-31.0-0.7.1
    MozillaFirefox-translations-31.2.0esr-0.11.1

References:

http://support.novell.com/security/cve/CVE-2014-1574.html
http://support.novell.com/security/cve/CVE-2014-1575.html
http://support.novell.com/security/cve/CVE-2014-1576.html
http://support.novell.com/security/cve/CVE-2014-1577.html
http://support.novell.com/security/cve/CVE-2014-1578.html
http://support.novell.com/security/cve/CVE-2014-1581.html
http://support.novell.com/security/cve/CVE-2014-1583.html
http://support.novell.com/security/cve/CVE-2014-1585.html
http://support.novell.com/security/cve/CVE-2014-1586.html
https://bugzilla.suse.com/show_bug.cgi?id=900941
https://bugzilla.suse.com/show_bug.cgi?id=905056
https://bugzilla.suse.com/show_bug.cgi?id=905528
http://download.suse.com/patch/finder/?keywords=caf12701f26397664ab064794563a9cc

From sle-security-updates at lists.suse.com Tue Nov 25 06:04:42 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 25 Nov 2014 14:04:42 +0100 (CET)
Subject: SUSE-SU-2014:1494-1: moderate: Security update for libreoffice
Message-ID: <20141125130442.D8A9132299@maintenance.suse.de>

SUSE Security Update: Security update for libreoffice
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1494-1
Rating: moderate
References: #900214 #900218
Cross-References: CVE-2014-3693
Affected Products:
    SUSE Linux Enterprise Workstation Extension 12
    SUSE Linux Enterprise Desktop 12
    SUSE Linux Enterprise Build System Kit 12
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

libreoffice was updated to version 4.3.3.2 to fix two security issues.

These security issues were fixed:

- "Document as E-mail" vulnerability (bnc#900218).
- Impress remote control use-after-free vulnerability (CVE-2014-3693).

Various other fixes are included in the update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12:

    zypper in -t patch SUSE-SLE-WE-12-2014-78

- SUSE Linux Enterprise Desktop 12:

    zypper in -t patch SUSE-SLE-DESKTOP-12-2014-78

- SUSE Linux Enterprise Build System Kit 12:

