From sle-security-updates at lists.suse.com Mon Feb 2 02:05:19 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 2 Feb 2015 10:05:19 +0100 (CET) Subject: SUSE-SU-2015:0188-1: moderate: Security update for clamav Message-ID: <20150202090519.7D4273236B@maintenance.suse.de> SUSE Security Update: Security update for clamav ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0188-1 Rating: moderate References: #903489 #903719 #904207 #906077 #906770 #908731 #914505 Cross-References: CVE-2013-6497 CVE-2014-9050 Affected Products: SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves two vulnerabilities and has 5 fixes is now available. Description: Clamav was updated to version 0.98.5: * Support for the XDP file format and extracting, decoding, and scanning PDF files within XDP files. * Addition of shared library support for LLVM versions 3.1 - 3.5 for the purpose of just-in-time(JIT) compilation of ClamAV bytecode signatures. * Enhancements to the clambc command line utility to assist ClamAV bytecode signature authors by providing introspection into compiled bytecode programs. * Resolution of many of the warning messages from ClamAV compilation. * Improved detection of malicious PE files (bnc#906770, CVE-2014-9050) * Security fix for ClamAV crash when using 'clamscan -a'. * Security fix for ClamAV crash when scanning maliciously crafted yoda's crypter files (bnc#906077, CVE-2013-6497). * ClamAV 0.98.5 now works with OpenSSL in FIPS compliant mode (bnc#904207). * Fix server socket setup code in clamd (bnc#903489). - Change updateclamconf to prefer the state of the old config file even for commented-out options (bnc#903719) (bnc#908731). Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-49 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-49 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): clamav-0.98.5-6.1 clamav-debuginfo-0.98.5-6.1 clamav-debugsource-0.98.5-6.1 - SUSE Linux Enterprise Desktop 12 (x86_64): clamav-0.98.5-6.1 clamav-debuginfo-0.98.5-6.1 clamav-debugsource-0.98.5-6.1 References: http://support.novell.com/security/cve/CVE-2013-6497.html http://support.novell.com/security/cve/CVE-2014-9050.html https://bugzilla.suse.com/show_bug.cgi?id=903489 https://bugzilla.suse.com/show_bug.cgi?id=903719 https://bugzilla.suse.com/show_bug.cgi?id=904207 https://bugzilla.suse.com/show_bug.cgi?id=906077 https://bugzilla.suse.com/show_bug.cgi?id=906770 https://bugzilla.suse.com/show_bug.cgi?id=908731 https://bugzilla.suse.com/show_bug.cgi?id=914505 From sle-security-updates at lists.suse.com Tue Feb 3 10:08:56 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 3 Feb 2015 18:08:56 +0100 (CET) Subject: SUSE-SU-2015:0205-1: moderate: Security update for openssl Message-ID: <20150203170856.6C1253236B@maintenance.suse.de> SUSE Security Update: Security update for openssl ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0205-1 Rating: moderate References: #855676 #895129 #901902 #906878 #908362 #908372 #912014 #912015 #912018 #912292 #912293 #912294 #912296 Cross-References: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves 7 
vulnerabilities and has 6 fixes is now available. Description: OpenSSL was updated to fix security issues and also provide FIPS compliance. Security issues fixed: CVE-2014-3570: Bignum squaring (BN_sqr) may have produced incorrect results on some platforms, including x86_64. CVE-2014-3571: Fixed crash in dtls1_get_record whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record. CVE-2014-3572: No longer accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted. CVE-2014-8275: Fixed various certificate fingerprint issues. CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites. CVE-2015-0205: Fix to prevent use of DH client certificates without sending certificate verify message. CVE-2015-0206: A memory leak could have occured in dtls1_buffer_record. Bugfixes: - Do not advertise curves we don't support (bsc#906878) FIPS changes: - Make RSA2 key generation FIPS 186-4 compliant (bsc#901902) - X9.31 rand method is not allowed in FIPS mode. - Do not allow dynamic ENGINEs loading in FIPS mode. - Added a locking hack which prevents hangs in FIPS mode (bsc#895129) - In non-FIPS RSA key generation, mirror the maximum and minimum limiters from FIPS rsa generation to meet Common Criteria and BSI TR requirements on minimum and maximum distances between p and q. (bsc#908362) - Do constant reseeding from /dev/urandom; for every random byte pulled, seed with one byte from /dev/urandom, also change RAND_poll to pull the full state size of the SSLEAY DRBG to fulfil Common Criteria requirements. (bsc#908372) FIPS mode can be enabled by either using the environment variable OPENSSL_FORCE_FIPS_MODE=1 or supplying the "fips=1" parameter on the kernel boot commandline. Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-52 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-52 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-52 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): libopenssl-devel-1.0.1i-17.1 openssl-debuginfo-1.0.1i-17.1 openssl-debugsource-1.0.1i-17.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): libopenssl1_0_0-1.0.1i-17.1 libopenssl1_0_0-debuginfo-1.0.1i-17.1 libopenssl1_0_0-hmac-1.0.1i-17.1 openssl-1.0.1i-17.1 openssl-debuginfo-1.0.1i-17.1 openssl-debugsource-1.0.1i-17.1 - SUSE Linux Enterprise Server 12 (s390x x86_64): libopenssl1_0_0-32bit-1.0.1i-17.1 libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1 libopenssl1_0_0-hmac-32bit-1.0.1i-17.1 - SUSE Linux Enterprise Server 12 (noarch): openssl-doc-1.0.1i-17.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libopenssl1_0_0-1.0.1i-17.1 libopenssl1_0_0-32bit-1.0.1i-17.1 libopenssl1_0_0-debuginfo-1.0.1i-17.1 libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1 openssl-1.0.1i-17.1 openssl-debuginfo-1.0.1i-17.1 openssl-debugsource-1.0.1i-17.1 References: http://support.novell.com/security/cve/CVE-2014-3570.html http://support.novell.com/security/cve/CVE-2014-3571.html http://support.novell.com/security/cve/CVE-2014-3572.html http://support.novell.com/security/cve/CVE-2014-8275.html http://support.novell.com/security/cve/CVE-2015-0204.html http://support.novell.com/security/cve/CVE-2015-0205.html http://support.novell.com/security/cve/CVE-2015-0206.html https://bugzilla.suse.com/show_bug.cgi?id=855676 https://bugzilla.suse.com/show_bug.cgi?id=895129 https://bugzilla.suse.com/show_bug.cgi?id=901902 https://bugzilla.suse.com/show_bug.cgi?id=906878 https://bugzilla.suse.com/show_bug.cgi?id=908362 
https://bugzilla.suse.com/show_bug.cgi?id=908372 https://bugzilla.suse.com/show_bug.cgi?id=912014 https://bugzilla.suse.com/show_bug.cgi?id=912015 https://bugzilla.suse.com/show_bug.cgi?id=912018 https://bugzilla.suse.com/show_bug.cgi?id=912292 https://bugzilla.suse.com/show_bug.cgi?id=912293 https://bugzilla.suse.com/show_bug.cgi?id=912294 https://bugzilla.suse.com/show_bug.cgi?id=912296 From sle-security-updates at lists.suse.com Tue Feb 3 11:06:50 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 3 Feb 2015 19:06:50 +0100 (CET) Subject: SUSE-SU-2015:0207-1: moderate: Security update for libjasper Message-ID: <20150203180650.4FA7E3236B@maintenance.suse.de> SUSE Security Update: Security update for libjasper ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0207-1 Rating: moderate References: #906364 Cross-References: CVE-2014-9029 Affected Products: SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libjasper fixes multiple off-by-one errors which could allow remote attackers to execute arbitrary code via a heap-based buffer overflow triggered by a crafted jp2 (JPEG 2000) file. (bsc#906364, CVE-2014-9029) Security Issues: * CVE-2014-9029 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-libjasper-10072 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libjasper-10072 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libjasper-10072 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): libjasper-1.900.1-134.13.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libjasper-32bit-1.900.1-134.13.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): libjasper-1.900.1-134.13.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libjasper-32bit-1.900.1-134.13.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libjasper-x86-1.900.1-134.13.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): libjasper-1.900.1-134.13.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libjasper-32bit-1.900.1-134.13.1 References: http://support.novell.com/security/cve/CVE-2014-9029.html https://bugzilla.suse.com/show_bug.cgi?id=906364 http://download.suse.com/patch/finder/?keywords=484258c98edb7e8ca52664afed121f81 From sle-security-updates at lists.suse.com Wed Feb 4 03:04:49 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Feb 2015 11:04:49 +0100 (CET) Subject: SUSE-SU-2015:0208-1: moderate: Security update for mpfr Message-ID: <20150204100449.C512C3236B@maintenance.suse.de> SUSE Security Update: Security update for mpfr ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0208-1 Rating: moderate References: #911812 Cross-References: CVE-2014-9474 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update fixes the following security issue: - CVE-2014-9474: possible buffer overflow in mpfr_strtofr (bnc#911812) Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-53 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-53 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-53 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): mpfr-debugsource-3.1.2-7.1 mpfr-devel-3.1.2-7.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): libmpfr4-3.1.2-7.1 libmpfr4-debuginfo-3.1.2-7.1 mpfr-debugsource-3.1.2-7.1 - SUSE Linux Enterprise Server 12 (s390x x86_64): libmpfr4-32bit-3.1.2-7.1 libmpfr4-debuginfo-32bit-3.1.2-7.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libmpfr4-3.1.2-7.1 libmpfr4-debuginfo-3.1.2-7.1 mpfr-debugsource-3.1.2-7.1 References: http://support.novell.com/security/cve/CVE-2014-9474.html https://bugzilla.suse.com/show_bug.cgi?id=911812 From sle-security-updates at lists.suse.com Wed Feb 4 17:04:43 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Feb 2015 01:04:43 +0100 (CET) Subject: SUSE-SU-2015:0219-1: Security update for libmpfr Message-ID: <20150205000443.125D932369@maintenance.suse.de> SUSE Security Update: Security update for libmpfr ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0219-1 Rating: low References: #911812 Cross-References: CVE-2014-9474 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libmpfr fixes a buffer overflow in mpfr_strtofr. 
(CVE-2014-9474) Security Issues: * CVE-2014-9474 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-libmpfr1-10212 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-libmpfr1-10212 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libmpfr1-10212 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libmpfr1-10212 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): mpfr-devel-2.3.2-3.118.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64): mpfr-devel-32bit-2.3.2-3.118.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64): libmpfr1-32bit-2.3.2-3.118.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): libmpfr1-2.3.2-3.118.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libmpfr1-32bit-2.3.2-3.118.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): libmpfr1-2.3.2-3.118.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libmpfr1-32bit-2.3.2-3.118.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libmpfr1-x86-2.3.2-3.118.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): libmpfr1-2.3.2-3.118.1 References: http://support.novell.com/security/cve/CVE-2014-9474.html https://bugzilla.suse.com/show_bug.cgi?id=911812 http://download.suse.com/patch/finder/?keywords=b3636c02e7dfd8e676a5d86b23f1daff From sle-security-updates at lists.suse.com Wed Feb 4 17:08:31 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Feb 2015 01:08:31 +0100 (CET) Subject: SUSE-SU-2015:0221-1: Security update for python-keystoneclient Message-ID: <20150205000831.13B2B32369@maintenance.suse.de> SUSE Security Update: Security 
update for python-keystoneclient ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0221-1 Rating: low References: #897103 #913692 Cross-References: CVE-2014-7144 Affected Products: SUSE Cloud 4 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for python-keystoneclient provides the following security-fix: * Fix the condition expression for ssl_insecure (bnc#897103, CVE-2014-7144) Security Issues: * CVE-2014-7144 Contraindications: Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Cloud 4: zypper in -t patch sleclo40sp3-python-keystoneclient-10190 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Cloud 4 (x86_64): python-keystoneclient-0.9.0-0.11.1 python-keystoneclient-doc-0.9.0-0.11.1 References: http://support.novell.com/security/cve/CVE-2014-7144.html https://bugzilla.suse.com/show_bug.cgi?id=897103 https://bugzilla.suse.com/show_bug.cgi?id=913692 http://download.suse.com/patch/finder/?keywords=f6d7f2b6ee52b6bd7eca74287f9f0b01 From sle-security-updates at lists.suse.com Fri Feb 6 10:05:28 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 6 Feb 2015 18:05:28 +0100 (CET) Subject: SUSE-SU-2015:0232-1: moderate: Security update for powerpc-utils Message-ID: <20150206170528.AD0163236B@maintenance.suse.de> SUSE Security Update: Security update for powerpc-utils ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0232-1 Rating: moderate References: #883174 #901216 Cross-References: CVE-2014-4040 Affected Products: SUSE Linux Enterprise Server 12 ______________________________________________________________________________ An update that solves one 
vulnerability and has one errata is now available. Description: powerpc-utils was updated to fix one security issue. This security issue was fixed: - May expose passwords from fstab or yaboot.con (CVE-2014-4040). This additional fix was included: - LPAR crashes when drmgr attempts to offline last remaining cpu core (bnc#901216) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-57=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12 (ppc64le): powerpc-utils-1.2.22-7.1 powerpc-utils-debuginfo-1.2.22-7.1 powerpc-utils-debugsource-1.2.22-7.1 References: http://support.novell.com/security/cve/CVE-2014-4040.html https://bugzilla.suse.com/show_bug.cgi?id=883174 https://bugzilla.suse.com/show_bug.cgi?id=901216 From sle-security-updates at lists.suse.com Sat Feb 7 02:04:44 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 7 Feb 2015 10:04:44 +0100 (CET) Subject: SUSE-SU-2015:0236-1: critical: Security update for flash-player Message-ID: <20150207090444.62DB53236B@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0236-1 Rating: critical References: #915918 Cross-References: CVE-2015-0313 CVE-2015-0314 CVE-2015-0315 CVE-2015-0316 CVE-2015-0317 CVE-2015-0318 CVE-2015-0319 CVE-2015-0320 CVE-2015-0321 CVE-2015-0322 CVE-2015-0323 CVE-2015-0324 CVE-2015-0325 CVE-2015-0326 CVE-2015-0327 CVE-2015-0328 CVE-2015-0329 CVE-2015-0330 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes 18 vulnerabilities is now available. 
Description: flash-player was updated to version 11.2.202.442 to fix 18 security issues. These security issues were fixed: - Use-after-free vulnerabilities that could lead to code execution (CVE-2015-0313, CVE-2015-0315, CVE-2015-0320, CVE-2015-0322). - Memory corruption vulnerabilities that could lead to code execution (CVE-2015-0314, CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, CVE-2015-0330). - Type confusion vulnerabilities that could lead to code execution (CVE-2015-0317, CVE-2015-0319). - Heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-0323, CVE-2015-0327). - Buffer overflow vulnerability that could lead to code execution (CVE-2015-0324). - Null pointer dereference issues (CVE-2015-0325, CVE-2015-0326, CVE-2015-0328). More information is available at https://helpx.adobe.com/security/products/flash-player/apsb15-04.html Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2015-58=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-58=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Workstation Extension 12 (i586 x86_64): flash-player-11.2.202.442-67.1 flash-player-gnome-11.2.202.442-67.1 - SUSE Linux Enterprise Desktop 12 (i586 x86_64): flash-player-11.2.202.442-67.1 flash-player-gnome-11.2.202.442-67.1 References: http://support.novell.com/security/cve/CVE-2015-0313.html http://support.novell.com/security/cve/CVE-2015-0314.html http://support.novell.com/security/cve/CVE-2015-0315.html http://support.novell.com/security/cve/CVE-2015-0316.html http://support.novell.com/security/cve/CVE-2015-0317.html http://support.novell.com/security/cve/CVE-2015-0318.html http://support.novell.com/security/cve/CVE-2015-0319.html http://support.novell.com/security/cve/CVE-2015-0320.html http://support.novell.com/security/cve/CVE-2015-0321.html http://support.novell.com/security/cve/CVE-2015-0322.html http://support.novell.com/security/cve/CVE-2015-0323.html http://support.novell.com/security/cve/CVE-2015-0324.html http://support.novell.com/security/cve/CVE-2015-0325.html http://support.novell.com/security/cve/CVE-2015-0326.html http://support.novell.com/security/cve/CVE-2015-0327.html http://support.novell.com/security/cve/CVE-2015-0328.html http://support.novell.com/security/cve/CVE-2015-0329.html http://support.novell.com/security/cve/CVE-2015-0330.html https://bugzilla.suse.com/show_bug.cgi?id=915918 From sle-security-updates at lists.suse.com Sat Feb 7 11:04:44 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 7 Feb 2015 19:04:44 +0100 (CET) Subject: SUSE-SU-2015:0239-1: critical: Security update for flash-player, flash-player-gnome, flash-player-kde4 Message-ID: <20150207180444.A9F5A3236B@maintenance.suse.de> SUSE Security Update: Security update for flash-player, flash-player-gnome, flash-player-kde4 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0239-1 Rating: critical References: #915918 
Cross-References: CVE-2015-0313 CVE-2015-0314 CVE-2015-0315 CVE-2015-0316 CVE-2015-0317 CVE-2015-0318 CVE-2015-0319 CVE-2015-0320 CVE-2015-0321 CVE-2015-0322 CVE-2015-0323 CVE-2015-0324 CVE-2015-0325 CVE-2015-0326 CVE-2015-0327 CVE-2015-0328 CVE-2015-0329 CVE-2015-0330 Affected Products: SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 18 vulnerabilities is now available. It includes one version update. Description: flash-player was updated to version 11.2.202.442 to fix 18 security issues. These security issues were fixed: - Use-after-free vulnerabilities that could lead to code execution (CVE-2015-0313, CVE-2015-0315, CVE-2015-0320, CVE-2015-0322). - Memory corruption vulnerabilities that could lead to code execution (CVE-2015-0314, CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, CVE-2015-0330). - Type confusion vulnerabilities that could lead to code execution (CVE-2015-0317, CVE-2015-0319). - Heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-0323, CVE-2015-0327). - Buffer overflow vulnerability that could lead to code execution (CVE-2015-0324). - Null pointer dereference issues (CVE-2015-0325, CVE-2015-0326, CVE-2015-0328). More information is available at https://helpx.adobe.com/security/products/flash-player/apsb15-04.html Security Issues: * CVE-2015-0313 * CVE-2015-0314 * CVE-2015-0315 * CVE-2015-0316 * CVE-2015-0317 * CVE-2015-0318 * CVE-2015-0319 * CVE-2015-0320 * CVE-2015-0321 * CVE-2015-0322 * CVE-2015-0323 * CVE-2015-0324 * CVE-2015-0325 * CVE-2015-0326 * CVE-2015-0327 * CVE-2015-0328 * CVE-2015-0329 * CVE-2015-0330 Contraindications: Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-flash-player=10287 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.442]: flash-player-11.2.202.442-0.3.1 flash-player-gnome-11.2.202.442-0.3.1 flash-player-kde4-11.2.202.442-0.3.1 References: http://support.novell.com/security/cve/CVE-2015-0313.html http://support.novell.com/security/cve/CVE-2015-0314.html http://support.novell.com/security/cve/CVE-2015-0315.html http://support.novell.com/security/cve/CVE-2015-0316.html http://support.novell.com/security/cve/CVE-2015-0317.html http://support.novell.com/security/cve/CVE-2015-0318.html http://support.novell.com/security/cve/CVE-2015-0319.html http://support.novell.com/security/cve/CVE-2015-0320.html http://support.novell.com/security/cve/CVE-2015-0321.html http://support.novell.com/security/cve/CVE-2015-0322.html http://support.novell.com/security/cve/CVE-2015-0323.html http://support.novell.com/security/cve/CVE-2015-0324.html http://support.novell.com/security/cve/CVE-2015-0325.html http://support.novell.com/security/cve/CVE-2015-0326.html http://support.novell.com/security/cve/CVE-2015-0327.html http://support.novell.com/security/cve/CVE-2015-0328.html http://support.novell.com/security/cve/CVE-2015-0329.html http://support.novell.com/security/cve/CVE-2015-0330.html https://bugzilla.suse.com/show_bug.cgi?id=915918 http://download.suse.com/patch/finder/?keywords=7fb4ff1fae894ac722cc8e70ad37954c From sle-security-updates at lists.suse.com Mon Feb 9 08:05:06 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 9 Feb 2015 16:05:06 +0100 (CET) Subject: SUSE-SU-2015:0241-1: moderate: Security update for libvirt Message-ID: <20150209150506.D78013236B@maintenance.suse.de> SUSE Security Update: Security update for libvirt ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0241-1 Rating: moderate References: #891936 #899334 #899484 #900587 #902976 #903756 #904176 #904426 #904432 #909828 #910862 
#911737 Cross-References: CVE-2014-3657 CVE-2014-7823 CVE-2014-8136 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves three vulnerabilities and has 9 fixes is now available. Description: libvirt was updated to fix security issues and bugs. These security issues were fixed: - Fixed denial of service flaw in libvirt's virConnectListAllDomains() function (CVE-2014-3657). - Information leak with flag VIR_DOMAIN_XML_MIGRATABLE (CVE-2014-7823). - local denial of service in qemu driver (CVE-2014-8136) These non-security issues were fixed: - Get /proc/sys/net/ipv[46] read-write for wicked to work in containers (bsc#904432). - libxl: Several migration improvements (bsc#903756). - libxl: allow libxl to find pygrub binary (bdo#770485). - Fix Qemu AppArmor abstraction (bsc#904426). - AppArmor confined kvm domains couldn't find the apparmor profile template (bnc#902976). - Backport commit c110cdb2 to fix non-raw storage format error (bnc#900587). - qemu: use systemd's TerminateMachine to kill all processes (bsc#899334). - Transformed Errors into warnings in detect_scsi_host_caps. - Fix a missing cleanup for lxc containers. - Adding network configuration to containers. bsc#904432 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2015-59=1 - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-59=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-59=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-59=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Workstation Extension 12 (x86_64): libvirt-client-32bit-1.2.5-21.1 libvirt-client-debuginfo-32bit-1.2.5-21.1 - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): libvirt-debugsource-1.2.5-21.1 libvirt-devel-1.2.5-21.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): libvirt-1.2.5-21.1 libvirt-client-1.2.5-21.1 libvirt-client-debuginfo-1.2.5-21.1 libvirt-daemon-1.2.5-21.1 libvirt-daemon-config-network-1.2.5-21.1 libvirt-daemon-config-nwfilter-1.2.5-21.1 libvirt-daemon-debuginfo-1.2.5-21.1 libvirt-daemon-driver-interface-1.2.5-21.1 libvirt-daemon-driver-interface-debuginfo-1.2.5-21.1 libvirt-daemon-driver-lxc-1.2.5-21.1 libvirt-daemon-driver-lxc-debuginfo-1.2.5-21.1 libvirt-daemon-driver-network-1.2.5-21.1 libvirt-daemon-driver-network-debuginfo-1.2.5-21.1 libvirt-daemon-driver-nodedev-1.2.5-21.1 libvirt-daemon-driver-nodedev-debuginfo-1.2.5-21.1 libvirt-daemon-driver-nwfilter-1.2.5-21.1 libvirt-daemon-driver-nwfilter-debuginfo-1.2.5-21.1 libvirt-daemon-driver-qemu-1.2.5-21.1 libvirt-daemon-driver-qemu-debuginfo-1.2.5-21.1 libvirt-daemon-driver-secret-1.2.5-21.1 libvirt-daemon-driver-secret-debuginfo-1.2.5-21.1 libvirt-daemon-driver-storage-1.2.5-21.1 libvirt-daemon-driver-storage-debuginfo-1.2.5-21.1 libvirt-daemon-lxc-1.2.5-21.1 libvirt-daemon-qemu-1.2.5-21.1 libvirt-debugsource-1.2.5-21.1 libvirt-doc-1.2.5-21.1 libvirt-lock-sanlock-1.2.5-21.1 libvirt-lock-sanlock-debuginfo-1.2.5-21.1 - SUSE Linux Enterprise Server 12 (x86_64): libvirt-daemon-driver-libxl-1.2.5-21.1 libvirt-daemon-driver-libxl-debuginfo-1.2.5-21.1 libvirt-daemon-xen-1.2.5-21.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libvirt-1.2.5-21.1 libvirt-client-1.2.5-21.1 libvirt-client-32bit-1.2.5-21.1 libvirt-client-debuginfo-1.2.5-21.1 libvirt-client-debuginfo-32bit-1.2.5-21.1 libvirt-daemon-1.2.5-21.1 libvirt-daemon-config-network-1.2.5-21.1 libvirt-daemon-config-nwfilter-1.2.5-21.1 libvirt-daemon-debuginfo-1.2.5-21.1 
libvirt-daemon-driver-interface-1.2.5-21.1 libvirt-daemon-driver-interface-debuginfo-1.2.5-21.1 libvirt-daemon-driver-libxl-1.2.5-21.1 libvirt-daemon-driver-libxl-debuginfo-1.2.5-21.1 libvirt-daemon-driver-lxc-1.2.5-21.1 libvirt-daemon-driver-lxc-debuginfo-1.2.5-21.1 libvirt-daemon-driver-network-1.2.5-21.1 libvirt-daemon-driver-network-debuginfo-1.2.5-21.1 libvirt-daemon-driver-nodedev-1.2.5-21.1 libvirt-daemon-driver-nodedev-debuginfo-1.2.5-21.1 libvirt-daemon-driver-nwfilter-1.2.5-21.1 libvirt-daemon-driver-nwfilter-debuginfo-1.2.5-21.1 libvirt-daemon-driver-qemu-1.2.5-21.1 libvirt-daemon-driver-qemu-debuginfo-1.2.5-21.1 libvirt-daemon-driver-secret-1.2.5-21.1 libvirt-daemon-driver-secret-debuginfo-1.2.5-21.1 libvirt-daemon-driver-storage-1.2.5-21.1 libvirt-daemon-driver-storage-debuginfo-1.2.5-21.1 libvirt-daemon-lxc-1.2.5-21.1 libvirt-daemon-qemu-1.2.5-21.1 libvirt-daemon-xen-1.2.5-21.1 libvirt-debugsource-1.2.5-21.1 libvirt-doc-1.2.5-21.1 References: http://support.novell.com/security/cve/CVE-2014-3657.html http://support.novell.com/security/cve/CVE-2014-7823.html http://support.novell.com/security/cve/CVE-2014-8136.html https://bugzilla.suse.com/show_bug.cgi?id=891936 https://bugzilla.suse.com/show_bug.cgi?id=899334 https://bugzilla.suse.com/show_bug.cgi?id=899484 https://bugzilla.suse.com/show_bug.cgi?id=900587 https://bugzilla.suse.com/show_bug.cgi?id=902976 https://bugzilla.suse.com/show_bug.cgi?id=903756 https://bugzilla.suse.com/show_bug.cgi?id=904176 https://bugzilla.suse.com/show_bug.cgi?id=904426 https://bugzilla.suse.com/show_bug.cgi?id=904432 https://bugzilla.suse.com/show_bug.cgi?id=909828 https://bugzilla.suse.com/show_bug.cgi?id=910862 https://bugzilla.suse.com/show_bug.cgi?id=911737 From sle-security-updates at lists.suse.com Tue Feb 10 17:04:47 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 11 Feb 2015 01:04:47 +0100 (CET) Subject: SUSE-SU-2015:0253-1: moderate: Security update for glibc 
Message-ID: <20150211000447.CC9B83236B@maintenance.suse.de>

   SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0253-1
Rating:             moderate
References:         #864081 #891843 #894553 #894556 #903288 #909053
Cross-References:   CVE-2012-6656 CVE-2014-6040
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves two vulnerabilities and has four fixes is now
   available.

Description:

   glibc has been updated to fix security issues and bugs:

   * Fix crashes on invalid input in IBM gconv modules. (CVE-2014-6040,
     CVE-2012-6656, bsc#894553, bsc#894556, GLIBC BZ #17325, GLIBC BZ #14134)
   * Avoid infinite loop in nss_dns getnetbyname. (CVE-2014-9402)
   * Don't touch user-controlled stdio locks in forked child. (bsc#864081,
     GLIBC BZ #12847)
   * Unlock mutex before going back to waiting for PI mutexes. (bsc#891843,
     GLIBC BZ #14417)
   * Implement x86 cpuid handling of leaf4 for cache information.
     (bsc#903288, GLIBC BZ #12587)
   * Fix infinite loop in check_pf. (bsc#909053, GLIBC BZ #12926)

   Security Issues:

   * CVE-2014-6040
   * CVE-2012-6656

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-glibc=10259

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-glibc=10259

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-glibc=10259

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-glibc=10259

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      glibc-html-2.11.3-17.80.3
      glibc-info-2.11.3-17.80.3

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      glibc-2.11.3-17.80.3
      glibc-devel-2.11.3-17.80.3
      glibc-html-2.11.3-17.80.3
      glibc-i18ndata-2.11.3-17.80.3
      glibc-info-2.11.3-17.80.3
      glibc-locale-2.11.3-17.80.3
      glibc-profile-2.11.3-17.80.3
      nscd-2.11.3-17.80.3

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      glibc-32bit-2.11.3-17.80.3
      glibc-devel-32bit-2.11.3-17.80.3
      glibc-locale-32bit-2.11.3-17.80.3
      glibc-profile-32bit-2.11.3-17.80.3

   - SUSE Linux Enterprise Server 11 SP3 (i586 i686 ia64 ppc64 s390x x86_64):

      glibc-2.11.3-17.80.3
      glibc-devel-2.11.3-17.80.3

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      glibc-html-2.11.3-17.80.3
      glibc-i18ndata-2.11.3-17.80.3
      glibc-info-2.11.3-17.80.3
      glibc-locale-2.11.3-17.80.3
      glibc-profile-2.11.3-17.80.3
      nscd-2.11.3-17.80.3

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      glibc-32bit-2.11.3-17.80.3
      glibc-devel-32bit-2.11.3-17.80.3
      glibc-locale-32bit-2.11.3-17.80.3
      glibc-profile-32bit-2.11.3-17.80.3

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      glibc-locale-x86-2.11.3-17.80.3
      glibc-profile-x86-2.11.3-17.80.3
      glibc-x86-2.11.3-17.80.3

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 i686 x86_64):

      glibc-2.11.3-17.80.3
      glibc-devel-2.11.3-17.80.3

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      glibc-i18ndata-2.11.3-17.80.3
      glibc-locale-2.11.3-17.80.3
      nscd-2.11.3-17.80.3

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      glibc-32bit-2.11.3-17.80.3
      glibc-devel-32bit-2.11.3-17.80.3
      glibc-locale-32bit-2.11.3-17.80.3

References:

   http://support.novell.com/security/cve/CVE-2012-6656.html
   http://support.novell.com/security/cve/CVE-2014-6040.html
   https://bugzilla.suse.com/show_bug.cgi?id=864081
   https://bugzilla.suse.com/show_bug.cgi?id=891843
   https://bugzilla.suse.com/show_bug.cgi?id=894553
   https://bugzilla.suse.com/show_bug.cgi?id=894556
   https://bugzilla.suse.com/show_bug.cgi?id=903288
   https://bugzilla.suse.com/show_bug.cgi?id=909053
   http://download.suse.com/patch/finder/?keywords=76bf279b2ba02c13a549f81e2b2d2df4

From sle-security-updates at lists.suse.com Wed Feb 11 10:05:20 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Feb 2015 18:05:20 +0100 (CET)
Subject: SUSE-SU-2015:0257-1: important: Security update for krb5
Message-ID: <20150211170520.0A2223236F@maintenance.suse.de>

   SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0257-1
Rating:             important
References:         #872912 #906557 #912002
Cross-References:   CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   krb5 has been updated to fix four security issues:

   * CVE-2014-5352: gss_process_context_token() incorrectly frees context
     (bsc#912002)
   * CVE-2014-9421: kadmind doubly frees partial deserialization results
     (bsc#912002)
   * CVE-2014-9422: kadmind incorrectly validates server principal name
     (bsc#912002)
   * CVE-2014-9423: libgssrpc server applications leak uninitialized bytes
     (bsc#912002)

   Additionally, these non-security issues have been fixed:

   * Winbind process hangs indefinitely without DC. (bsc#872912)
   * Hanging winbind processes. (bsc#906557)

   Security Issues:

   * CVE-2014-5352
   * CVE-2014-9421
   * CVE-2014-9422
   * CVE-2014-9423

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-krb5-20150206=10282

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-krb5-20150206=10282

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-krb5-20150206=10282

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-krb5-20150206=10282

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      krb5-devel-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      krb5-devel-32bit-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      krb5-server-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      krb5-1.6.3-133.49.66.1
      krb5-apps-clients-1.6.3-133.49.66.1
      krb5-apps-servers-1.6.3-133.49.66.1
      krb5-client-1.6.3-133.49.66.1
      krb5-plugin-kdb-ldap-1.6.3-133.49.66.1
      krb5-plugin-preauth-pkinit-1.6.3-133.49.66.1
      krb5-server-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      krb5-32bit-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (noarch):

      krb5-doc-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      krb5-1.6.3-133.49.66.1
      krb5-apps-clients-1.6.3-133.49.66.1
      krb5-apps-servers-1.6.3-133.49.66.1
      krb5-client-1.6.3-133.49.66.1
      krb5-plugin-kdb-ldap-1.6.3-133.49.66.1
      krb5-plugin-preauth-pkinit-1.6.3-133.49.66.1
      krb5-server-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      krb5-32bit-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Server 11 SP3 (noarch):

      krb5-doc-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      krb5-x86-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      krb5-1.6.3-133.49.66.1
      krb5-client-1.6.3-133.49.66.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      krb5-32bit-1.6.3-133.49.66.1

References:

   http://support.novell.com/security/cve/CVE-2014-5352.html
   http://support.novell.com/security/cve/CVE-2014-9421.html
   http://support.novell.com/security/cve/CVE-2014-9422.html
   http://support.novell.com/security/cve/CVE-2014-9423.html
   https://bugzilla.suse.com/show_bug.cgi?id=872912
   https://bugzilla.suse.com/show_bug.cgi?id=906557
   https://bugzilla.suse.com/show_bug.cgi?id=912002
   http://download.suse.com/patch/finder/?keywords=127e426050f20989c3c73bc3d3cfcd23

From sle-security-updates at lists.suse.com Wed Feb 11 17:04:53 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Feb 2015 01:04:53 +0100 (CET)
Subject: SUSE-SU-2015:0258-1: moderate: Security update for jasper
Message-ID: <20150212000454.016223236B@maintenance.suse.de>

   SUSE Security Update: Security update for jasper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0258-1
Rating:             moderate
References:         #909474 #909475 #911837
Cross-References:   CVE-2014-8137 CVE-2014-8138
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   This update for jasper fixes the following security issues:

   * CVE-2014-8137: Double free in jas_iccattrval_destroy(). Double call to
     free() allowed attackers to cause a denial of service or possibly have
     unspecified other impact via unknown vectors. (bsc#909474)
   * CVE-2014-8138: Heap overflow in jas_decode(). This could be used to do
     an arbitrary write and could result in arbitrary code execution.
     (bsc#909475)
   * CVE-2014-8157: Off-by-one error in the jpc_dec_process_sot().
     Could allow remote attackers to cause a denial of service (crash) or
     possibly execute arbitrary code via a crafted JPEG 2000 image, which
     triggers a heap-based buffer overflow. (bsc#911837)
   * CVE-2014-8158: Multiple stack-based buffer overflows in jpc_qmfb.c.
     Could allow remote attackers to cause a denial of service (crash) or
     possibly execute arbitrary code via a crafted JPEG 2000 image.
     (bsc#911837)

   Security Issues:

   * CVE-2014-8138
   * CVE-2014-8137
   * CVE-2014-8157
   * CVE-2014-8158

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-jasper=10261

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-jasper=10261

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-jasper=10261

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-jasper=10261

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libjasper-devel-1.900.1-134.17.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      libjasper-1.900.1-134.17.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libjasper-32bit-1.900.1-134.17.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libjasper-1.900.1-134.17.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libjasper-32bit-1.900.1-134.17.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      libjasper-x86-1.900.1-134.17.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      libjasper-1.900.1-134.17.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libjasper-32bit-1.900.1-134.17.1

References:

   http://support.novell.com/security/cve/CVE-2014-8137.html
   http://support.novell.com/security/cve/CVE-2014-8138.html
   https://bugzilla.suse.com/show_bug.cgi?id=909474
   https://bugzilla.suse.com/show_bug.cgi?id=909475
   https://bugzilla.suse.com/show_bug.cgi?id=911837
   http://download.suse.com/patch/finder/?keywords=46bec989fa67ded3cad77ce44cf0ee0d

From sle-security-updates at lists.suse.com Wed Feb 11 19:06:04 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Feb 2015 03:06:04 +0100 (CET)
Subject: SUSE-SU-2015:0259-1: important: Security update for ntp
Message-ID: <20150212020604.1E5523236B@maintenance.suse.de>

   SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0259-1
Rating:             important
References:         #910764 #911792
Cross-References:   CVE-2014-9293 CVE-2014-9294 CVE-2014-9297 CVE-2014-9298
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   ntp has been updated to fix four security issues:

   * CVE-2014-9294: ntp-keygen used a weak RNG seed, which made it easier
     for remote attackers to defeat cryptographic protection mechanisms via
     a brute-force attack. (bsc#910764)
   * CVE-2014-9293: The config_auth function, when an auth key is not
     configured, improperly generated a key, which made it easier for remote
     attackers to defeat cryptographic protection mechanisms via a
     brute-force attack. (bsc#910764)
   * CVE-2014-9298: ::1 can be spoofed on some operating systems, so ACLs
     based on IPv6 ::1 addresses could be bypassed. (bsc#910764)
   * CVE-2014-9297: vallen is not validated in several places in
     ntp_crypto.c, leading to potential information leak. (bsc#910764)

   Security Issues:

   * CVE-2014-9294
   * CVE-2014-9293
   * CVE-2014-9298
   * CVE-2014-9297

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-ntp=10293

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-ntp=10293

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-ntp=10293

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      ntp-4.2.4p8-1.29.32.1
      ntp-doc-4.2.4p8-1.29.32.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      ntp-4.2.4p8-1.29.32.1
      ntp-doc-4.2.4p8-1.29.32.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      ntp-4.2.4p8-1.29.32.1
      ntp-doc-4.2.4p8-1.29.32.1

References:

   http://support.novell.com/security/cve/CVE-2014-9293.html
   http://support.novell.com/security/cve/CVE-2014-9294.html
   http://support.novell.com/security/cve/CVE-2014-9297.html
   http://support.novell.com/security/cve/CVE-2014-9298.html
   https://bugzilla.suse.com/show_bug.cgi?id=910764
   https://bugzilla.suse.com/show_bug.cgi?id=911792
   http://download.suse.com/patch/finder/?keywords=3ac2fa202f513bac69fa58d8eb795c47

From sle-security-updates at lists.suse.com Thu Feb 12 07:04:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Feb 2015 15:04:54 +0100 (CET)
Subject: SUSE-SU-2015:0270-1: moderate: Security update for util-linux
Message-ID: <20150212140454.061D532371@maintenance.suse.de>

   SUSE Security Update: Security update for util-linux
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0270-1
Rating:             moderate
References:         #907434 #908742
Cross-References:   CVE-2014-9114
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   util-linux was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2014-9114: Using crafted block devices (e.g. USB sticks) it was
     possible to inject code via libblkid.
     libblkid was fixed to handle unsafe characters and a possible buffer
     overflow in its cache (bnc#907434).

   This non-security issue was fixed:

   - libblkid: Reset errno in blkid_probe_get_buffer() to prevent failing
     probes (e.g. for exFAT) (bnc#908742).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-67=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-67=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-67=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-67=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      libuuid-devel-2.25-10.1
      util-linux-debuginfo-2.25-10.1
      util-linux-debugsource-2.25-10.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libblkid-devel-2.25-10.1
      libmount-devel-2.25-10.1
      libsmartcols-devel-2.25-10.1
      libuuid-devel-2.25-10.1
      util-linux-debuginfo-2.25-10.1
      util-linux-debugsource-2.25-10.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libblkid1-2.25-10.1
      libblkid1-debuginfo-2.25-10.1
      libmount1-2.25-10.1
      libmount1-debuginfo-2.25-10.1
      libsmartcols1-2.25-10.1
      libsmartcols1-debuginfo-2.25-10.1
      libuuid1-2.25-10.1
      libuuid1-debuginfo-2.25-10.1
      python-libmount-2.25-10.3
      python-libmount-debuginfo-2.25-10.3
      python-libmount-debugsource-2.25-10.3
      util-linux-2.25-10.1
      util-linux-debuginfo-2.25-10.1
      util-linux-debugsource-2.25-10.1
      util-linux-systemd-2.25-10.1
      util-linux-systemd-debuginfo-2.25-10.1
      util-linux-systemd-debugsource-2.25-10.1
      uuidd-2.25-10.1
      uuidd-debuginfo-2.25-10.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libblkid1-32bit-2.25-10.1
      libblkid1-debuginfo-32bit-2.25-10.1
      libmount1-32bit-2.25-10.1
      libmount1-debuginfo-32bit-2.25-10.1
      libuuid1-32bit-2.25-10.1
      libuuid1-debuginfo-32bit-2.25-10.1

   - SUSE Linux Enterprise Server 12 (noarch):

      util-linux-lang-2.25-10.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libblkid1-2.25-10.1
      libblkid1-32bit-2.25-10.1
      libblkid1-debuginfo-2.25-10.1
      libblkid1-debuginfo-32bit-2.25-10.1
      libmount1-2.25-10.1
      libmount1-32bit-2.25-10.1
      libmount1-debuginfo-2.25-10.1
      libmount1-debuginfo-32bit-2.25-10.1
      libsmartcols1-2.25-10.1
      libsmartcols1-debuginfo-2.25-10.1
      libuuid-devel-2.25-10.1
      libuuid1-2.25-10.1
      libuuid1-32bit-2.25-10.1
      libuuid1-debuginfo-2.25-10.1
      libuuid1-debuginfo-32bit-2.25-10.1
      python-libmount-2.25-10.3
      python-libmount-debuginfo-2.25-10.3
      python-libmount-debugsource-2.25-10.3
      util-linux-2.25-10.1
      util-linux-debuginfo-2.25-10.1
      util-linux-debugsource-2.25-10.1
      util-linux-systemd-2.25-10.1
      util-linux-systemd-debuginfo-2.25-10.1
      util-linux-systemd-debugsource-2.25-10.1
      uuidd-2.25-10.1
      uuidd-debuginfo-2.25-10.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      util-linux-lang-2.25-10.1

References:

   http://support.novell.com/security/cve/CVE-2014-9114.html
   https://bugzilla.suse.com/show_bug.cgi?id=907434
   https://bugzilla.suse.com/show_bug.cgi?id=908742

From sle-security-updates at lists.suse.com Thu Feb 12 07:05:23 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Feb 2015 15:05:23 +0100 (CET)
Subject: SUSE-SU-2015:0271-1: moderate: Security update for xdg-utils
Message-ID: <20150212140523.58E213236A@maintenance.suse.de>

   SUSE Security Update: Security update for xdg-utils
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0271-1
Rating:             moderate
References:         #906625 #913676
Cross-References:   CVE-2014-9622
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.
Description:

   This update of xdg-utils fixes a command injection security problem
   (CVE-2014-9622, bsc#913676) and a bug when opening files where multiple
   mime handlers existed (bsc#906625).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-68=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-68=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (noarch):

      xdg-utils-20140630-5.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      xdg-utils-20140630-5.1

References:

   http://support.novell.com/security/cve/CVE-2014-9622.html
   https://bugzilla.suse.com/show_bug.cgi?id=906625
   https://bugzilla.suse.com/show_bug.cgi?id=913676

From sle-security-updates at lists.suse.com Thu Feb 12 13:04:53 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Feb 2015 21:04:53 +0100 (CET)
Subject: SUSE-SU-2015:0274-1: important: Security update for ntp
Message-ID: <20150212200453.7F82232371@maintenance.suse.de>

   SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0274-1
Rating:             important
References:         #910764 #911792
Cross-References:   CVE-2014-9293 CVE-2014-9294 CVE-2014-9297 CVE-2014-9298
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   ntp was updated to fix four security issues.

   These security issues were fixed:

   - CVE-2014-9294: util/ntp-keygen.c in ntp-keygen used a weak RNG seed,
     which made it easier for remote attackers to defeat cryptographic
     protection mechanisms via a brute-force attack (bnc#910764 911792).
   - CVE-2014-9293: The config_auth function in ntpd, when an auth key was
     not configured, improperly generated a key, which made it easier for
     remote attackers to defeat cryptographic protection mechanisms via a
     brute-force attack (bnc#910764 911792).
   - CVE-2014-9298: ::1 can be spoofed on some OSes, so ACLs based on IPv6
     ::1 addresses could be bypassed (bnc#911792).
   - CVE-2014-9297: Information leak by not properly checking a length in
     several places in ntp_crypto.c (bnc#911792).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-70=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-70=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      ntp-4.2.6p5-37.2
      ntp-debuginfo-4.2.6p5-37.2
      ntp-debugsource-4.2.6p5-37.2
      ntp-doc-4.2.6p5-37.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      ntp-4.2.6p5-37.2
      ntp-debuginfo-4.2.6p5-37.2
      ntp-debugsource-4.2.6p5-37.2
      ntp-doc-4.2.6p5-37.2

References:

   http://support.novell.com/security/cve/CVE-2014-9293.html
   http://support.novell.com/security/cve/CVE-2014-9294.html
   http://support.novell.com/security/cve/CVE-2014-9297.html
   http://support.novell.com/security/cve/CVE-2014-9298.html
   https://bugzilla.suse.com/910764
   https://bugzilla.suse.com/911792

From sle-security-updates at lists.suse.com Fri Feb 13 05:06:25 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Feb 2015 13:06:25 +0100 (CET)
Subject: SUSE-SU-2015:0281-1: moderate: Security update for strongswan
Message-ID: <20150213120625.D344B32371@maintenance.suse.de>

   SUSE Security Update: Security update for strongswan
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0281-1
Rating:             moderate
References:         #856322
                    #897048 #897512 #910491
Cross-References:   CVE-2014-9221
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now
   available.

Description:

   This strongswan update fixes the following security and non-security
   issues.

   - Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
   - Applied an upstream fix for a denial-of-service vulnerability that can
     be triggered by an IKEv2 Key Exchange payload containing Diffie-Hellman
     group 1025 (bsc#910491, CVE-2014-9221).
   - Adjusted the whitelist of approved algorithms in fips mode (bsc#856322).
   - Updated the strongswan-hmac package description (bsc#856322).
   - Disabled explicit gpg validation; osc source_validator does it.
   - Guarded the fipscheck and hmac package in the spec file for >13.1.
   - Added generation of fips hmac hash files using the fipshmac utility and
     a _fipscheck script to verify the binaries/libraries/plugins shipped in
     the strongswan-hmac package. With fips enabled in the kernel, the ipsec
     script will call it before any action or in an enforced/manual
     "ipsec _fipscheck" call. Added a config file to load the openssl and
     kernel af-alg plugins, but not all the other modules which provide
     further/alternative algorithms. Applied a filter disallowing
     non-approved algorithms in fips mode (fate#316931, bnc#856322).
   - Fixed the file list in the optional (disabled) strongswan-test package.
   - Fixed the build of the strongswan built-in integrity checksum library
     and enabled building it only on architectures tested to work.
   - Fix to use bug number 897048 instead of 856322 in the last changes
     entry.
   - Applied an upstream patch reverting to storing algorithms in
     registration order again, as ordering them by identifier caused weaker
     algorithms to be proposed first by default (bsc#897512).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-71=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-71=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      strongswan-5.1.3-9.2
      strongswan-debugsource-5.1.3-9.2
      strongswan-hmac-5.1.3-9.2
      strongswan-ipsec-5.1.3-9.2
      strongswan-ipsec-debuginfo-5.1.3-9.2
      strongswan-libs0-5.1.3-9.2
      strongswan-libs0-debuginfo-5.1.3-9.2

   - SUSE Linux Enterprise Server 12 (noarch):

      strongswan-doc-5.1.3-9.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      strongswan-5.1.3-9.1
      strongswan-debugsource-5.1.3-9.1
      strongswan-ipsec-5.1.3-9.1
      strongswan-ipsec-debuginfo-5.1.3-9.1
      strongswan-libs0-5.1.3-9.1
      strongswan-libs0-debuginfo-5.1.3-9.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      strongswan-doc-5.1.3-9.1

References:

   http://support.novell.com/security/cve/CVE-2014-9221.html
   https://bugzilla.suse.com/856322
   https://bugzilla.suse.com/897048
   https://bugzilla.suse.com/897512
   https://bugzilla.suse.com/910491

From sle-security-updates at lists.suse.com Fri Feb 13 11:04:49 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Feb 2015 19:04:49 +0100 (CET)
Subject: SUSE-SU-2015:0259-2: important: Security update for ntp
Message-ID: <20150213180449.91AB132371@maintenance.suse.de>

   SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0259-2
Rating:             important
References:         #910764 #911792
Cross-References:   CVE-2014-9293 CVE-2014-9294 CVE-2014-9297 CVE-2014-9298
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   ntp has been updated to fix four security issues:

   * CVE-2014-9294: ntp-keygen used a weak RNG seed, which made it easier
     for remote attackers to defeat cryptographic protection mechanisms via
     a brute-force attack. (bsc#910764)
   * CVE-2014-9293: The config_auth function, when an auth key is not
     configured, improperly generated a key, which made it easier for remote
     attackers to defeat cryptographic protection mechanisms via a
     brute-force attack. (bsc#910764)
   * CVE-2014-9298: ::1 can be spoofed on some operating systems, so ACLs
     based on IPv6 ::1 addresses could be bypassed. (bsc#910764)
   * CVE-2014-9297: vallen is not validated in several places in
     ntp_crypto.c, leading to potential information leak. (bsc#910764)

   Security Issues:

   * CVE-2014-9294
   * CVE-2014-9293
   * CVE-2014-9298
   * CVE-2014-9297

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-ntp=10308

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

      ntp-4.2.4p8-1.29.32.1
      ntp-doc-4.2.4p8-1.29.32.1

References:

   http://support.novell.com/security/cve/CVE-2014-9293.html
   http://support.novell.com/security/cve/CVE-2014-9294.html
   http://support.novell.com/security/cve/CVE-2014-9297.html
   http://support.novell.com/security/cve/CVE-2014-9298.html
   https://bugzilla.suse.com/910764
   https://bugzilla.suse.com/911792
   http://download.suse.com/patch/finder/?keywords=e5a9d59f9998dd1feedb5ea5b22cbae3

From sle-security-updates at lists.suse.com Mon Feb 16 06:05:05 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Feb 2015 14:05:05 +0100 (CET)
Subject: SUSE-SU-2015:0288-1: moderate: Security update for jasper
Message-ID: <20150216130505.D36F732371@maintenance.suse.de>

   SUSE Security Update: Security update for jasper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0288-1
Rating:             moderate
References:         #911837
Cross-References:   CVE-2014-8157 CVE-2014-8158
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   jasper was updated to fix two security issues.

   These security issues were fixed:

   - CVE-2014-8157: Off-by-one error in the jpc_dec_process_sot function in
     JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of
     service (crash) or possibly execute arbitrary code via a crafted JPEG
     2000 image, which triggers a heap-based buffer overflow (bnc#911837).
   - CVE-2014-8158: Multiple stack-based buffer overflows in jpc_qmfb.c in
     JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of
     service (crash) or possibly execute arbitrary code via a crafted JPEG
     2000 image (bnc#911837).
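The off-by-one in jpc_dec_process_sot that both jasper advisories above (SUSE-SU-2015:0258-1 and SUSE-SU-2015:0288-1) describe is the classic "index == count" bounds mistake. The following C is an added, self-contained illustration written for this page; it is not JasPer's code and does not reproduce its data structures. It assumes only the public layout of a JPEG 2000 SOT marker segment (Lsot, Isot, Psot, TPsot, TNsot from ISO/IEC 15444-1) and models the decoder as one heap array with exactly numtiles entries, so that accepting Isot == numtiles would write one element past the array. The weak predicate is kept as a comparison only; the parsing path always uses the strict one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* One decoder state record per tile; a real decoder keeps far more here. */
struct tile_state {
    unsigned parts_seen;
};

struct decoder {
    unsigned numtiles;          /* tiles in the image, taken from the SIZ marker */
    struct tile_state *tiles;   /* heap array with exactly numtiles entries */
};

/*
 * Off-by-one check: rejects only tileno > numtiles, so tileno == numtiles
 * slips through and tiles[tileno] would then address one element past the
 * end of the heap array.  Kept here as a predicate only; it never indexes.
 */
int tileno_in_range_weak(unsigned tileno, unsigned numtiles)
{
    return tileno > numtiles ? 0 : 1;
}

/* Correct check: the only valid indices are 0 .. numtiles-1. */
int tileno_in_range_strict(unsigned tileno, unsigned numtiles)
{
    return tileno >= numtiles ? 0 : 1;
}

struct decoder *decoder_new(unsigned numtiles)
{
    if (numtiles == 0)
        return NULL;
    struct decoder *d = calloc(1, sizeof *d);
    if (d == NULL)
        return NULL;
    d->tiles = calloc(numtiles, sizeof *d->tiles);
    if (d->tiles == NULL) {
        free(d);
        return NULL;
    }
    d->numtiles = numtiles;
    return d;
}

void decoder_free(struct decoder *d)
{
    if (d != NULL) {
        free(d->tiles);
        free(d);
    }
}

/*
 * Parse an SOT marker segment body (Lsot, Isot, Psot, TPsot, TNsot) and
 * record the tile-part.  Returns the tile index on success, -1 when the
 * segment is short, has the wrong length field, or names a tile outside
 * the array.  Isot is attacker-controlled input: it comes straight from
 * the image file, so it is validated before it is used as an index.
 */
int process_sot(struct decoder *d, const uint8_t *seg, size_t len)
{
    if (d == NULL || seg == NULL || len < 10)
        return -1;
    unsigned lsot = ((unsigned)seg[0] << 8) | seg[1];
    if (lsot != 10)                    /* SOT is a fixed-length segment */
        return -1;
    unsigned tileno = ((unsigned)seg[2] << 8) | seg[3];   /* Isot */
    if (!tileno_in_range_strict(tileno, d->numtiles))
        return -1;                     /* would otherwise overflow d->tiles */
    d->tiles[tileno].parts_seen++;
    return (int)tileno;
}

/*
 * Build a constructed SOT segment naming tile `isot` and feed it to a
 * fresh decoder with `numtiles` tiles; returns what process_sot returns.
 */
int demo_sot(unsigned numtiles, unsigned isot)
{
    uint8_t seg[10] = { 0x00, 0x0a, (uint8_t)(isot >> 8), (uint8_t)isot,
                        0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
    struct decoder *d = decoder_new(numtiles);
    if (d == NULL)
        return -1;
    int r = process_sot(d, seg, sizeof seg);
    decoder_free(d);
    return r;
}

int main(void)
{
    printf("tile 3 of 4: %d\n", demo_sot(4, 3));   /* accepted: index 3 */
    printf("tile 4 of 4: %d\n", demo_sot(4, 4));   /* rejected: -1 */
    printf("weak check accepts 4 of 4: %d\n", tileno_in_range_weak(4, 4));
    return 0;
}
```

The two predicates differ by a single character, which is why this class of bug survives review; a unit test that feeds Isot == numtiles, as demo_sot does, is the cheap way to pin the boundary down.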
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-73=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-73=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-73=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      jasper-debuginfo-1.900.1-170.1
      jasper-debugsource-1.900.1-170.1
      libjasper-devel-1.900.1-170.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      jasper-debuginfo-1.900.1-170.1
      jasper-debugsource-1.900.1-170.1
      libjasper1-1.900.1-170.1
      libjasper1-debuginfo-1.900.1-170.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libjasper1-32bit-1.900.1-170.1
      libjasper1-debuginfo-32bit-1.900.1-170.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      jasper-debuginfo-1.900.1-170.1
      jasper-debugsource-1.900.1-170.1
      libjasper1-1.900.1-170.1
      libjasper1-32bit-1.900.1-170.1
      libjasper1-debuginfo-1.900.1-170.1
      libjasper1-debuginfo-32bit-1.900.1-170.1

References:

   http://support.novell.com/security/cve/CVE-2014-8157.html
   http://support.novell.com/security/cve/CVE-2014-8158.html
   https://bugzilla.suse.com/911837

From sle-security-updates at lists.suse.com Mon Feb 16 06:05:47 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Feb 2015 14:05:47 +0100 (CET)
Subject: SUSE-SU-2015:0290-1: important: Security update for krb5
Message-ID: <20150216130547.1E14832371@maintenance.suse.de>

   SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0290-1
Rating:             important
References:         #897874 #898439 #912002
Cross-References:   CVE-2014-5351 CVE-2014-5352 CVE-2014-9421 CVE-2014-9422
                    CVE-2014-9423
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Build System Kit 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   MIT kerberos krb5 was updated to fix several security issues and bugs.

   Security issues fixed:

   CVE-2014-5351: The kadm5_randkey_principal_3 function in
   lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5)
   sent old keys in a response to a -randkey -keepold request, which allowed
   remote authenticated users to forge tickets by leveraging administrative
   access.

   CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after
   gss_process_context_token() is used to process a valid context deletion
   token, the caller was left with a security context handle containing a
   dangling pointer. Further uses of this handle would have resulted in
   use-after-free and double-free memory access violations. libgssrpc server
   applications such as kadmind were vulnerable as they can be instructed to
   call gss_process_context_token().

   CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data
   from an authenticated user, it may have performed use-after-free and
   double-free memory access violations while cleaning up the partial
   deserialization results. Other libgssrpc server applications might also
   have been vulnerable if they contain insufficiently defensive XDR
   functions.

   CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted
   authentications to two-component server principals whose first component
   is a left substring of "kadmin" or whose realm is a left prefix of the
   default realm.

   CVE-2014-9423: libgssrpc applications including kadmind output four or
   eight bytes of uninitialized memory to the network as part of an unused
   "handle" field in replies to clients.

   Bugs fixed:

   - Work around replay cache creation race; (bnc#898439).
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-74=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-74=1

   - SUSE Linux Enterprise Build System Kit 12:

      zypper in -t patch SUSE-SLE-BSK-12-2015-74=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x):

      krb5-debuginfo-1.12.1-9.1
      krb5-debugsource-1.12.1-9.1
      krb5-devel-1.12.1-9.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x):

      krb5-1.12.1-9.1
      krb5-client-1.12.1-9.1
      krb5-client-debuginfo-1.12.1-9.1
      krb5-debuginfo-1.12.1-9.1
      krb5-debugsource-1.12.1-9.1
      krb5-doc-1.12.1-9.1
      krb5-plugin-kdb-ldap-1.12.1-9.1
      krb5-plugin-kdb-ldap-debuginfo-1.12.1-9.1
      krb5-plugin-preauth-otp-1.12.1-9.1
      krb5-plugin-preauth-otp-debuginfo-1.12.1-9.1
      krb5-plugin-preauth-pkinit-1.12.1-9.1
      krb5-plugin-preauth-pkinit-debuginfo-1.12.1-9.1
      krb5-server-1.12.1-9.1
      krb5-server-debuginfo-1.12.1-9.1

   - SUSE Linux Enterprise Server 12 (s390x):

      krb5-32bit-1.12.1-9.1
      krb5-debuginfo-32bit-1.12.1-9.1

   - SUSE Linux Enterprise Build System Kit 12 (ppc64le s390x):

      krb5-mini-1.12.1-9.1
      krb5-mini-debuginfo-1.12.1-9.1
      krb5-mini-debugsource-1.12.1-9.1
      krb5-mini-devel-1.12.1-9.1

References:

   http://support.novell.com/security/cve/CVE-2014-5351.html
   http://support.novell.com/security/cve/CVE-2014-5352.html
   http://support.novell.com/security/cve/CVE-2014-9421.html
   http://support.novell.com/security/cve/CVE-2014-9422.html
   http://support.novell.com/security/cve/CVE-2014-9423.html
   https://bugzilla.suse.com/897874
   https://bugzilla.suse.com/898439
   https://bugzilla.suse.com/912002

From sle-security-updates at lists.suse.com  Mon Feb 16 07:04:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Feb 2015 15:04:56 +0100 (CET)
Subject: SUSE-SU-2015:0290-2: important: Security update for krb5
Message-ID: <20150216140456.EF51B3236F@maintenance.suse.de>

SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0290-2
Rating:             important
References:         #897874 #898439 #912002
Cross-References:   CVE-2014-5351 CVE-2014-5352 CVE-2014-9421 CVE-2014-9422
                    CVE-2014-9423
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
                    SUSE Linux Enterprise Build System Kit 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   MIT kerberos krb5 was updated to fix several security issues and bugs.

   Security issues fixed:

   CVE-2014-5351: The kadm5_randkey_principal_3 function in
   lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent
   old keys in a response to a -randkey -keepold request, which allowed remote
   authenticated users to forge tickets by leveraging administrative access.

   CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after
   gss_process_context_token() is used to process a valid context deletion
   token, the caller was left with a security context handle containing a
   dangling pointer. Further uses of this handle would have resulted in
   use-after-free and double-free memory access violations. libgssrpc server
   applications such as kadmind were vulnerable as they can be instructed to
   call gss_process_context_token().

   CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data
   from an authenticated user, it may have performed use-after-free and
   double-free memory access violations while cleaning up the partial
   deserialization results. Other libgssrpc server applications might also
   have been vulnerable if they contain insufficiently defensive XDR
   functions.
   CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted
   authentications to two-component server principals whose first component
   is a left substring of "kadmin" or whose realm is a left prefix of the
   default realm.

   CVE-2014-9423: libgssrpc applications including kadmind output four or
   eight bytes of uninitialized memory to the network as part of an unused
   "handle" field in replies to clients.

   Bugs fixed:
   - Work around replay cache creation race (bnc#898439).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-74=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-74=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-74=1

   - SUSE Linux Enterprise Build System Kit 12:

      zypper in -t patch SUSE-SLE-BSK-12-2015-74=1

   To bring your system up-to-date, use "zypper patch".
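The CVE-2014-9422 entry in both krb5 advisories above describes a comparison that stops at the length of the presented name, where an exact match of the service component and the realm was required. The following Python model is an added illustration for this digest, not MIT krb5 source: the principal syntax, the sample realm EXAMPLE.COM, the sample principals and the function names are all assumptions, chosen only to show the length-bounded check beside an exact one.

```python
"""Illustrative model of the CVE-2014-9422 check (constructed for this digest,
not MIT krb5 source): the weak check compares only as far as the presented
principal's own length, so any left substring of "kadmin" and any left prefix
of the default realm pass; the hardened check requires exact equality."""
from typing import List, Tuple

DEFAULT_REALM = "EXAMPLE.COM"  # constructed sample realm, not from the advisory


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.partition("@")
    if not sep or not name:
        raise ValueError("malformed principal: %r" % principal)
    return name.split("/"), realm


def is_kadmin_service_weak(principal: str, default_realm: str = DEFAULT_REALM) -> bool:
    """Length-bounded comparison in the style the advisory describes (flawed).

    "kadmin".startswith(first) plays the role of a strncmp() bounded by
    len(first): it is true for "", "k", "ka", ..., "kadmin". The realm is
    compared the same way, so "EXAMPLE" passes for default realm EXAMPLE.COM.
    """
    comps, realm = parse_principal(principal)
    if len(comps) != 2:
        return False
    return "kadmin".startswith(comps[0]) and default_realm.startswith(realm)


def is_kadmin_service_exact(principal: str, default_realm: str = DEFAULT_REALM) -> bool:
    """Hardened check: the service name and the realm must match exactly.

    The second component is left unconstrained, as in the advisory text.
    """
    comps, realm = parse_principal(principal)
    return len(comps) == 2 and comps[0] == "kadmin" and realm == default_realm


def accepted_only_by_weak_check(principals: List[str]) -> List[str]:
    """Principals the weak check accepts that the exact check rejects."""
    return [p for p in principals
            if is_kadmin_service_weak(p) and not is_kadmin_service_exact(p)]


# Constructed sample principals (not from the advisory).
SAMPLE_PRINCIPALS = [
    "kadmin/admin@EXAMPLE.COM",   # the genuine service principal
    "kadmi/admin@EXAMPLE.COM",    # first component is a left substring
    "kadmin/admin@EXAMPLE",       # realm is a left prefix of the default realm
    "kadmins/admin@EXAMPLE.COM",  # longer than "kadmin": rejected by both
    "host/ws1@EXAMPLE.COM",       # unrelated service: rejected by both
]

if __name__ == "__main__":
    for p in accepted_only_by_weak_check(SAMPLE_PRINCIPALS):
        print("weak check wrongly accepts:", p)
```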
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (x86_64):

      krb5-debuginfo-1.12.1-9.1
      krb5-debugsource-1.12.1-9.1
      krb5-devel-1.12.1-9.1

   - SUSE Linux Enterprise Server 12 (x86_64):

      krb5-1.12.1-9.1
      krb5-32bit-1.12.1-9.1
      krb5-client-1.12.1-9.1
      krb5-client-debuginfo-1.12.1-9.1
      krb5-debuginfo-1.12.1-9.1
      krb5-debuginfo-32bit-1.12.1-9.1
      krb5-debugsource-1.12.1-9.1
      krb5-doc-1.12.1-9.1
      krb5-plugin-kdb-ldap-1.12.1-9.1
      krb5-plugin-kdb-ldap-debuginfo-1.12.1-9.1
      krb5-plugin-preauth-otp-1.12.1-9.1
      krb5-plugin-preauth-otp-debuginfo-1.12.1-9.1
      krb5-plugin-preauth-pkinit-1.12.1-9.1
      krb5-plugin-preauth-pkinit-debuginfo-1.12.1-9.1
      krb5-server-1.12.1-9.1
      krb5-server-debuginfo-1.12.1-9.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      krb5-1.12.1-9.1
      krb5-32bit-1.12.1-9.1
      krb5-client-1.12.1-9.1
      krb5-client-debuginfo-1.12.1-9.1
      krb5-debuginfo-1.12.1-9.1
      krb5-debuginfo-32bit-1.12.1-9.1
      krb5-debugsource-1.12.1-9.1

   - SUSE Linux Enterprise Build System Kit 12 (x86_64):

      krb5-mini-1.12.1-9.1
      krb5-mini-debuginfo-1.12.1-9.1
      krb5-mini-debugsource-1.12.1-9.1
      krb5-mini-devel-1.12.1-9.1

References:

   http://support.novell.com/security/cve/CVE-2014-5351.html
   http://support.novell.com/security/cve/CVE-2014-5352.html
   http://support.novell.com/security/cve/CVE-2014-9421.html
   http://support.novell.com/security/cve/CVE-2014-9422.html
   http://support.novell.com/security/cve/CVE-2014-9423.html
   https://bugzilla.suse.com/897874
   https://bugzilla.suse.com/898439
   https://bugzilla.suse.com/912002

From sle-security-updates at lists.suse.com  Mon Feb 16 09:04:59 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Feb 2015 17:04:59 +0100 (CET)
Subject: SUSE-SU-2015:0291-1: moderate: Security update for clamav
Message-ID: <20150216160459.8B8ED32371@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0291-1
Rating:             moderate
References:         #915512 #916214 #916215 #916217
Cross-References:   CVE-2014-9328 CVE-2015-1461 CVE-2015-1462 CVE-2015-1463
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   clamav was updated to version 0.98.6 to fix four security issues.

   These security issues were fixed:
   - CVE-2015-1462: ClamAV allowed remote attackers to have unspecified
     impact via a crafted upx packer file, related to a heap out of bounds
     condition (bnc#916214).
   - CVE-2015-1463: ClamAV allowed remote attackers to cause a denial of
     service (crash) via a crafted petite packer file, related to an
     incorrect compiler optimization (bnc#916215).
   - CVE-2014-9328: ClamAV allowed remote attackers to have unspecified
     impact via a crafted upack packer file, related to a heap out of bounds
     condition (bnc#915512).
   - CVE-2015-1461: ClamAV allowed remote attackers to have unspecified
     impact via a crafted (1) Yoda's crypter or (2) mew packer file, related
     to a heap out of bounds condition (bnc#916217).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-75=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-75=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      clamav-0.98.6-10.1
      clamav-debuginfo-0.98.6-10.1
      clamav-debugsource-0.98.6-10.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      clamav-0.98.6-10.1
      clamav-debuginfo-0.98.6-10.1
      clamav-debugsource-0.98.6-10.1

References:

   http://support.novell.com/security/cve/CVE-2014-9328.html
   http://support.novell.com/security/cve/CVE-2015-1461.html
   http://support.novell.com/security/cve/CVE-2015-1462.html
   http://support.novell.com/security/cve/CVE-2015-1463.html
   https://bugzilla.suse.com/915512
   https://bugzilla.suse.com/916214
   https://bugzilla.suse.com/916215
   https://bugzilla.suse.com/916217

From sle-security-updates at lists.suse.com  Mon Feb 16 10:04:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Feb 2015 18:04:57 +0100 (CET)
Subject: SUSE-SU-2015:0292-1: moderate: Security update for elfutils
Message-ID: <20150216170457.540F832371@maintenance.suse.de>

SUSE Security Update: Security update for elfutils
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0292-1
Rating:             moderate
References:         #911662
Cross-References:   CVE-2014-9447
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   elfutils was updated to fix one security issue.

   This security issue was fixed:
   - Directory traversal vulnerability in the read_long_names function
     (CVE-2014-9447).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-76=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-76=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-76=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      elfutils-debuginfo-0.158-6.1
      elfutils-debugsource-0.158-6.1
      libasm-devel-0.158-6.1
      libdw-devel-0.158-6.1
      libebl-devel-0.158-6.1
      libelf-devel-0.158-6.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      elfutils-0.158-6.1
      elfutils-debuginfo-0.158-6.1
      elfutils-debugsource-0.158-6.1
      libasm1-0.158-6.1
      libasm1-debuginfo-0.158-6.1
      libdw1-0.158-6.1
      libdw1-debuginfo-0.158-6.1
      libebl1-0.158-6.1
      libebl1-debuginfo-0.158-6.1
      libelf1-0.158-6.1
      libelf1-debuginfo-0.158-6.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libasm1-32bit-0.158-6.1
      libasm1-debuginfo-32bit-0.158-6.1
      libdw1-32bit-0.158-6.1
      libdw1-debuginfo-32bit-0.158-6.1
      libebl1-32bit-0.158-6.1
      libebl1-debuginfo-32bit-0.158-6.1
      libelf1-32bit-0.158-6.1
      libelf1-debuginfo-32bit-0.158-6.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      elfutils-0.158-6.1
      elfutils-debuginfo-0.158-6.1
      elfutils-debugsource-0.158-6.1
      libasm1-0.158-6.1
      libasm1-debuginfo-0.158-6.1
      libdw1-0.158-6.1
      libdw1-32bit-0.158-6.1
      libdw1-debuginfo-0.158-6.1
      libdw1-debuginfo-32bit-0.158-6.1
      libebl1-0.158-6.1
      libebl1-32bit-0.158-6.1
      libebl1-debuginfo-0.158-6.1
      libebl1-debuginfo-32bit-0.158-6.1
      libelf1-0.158-6.1
      libelf1-32bit-0.158-6.1
      libelf1-debuginfo-0.158-6.1
      libelf1-debuginfo-32bit-0.158-6.1

References:

   http://support.novell.com/security/cve/CVE-2014-9447.html
   https://bugzilla.suse.com/911662

From sle-security-updates at lists.suse.com  Mon Feb 16 11:04:58 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Feb 2015 19:04:58 +0100 (CET)
Subject: SUSE-SU-2015:0011-2: important: Security update for bind
Message-ID: <20150216180458.2720232371@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0011-2
Rating:             important
References:         #743758 #882511 #908994
Cross-References:   CVE-2014-8500
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now
   available. It includes one version update.

Description:

   This update provides bind 9.9.6P1, which fixes a defect in delegation
   handling that could be exploited to crash named. (CVE-2014-8500,
   bsc#908994)

   Additionally, two non-security issues have been fixed:

   * Fix handling of TXT records in ldapdump. (bsc#743758)
   * Fix a multithread issue with IXFR. (bsc#882511)

   Security Issues:

   * CVE-2014-8500

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-bind=10203

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 9.9.6P1]:

      bind-9.9.6P1-0.5.5
      bind-chrootenv-9.9.6P1-0.5.5
      bind-devel-9.9.6P1-0.5.5
      bind-doc-9.9.6P1-0.5.5
      bind-libs-9.9.6P1-0.5.5
      bind-utils-9.9.6P1-0.5.5

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 9.9.6P1]:

      bind-libs-32bit-9.9.6P1-0.5.5

References:

   http://support.novell.com/security/cve/CVE-2014-8500.html
   https://bugzilla.suse.com/743758
   https://bugzilla.suse.com/882511
   https://bugzilla.suse.com/908994
   http://download.suse.com/patch/finder/?keywords=93a0d67b3fb1cddabb9d852b78c4e9a4

From sle-security-updates at lists.suse.com  Mon Feb 16 11:05:40 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Feb 2015 19:05:40 +0100 (CET)
Subject: SUSE-SU-2015:0259-3: important: Security update for ntp
Message-ID: <20150216180540.30E8432371@maintenance.suse.de>

SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0259-3
Rating:             important
References:         #910764 #911792
Cross-References:   CVE-2014-9293 CVE-2014-9294 CVE-2014-9297 CVE-2014-9298
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   ntp has been updated to fix four security issues:

   * CVE-2014-9294: ntp-keygen used a weak RNG seed, which made it easier for
     remote attackers to defeat cryptographic protection mechanisms via a
     brute-force attack. (bsc#910764)
   * CVE-2014-9293: The config_auth function, when an auth key is not
     configured, improperly generated a key, which made it easier for remote
     attackers to defeat cryptographic protection mechanisms via a
     brute-force attack. (bsc#910764)
   * CVE-2014-9298: ::1 can be spoofed on some operating systems, so ACLs
     based on IPv6 ::1 addresses could be bypassed. (bsc#910764)
   * CVE-2014-9297: vallen is not validated in several places in
     ntp_crypto.c, leading to potential information leak. (bsc#910764)

   Security Issues:

   * CVE-2014-9294
   * CVE-2014-9293
   * CVE-2014-9298
   * CVE-2014-9297

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-ntp=10307

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      ntp-4.2.4p8-1.29.32.1
      ntp-doc-4.2.4p8-1.29.32.1

References:

   http://support.novell.com/security/cve/CVE-2014-9293.html
   http://support.novell.com/security/cve/CVE-2014-9294.html
   http://support.novell.com/security/cve/CVE-2014-9297.html
   http://support.novell.com/security/cve/CVE-2014-9298.html
   https://bugzilla.suse.com/910764
   https://bugzilla.suse.com/911792
   http://download.suse.com/patch/finder/?keywords=900e7482290b4309d9dd461085b05471

From sle-security-updates at lists.suse.com  Mon Feb 16 19:04:55 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Feb 2015 03:04:55 +0100 (CET)
Subject: SUSE-SU-2015:0298-1: important: Security update for clamav
Message-ID: <20150217020455.C182B3236E@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0298-1
Rating:             important
References:         #915512 #916214 #916215 #916217
Cross-References:   CVE-2014-9328 CVE-2015-1461 CVE-2015-1462 CVE-2015-1463
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP4 LTSS
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available. It includes
   one version update.

Description:

   clamav was updated to version 0.98.6 to fix four security issues.

   These security issues have been fixed:

   * CVE-2015-1462: ClamAV allowed remote attackers to have unspecified
     impact via a crafted upx packer file, related to a heap out of bounds
     condition (bnc#916214).
   * CVE-2015-1463: ClamAV allowed remote attackers to cause a denial of
     service (crash) via a crafted petite packer file, related to an
     incorrect compiler optimization (bnc#916215).
   * CVE-2014-9328: ClamAV allowed remote attackers to have unspecified
     impact via a crafted upack packer file, related to a heap out of bounds
     condition (bnc#915512).
   * CVE-2015-1461: ClamAV allowed remote attackers to have unspecified
     impact via a crafted (1) Yoda's crypter or (2) mew packer file, related
     to a heap out of bounds condition (bnc#916217).

   Security Issues:

   * CVE-2015-1462
   * CVE-2014-9328
   * CVE-2015-1463
   * CVE-2015-1461

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-clamav=10283

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-clamav=10283

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-clamav=10285

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-clamav=10284

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-clamav=10283

   To bring your system up-to-date, use "zypper patch".
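Every advisory in this digest ends its Patch Instructions and Package List with the fixed name-version-release per product, and the only way to confirm a host is covered is to order its installed versions the way rpm does (9.9.6P1 is newer than 9.9.6, 1.12.1-9.1 is newer than 1.12.1-8.1). The Python below is an added check, not SUSE tooling: it ports rpm's rpmvercmp() ordering and reports which packages of an inventory are still older than the advisory's fixed NVR. The inventory lines are constructed; the fixed NVRs are copied from the advisories in this digest, with products mixed for illustration.

```python
"""Added check for this digest (not SUSE tooling): order RPM versions the way
rpm's rpmvercmp() does and flag installed packages that are older than the
fixed name-version-release an advisory lists. The inventory is constructed;
the fixed NVRs are copied from the advisories in this digest."""
import re
from typing import List, Tuple

_SEPARATORS = re.compile(r"[^0-9A-Za-z~]*")  # skipped between segments
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Numeric segments compare as integers (leading zeros dropped), alphabetic
    segments as strings, a numeric segment outranks an alphabetic one, and
    '~' sorts before anything, even end of string (1.0~rc1 < 1.0). The '^'
    separator of newer rpm releases is not modelled.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one = one[_SEPARATORS.match(one).end():]
        two = two[_SEPARATORS.match(two).end():]
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break  # one side is exhausted; decided after the loop
        if one[0].isdigit():
            m1, m2, numeric = _DIGITS.match(one), _DIGITS.match(two), True
        else:
            m1, m2, numeric = _ALPHA.match(one), _ALPHA.match(two), False
        if m2 is None:
            return 1 if numeric else -1  # segment types differ: numeric wins
        seg1, seg2 = m1.group(0), m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if numeric:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' at its last two hyphens (names may contain
    hyphens; version and release may not). Epochs are not modelled: no package
    in this digest carries one."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    n1, v1, r1 = parse_nvr(installed)
    n2, v2, r2 = parse_nvr(fixed)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def unpatched(installed: List[str], fixed: List[str]) -> List[str]:
    """Installed NVRs older than the fixed NVR of the same package name;
    packages the advisories do not mention are ignored."""
    fixed_by_name = {parse_nvr(f)[0]: f for f in fixed}
    result = []
    for nvr in installed:
        target = fixed_by_name.get(parse_nvr(nvr)[0])
        if target is not None and compare_nvr(nvr, target) < 0:
            result.append(nvr)
    return result


# Constructed inventory in `rpm -qa` form (not from the advisories).
INSTALLED = [
    "clamav-0.98.5-0.5.1",      # older version
    "bind-libs-9.9.6P1-0.5.5",  # already at the fixed release
    "bind-9.9.4P2-0.4.1",       # older version
    "ntp-4.2.4p8-1.29.32.1",    # already at the fixed release
    "krb5-client-1.12.1-8.1",   # same version, older release
    "hello-1.0-1.1",            # not covered by any advisory
]
# Fixed NVRs copied from the advisories above (products mixed for illustration).
FIXED = ["clamav-0.98.6-0.6.1", "bind-9.9.6P1-0.5.5", "bind-libs-9.9.6P1-0.5.5",
         "ntp-4.2.4p8-1.29.32.1", "krb5-client-1.12.1-9.1"]

if __name__ == "__main__":
    for nvr in unpatched(INSTALLED, FIXED):
        print("needs update:", nvr)
```

On a real host the INSTALLED list would come from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; the comparison logic is unchanged.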
Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 0.98.6]:

      clamav-0.98.6-0.6.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.98.6]:

      clamav-0.98.6-0.6.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 0.98.6]:

      clamav-0.98.6-0.6.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 0.98.6]:

      clamav-0.98.6-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 0.98.6]:

      clamav-0.98.6-0.8.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 0.98.6]:

      clamav-0.98.6-0.6.1

References:

   http://support.novell.com/security/cve/CVE-2014-9328.html
   http://support.novell.com/security/cve/CVE-2015-1461.html
   http://support.novell.com/security/cve/CVE-2015-1462.html
   http://support.novell.com/security/cve/CVE-2015-1463.html
   https://bugzilla.suse.com/915512
   https://bugzilla.suse.com/916214
   https://bugzilla.suse.com/916215
   https://bugzilla.suse.com/916217
   http://download.suse.com/patch/finder/?keywords=2f44be276ad7a4e53a81812520e256c5
   http://download.suse.com/patch/finder/?keywords=b856018fc4dcd95c039167b1ea1c6e5d
   http://download.suse.com/patch/finder/?keywords=b857e6f07106efda6eeb4c842640e58f
   http://download.suse.com/patch/finder/?keywords=cabd1033f09ef394f7aad5c3fbd890a1

From sle-security-updates at lists.suse.com  Tue Feb 17 08:04:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Feb 2015 16:04:57 +0100 (CET)
Subject: SUSE-SU-2015:0304-1: important: Security update for java-1_7_1-ibm
Message-ID: <20150217150457.24A9F32371@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0304-1
Rating:             important
References:         #916265 #916266
Cross-References:   CVE-2014-8891 CVE-2014-8892
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   java-1_7_1-ibm was updated to fix two security issues.

   These security issues were fixed:
   - CVE-2014-8892: Unspecified vulnerability (bnc#916265).
   - CVE-2014-8891: Unspecified vulnerability (bnc#916266).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-80=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-80=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      java-1_7_1-ibm-devel-1.7.1_sr2.10-8.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr2.10-8.1
      java-1_7_1-ibm-jdbc-1.7.1_sr2.10-8.1

   - SUSE Linux Enterprise Server 12 (x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr2.10-8.1
      java-1_7_1-ibm-plugin-1.7.1_sr2.10-8.1

References:

   http://support.novell.com/security/cve/CVE-2014-8891.html
   http://support.novell.com/security/cve/CVE-2014-8892.html
   https://bugzilla.suse.com/916265
   https://bugzilla.suse.com/916266

From sle-security-updates at lists.suse.com  Tue Feb 17 08:05:26 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Feb 2015 16:05:26 +0100 (CET)
Subject: SUSE-SU-2015:0305-1: moderate: Security update for compat-openssl098
Message-ID: <20150217150526.2541E32371@maintenance.suse.de>

SUSE Security Update: Security update for compat-openssl098
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0305-1
Rating:             moderate
References:         #892403 #912014 #912015 #912018 #912293 #912294 #912296
Cross-References:   CVE-2014-0224 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
                    CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
Affected Products:
                    SUSE Linux Enterprise Module for Legacy Software 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   The openssl 0.9.8j compatibility package was updated to fix several
   security vulnerabilities:

   CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results on
   some platforms, including x86_64.

   CVE-2014-3571: Fix crash in dtls1_get_record whilst in the listen state
   where you get two separate reads performed - one for the header and one
   for the body of the handshake record.

   CVE-2014-3572: Do not accept a handshake using ephemeral ECDH ciphersuites
   with the server key exchange message omitted.

   CVE-2014-8275: Fixed various certificate fingerprint issues.

   CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.

   CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it
   doesn't support DH certificates and this typo prohibits skipping of
   certificate verify message for sign only certificates anyway. (This patch
   only fixes the wrong condition.)

   This update also fixes a regression caused by CVE-2014-0224.patch
   (bnc#892403).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Legacy Software 12:

      zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-78=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-78=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):

      compat-openssl098-debugsource-0.9.8j-70.2
      libopenssl0_9_8-0.9.8j-70.2
      libopenssl0_9_8-32bit-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      compat-openssl098-debugsource-0.9.8j-70.2
      libopenssl0_9_8-0.9.8j-70.2
      libopenssl0_9_8-32bit-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2

References:

   http://support.novell.com/security/cve/CVE-2014-0224.html
   http://support.novell.com/security/cve/CVE-2014-3570.html
   http://support.novell.com/security/cve/CVE-2014-3571.html
   http://support.novell.com/security/cve/CVE-2014-3572.html
   http://support.novell.com/security/cve/CVE-2014-8275.html
   http://support.novell.com/security/cve/CVE-2015-0204.html
   http://support.novell.com/security/cve/CVE-2015-0205.html
   https://bugzilla.suse.com/892403
   https://bugzilla.suse.com/912014
   https://bugzilla.suse.com/912015
   https://bugzilla.suse.com/912018
   https://bugzilla.suse.com/912293
   https://bugzilla.suse.com/912294
   https://bugzilla.suse.com/912296

From sle-security-updates at lists.suse.com  Tue Feb 17 08:06:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Feb 2015 16:06:52 +0100 (CET)
Subject: SUSE-SU-2015:0306-1: important: Security update for java-1_6_0-ibm
Message-ID: <20150217150652.062B232371@maintenance.suse.de>

SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0306-1
Rating:             important
References:         #916265 #916266
Cross-References:   CVE-2014-8891 CVE-2014-8892
Affected Products:
                    SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.
Description:

   java-1_6_0-ibm was updated to fix two security issues.

   These security issues were fixed:
   - CVE-2014-8892: Unspecified vulnerability (bnc#916265).
   - CVE-2014-8891: Unspecified vulnerability (bnc#916266).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Legacy Software 12:

      zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-79=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.3-12.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.3-12.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.3-12.1

   - SUSE Linux Enterprise Module for Legacy Software 12 (x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.3-12.1

References:

   http://support.novell.com/security/cve/CVE-2014-8891.html
   http://support.novell.com/security/cve/CVE-2014-8892.html
   https://bugzilla.suse.com/916265
   https://bugzilla.suse.com/916266

From sle-security-updates at lists.suse.com  Wed Feb 18 02:04:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Feb 2015 10:04:57 +0100 (CET)
Subject: SUSE-SU-2015:0307-1: moderate: Security update for wireshark
Message-ID: <20150218090457.358E432371@maintenance.suse.de>

SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0307-1
Rating:             moderate
References:         #912365 #912368 #912369 #912370 #912372
Cross-References:   CVE-2015-0559 CVE-2015-0560 CVE-2015-0561 CVE-2015-0562
                    CVE-2015-0563 CVE-2015-0564
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.
Description:

   This update fixes the following security issues:

   - The following vulnerabilities allowed Wireshark to be crashed by
     injecting a malformed packet onto the wire or by convincing someone to
     read a malformed packet trace file.
     + The WCCP dissector could crash. wnpa-sec-2015-01 CVE-2015-0559
       CVE-2015-0560 [boo#912365]
     + The LPP dissector could crash. wnpa-sec-2015-02 CVE-2015-0561
       [boo#912368]
     + The DEC DNA Routing Protocol dissector could crash. wnpa-sec-2015-03
       CVE-2015-0562 [boo#912369]
     + The SMTP dissector could crash. wnpa-sec-2015-04 CVE-2015-0563
       [boo#912370]
     + Wireshark could crash while decrypting TLS/SSL sessions.
       wnpa-sec-2015-05 CVE-2015-0564 [boo#912372]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-81=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-81=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-81=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      wireshark-debuginfo-1.10.12-4.1
      wireshark-debugsource-1.10.12-4.1
      wireshark-devel-1.10.12-4.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      wireshark-1.10.12-4.1
      wireshark-debuginfo-1.10.12-4.1
      wireshark-debugsource-1.10.12-4.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      wireshark-1.10.12-4.1
      wireshark-debuginfo-1.10.12-4.1
      wireshark-debugsource-1.10.12-4.1

References:

   http://support.novell.com/security/cve/CVE-2015-0559.html
   http://support.novell.com/security/cve/CVE-2015-0560.html
   http://support.novell.com/security/cve/CVE-2015-0561.html
   http://support.novell.com/security/cve/CVE-2015-0562.html
   http://support.novell.com/security/cve/CVE-2015-0563.html
   http://support.novell.com/security/cve/CVE-2015-0564.html
   https://bugzilla.suse.com/912365
   https://bugzilla.suse.com/912368
   https://bugzilla.suse.com/912369
   https://bugzilla.suse.com/912370
   https://bugzilla.suse.com/912372

From sle-security-updates at lists.suse.com  Wed Feb 18 04:07:37 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Feb 2015 12:07:37 +0100 (CET)
Subject: SUSE-SU-2015:0316-1: moderate: Security update for perl-Capture-Tiny
Message-ID: <20150218110737.9473332371@maintenance.suse.de>

SUSE Security Update: Security update for perl-Capture-Tiny
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0316-1
Rating:             moderate
References:         #862743
Cross-References:   CVE-2014-1875
Affected Products:
                    SUSE Linux Enterprise Build System Kit 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   perl-Capture-Tiny was updated to fix one security issue.
This security issue was fixed:

- CVE-2014-1875: The Capture::Tiny module before 0.24 for Perl allowed local users to write to arbitrary files via a symlink attack on a temporary file (bnc#862743).

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Build System Kit 12:
  zypper in -t patch SUSE-SLE-BSK-12-2015-82=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Build System Kit 12 (noarch):
  perl-Capture-Tiny-0.23-4.1

References:
http://support.novell.com/security/cve/CVE-2014-1875.html
https://bugzilla.suse.com/862743

From sle-security-updates at lists.suse.com Wed Feb 18 09:05:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Feb 2015 17:05:56 +0100 (CET)
Subject: SUSE-SU-2015:0320-1: moderate: Security update for hivex
Message-ID: <20150218160556.4842132371@maintenance.suse.de>

SUSE Security Update: Security update for hivex
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0320-1
Rating: moderate
References: #908614
Cross-References: CVE-2014-9273
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12
  SUSE Linux Enterprise Server 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update fixes the following security issue:

- CVE-2014-9273: Possible DoS because of missing size checks (bnc#908614)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12:
  zypper in -t patch SUSE-SLE-SDK-12-2015-83=1
- SUSE Linux Enterprise Server 12:
  zypper in -t patch SUSE-SLE-SERVER-12-2015-83=1

To bring your system up-to-date, use "zypper patch".
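The perl-Capture-Tiny issue above (CVE-2014-1875) is the classic symlink attack on a temporary file: a program creates a temp file under a predictable name in a shared directory, a local attacker who can guess that name plants a symlink there first, and the program's write lands wherever the link points. The Python script below is an added example, not code from Capture::Tiny or from SUSE. It reproduces the bug class with two hypothetical helpers: unsafe_write, which opens a predictable path with plain open(path, "w") and so follows the attacker's link, and safe_write, which opens with O_CREAT|O_EXCL and therefore fails on anything that already exists at that path (tempfile.mkstemp adds an unpredictable name to the same O_EXCL open, which is the fix a library should use). The victim file, the link and the data are all constructed, and the whole run stays inside a private scratch directory. Note also that the fixed package is perl-Capture-Tiny-0.23-4.1: the fix is backported, so the CVE text's "before 0.24" test does not apply to the distribution package's version.

```python
"""Symlink attack on a predictably named temporary file, and the hardened open.

Added example (not Capture::Tiny or SUSE code). The victim file, the
attacker's symlink and all data below are constructed for the demo.
"""
import os
import tempfile


def unsafe_write(path, data):
    """Vulnerable pattern: open(path, "w") follows a symlink at `path` and
    truncates and overwrites whatever the link points to."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Hardened pattern: O_CREAT|O_EXCL makes open(2) fail with EEXIST if
    anything (a symlink included) already exists at `path`, so a name the
    attacker pre-created cannot redirect the write. Mode 0o600 keeps the
    new file private. Raises OSError when the planted link is present."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_tempfile(directory):
    """What a fixed library does instead of using a guessable name:
    mkstemp() picks a random name and opens it with O_CREAT|O_EXCL."""
    return tempfile.mkstemp(dir=directory, prefix="capture-")


def run_attack():
    """Stage the attack in a private scratch directory.

    Returns (victim_after_unsafe, safe_write_succeeded,
             victim_after_safe, mkstemp_path_is_symlink).
    """
    with tempfile.TemporaryDirectory() as scratch:
        # The file the local attacker wants clobbered (think: a config file
        # owned by the user who will run the vulnerable program).
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "w") as f:
            f.write("original contents\n")

        # The attacker guesses the temporary file name the program will use
        # and plants a symlink to the victim there before the program runs.
        predictable = os.path.join(scratch, "capture.tmp")
        os.symlink(victim, predictable)

        # Vulnerable writer: the data ends up in victim.conf.
        unsafe_write(predictable, "attacker-chosen data\n")
        with open(victim) as f:
            after_unsafe = f.read()

        # Hardened writer: refuses because the path already exists.
        try:
            safe_write(predictable, "should never land\n")
            safe_succeeded = True
        except OSError:
            safe_succeeded = False
        with open(victim) as f:
            after_safe = f.read()

        # Library-style fix: unpredictable name plus O_EXCL. The attacker
        # cannot pre-create a name they cannot guess.
        fd, tmp = safe_tempfile(scratch)
        os.close(fd)
        tmp_is_link = os.path.islink(tmp)

    return after_unsafe, safe_succeeded, after_safe, tmp_is_link


if __name__ == "__main__":
    a, ok, b, link = run_attack()
    print("victim after unsafe write:      ", repr(a))
    print("safe_write succeeded on the link:", ok)
    print("victim after safe_write attempt: ", repr(b))
    print("mkstemp path is a symlink:       ", link)
```

On Linux, fs.protected_symlinks=1 refuses to follow a symlink in a sticky world-writable directory such as /tmp when the link's owner differs from the process following it, which blunts this attack class but does not remove it (it does not cover non-sticky directories or links owned by the same user, which is why the demo's unsafe write still goes through). The durable fix is the O_EXCL open with an unguessable name.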
Package List:

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
  hivex-debuginfo-1.3.10-4.1
  hivex-debugsource-1.3.10-4.1
  hivex-devel-1.3.10-4.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
  hivex-debuginfo-1.3.10-4.1
  hivex-debugsource-1.3.10-4.1
  libhivex0-1.3.10-4.1
  libhivex0-debuginfo-1.3.10-4.1
  perl-Win-Hivex-1.3.10-4.1
  perl-Win-Hivex-debuginfo-1.3.10-4.1

References:
http://support.novell.com/security/cve/CVE-2014-9273.html
https://bugzilla.suse.com/908614

From sle-security-updates at lists.suse.com Wed Feb 18 17:05:01 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Feb 2015 01:05:01 +0100 (CET)
Subject: SUSE-SU-2015:0322-1: important: Security update for xntp
Message-ID: <20150219000501.9FF793236F@maintenance.suse.de>

SUSE Security Update: Security update for xntp
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0322-1
Rating: important
References: #911792
Cross-References: CVE-2014-9293 CVE-2014-9294 CVE-2014-9297 CVE-2014-9298
Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

xntp has been updated to fix four security issues (CVE-2014-9293, CVE-2014-9294, CVE-2014-9297 and CVE-2014-9298). Two of them are described here:

* CVE-2014-9298: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed (bnc#911792).
* CVE-2014-9297: vallen is not validated in several places in ntp_crypto.c, leading to a potential information leak (bnc#911792).
Security Issues: * CVE-2014-9294 * CVE-2014-9293 * CVE-2014-9298 * CVE-2014-9297 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): xntp-4.2.4p3-48.27.1 xntp-doc-4.2.4p3-48.27.1 References: http://support.novell.com/security/cve/CVE-2014-9293.html http://support.novell.com/security/cve/CVE-2014-9294.html http://support.novell.com/security/cve/CVE-2014-9297.html http://support.novell.com/security/cve/CVE-2014-9298.html https://bugzilla.suse.com/911792 http://download.suse.com/patch/finder/?keywords=8c2302f77b01413a386c6a33bf81dd42 From sle-security-updates at lists.suse.com Wed Feb 18 20:08:24 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Feb 2015 04:08:24 +0100 (CET) Subject: SUSE-SU-2015:0324-1: Security update for openstack-nova Message-ID: <20150219030824.9A4153236E@maintenance.suse.de> SUSE Security Update: Security update for openstack-nova ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0324-1 Rating: low References: #867922 #897815 #898371 #899190 #899199 #901087 #903013 Cross-References: CVE-2014-3608 CVE-2014-3708 CVE-2014-7230 CVE-2014-7231 CVE-2014-8750 Affected Products: SUSE Cloud 4 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has two fixes is now available. It includes one version update. 
Description: This update for openstack-nova provides stability fixes from the upstream OpenStack project: * Add @retry_on_deadlock to _instance_update() * Fix nova-compute start issue after evacuate * Fix nova evacuate issues for RBD * Add _wrap_db_error() support to SessionTransaction.commit() * Fixes DoS issue in instance list ip filter (bnc#903013, CVE-2014-3708) * Make the block device mapping retries configurable * Retry on closing of luks encrypted volume in case device is busy * Nova api service doesn't handle SIGHUP properly * Fix XML UnicodeEncode serialization error * share neutron admin auth tokens * Fix CellStateManagerFile init to failure * postgresql: use postgres db instead of template1 * Fix instance cross AZ check when attaching volumes * Fixes missing ec2 api address disassociate error on failure * Ignore errors when deleting non-existing vifs * VMware: validate that VM exists on backend prior to deletion * VMWare: Fix VM leak when deletion of VM during resizing * Sync process utils from oslo * VMware: prevent race condition with VNC port allocation (bnc#901087, CVE-2014-8750) * Fixes Hyper-V volume mapping issue on reboot * Raise descriptive error for over volume quota * libvirt: Handle unsupported host capabilities * libvirt: Make fakelibvirt.libvirtError match * Adds tests for Hyper-V VM Utils * Removes unnecessary instructions in test_hypervapi * Fixes a Hyper-V list_instances localization issue * Adds list_instance_uuids to the Hyper-V driver * Add _wrap_db_error() support to Session.commit() * Sync process and str utils from oslo (bnc#899190 CVE-2014-7230 CVE-2014-7231) * Fixes Hyper-V agent force_hyperv_utils_v1 flag issue * Fix live-migration failure in FC multipath case * libvirt: Save device_path in connection_info when booting from volume * Fixes Hyper-V boot from volume root device issue * Catch missing Glance image attrs with None * Adds get_instance_disk_info to compute drivers * Include next link when default limit is reached * VM 
in rescue state must have a restricted set of actions to avoid leaking rescued images (bnc#899199, CVE-2014-3608) * libvirt: return the correct instance path while cleanup_resize * Fix nova image-show with queued image * _translate_from_glance() can cause an unnecessary HTTP request * Neutron: Atomic update of instance info cache * Ensure info cache updates don't overwhelm cells * remove test_multiprocess_api * Fixes Hyper-V resize down exception * libvirt: Use VIR_DOMAIN_AFFECT_LIVE for paused instances * Fix _parse_datetime in simple tenant usage extension * Avoid traceback logs from simple tenant usage extension * Made unassigned networks visible in flat networking * VMware: validate that VM exists on backend prior to deletion (bnc#898371) * Fix attaching config drive issue on Hyper-V when migrate instances * Do not fail cell's instance deletion, if it's missing info_cache * Fixes Hyper-V vm state issue * Update block_device_info to contain swap and ephemeral disks * Loosen import_exceptions to cover all of gettextutils * Fix instance boot when Ceph is used for ephemeral storage * VMware: do not cache image when root_gb is 0 * Delete image when backup operation failed on snapshot step * db: Add @_retry_on_deadlock to service_update() * Fix rootwrap for non openstack.org iqn's * Add Hyper-V driver in the "compute_driver" option description * Block sqlalchemy migrate 0.9.2 as it breaks all of nova * Move the error check for "brctl addif" * Add a retry_on_deadlock to reservations_expire * Add expire reservations in backport position * Make floatingip-ip-delete atomic with neutron * add repr for event objects * make lifecycle event logs more clear * Fix race condition with vif plugging in finish migrate * Delay STOPPED lifecycle event for Xen domains (bnc#867922) * Fix FloatingIP.save() passing FixedIP object to sqlalchemy * fix filelist * use %_rundir if available, otherwise /var/run * Fix expected error details from jsonschema * replace NovaException with 
VirtualInterfaceCreate when neutron fails * Fixes Hyper-V SCSI slot selection * libvirt: convert cpu features attribute from list to a set * Read deleted instances during lifecycle events * shelve doesn't work on nova-cells environment * Mask block_device_info auth_password in virt driver debug logs * only emit deprecation warnings once Security Issues: * CVE-2014-3708 * CVE-2014-3608 * CVE-2014-7230 * CVE-2014-7231 * CVE-2014-8750 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Cloud 4: zypper in -t patch sleclo40sp3-openstack-nova-0115=10199 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Cloud 4 (x86_64) [New Version: 2014.1.4.dev49]: openstack-nova-2014.1.4.dev49-0.7.1 openstack-nova-api-2014.1.4.dev49-0.7.1 openstack-nova-cells-2014.1.4.dev49-0.7.1 openstack-nova-cert-2014.1.4.dev49-0.7.1 openstack-nova-compute-2014.1.4.dev49-0.7.1 openstack-nova-conductor-2014.1.4.dev49-0.7.1 openstack-nova-console-2014.1.4.dev49-0.7.1 openstack-nova-consoleauth-2014.1.4.dev49-0.7.1 openstack-nova-novncproxy-2014.1.4.dev49-0.7.1 openstack-nova-objectstore-2014.1.4.dev49-0.7.1 openstack-nova-scheduler-2014.1.4.dev49-0.7.1 openstack-nova-vncproxy-2014.1.4.dev49-0.7.1 python-nova-2014.1.4.dev49-0.7.1 - SUSE Cloud 4 (noarch) [New Version: 2014.1.4.dev49]: openstack-nova-doc-2014.1.4.dev49-0.7.1 References: http://support.novell.com/security/cve/CVE-2014-3608.html http://support.novell.com/security/cve/CVE-2014-3708.html http://support.novell.com/security/cve/CVE-2014-7230.html http://support.novell.com/security/cve/CVE-2014-7231.html http://support.novell.com/security/cve/CVE-2014-8750.html https://bugzilla.suse.com/867922 https://bugzilla.suse.com/897815 https://bugzilla.suse.com/898371 https://bugzilla.suse.com/899190 https://bugzilla.suse.com/899199 https://bugzilla.suse.com/901087 https://bugzilla.suse.com/903013 
http://download.suse.com/patch/finder/?keywords=d140dcf28b797b3045a71f4e6cd6e0fc

From sle-security-updates at lists.suse.com Thu Feb 19 16:04:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Feb 2015 00:04:56 +0100 (CET)
Subject: SUSE-SU-2015:0336-1: important: Security update for java-1_7_0-openjdk
Message-ID: <20150219230456.58C863236E@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0336-1
Rating: important
References: #914041
Cross-References: CVE-2014-3566 CVE-2014-6549 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0400 CVE-2015-0403 CVE-2015-0406 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 CVE-2015-0413 CVE-2015-0421 CVE-2015-0437
Affected Products: SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 19 vulnerabilities is now available. It includes one version update.

Description:

java-1_7_0-openjdk was updated to fix 19 security issues. Details are available at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA

Security Issues:
* CVE-2014-6601
* CVE-2015-0412
* CVE-2014-6549
* CVE-2015-0408
* CVE-2015-0395
* CVE-2015-0437
* CVE-2015-0403
* CVE-2015-0421
* CVE-2015-0406
* CVE-2015-0383
* CVE-2015-0400
* CVE-2015-0407
* CVE-2015-0410
* CVE-2014-6587
* CVE-2014-3566
* CVE-2014-6593
* CVE-2014-6585
* CVE-2014-6591
* CVE-2015-0413

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-java-1_7_0-openjdk=10286

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.7.0.75]: java-1_7_0-openjdk-1.7.0.75-0.7.1 java-1_7_0-openjdk-demo-1.7.0.75-0.7.1 java-1_7_0-openjdk-devel-1.7.0.75-0.7.1 References: http://support.novell.com/security/cve/CVE-2014-3566.html http://support.novell.com/security/cve/CVE-2014-6549.html http://support.novell.com/security/cve/CVE-2014-6585.html http://support.novell.com/security/cve/CVE-2014-6587.html http://support.novell.com/security/cve/CVE-2014-6591.html http://support.novell.com/security/cve/CVE-2014-6593.html http://support.novell.com/security/cve/CVE-2014-6601.html http://support.novell.com/security/cve/CVE-2015-0383.html http://support.novell.com/security/cve/CVE-2015-0395.html http://support.novell.com/security/cve/CVE-2015-0400.html http://support.novell.com/security/cve/CVE-2015-0403.html http://support.novell.com/security/cve/CVE-2015-0406.html http://support.novell.com/security/cve/CVE-2015-0407.html http://support.novell.com/security/cve/CVE-2015-0408.html http://support.novell.com/security/cve/CVE-2015-0410.html http://support.novell.com/security/cve/CVE-2015-0412.html http://support.novell.com/security/cve/CVE-2015-0413.html http://support.novell.com/security/cve/CVE-2015-0421.html http://support.novell.com/security/cve/CVE-2015-0437.html https://bugzilla.suse.com/914041 http://download.suse.com/patch/finder/?keywords=8d9a18b0ce3289f724b64f4b4dccc67e From sle-security-updates at lists.suse.com Fri Feb 20 17:05:20 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 21 Feb 2015 01:05:20 +0100 (CET) Subject: SUSE-SU-2015:0343-1: important: Security update for java-1_7_0-ibm Message-ID: <20150221000520.289B63236E@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0343-1 Rating: important References: #916265 #916266 
Cross-References: CVE-2014-8891 CVE-2014-8892 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: java-1_7_0-ibm was updated to fix two security issues: * CVE-2014-8891: Unspecified vulnerability * CVE-2014-8892: Unspecified vulnerability Security Issues: * CVE-2014-8892 * CVE-2014-8891 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-java-1_6_0-ibm=10299 sdksp3-java-1_7_0-ibm=10300 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-java-1_6_0-ibm=10299 slessp3-java-1_7_0-ibm=10300 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-java-1_6_0-ibm=10299 slessp3-java-1_7_0-ibm=10300 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ppc64 s390x x86_64): java-1_6_0-ibm-devel-1.6.0_sr16.3-0.4.1 java-1_7_0-ibm-devel-1.7.0_sr8.10-0.6.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): java-1_6_0-ibm-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): java-1_6_0-ibm-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.1 java-1_7_0-ibm-1.7.0_sr8.10-0.6.1 java-1_7_0-ibm-alsa-1.7.0_sr8.10-0.6.1 java-1_7_0-ibm-jdbc-1.7.0_sr8.10-0.6.1 java-1_7_0-ibm-plugin-1.7.0_sr8.10-0.6.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ppc64 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.1 java-1_7_0-ibm-1.7.0_sr8.10-0.6.1 java-1_7_0-ibm-jdbc-1.7.0_sr8.10-0.6.1 - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.1 java-1_7_0-ibm-alsa-1.7.0_sr8.10-0.6.1 java-1_7_0-ibm-plugin-1.7.0_sr8.10-0.6.1 - SUSE Linux Enterprise Server 11 SP3 (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.1 References: http://support.novell.com/security/cve/CVE-2014-8891.html http://support.novell.com/security/cve/CVE-2014-8892.html https://bugzilla.suse.com/916265 https://bugzilla.suse.com/916266 http://download.suse.com/patch/finder/?keywords=d0fabcb64d4c31a5f5c8a2085498a9f2 http://download.suse.com/patch/finder/?keywords=dd24d5afde779e1651d8cfeb6cdfc2bc From sle-security-updates at lists.suse.com Fri Feb 20 17:05:45 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 21 Feb 2015 01:05:45 +0100 (CET) Subject: SUSE-SU-2015:0344-1: important: Security update for java-1_7_0-ibm Message-ID: <20150221000545.124763236E@maintenance.suse.de> SUSE 
Security Update: Security update for java-1_7_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0344-1 Rating: important References: #891701 #901223 #901239 #904889 #916265 #916266 Cross-References: CVE-2014-8891 CVE-2014-8892 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has four fixes is now available. Description: java-1_7_0-ibm was updated to version 1.7.0_sr7.3 to fix 37 security issues: * CVE-2014-8891: Unspecified vulnerability (bnc#916266) * CVE-2014-8892: Unspecified vulnerability (bnc#916265) * CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache (bnc#904889). * CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue (bnc#901223). * CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT (bnc#901239). * CVE-2014-6456: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors (bnc#901239). 
* CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532 (bnc#901239). * CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503 (bnc#901239). * CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532 (bnc#901239). * CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532 (bnc#901239). * CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#901239). * CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#901239). * CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#901239). 
* CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6476: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527 (bnc#901239). * CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment (bnc#901239). * CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D (bnc#901239). * CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE (bnc#901239). * CVE-2014-6527: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476 (bnc#901239). 
* CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security (bnc#901239). * CVE-2014-4227: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#891701). * CVE-2014-4262: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#891701). * CVE-2014-4219: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot (bnc#891701). * CVE-2014-4209: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX (bnc#891701). * CVE-2014-4220: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4208 (bnc#891701). * CVE-2014-4268: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing (bnc#891701). * CVE-2014-4218: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#891701). 
* CVE-2014-4252: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security (bnc#891701).
* CVE-2014-4266: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Serviceability (bnc#891701).
* CVE-2014-4265: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment (bnc#891701).
* CVE-2014-4221: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Libraries (bnc#891701).
* CVE-2014-4263: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement" (bnc#891701).
* CVE-2014-4244: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security (bnc#891701).
* CVE-2014-4208: Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220 (bnc#891701).

Security Issues:
* CVE-2014-8892
* CVE-2014-8891

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:
  zypper in -t patch slessp2-java-1_7_0-ibm=10324

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64): java-1_7_0-ibm-1.7.0_sr8.10-0.6.4 java-1_7_0-ibm-alsa-1.7.0_sr8.10-0.6.4 java-1_7_0-ibm-devel-1.7.0_sr8.10-0.6.4 java-1_7_0-ibm-jdbc-1.7.0_sr8.10-0.6.4 java-1_7_0-ibm-plugin-1.7.0_sr8.10-0.6.4 - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x): java-1_7_0-ibm-1.7.0_sr8.10-0.6.5 java-1_7_0-ibm-devel-1.7.0_sr8.10-0.6.5 java-1_7_0-ibm-jdbc-1.7.0_sr8.10-0.6.5 References: http://support.novell.com/security/cve/CVE-2014-8891.html http://support.novell.com/security/cve/CVE-2014-8892.html https://bugzilla.suse.com/891701 https://bugzilla.suse.com/901223 https://bugzilla.suse.com/901239 https://bugzilla.suse.com/904889 https://bugzilla.suse.com/916265 https://bugzilla.suse.com/916266 http://download.suse.com/patch/finder/?keywords=89dfde7681a3e8ac7832df50d44019ed From sle-security-updates at lists.suse.com Fri Feb 20 17:07:09 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 21 Feb 2015 01:07:09 +0100 (CET) Subject: SUSE-SU-2015:0345-1: important: Security update for java-1_6_0-ibm Message-ID: <20150221000709.6DE973236E@maintenance.suse.de> SUSE Security Update: Security update for java-1_6_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0345-1 Rating: important References: #901223 #901239 #904889 #916265 #916266 Cross-References: CVE-2014-8891 CVE-2014-8892 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. 
Description:

   java-1_6_0-ibm was updated to version 1.6.0_sr16.3 to fix 20 security
   issues:

   * CVE-2014-8891: Unspecified vulnerability (bnc#916266)
   * CVE-2014-8892: Unspecified vulnerability (bnc#916265)
   * CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment
     (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before
     SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8
     (5.0.16.8) allows local users to execute arbitrary code via vectors
     related to the shared classes cache (bnc#904889).
   * CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i
     and other products, uses nondeterministic CBC padding, which makes it
     easier for man-in-the-middle attackers to obtain cleartext data via a
     padding-oracle attack, aka the "POODLE" issue (bnc#901223).
   * CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect
     confidentiality, integrity, and availability via vectors related to AWT
     (bnc#901239).
   * CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allows remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532
     (bnc#901239).
   * CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allows remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503
     (bnc#901239).
   * CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allows remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532
     (bnc#901239).
   * CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allows remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532
     (bnc#901239).
   * CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20, when running on Firefox, allows remote attackers to affect
     confidentiality, integrity, and availability via unknown vectors
     related to Deployment (bnc#901239).
   * CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allows local users to affect confidentiality, integrity, and
     availability via unknown vectors related to Deployment (bnc#901239).
   * CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20, when running on Internet Explorer, allows local users to
     affect confidentiality, integrity, and availability via unknown vectors
     related to Deployment (bnc#901239).
   * CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to
     affect confidentiality, integrity, and availability via unknown vectors
     related to Libraries (bnc#901239).
   * CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allows remote attackers to affect integrity via unknown
     vectors related to Deployment (bnc#901239).
   * CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20 allows remote attackers to affect confidentiality via
     unknown vectors related to 2D (bnc#901239).
   * CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to
     affect confidentiality via unknown vectors related to Libraries
     (bnc#901239).
   * CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3
     allows remote attackers to affect integrity via unknown vectors related
     to Libraries (bnc#901239).
   * CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3
     allows remote attackers to affect confidentiality and integrity via
     vectors related to JSSE (bnc#901239).
   * CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to
     affect integrity via unknown vectors related to Libraries (bnc#901239).
   * CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit
     R28.3.3 allows remote attackers to affect integrity via unknown vectors
     related to Security (bnc#901239).

Security Issues:

   * CVE-2014-8892
   * CVE-2014-8891

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
       java-1_6_0-ibm-1.6.0_sr16.3-0.9.1
       java-1_6_0-ibm-devel-1.6.0_sr16.3-0.9.1
       java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.9.1
       java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.9.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
       java-1_6_0-ibm-32bit-1.6.0_sr16.3-0.9.1
       java-1_6_0-ibm-devel-32bit-1.6.0_sr16.3-0.9.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):
       java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.9.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):
       java-1_6_0-ibm-alsa-32bit-1.6.0_sr16.3-0.9.1
       java-1_6_0-ibm-plugin-32bit-1.6.0_sr16.3-0.9.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586):
       java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.9.1

References:

   http://support.novell.com/security/cve/CVE-2014-8891.html
   http://support.novell.com/security/cve/CVE-2014-8892.html
   https://bugzilla.suse.com/901223
   https://bugzilla.suse.com/901239
   https://bugzilla.suse.com/904889
   https://bugzilla.suse.com/916265
   https://bugzilla.suse.com/916266
   http://download.suse.com/patch/finder/?keywords=a992e300008dd2cf884e0b1fa9206267

From sle-security-updates at lists.suse.com Mon Feb 23 02:04:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Feb 2015 10:04:56 +0100 (CET)
Subject: SUSE-SU-2015:0349-1: moderate: Security update for qemu
Message-ID: <20150223090456.9763A32371@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0349-1
Rating:             moderate
References:         #905097 #907805 #908380
Cross-References:   CVE-2014-7840 CVE-2014-8106
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   QEMU was updated to fix various bugs and security issues.

   The following security issues were fixed:

   CVE-2014-8106: Heap-based buffer overflow in the Cirrus VGA emulator
   (hw/display/cirrus_vga.c) in QEMU allowed local guest users to execute
   arbitrary code via vectors related to blit regions.

   CVE-2014-7840: The host_from_stream_offset function in arch_init.c in
   QEMU, when loading RAM during migration, allowed remote attackers to
   execute arbitrary code via a crafted (1) offset or (2) length value in
   savevm data.

   Also a bug was fixed where qemu-img convert could occasionally corrupt
   images. (bsc#908380)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-88=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-88=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
       qemu-2.0.2-42.1 qemu-block-curl-2.0.2-42.1
       qemu-block-curl-debuginfo-2.0.2-42.1 qemu-debugsource-2.0.2-42.1
       qemu-guest-agent-2.0.2-42.1 qemu-guest-agent-debuginfo-2.0.2-42.1
       qemu-lang-2.0.2-42.1 qemu-tools-2.0.2-42.1
       qemu-tools-debuginfo-2.0.2-42.1
   - SUSE Linux Enterprise Server 12 (s390x x86_64):
       qemu-kvm-2.0.2-42.1
   - SUSE Linux Enterprise Server 12 (ppc64le):
       qemu-ppc-2.0.2-42.1 qemu-ppc-debuginfo-2.0.2-42.1
   - SUSE Linux Enterprise Server 12 (noarch):
       qemu-ipxe-1.0.0-42.1 qemu-seabios-1.7.4-42.1 qemu-sgabios-8-42.1
       qemu-vgabios-1.7.4-42.1
   - SUSE Linux Enterprise Server 12 (x86_64):
       qemu-x86-2.0.2-42.1 qemu-x86-debuginfo-2.0.2-42.1
   - SUSE Linux Enterprise Server 12 (s390x):
       qemu-s390-2.0.2-42.1 qemu-s390-debuginfo-2.0.2-42.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
       qemu-2.0.2-42.1 qemu-block-curl-2.0.2-42.1
       qemu-block-curl-debuginfo-2.0.2-42.1 qemu-debugsource-2.0.2-42.1
       qemu-kvm-2.0.2-42.1 qemu-tools-2.0.2-42.1
       qemu-tools-debuginfo-2.0.2-42.1 qemu-x86-2.0.2-42.1
       qemu-x86-debuginfo-2.0.2-42.1
   - SUSE Linux Enterprise Desktop 12 (noarch):
       qemu-ipxe-1.0.0-42.1 qemu-seabios-1.7.4-42.1 qemu-sgabios-8-42.1
       qemu-vgabios-1.7.4-42.1

References:

   http://support.novell.com/security/cve/CVE-2014-7840.html
   http://support.novell.com/security/cve/CVE-2014-8106.html
   https://bugzilla.suse.com/905097
   https://bugzilla.suse.com/907805
   https://bugzilla.suse.com/908380

From sle-security-updates at lists.suse.com Mon Feb 23 08:05:04 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Feb 2015 16:05:04 +0100 (CET)
Subject: SUSE-SU-2015:0353-1: important: Security update for samba
Message-ID: <20150223150504.B07253236E@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0353-1
Rating:             important
References:         #872912 #873922 #876312 #889175
                    #898031 #908627 #913238 #917376
Cross-References:   CVE-2015-0240
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has 7 fixes is now available.

Description:

   samba was updated to fix one security issue.

   This security issue was fixed:
   - CVE-2015-0240: Don't call talloc_free on an uninitialized pointer
     (bnc#917376).

   These non-security issues were fixed:
   - Fix vfs_snapper DBus string handling (bso#11055, bnc#913238).
   - Fix libsmbclient DFS referral handling.
     + Reuse connections derived from DFS referrals (bso#10123).
     + Set domain/workgroup based on authentication callback value
       (bso#11059).
   - pam_winbind: Fix warn_pwd_expire implementation (bso#9056).
   - nsswitch: Fix soname of linux nss_*.so.2 modules (bso#9299).
   - Fix profiles tool (bso#9629).
   - s3-lib: Do not require a password with --use-ccache (bso#10279).
   - s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control
     (bso#10949).
   - s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses
     (bso#10952).
   - s3:smb2_server: Allow reauthentication without signing (bso#10958).
   - s3-smbclient: Return success if we listed the shares (bso#10960).
   - s3-smbstatus: Fix exit code of profile output (bso#10961).
   - libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows
     client does (bso#10966).
   - s3: smbd/modules: Fix *allocate* calls to follow POSIX error return
     convention (bso#10982).
   - Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute
     'supported_extensions' (bso#11006).
   - idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo
     (bso#11006).
   - winbind: Retry LogonControl RPC in ping-dc after session expiration
     (bso#11034).
   - yast2-samba-client should be able to specify osName and osVer on AD
     domain join (bnc#873922).
   - Lookup FSRVP share snums at runtime rather than storing them
     persistently (bnc#908627).
   - Specify soft dependency for network-online.target in Winbind systemd
     service file (bnc#889175).
   - Fix spoolss error response marshalling; (bso#10984).
   - pidl/wscript: Remove --with-perl-* options; revert
     buildtools/wafadmin/Tools/perl.py back to upstream state (bso#10472).
   - s4-dns: Add support for BIND 9.10 (bso#10620).
   - nmbd fails to accept "--piddir" option; (bso#10711).
   - S3: source3/smbd/process.c::srv_send_smb() returns true on the error
     path (bso#10880).
   - vfs_glusterfs: Remove "integer fd" code and store the glfs pointers
     (bso#10889).
   - s3-nmbd: Fix netbios name truncation (bso#10896).
   - spoolss: Fix handling of bad EnumJobs levels (bso#10898).
   - spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).
   - s3: nmbd: Ensure NetBIOS names are only 15 characters stored;
     (bso#10920).
   - s3:smbd: Fix file corruption using "write cache size != 0";
     (bso#10921).
   - pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
   - s3-keytab: Fix keytab array NULL termination; (bso#10933).
   - Cleanup add_string_to_array and usage; (bso#10942).
   - Remove and cleanup shares and registry state associated with externally
     deleted snapshots exposed as shadow copies; (bnc#876312).
   - Use the upstream tar ball, as signature verification is now able to
     handle compressed archives.
   - Fix leak when closing file descriptor returned from dirfd; (bso#10918).
   - Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).
     + Fix handling of bad EnumJobs levels; (bso#10898).
   - Remove dependency on gpg-offline as signature checking is implemented
     in the source validator.
   - s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).
   - s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).
   - s3-libads: Add all machine account principals to the keytab;
     (bso#9985).
   - s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name
     to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).
   - Fix unstrcpy; (bso#10735).
   - pthreadpool: Slightly serialize jobs; (bso#10779).
   - s3: smbd: streams - Ensure share mode validation ignores internal opens
     (op_mid == 0); (bso#10797).
   - s3: smbd:open_file: Open logic fix; Use a more natural check;
     (bso#10809).
   - vfs_media_harmony: Fix a crash bug; (bso#10813).
   - docs: Mention incompatibility between kernel oplocks and
     streams_xattr; (bso#10814).
   - nmbd: Send waiting status to systemd; (bso#10816).
   - libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL;
     (bso#10817).
   - nsswitch: Skip groups we were not able to map; (bso#10824).
   - s3-winbindd: Use correct realm for trusted domains in idmap child;
     (bso#10826).
   - s3: nmbd: Ensure the main nmbd process doesn't create zombies;
     (bso#10830).
   - s3: lib: Signal handling - ensure smbrun and change password code save
     and restore existing SIGCHLD handlers; (bso#10831).
   - idmap_rfc2307: Fix a crash after connection problem to DC;
     (bso#10837).
   - s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs
     call; (bso#10838).
   - s3: smb2cli: Query info return length check was reversed; (bso#10848).
   - registry: Don't leave dangling transactions; (bso#10860).
   - Prune idle or hung connections older than "winbind request timeout";
     (bso#3204); (bnc#872912).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-91=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-91=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-91=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
       libdcerpc-atsvc-devel-4.1.12-16.1 libdcerpc-atsvc0-4.1.12-16.1
       libdcerpc-atsvc0-debuginfo-4.1.12-16.1 libdcerpc-devel-4.1.12-16.1
       libdcerpc-samr-devel-4.1.12-16.1 libdcerpc-samr0-4.1.12-16.1
       libdcerpc-samr0-debuginfo-4.1.12-16.1 libgensec-devel-4.1.12-16.1
       libndr-devel-4.1.12-16.1 libndr-krb5pac-devel-4.1.12-16.1
       libndr-nbt-devel-4.1.12-16.1 libndr-standard-devel-4.1.12-16.1
       libnetapi-devel-4.1.12-16.1 libpdb-devel-4.1.12-16.1
       libregistry-devel-4.1.12-16.1 libsamba-credentials-devel-4.1.12-16.1
       libsamba-hostconfig-devel-4.1.12-16.1 libsamba-policy-devel-4.1.12-16.1
       libsamba-policy0-4.1.12-16.1 libsamba-policy0-debuginfo-4.1.12-16.1
       libsamba-util-devel-4.1.12-16.1 libsamdb-devel-4.1.12-16.1
       libsmbclient-devel-4.1.12-16.1 libsmbclient-raw-devel-4.1.12-16.1
       libsmbconf-devel-4.1.12-16.1 libsmbldap-devel-4.1.12-16.1
       libsmbsharemodes-devel-4.1.12-16.1 libsmbsharemodes0-4.1.12-16.1
       libsmbsharemodes0-debuginfo-4.1.12-16.1 libtevent-util-devel-4.1.12-16.1
       libwbclient-devel-4.1.12-16.1 samba-core-devel-4.1.12-16.1
       samba-debuginfo-4.1.12-16.1 samba-debugsource-4.1.12-16.1
       samba-test-devel-4.1.12-16.1
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
       libdcerpc-binding0-4.1.12-16.1 libdcerpc-binding0-debuginfo-4.1.12-16.1
       libdcerpc0-4.1.12-16.1 libdcerpc0-debuginfo-4.1.12-16.1
       libgensec0-4.1.12-16.1 libgensec0-debuginfo-4.1.12-16.1
       libndr-krb5pac0-4.1.12-16.1 libndr-krb5pac0-debuginfo-4.1.12-16.1
       libndr-nbt0-4.1.12-16.1 libndr-nbt0-debuginfo-4.1.12-16.1
       libndr-standard0-4.1.12-16.1 libndr-standard0-debuginfo-4.1.12-16.1
       libndr0-4.1.12-16.1 libndr0-debuginfo-4.1.12-16.1
       libnetapi0-4.1.12-16.1 libnetapi0-debuginfo-4.1.12-16.1
       libpdb0-4.1.12-16.1 libpdb0-debuginfo-4.1.12-16.1
       libregistry0-4.1.12-16.1 libregistry0-debuginfo-4.1.12-16.1
       libsamba-credentials0-4.1.12-16.1
       libsamba-credentials0-debuginfo-4.1.12-16.1
       libsamba-hostconfig0-4.1.12-16.1
       libsamba-hostconfig0-debuginfo-4.1.12-16.1
       libsamba-util0-4.1.12-16.1 libsamba-util0-debuginfo-4.1.12-16.1
       libsamdb0-4.1.12-16.1 libsamdb0-debuginfo-4.1.12-16.1
       libsmbclient-raw0-4.1.12-16.1 libsmbclient-raw0-debuginfo-4.1.12-16.1
       libsmbclient0-4.1.12-16.1 libsmbclient0-debuginfo-4.1.12-16.1
       libsmbconf0-4.1.12-16.1 libsmbconf0-debuginfo-4.1.12-16.1
       libsmbldap0-4.1.12-16.1 libsmbldap0-debuginfo-4.1.12-16.1
       libtevent-util0-4.1.12-16.1 libtevent-util0-debuginfo-4.1.12-16.1
       libwbclient0-4.1.12-16.1 libwbclient0-debuginfo-4.1.12-16.1
       samba-4.1.12-16.1 samba-client-4.1.12-16.1
       samba-client-debuginfo-4.1.12-16.1 samba-debuginfo-4.1.12-16.1
       samba-debugsource-4.1.12-16.1 samba-libs-4.1.12-16.1
       samba-libs-debuginfo-4.1.12-16.1 samba-winbind-4.1.12-16.1
       samba-winbind-debuginfo-4.1.12-16.1
   - SUSE Linux Enterprise Server 12 (s390x x86_64):
       libdcerpc-binding0-32bit-4.1.12-16.1
       libdcerpc-binding0-debuginfo-32bit-4.1.12-16.1
       libdcerpc0-32bit-4.1.12-16.1 libdcerpc0-debuginfo-32bit-4.1.12-16.1
       libgensec0-32bit-4.1.12-16.1 libgensec0-debuginfo-32bit-4.1.12-16.1
       libndr-krb5pac0-32bit-4.1.12-16.1
       libndr-krb5pac0-debuginfo-32bit-4.1.12-16.1
       libndr-nbt0-32bit-4.1.12-16.1 libndr-nbt0-debuginfo-32bit-4.1.12-16.1
       libndr-standard0-32bit-4.1.12-16.1
       libndr-standard0-debuginfo-32bit-4.1.12-16.1
       libndr0-32bit-4.1.12-16.1 libndr0-debuginfo-32bit-4.1.12-16.1
       libnetapi0-32bit-4.1.12-16.1 libnetapi0-debuginfo-32bit-4.1.12-16.1
       libpdb0-32bit-4.1.12-16.1 libpdb0-debuginfo-32bit-4.1.12-16.1
       libsamba-credentials0-32bit-4.1.12-16.1
       libsamba-credentials0-debuginfo-32bit-4.1.12-16.1
       libsamba-hostconfig0-32bit-4.1.12-16.1
       libsamba-hostconfig0-debuginfo-32bit-4.1.12-16.1
       libsamba-util0-32bit-4.1.12-16.1
       libsamba-util0-debuginfo-32bit-4.1.12-16.1
       libsamdb0-32bit-4.1.12-16.1 libsamdb0-debuginfo-32bit-4.1.12-16.1
       libsmbclient-raw0-32bit-4.1.12-16.1
       libsmbclient-raw0-debuginfo-32bit-4.1.12-16.1
       libsmbclient0-32bit-4.1.12-16.1
       libsmbclient0-debuginfo-32bit-4.1.12-16.1
       libsmbconf0-32bit-4.1.12-16.1 libsmbconf0-debuginfo-32bit-4.1.12-16.1
       libsmbldap0-32bit-4.1.12-16.1 libsmbldap0-debuginfo-32bit-4.1.12-16.1
       libtevent-util0-32bit-4.1.12-16.1
       libtevent-util0-debuginfo-32bit-4.1.12-16.1
       libwbclient0-32bit-4.1.12-16.1 libwbclient0-debuginfo-32bit-4.1.12-16.1
       samba-32bit-4.1.12-16.1 samba-client-32bit-4.1.12-16.1
       samba-client-debuginfo-32bit-4.1.12-16.1
       samba-debuginfo-32bit-4.1.12-16.1 samba-libs-32bit-4.1.12-16.1
       samba-libs-debuginfo-32bit-4.1.12-16.1 samba-winbind-32bit-4.1.12-16.1
       samba-winbind-debuginfo-32bit-4.1.12-16.1
   - SUSE Linux Enterprise Server 12 (noarch):
       samba-doc-4.1.12-16.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
       libdcerpc-binding0-32bit-4.1.12-16.1 libdcerpc-binding0-4.1.12-16.1
       libdcerpc-binding0-debuginfo-32bit-4.1.12-16.1
       libdcerpc-binding0-debuginfo-4.1.12-16.1
       libdcerpc0-32bit-4.1.12-16.1 libdcerpc0-4.1.12-16.1
       libdcerpc0-debuginfo-32bit-4.1.12-16.1 libdcerpc0-debuginfo-4.1.12-16.1
       libgensec0-32bit-4.1.12-16.1 libgensec0-4.1.12-16.1
       libgensec0-debuginfo-32bit-4.1.12-16.1 libgensec0-debuginfo-4.1.12-16.1
       libndr-krb5pac0-32bit-4.1.12-16.1 libndr-krb5pac0-4.1.12-16.1
       libndr-krb5pac0-debuginfo-32bit-4.1.12-16.1
       libndr-krb5pac0-debuginfo-4.1.12-16.1
       libndr-nbt0-32bit-4.1.12-16.1 libndr-nbt0-4.1.12-16.1
       libndr-nbt0-debuginfo-32bit-4.1.12-16.1 libndr-nbt0-debuginfo-4.1.12-16.1
       libndr-standard0-32bit-4.1.12-16.1 libndr-standard0-4.1.12-16.1
       libndr-standard0-debuginfo-32bit-4.1.12-16.1
       libndr-standard0-debuginfo-4.1.12-16.1
       libndr0-32bit-4.1.12-16.1 libndr0-4.1.12-16.1
       libndr0-debuginfo-32bit-4.1.12-16.1 libndr0-debuginfo-4.1.12-16.1
       libnetapi0-32bit-4.1.12-16.1 libnetapi0-4.1.12-16.1
       libnetapi0-debuginfo-32bit-4.1.12-16.1 libnetapi0-debuginfo-4.1.12-16.1
       libpdb0-32bit-4.1.12-16.1 libpdb0-4.1.12-16.1
       libpdb0-debuginfo-32bit-4.1.12-16.1 libpdb0-debuginfo-4.1.12-16.1
       libregistry0-4.1.12-16.1 libregistry0-debuginfo-4.1.12-16.1
       libsamba-credentials0-32bit-4.1.12-16.1 libsamba-credentials0-4.1.12-16.1
       libsamba-credentials0-debuginfo-32bit-4.1.12-16.1
       libsamba-credentials0-debuginfo-4.1.12-16.1
       libsamba-hostconfig0-32bit-4.1.12-16.1 libsamba-hostconfig0-4.1.12-16.1
       libsamba-hostconfig0-debuginfo-32bit-4.1.12-16.1
       libsamba-hostconfig0-debuginfo-4.1.12-16.1
       libsamba-util0-32bit-4.1.12-16.1 libsamba-util0-4.1.12-16.1
       libsamba-util0-debuginfo-32bit-4.1.12-16.1
       libsamba-util0-debuginfo-4.1.12-16.1
       libsamdb0-32bit-4.1.12-16.1 libsamdb0-4.1.12-16.1
       libsamdb0-debuginfo-32bit-4.1.12-16.1 libsamdb0-debuginfo-4.1.12-16.1
       libsmbclient-raw0-32bit-4.1.12-16.1 libsmbclient-raw0-4.1.12-16.1
       libsmbclient-raw0-debuginfo-32bit-4.1.12-16.1
       libsmbclient-raw0-debuginfo-4.1.12-16.1
       libsmbclient0-32bit-4.1.12-16.1 libsmbclient0-4.1.12-16.1
       libsmbclient0-debuginfo-32bit-4.1.12-16.1
       libsmbclient0-debuginfo-4.1.12-16.1
       libsmbconf0-32bit-4.1.12-16.1 libsmbconf0-4.1.12-16.1
       libsmbconf0-debuginfo-32bit-4.1.12-16.1 libsmbconf0-debuginfo-4.1.12-16.1
       libsmbldap0-32bit-4.1.12-16.1 libsmbldap0-4.1.12-16.1
       libsmbldap0-debuginfo-32bit-4.1.12-16.1 libsmbldap0-debuginfo-4.1.12-16.1
       libtevent-util0-32bit-4.1.12-16.1 libtevent-util0-4.1.12-16.1
       libtevent-util0-debuginfo-32bit-4.1.12-16.1
       libtevent-util0-debuginfo-4.1.12-16.1
       libwbclient0-32bit-4.1.12-16.1 libwbclient0-4.1.12-16.1
       libwbclient0-debuginfo-32bit-4.1.12-16.1 libwbclient0-debuginfo-4.1.12-16.1
       samba-32bit-4.1.12-16.1 samba-4.1.12-16.1
       samba-client-32bit-4.1.12-16.1 samba-client-4.1.12-16.1
       samba-client-debuginfo-32bit-4.1.12-16.1 samba-client-debuginfo-4.1.12-16.1
       samba-debuginfo-32bit-4.1.12-16.1 samba-debuginfo-4.1.12-16.1
       samba-debugsource-4.1.12-16.1
       samba-libs-32bit-4.1.12-16.1 samba-libs-4.1.12-16.1
       samba-libs-debuginfo-32bit-4.1.12-16.1 samba-libs-debuginfo-4.1.12-16.1
       samba-winbind-32bit-4.1.12-16.1 samba-winbind-4.1.12-16.1
       samba-winbind-debuginfo-32bit-4.1.12-16.1
       samba-winbind-debuginfo-4.1.12-16.1
   - SUSE Linux Enterprise Desktop 12 (noarch):
       samba-doc-4.1.12-16.1

References:

   http://support.novell.com/security/cve/CVE-2015-0240.html
   https://bugzilla.suse.com/872912
   https://bugzilla.suse.com/873922
   https://bugzilla.suse.com/876312
   https://bugzilla.suse.com/889175
   https://bugzilla.suse.com/898031
   https://bugzilla.suse.com/908627
   https://bugzilla.suse.com/913238
   https://bugzilla.suse.com/917376

From sle-security-updates at lists.suse.com Mon Feb 23 10:04:59 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Feb 2015 18:04:59 +0100 (CET)
Subject: SUSE-SU-2015:0355-1: moderate: Security update for unzip
Message-ID: <20150223170459.3407632371@maintenance.suse.de>

   SUSE Security Update: Security update for unzip
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0355-1
Rating:             moderate
References:         #914442
Cross-References:   CVE-2014-9636
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   unzip was updated to fix one security issue.

   This security issue was fixed:
   - Out-of-bounds read/write in test_compr_eb() in extract.c
     (CVE-2014-9636).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-92=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-92=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
       unzip-6.00-32.1 unzip-debuginfo-6.00-32.1 unzip-debugsource-6.00-32.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
       unzip-6.00-32.1 unzip-debuginfo-6.00-32.1 unzip-debugsource-6.00-32.1

References:

   http://support.novell.com/security/cve/CVE-2014-9636.html
   https://bugzilla.suse.com/914442

From sle-security-updates at lists.suse.com Mon Feb 23 11:05:15 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Feb 2015 19:05:15 +0100 (CET)
Subject: SUSE-SU-2015:0182-2: moderate: Security update for compat-openssl097g
Message-ID: <20150223180515.9BFB332371@maintenance.suse.de>

   SUSE Security Update: Security update for compat-openssl097g
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0182-2
Rating:             moderate
References:         #912014 #912015 #912018 #912293 #912296
Cross-References:   CVE-2014-3570 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204
                    CVE-2015-0205
Affected Products:
                    SUSE Linux Enterprise for SAP Applications 11 SP1
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   OpenSSL (compat-openssl097g) has been updated to fix various security
   issues.

   More information can be found in the OpenSSL advisory:
   http://openssl.org/news/secadv_20150108.txt .

   The following issues have been fixed:

   * CVE-2014-3570: Bignum squaring (BN_sqr) may have produced incorrect
     results on some platforms, including x86_64. (bsc#912296)
   * CVE-2014-3572: Don't accept a handshake using an ephemeral ECDH
     ciphersuites with the server key exchange message omitted.
     (bsc#912015)
   * CVE-2014-8275: Fixed various certificate fingerprint issues.
     (bsc#912018)
   * CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.
     (bsc#912014)
   * CVE-2015-0205: A fix was added to prevent use of DH client
     certificates without sending certificate verify message. Note that
     compat-openssl097g is not affected by this problem, a fix was however
     applied to the sources. (bsc#912293)

Security Issues:

   * CVE-2014-3570
   * CVE-2014-3572
   * CVE-2014-8275
   * CVE-2015-0204
   * CVE-2015-0205

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise for SAP Applications 11 SP1:

      zypper in -t patch slesapp1-compat-openssl097g=10207

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise for SAP Applications 11 SP1 (x86_64):
       compat-openssl097g-0.9.7g-146.22.27.1
       compat-openssl097g-32bit-0.9.7g-146.22.27.1

References:

   http://support.novell.com/security/cve/CVE-2014-3570.html
   http://support.novell.com/security/cve/CVE-2014-3572.html
   http://support.novell.com/security/cve/CVE-2014-8275.html
   http://support.novell.com/security/cve/CVE-2015-0204.html
   http://support.novell.com/security/cve/CVE-2015-0205.html
   https://bugzilla.suse.com/912014
   https://bugzilla.suse.com/912015
   https://bugzilla.suse.com/912018
   https://bugzilla.suse.com/912293
   https://bugzilla.suse.com/912296
   http://download.suse.com/patch/finder/?keywords=09b85b8db8361973359d106ace9fe4b9

From sle-security-updates at lists.suse.com Mon Feb 23 16:06:14 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Feb 2015 00:06:14 +0100 (CET)
Subject: SUSE-SU-2015:0357-1: moderate: Security update for kvm and libvirt
Message-ID: <20150223230615.010E532371@maintenance.suse.de>

   SUSE Security Update: Security update for kvm and libvirt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0357-1
Rating:             moderate
References:         #843074 #852397 #878350 #879665 #897654 #897783 #899144
                    #899484 #900084 #904176 #905097 #907805 #908381
                    #910145 #911742
Cross-References:   CVE-2014-3633 CVE-2014-3640 CVE-2014-3657 CVE-2014-7823
                    CVE-2014-7840 CVE-2014-8106
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 9 fixes is now available.
   It includes two new package versions.

Description:

   This collective update for KVM and libvirt provides fixes for security
   and non-security issues.

   kvm:

   * Fix NULL pointer dereference because of uninitialized UDP socket.
     (bsc#897654, CVE-2014-3640)
   * Fix performance degradation after migration. (bsc#878350)
   * Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in
     FS_IOC_FIEMAP ioctl. (bsc#908381)
   * Add validate hex properties for qdev. (bsc#852397)
   * Add boot option to do strict boot (bsc#900084)
   * Add query-command-line-options QMP command. (bsc#899144)
   * Fix incorrect return value of migrate_cancel. (bsc#843074)
   * Fix insufficient parameter validation during ram load. (bsc#905097,
     CVE-2014-7840)
   * Fix insufficient blit region checks in qemu/cirrus. (bsc#907805,
     CVE-2014-8106)

   libvirt:

   * Fix security hole with migratable flag in dumpxml. (bsc#904176,
     CVE-2014-7823)
   * Fix domain deadlock. (bsc#899484, CVE-2014-3657)
   * Use correct definition when looking up disk in qemu blkiotune.
     (bsc#897783, CVE-2014-3633)
   * Fix undefined symbol when starting virtlockd. (bsc#910145)
   * Add "-boot strict" to qemu's commandline whenever possible.
     (bsc#900084)
   * Add support for "reboot-timeout" in qemu. (bsc#899144)
   * Increase QEMU's monitor timeout to 30sec. (bsc#911742)
   * Allow setting QEMU's migration max downtime any time. (bsc#879665)

Security Issues:

   * CVE-2014-7823
   * CVE-2014-3657
   * CVE-2014-3633
   * CVE-2014-3640
   * CVE-2014-7840
   * CVE-2014-8106

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-kvm-libvirt-201412=10222

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-kvm-libvirt-201412=10222

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-kvm-libvirt-201412=10222

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ppc64 s390x x86_64) [New Version: 1.0.5.9]:
       libvirt-devel-1.0.5.9-0.19.3
   - SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64) [New Version: 1.0.5.9]:
       libvirt-devel-32bit-1.0.5.9-0.19.3
   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ia64) [New Version: 1.0.5.9]:
       libvirt-devel-1.0.5.9-0.19.6
   - SUSE Linux Enterprise Server 11 SP3 (i586 ppc64 s390x x86_64) [New Version: 1.0.5.9]:
       libvirt-1.0.5.9-0.19.3 libvirt-client-1.0.5.9-0.19.3
       libvirt-doc-1.0.5.9-0.19.3 libvirt-lock-sanlock-1.0.5.9-0.19.3
       libvirt-python-1.0.5.9-0.19.3
   - SUSE Linux Enterprise Server 11 SP3 (ppc64 x86_64) [New Version: 1.0.5.9]:
       libvirt-client-32bit-1.0.5.9-0.19.3
   - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64) [New Version: 1.4.2]:
       kvm-1.4.2-0.21.4
   - SUSE Linux Enterprise Server 11 SP3 (s390x) [New Version: 1.0.5.9 and 1.4.2]:
       kvm-1.4.2-0.21.5 libvirt-client-32bit-1.0.5.9-0.19.5
   - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 1.0.5.9]:
       libvirt-1.0.5.9-0.19.6 libvirt-client-1.0.5.9-0.19.6
       libvirt-doc-1.0.5.9-0.19.6 libvirt-lock-sanlock-1.0.5.9-0.19.6
       libvirt-python-1.0.5.9-0.19.6
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.0.5.9 