    zypper in -t patch SUSE-SLE-BSK-12-2014-78

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Workstation Extension 12 (x86_64): libreoffice-4.3.3.2-6.1 libreoffice-base-4.3.3.2-6.1 libreoffice-base-debuginfo-4.3.3.2-6.1 libreoffice-base-drivers-mysql-4.3.3.2-6.1 libreoffice-base-drivers-mysql-debuginfo-4.3.3.2-6.1 libreoffice-base-drivers-postgresql-4.3.3.2-6.1 libreoffice-base-drivers-postgresql-debuginfo-4.3.3.2-6.1 libreoffice-calc-4.3.3.2-6.1 libreoffice-calc-debuginfo-4.3.3.2-6.1 libreoffice-calc-extensions-4.3.3.2-6.1 libreoffice-debuginfo-4.3.3.2-6.1 libreoffice-debugsource-4.3.3.2-6.1 libreoffice-draw-4.3.3.2-6.1 libreoffice-draw-debuginfo-4.3.3.2-6.1 libreoffice-filters-optional-4.3.3.2-6.1 libreoffice-gnome-4.3.3.2-6.1 libreoffice-gnome-debuginfo-4.3.3.2-6.1 libreoffice-impress-4.3.3.2-6.1 libreoffice-impress-debuginfo-4.3.3.2-6.1 libreoffice-mailmerge-4.3.3.2-6.1 libreoffice-math-4.3.3.2-6.1 libreoffice-math-debuginfo-4.3.3.2-6.1 libreoffice-officebean-4.3.3.2-6.1 libreoffice-officebean-debuginfo-4.3.3.2-6.1 libreoffice-pyuno-4.3.3.2-6.1 libreoffice-pyuno-debuginfo-4.3.3.2-6.1 libreoffice-writer-4.3.3.2-6.1 libreoffice-writer-debuginfo-4.3.3.2-6.1 libreoffice-writer-extensions-4.3.3.2-6.1 - SUSE Linux Enterprise Workstation Extension 12 (noarch): libreoffice-icon-theme-tango-4.3.3.2-6.1 libreoffice-l10n-af-4.3.3.2-6.1 libreoffice-l10n-ar-4.3.3.2-6.1 libreoffice-l10n-ca-4.3.3.2-6.1 libreoffice-l10n-cs-4.3.3.2-6.1 libreoffice-l10n-da-4.3.3.2-6.1 libreoffice-l10n-de-4.3.3.2-6.1 libreoffice-l10n-en-4.3.3.2-6.1 libreoffice-l10n-es-4.3.3.2-6.1 libreoffice-l10n-fi-4.3.3.2-6.1 libreoffice-l10n-fr-4.3.3.2-6.1 libreoffice-l10n-gu-4.3.3.2-6.1 libreoffice-l10n-hi-4.3.3.2-6.1 libreoffice-l10n-hu-4.3.3.2-6.1 libreoffice-l10n-it-4.3.3.2-6.1 libreoffice-l10n-ja-4.3.3.2-6.1 libreoffice-l10n-ko-4.3.3.2-6.1 libreoffice-l10n-nb-4.3.3.2-6.1 libreoffice-l10n-nl-4.3.3.2-6.1 libreoffice-l10n-nn-4.3.3.2-6.1 libreoffice-l10n-pl-4.3.3.2-6.1 libreoffice-l10n-pt-BR-4.3.3.2-6.1 libreoffice-l10n-pt-PT-4.3.3.2-6.1 
libreoffice-l10n-ru-4.3.3.2-6.1 libreoffice-l10n-sk-4.3.3.2-6.1 libreoffice-l10n-sv-4.3.3.2-6.1 libreoffice-l10n-xh-4.3.3.2-6.1 libreoffice-l10n-zh-Hans-4.3.3.2-6.1 libreoffice-l10n-zh-Hant-4.3.3.2-6.1 libreoffice-l10n-zu-4.3.3.2-6.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libreoffice-4.3.3.2-6.1 libreoffice-base-4.3.3.2-6.1 libreoffice-base-debuginfo-4.3.3.2-6.1 libreoffice-base-drivers-mysql-4.3.3.2-6.1 libreoffice-base-drivers-mysql-debuginfo-4.3.3.2-6.1 libreoffice-base-drivers-postgresql-4.3.3.2-6.1 libreoffice-base-drivers-postgresql-debuginfo-4.3.3.2-6.1 libreoffice-calc-4.3.3.2-6.1 libreoffice-calc-debuginfo-4.3.3.2-6.1 libreoffice-calc-extensions-4.3.3.2-6.1 libreoffice-debuginfo-4.3.3.2-6.1 libreoffice-debugsource-4.3.3.2-6.1 libreoffice-draw-4.3.3.2-6.1 libreoffice-draw-debuginfo-4.3.3.2-6.1 libreoffice-filters-optional-4.3.3.2-6.1 libreoffice-gnome-4.3.3.2-6.1 libreoffice-gnome-debuginfo-4.3.3.2-6.1 libreoffice-impress-4.3.3.2-6.1 libreoffice-impress-debuginfo-4.3.3.2-6.1 libreoffice-mailmerge-4.3.3.2-6.1 libreoffice-math-4.3.3.2-6.1 libreoffice-math-debuginfo-4.3.3.2-6.1 libreoffice-officebean-4.3.3.2-6.1 libreoffice-officebean-debuginfo-4.3.3.2-6.1 libreoffice-pyuno-4.3.3.2-6.1 libreoffice-pyuno-debuginfo-4.3.3.2-6.1 libreoffice-writer-4.3.3.2-6.1 libreoffice-writer-debuginfo-4.3.3.2-6.1 libreoffice-writer-extensions-4.3.3.2-6.1 - SUSE Linux Enterprise Desktop 12 (noarch): libreoffice-icon-theme-tango-4.3.3.2-6.1 libreoffice-l10n-af-4.3.3.2-6.1 libreoffice-l10n-ar-4.3.3.2-6.1 libreoffice-l10n-ca-4.3.3.2-6.1 libreoffice-l10n-cs-4.3.3.2-6.1 libreoffice-l10n-da-4.3.3.2-6.1 libreoffice-l10n-de-4.3.3.2-6.1 libreoffice-l10n-en-4.3.3.2-6.1 libreoffice-l10n-es-4.3.3.2-6.1 libreoffice-l10n-fi-4.3.3.2-6.1 libreoffice-l10n-fr-4.3.3.2-6.1 libreoffice-l10n-gu-4.3.3.2-6.1 libreoffice-l10n-hi-4.3.3.2-6.1 libreoffice-l10n-hu-4.3.3.2-6.1 libreoffice-l10n-it-4.3.3.2-6.1 libreoffice-l10n-ja-4.3.3.2-6.1 libreoffice-l10n-ko-4.3.3.2-6.1 libreoffice-l10n-nb-4.3.3.2-6.1 
libreoffice-l10n-nl-4.3.3.2-6.1 libreoffice-l10n-nn-4.3.3.2-6.1 libreoffice-l10n-pl-4.3.3.2-6.1 libreoffice-l10n-pt-BR-4.3.3.2-6.1 libreoffice-l10n-pt-PT-4.3.3.2-6.1 libreoffice-l10n-ru-4.3.3.2-6.1 libreoffice-l10n-sk-4.3.3.2-6.1 libreoffice-l10n-sv-4.3.3.2-6.1 libreoffice-l10n-xh-4.3.3.2-6.1 libreoffice-l10n-zh-Hans-4.3.3.2-6.1 libreoffice-l10n-zh-Hant-4.3.3.2-6.1 libreoffice-l10n-zu-4.3.3.2-6.1 - SUSE Linux Enterprise Build System Kit 12 (x86_64): libreoffice-debuginfo-4.3.3.2-6.1 libreoffice-debugsource-4.3.3.2-6.1 libreoffice-sdk-4.3.3.2-6.1 libreoffice-sdk-debuginfo-4.3.3.2-6.1 References: http://support.novell.com/security/cve/CVE-2014-3693.html https://bugzilla.suse.com/show_bug.cgi?id=900214 https://bugzilla.suse.com/show_bug.cgi?id=900218 From sle-security-updates at lists.suse.com Tue Nov 25 07:05:00 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 25 Nov 2014 15:05:00 +0100 (CET) Subject: SUSE-SU-2014:1497-1: moderate: Security update for php5 Message-ID: <20141125140500.D2AAA32299@maintenance.suse.de> SUSE Security Update: Security update for php5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1497-1 Rating: moderate References: #902357 #902360 #902368 Cross-References: CVE-2014-3668 CVE-2014-3669 CVE-2014-3670 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: php5 was updated to fix three security issues. The following security issues were fixed: - xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime() (CVE-2014-3668). - integer overflow in unserialize() (CVE-2014-3669). - heap corruption issue in exif_thumbnail() (CVE-2014-3670). 
Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2014-80 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2014-80 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): php5-debuginfo-5.5.14-7.1 php5-debugsource-5.5.14-7.1 php5-devel-5.5.14-7.1 - SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64): apache2-mod_php5-5.5.14-7.1 apache2-mod_php5-debuginfo-5.5.14-7.1 php5-5.5.14-7.1 php5-bcmath-5.5.14-7.1 php5-bcmath-debuginfo-5.5.14-7.1 php5-bz2-5.5.14-7.1 php5-bz2-debuginfo-5.5.14-7.1 php5-calendar-5.5.14-7.1 php5-calendar-debuginfo-5.5.14-7.1 php5-ctype-5.5.14-7.1 php5-ctype-debuginfo-5.5.14-7.1 php5-curl-5.5.14-7.1 php5-curl-debuginfo-5.5.14-7.1 php5-dba-5.5.14-7.1 php5-dba-debuginfo-5.5.14-7.1 php5-debuginfo-5.5.14-7.1 php5-debugsource-5.5.14-7.1 php5-dom-5.5.14-7.1 php5-dom-debuginfo-5.5.14-7.1 php5-enchant-5.5.14-7.1 php5-enchant-debuginfo-5.5.14-7.1 php5-exif-5.5.14-7.1 php5-exif-debuginfo-5.5.14-7.1 php5-fastcgi-5.5.14-7.1 php5-fastcgi-debuginfo-5.5.14-7.1 php5-fileinfo-5.5.14-7.1 php5-fileinfo-debuginfo-5.5.14-7.1 php5-fpm-5.5.14-7.1 php5-fpm-debuginfo-5.5.14-7.1 php5-ftp-5.5.14-7.1 php5-ftp-debuginfo-5.5.14-7.1 php5-gd-5.5.14-7.1 php5-gd-debuginfo-5.5.14-7.1 php5-gettext-5.5.14-7.1 php5-gettext-debuginfo-5.5.14-7.1 php5-gmp-5.5.14-7.1 php5-gmp-debuginfo-5.5.14-7.1 php5-iconv-5.5.14-7.1 php5-iconv-debuginfo-5.5.14-7.1 php5-intl-5.5.14-7.1 php5-intl-debuginfo-5.5.14-7.1 php5-json-5.5.14-7.1 php5-json-debuginfo-5.5.14-7.1 php5-ldap-5.5.14-7.1 php5-ldap-debuginfo-5.5.14-7.1 php5-mbstring-5.5.14-7.1 php5-mbstring-debuginfo-5.5.14-7.1 php5-mcrypt-5.5.14-7.1 php5-mcrypt-debuginfo-5.5.14-7.1 php5-mysql-5.5.14-7.1 
php5-mysql-debuginfo-5.5.14-7.1 php5-odbc-5.5.14-7.1 php5-odbc-debuginfo-5.5.14-7.1 php5-openssl-5.5.14-7.1 php5-openssl-debuginfo-5.5.14-7.1 php5-pcntl-5.5.14-7.1 php5-pcntl-debuginfo-5.5.14-7.1 php5-pdo-5.5.14-7.1 php5-pdo-debuginfo-5.5.14-7.1 php5-pgsql-5.5.14-7.1 php5-pgsql-debuginfo-5.5.14-7.1 php5-pspell-5.5.14-7.1 php5-pspell-debuginfo-5.5.14-7.1 php5-shmop-5.5.14-7.1 php5-shmop-debuginfo-5.5.14-7.1 php5-snmp-5.5.14-7.1 php5-snmp-debuginfo-5.5.14-7.1 php5-soap-5.5.14-7.1 php5-soap-debuginfo-5.5.14-7.1 php5-sockets-5.5.14-7.1 php5-sockets-debuginfo-5.5.14-7.1 php5-sqlite-5.5.14-7.1 php5-sqlite-debuginfo-5.5.14-7.1 php5-suhosin-5.5.14-7.1 php5-suhosin-debuginfo-5.5.14-7.1 php5-sysvmsg-5.5.14-7.1 php5-sysvmsg-debuginfo-5.5.14-7.1 php5-sysvsem-5.5.14-7.1 php5-sysvsem-debuginfo-5.5.14-7.1 php5-sysvshm-5.5.14-7.1 php5-sysvshm-debuginfo-5.5.14-7.1 php5-tokenizer-5.5.14-7.1 php5-tokenizer-debuginfo-5.5.14-7.1 php5-wddx-5.5.14-7.1 php5-wddx-debuginfo-5.5.14-7.1 php5-xmlreader-5.5.14-7.1 php5-xmlreader-debuginfo-5.5.14-7.1 php5-xmlrpc-5.5.14-7.1 php5-xmlrpc-debuginfo-5.5.14-7.1 php5-xmlwriter-5.5.14-7.1 php5-xmlwriter-debuginfo-5.5.14-7.1 php5-xsl-5.5.14-7.1 php5-xsl-debuginfo-5.5.14-7.1 php5-zip-5.5.14-7.1 php5-zip-debuginfo-5.5.14-7.1 php5-zlib-5.5.14-7.1 php5-zlib-debuginfo-5.5.14-7.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php5-pear-5.5.14-7.1 References: http://support.novell.com/security/cve/CVE-2014-3668.html http://support.novell.com/security/cve/CVE-2014-3669.html http://support.novell.com/security/cve/CVE-2014-3670.html https://bugzilla.suse.com/show_bug.cgi?id=902357 https://bugzilla.suse.com/show_bug.cgi?id=902360 https://bugzilla.suse.com/show_bug.cgi?id=902368 From sle-security-updates at lists.suse.com Thu Nov 27 02:04:49 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 27 Nov 2014 10:04:49 +0100 (CET) Subject: SUSE-SU-2014:1510-1: moderate: Security update for MozillaFirefox and 
mozilla-nss Message-ID: <20141127090449.0CCF932299@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox and mozilla-nss ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1510-1 Rating: moderate References: #897890 #900941 Cross-References: CVE-2014-1568 CVE-2014-1574 CVE-2014-1575 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 CVE-2014-1585 CVE-2014-1586 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. Description: - update to Firefox 31.2.0 ESR (bnc#900941) * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 (bmo#1001994, bmo#1011354, bmo#1018916, bmo#1020034, bmo#1023035, bmo#1032208, bmo#1033020, bmo#1034230, bmo#1061214, bmo#1061600, bmo#1064346, bmo#1072044, bmo#1072174) Miscellaneous memory safety hazards (rv:33.0/rv:31.2) * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API - SSLv3 is disabled by default. See README.POODLE for more detailed information. 
- disable call home features - update to 3.17.2 (bnc#900941) Bugfix release * bmo#1049435 - Importing an RSA private key fails if p < q * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key * bmo#1078669 - certutil crashes when using the --certVersion parameter - changes from earlier version of the 3.17 branch: update to 3.17.1 (bnc#897890) * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405) RSA Signature Forgery in NSS * Change library's signature algorithm default to SHA256 * Add support for draft-ietf-tls-downgrade-scsv * Add clang-cl support to the NSS build system * Implement TLS 1.3: * Part 1. Negotiate TLS 1.3 * Part 2. Remove deprecated cipher suites and compression. * Add support for little-endian powerpc64 update to 3.17 * required for Firefox 33 New functionality: * When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH key is reused for multiple handshakes. This option does not affect the TLS client code, which always generates a fresh ephemeral ECDH key for each handshake. New Macros * SSL_REUSE_SERVER_ECDHE_KEY Notable Changes: * The manual pages for the certutil and pp tools have been updated to document the new parameters that had been added in NSS 3.16.2. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2014-81 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2014-81 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-81 To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): MozillaFirefox-debuginfo-31.2.0esr-6.4 MozillaFirefox-debugsource-31.2.0esr-6.4 MozillaFirefox-devel-31.2.0esr-6.4 mozilla-nss-debuginfo-3.17.2-8.2 mozilla-nss-debugsource-3.17.2-8.2 mozilla-nss-devel-3.17.2-8.2 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): MozillaFirefox-31.2.0esr-6.4 MozillaFirefox-branding-SLE-31-4.1 MozillaFirefox-debuginfo-31.2.0esr-6.4 MozillaFirefox-debugsource-31.2.0esr-6.4 MozillaFirefox-translations-31.2.0esr-6.4 libfreebl3-3.17.2-8.2 libfreebl3-debuginfo-3.17.2-8.2 libfreebl3-hmac-3.17.2-8.2 libsoftokn3-3.17.2-8.2 libsoftokn3-debuginfo-3.17.2-8.2 libsoftokn3-hmac-3.17.2-8.2 mozilla-nss-3.17.2-8.2 mozilla-nss-certs-3.17.2-8.2 mozilla-nss-certs-debuginfo-3.17.2-8.2 mozilla-nss-debuginfo-3.17.2-8.2 mozilla-nss-debugsource-3.17.2-8.2 mozilla-nss-tools-3.17.2-8.2 mozilla-nss-tools-debuginfo-3.17.2-8.2 - SUSE Linux Enterprise Desktop 12 (x86_64): MozillaFirefox-31.2.0esr-6.4 MozillaFirefox-branding-SLE-31-4.1 MozillaFirefox-debuginfo-31.2.0esr-6.4 MozillaFirefox-debugsource-31.2.0esr-6.4 MozillaFirefox-translations-31.2.0esr-6.4 libfreebl3-3.17.2-8.2 libfreebl3-debuginfo-3.17.2-8.2 libsoftokn3-3.17.2-8.2 libsoftokn3-debuginfo-3.17.2-8.2 mozilla-nss-3.17.2-8.2 mozilla-nss-certs-3.17.2-8.2 mozilla-nss-certs-debuginfo-3.17.2-8.2 mozilla-nss-debuginfo-3.17.2-8.2 mozilla-nss-debugsource-3.17.2-8.2 mozilla-nss-tools-3.17.2-8.2 mozilla-nss-tools-debuginfo-3.17.2-8.2 References: http://support.novell.com/security/cve/CVE-2014-1568.html http://support.novell.com/security/cve/CVE-2014-1574.html http://support.novell.com/security/cve/CVE-2014-1575.html http://support.novell.com/security/cve/CVE-2014-1576.html http://support.novell.com/security/cve/CVE-2014-1577.html http://support.novell.com/security/cve/CVE-2014-1578.html http://support.novell.com/security/cve/CVE-2014-1581.html http://support.novell.com/security/cve/CVE-2014-1583.html 
http://support.novell.com/security/cve/CVE-2014-1585.html http://support.novell.com/security/cve/CVE-2014-1586.html https://bugzilla.suse.com/show_bug.cgi?id=897890 https://bugzilla.suse.com/show_bug.cgi?id=900941 From sle-security-updates at lists.suse.com Thu Nov 27 02:05:21 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 27 Nov 2014 10:05:21 +0100 (CET) Subject: SUSE-SU-2014:1511-1: moderate: Security update for python, python-base, python-doc Message-ID: <20141127090521.AB53532299@maintenance.suse.de> SUSE Security Update: Security update for python, python-base, python-doc ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1511-1 Rating: moderate References: #898572 Cross-References: CVE-2014-7185 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: python, python-base, python-doc was updated to fix one security issue. This security issue was fixed: - Fixed potential buffer overflow in buffer() (CVE-2014-7185). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2014-82 - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2014-82 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2014-82 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-82 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Workstation Extension 12 (x86_64): python-base-debuginfo-2.7.7-5.2 python-base-debugsource-2.7.7-5.2 python-devel-2.7.7-5.2 - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): python-base-debuginfo-2.7.7-5.2 python-base-debugsource-2.7.7-5.2 python-devel-2.7.7-5.2 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): libpython2_7-1_0-2.7.7-5.2 libpython2_7-1_0-debuginfo-2.7.7-5.2 python-2.7.7-5.1 python-base-2.7.7-5.2 python-base-debuginfo-2.7.7-5.2 python-base-debugsource-2.7.7-5.2 python-curses-2.7.7-5.1 python-curses-debuginfo-2.7.7-5.1 python-debuginfo-2.7.7-5.1 python-debugsource-2.7.7-5.1 python-demo-2.7.7-5.1 python-gdbm-2.7.7-5.1 python-gdbm-debuginfo-2.7.7-5.1 python-idle-2.7.7-5.1 python-tk-2.7.7-5.1 python-tk-debuginfo-2.7.7-5.1 python-xml-2.7.7-5.2 python-xml-debuginfo-2.7.7-5.2 - SUSE Linux Enterprise Server 12 (noarch): python-doc-2.7.7-5.1 python-doc-pdf-2.7.7-5.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libpython2_7-1_0-2.7.7-5.2 libpython2_7-1_0-debuginfo-2.7.7-5.2 python-2.7.7-5.1 python-base-2.7.7-5.2 python-base-debuginfo-2.7.7-5.2 python-base-debugsource-2.7.7-5.2 python-curses-2.7.7-5.1 python-curses-debuginfo-2.7.7-5.1 python-debuginfo-2.7.7-5.1 python-debugsource-2.7.7-5.1 python-devel-2.7.7-5.2 python-tk-2.7.7-5.1 python-tk-debuginfo-2.7.7-5.1 python-xml-2.7.7-5.2 python-xml-debuginfo-2.7.7-5.2 References: http://support.novell.com/security/cve/CVE-2014-7185.html https://bugzilla.suse.com/show_bug.cgi?id=898572 From sle-security-updates at lists.suse.com Thu Nov 27 02:05:38 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 27 Nov 2014 10:05:38 +0100 (CET) Subject: SUSE-SU-2014:1512-1: moderate: Security update for compat-openssl098 Message-ID: <20141127090538.5C50332299@maintenance.suse.de> SUSE Security Update: Security update for compat-openssl098 
______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1512-1 Rating: moderate References: #901223 #901277 Cross-References: CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 Affected Products: SUSE Linux Enterprise Module for Legacy Software 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: compat-openssl098 was updated to fix three security issues. NOTE: this update alone DOESN'T FIX the POODLE SSL protocol vulnerability. OpenSSL only adds downgrade detection support for client applications. See https://www.suse.com/support/kb/doc.php?id=7015773 for mitigations. These security issues were fixed: - Session ticket memory leak (CVE-2014-3567). - Fixed build option no-ssl3 (CVE-2014-3568). - Added support for TLS_FALLBACK_SCSV (CVE-2014-3566). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2014-83 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-83 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64): compat-openssl098-debugsource-0.9.8j-62.1 libopenssl0_9_8-0.9.8j-62.1 libopenssl0_9_8-debuginfo-0.9.8j-62.1 - SUSE Linux Enterprise Desktop 12 (x86_64): compat-openssl098-debugsource-0.9.8j-62.1 libopenssl0_9_8-0.9.8j-62.1 libopenssl0_9_8-debuginfo-0.9.8j-62.1 References: http://support.novell.com/security/cve/CVE-2014-3566.html http://support.novell.com/security/cve/CVE-2014-3567.html http://support.novell.com/security/cve/CVE-2014-3568.html https://bugzilla.suse.com/show_bug.cgi?id=901223 https://bugzilla.suse.com/show_bug.cgi?id=901277 From sle-security-updates at lists.suse.com Thu Nov 27 19:04:43 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 28 Nov 2014 03:04:43 +0100 (CET) Subject: SUSE-SU-2014:1518-1: moderate: Security update for Python Message-ID: <20141128020443.A8B5832298@maintenance.suse.de> SUSE Security Update: Security update for Python ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1518-1 Rating: moderate References: #898572 #901715 Cross-References: CVE-2014-7185 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. It includes one version update. Description: Python was updated to fix one security issue: * Potential wraparound/overflow in buffer() (CVE-2014-7185) As an additional hardening measure SSLv2 has been disabled (bnc#901715). Security Issues: * CVE-2014-7185 Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-python-2014-11-19-9996 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-python-2014-11-19-9996 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-python-2014-11-19-9996 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-python-2014-11-19-9996 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.9]: python-devel-2.6.9-0.33.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64) [New Version: 2.6.9]: python-demo-2.6.9-0.33.1 python-gdbm-2.6.9-0.33.1 python-idle-2.6.9-0.33.1 python-tk-2.6.9-0.33.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64) [New Version: 2.6.9]: python-32bit-2.6.9-0.33.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch): python-doc-2.6-8.33.1 python-doc-pdf-2.6-8.33.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 2.6.9]: libpython2_6-1_0-2.6.9-0.33.1 python-2.6.9-0.33.1 python-base-2.6.9-0.33.1 python-curses-2.6.9-0.33.1 python-demo-2.6.9-0.33.1 python-gdbm-2.6.9-0.33.1 python-idle-2.6.9-0.33.1 python-tk-2.6.9-0.33.1 python-xml-2.6.9-0.33.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 2.6.9]: libpython2_6-1_0-32bit-2.6.9-0.33.1 python-32bit-2.6.9-0.33.1 python-base-32bit-2.6.9-0.33.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (noarch): python-doc-2.6-8.33.1 python-doc-pdf-2.6-8.33.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.9]: libpython2_6-1_0-2.6.9-0.33.1 python-2.6.9-0.33.1 python-base-2.6.9-0.33.1 python-curses-2.6.9-0.33.1 python-demo-2.6.9-0.33.1 python-gdbm-2.6.9-0.33.1 python-idle-2.6.9-0.33.1 python-tk-2.6.9-0.33.1 python-xml-2.6.9-0.33.1 - SUSE Linux Enterprise 
Server 11 SP3 (ppc64 s390x x86_64) [New Version: 2.6.9]: libpython2_6-1_0-32bit-2.6.9-0.33.1 python-32bit-2.6.9-0.33.1 python-base-32bit-2.6.9-0.33.1 - SUSE Linux Enterprise Server 11 SP3 (noarch): python-doc-2.6-8.33.1 python-doc-pdf-2.6-8.33.1 - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 2.6.9]: libpython2_6-1_0-x86-2.6.9-0.33.1 python-base-x86-2.6.9-0.33.1 python-x86-2.6.9-0.33.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 2.6.9]: libpython2_6-1_0-2.6.9-0.33.1 python-2.6.9-0.33.1 python-base-2.6.9-0.33.1 python-curses-2.6.9-0.33.1 python-devel-2.6.9-0.33.1 python-tk-2.6.9-0.33.1 python-xml-2.6.9-0.33.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 2.6.9]: libpython2_6-1_0-32bit-2.6.9-0.33.1 python-base-32bit-2.6.9-0.33.1 References: http://support.novell.com/security/cve/CVE-2014-7185.html https://bugzilla.suse.com/show_bug.cgi?id=898572 https://bugzilla.suse.com/show_bug.cgi?id=901715 http://download.suse.com/patch/finder/?keywords=c5b0994dea1693becfd8d76b2b716f87 From sle-security-updates at lists.suse.com Thu Nov 27 22:05:41 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 28 Nov 2014 06:05:41 +0100 (CET) Subject: SUSE-SU-2014:1519-1: moderate: Security update for evolution-data-server Message-ID: <20141128050541.B121F3229F@maintenance.suse.de> SUSE Security Update: Security update for evolution-data-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1519-1 Rating: moderate References: #901553 Cross-References: CVE-2014-3566 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: evolution-data-server has been updated to disable support for SSLv3. This security issue has been fixed: * SSLv3 POODLE attack (CVE-2014-3566) Security Issues: * CVE-2014-3566 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-evolution-data-server-9969 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-evolution-data-server-9969 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-evolution-data-server-9969 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-evolution-data-server-9969 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): evolution-data-server-devel-2.28.2-0.32.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): evolution-data-server-2.28.2-0.32.1 evolution-data-server-lang-2.28.2-0.32.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): evolution-data-server-32bit-2.28.2-0.32.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): evolution-data-server-2.28.2-0.32.1 evolution-data-server-lang-2.28.2-0.32.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): evolution-data-server-32bit-2.28.2-0.32.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): evolution-data-server-x86-2.28.2-0.32.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): evolution-data-server-2.28.2-0.32.1 evolution-data-server-lang-2.28.2-0.32.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): evolution-data-server-32bit-2.28.2-0.32.1 References: http://support.novell.com/security/cve/CVE-2014-3566.html https://bugzilla.suse.com/show_bug.cgi?id=901553 http://download.suse.com/patch/finder/?keywords=d055797f8ab348539e157aa0f7d403c6 From sle-security-updates at lists.suse.com Thu Nov 27 23:04:40 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 28 Nov 2014 07:04:40 +0100 (CET) Subject: SUSE-SU-2014:1520-1: moderate: Security update for wireshark Message-ID: <20141128060440.0B8D23229F@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1520-1 Rating: moderate References: #899303 #905245 #905246 #905247 #905248 Cross-References: CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. It includes one version update. Description: wireshark has been updated to version 1.10.11 to fix five security issues. These security issues have been fixed: * SigComp UDVM buffer overflow (CVE-2014-8710). * AMQP dissector crash (CVE-2014-8711). * NCP dissector crashes (CVE-2014-8712, CVE-2014-8713). * TN5250 infinite loops (CVE-2014-8714). This non-security issue has been fixed: * enable zlib (bnc#899303). Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-1.10.11.html Security Issues: * CVE-2014-8711 * CVE-2014-8710 * CVE-2014-8714 * CVE-2014-8712 * CVE-2014-8713 Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-wireshark-9968 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-wireshark-9968 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-wireshark-9968 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-wireshark-9968 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.10.11]: wireshark-devel-1.10.11-0.2.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64) [New Version: 1.10.11]: wireshark-1.10.11-0.2.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 1.10.11]: wireshark-1.10.11-0.2.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.10.11]: wireshark-1.10.11-0.2.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.10.11]: wireshark-1.10.11-0.2.1 References: http://support.novell.com/security/cve/CVE-2014-8710.html http://support.novell.com/security/cve/CVE-2014-8711.html http://support.novell.com/security/cve/CVE-2014-8712.html http://support.novell.com/security/cve/CVE-2014-8713.html http://support.novell.com/security/cve/CVE-2014-8714.html https://bugzilla.suse.com/show_bug.cgi?id=899303 https://bugzilla.suse.com/show_bug.cgi?id=905245 https://bugzilla.suse.com/show_bug.cgi?id=905246 https://bugzilla.suse.com/show_bug.cgi?id=905247 https://bugzilla.suse.com/show_bug.cgi?id=905248 http://download.suse.com/patch/finder/?keywords=3492e3c53fb11fb448076c7c42a49659 From sle-security-updates at lists.suse.com Fri Nov 28 03:06:06 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 28 Nov 2014 11:06:06 +0100 (CET) Subject: SUSE-SU-2014:1524-1: moderate: Security update for openssl Message-ID: 
<20141128100606.3C1A2322A0@maintenance.suse.de> SUSE Security Update: Security update for openssl ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1524-1 Rating: moderate References: #901223 #901277 Cross-References: CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: openssl was updated to fix four security issues. These security issues were fixed: - SRTP Memory Leak (CVE-2014-3513). - Session Ticket Memory Leak (CVE-2014-3567). - Fixed incomplete no-ssl3 build option (CVE-2014-3568). - Add support for TLS_FALLBACK_SCSV (CVE-2014-3566). NOTE: This update alone DOESN'T FIX the POODLE SSL protocol vulnerability. OpenSSL only adds downgrade detection support for client applications. See https://www.suse.com/support/kb/doc.php?id=7015773 for mitigations. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2014-84 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2014-84 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-84 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): libopenssl-devel-1.0.1i-5.1 openssl-debuginfo-1.0.1i-5.1 openssl-debugsource-1.0.1i-5.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): libopenssl1_0_0-1.0.1i-5.1 libopenssl1_0_0-debuginfo-1.0.1i-5.1 libopenssl1_0_0-hmac-1.0.1i-5.1 openssl-1.0.1i-5.1 openssl-debuginfo-1.0.1i-5.1 openssl-debugsource-1.0.1i-5.1 - SUSE Linux Enterprise Server 12 (noarch): openssl-doc-1.0.1i-5.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libopenssl1_0_0-1.0.1i-5.1 libopenssl1_0_0-debuginfo-1.0.1i-5.1 openssl-1.0.1i-5.1 openssl-debuginfo-1.0.1i-5.1 openssl-debugsource-1.0.1i-5.1 References: http://support.novell.com/security/cve/CVE-2014-3513.html http://support.novell.com/security/cve/CVE-2014-3566.html http://support.novell.com/security/cve/CVE-2014-3567.html http://support.novell.com/security/cve/CVE-2014-3568.html https://bugzilla.suse.com/show_bug.cgi?id=901223 https://bugzilla.suse.com/show_bug.cgi?id=901277 From sle-security-updates at lists.suse.com Fri Nov 28 11:05:38 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 28 Nov 2014 19:05:38 +0100 (CET) Subject: SUSE-SU-2014:1526-1: important: Security update for IBM Java Message-ID: <20141128180538.37CC032336@maintenance.suse.de> SUSE Security Update: Security update for IBM Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1526-1 Rating: important References: #904889 Cross-References: CVE-2014-3065 CVE-2014-3566 CVE-2014-4288 CVE-2014-6456 CVE-2014-6457 CVE-2014-6458 CVE-2014-6466 CVE-2014-6476 CVE-2014-6492 CVE-2014-6493 CVE-2014-6502 CVE-2014-6503 CVE-2014-6506 CVE-2014-6511 CVE-2014-6512 CVE-2014-6513 CVE-2014-6515 CVE-2014-6527 CVE-2014-6531 CVE-2014-6532 CVE-2014-6558 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise 
Server 11 SP3 ______________________________________________________________________________ An update that fixes 21 vulnerabilities is now available. Description: java-1_7_0-ibm has been updated to version 1.7.0_sr7.2 to fix 21 security issues. These security issues have been fixed: * Unspecified vulnerability (CVE-2014-3065). * The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue (CVE-2014-3566). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT (CVE-2014-6513). * Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors (CVE-2014-6456). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532 (CVE-2014-6503). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503 (CVE-2014-6532). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532 (CVE-2014-4288). 
* Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532 (CVE-2014-6493). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (CVE-2014-6492). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (CVE-2014-6458). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (CVE-2014-6466). * Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (CVE-2014-6506). * Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527 (CVE-2014-6476). * Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment (CVE-2014-6515). * Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D (CVE-2014-6511). * Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries (CVE-2014-6531). 
* Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries (CVE-2014-6512).
* Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE (CVE-2014-6457).
* Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476 (CVE-2014-6527).
* Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries (CVE-2014-6502).
* Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security (CVE-2014-6558).

More information can be found at
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2014

Security Issues:

* CVE-2014-3065
* CVE-2014-3566
* CVE-2014-6506
* CVE-2014-6511
* CVE-2014-6531
* CVE-2014-6512
* CVE-2014-6457
* CVE-2014-6502
* CVE-2014-6558
* CVE-2014-6513
* CVE-2014-6503
* CVE-2014-4288
* CVE-2014-6493
* CVE-2014-6532
* CVE-2014-6492
* CVE-2014-6458
* CVE-2014-6466
* CVE-2014-6515
* CVE-2014-6456
* CVE-2014-6476
* CVE-2014-6527

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-java-1_6_0-ibm-9992 sdksp3-java-1_7_0-ibm-9999

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-java-1_6_0-ibm-9992 slessp3-java-1_7_0-ibm-9999

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-java-1_6_0-ibm-9992 slessp3-java-1_7_0-ibm-9999

To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-devel-1.6.0_sr16.2-0.3.1
      java-1_7_0-ibm-devel-1.7.0_sr8.0-0.5.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr16.2-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.2-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr16.2-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.2-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.2-0.3.1
      java-1_6_0-ibm-plugin-1.6.0_sr16.2-0.3.1
      java-1_7_0-ibm-1.7.0_sr8.0-0.5.1
      java-1_7_0-ibm-alsa-1.7.0_sr8.0-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr8.0-0.5.1
      java-1_7_0-ibm-plugin-1.7.0_sr8.0-0.5.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.2-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.2-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.2-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.2-0.3.1
      java-1_7_0-ibm-1.7.0_sr8.0-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr8.0-0.5.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.2-0.3.1
      java-1_7_0-ibm-alsa-1.7.0_sr8.0-0.5.1
      java-1_7_0-ibm-plugin-1.7.0_sr8.0-0.5.1

   - SUSE Linux Enterprise Server 11 SP3 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.2-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2014-3065.html
   http://support.novell.com/security/cve/CVE-2014-3566.html
   http://support.novell.com/security/cve/CVE-2014-4288.html
   http://support.novell.com/security/cve/CVE-2014-6456.html
   http://support.novell.com/security/cve/CVE-2014-6457.html
   http://support.novell.com/security/cve/CVE-2014-6458.html
   http://support.novell.com/security/cve/CVE-2014-6466.html
   http://support.novell.com/security/cve/CVE-2014-6476.html
   http://support.novell.com/security/cve/CVE-2014-6492.html
   http://support.novell.com/security/cve/CVE-2014-6493.html
   http://support.novell.com/security/cve/CVE-2014-6502.html
   http://support.novell.com/security/cve/CVE-2014-6503.html
   http://support.novell.com/security/cve/CVE-2014-6506.html
   http://support.novell.com/security/cve/CVE-2014-6511.html
   http://support.novell.com/security/cve/CVE-2014-6512.html
   http://support.novell.com/security/cve/CVE-2014-6513.html
   http://support.novell.com/security/cve/CVE-2014-6515.html
   http://support.novell.com/security/cve/CVE-2014-6527.html
   http://support.novell.com/security/cve/CVE-2014-6531.html
   http://support.novell.com/security/cve/CVE-2014-6532.html
   http://support.novell.com/security/cve/CVE-2014-6558.html
   https://bugzilla.suse.com/show_bug.cgi?id=904889
   http://download.suse.com/patch/finder/?keywords=47835bf177c54f65a9963dc0f95bf5a8
   http://download.suse.com/patch/finder/?keywords=7276d3e6b69f3806941401a132b58c6b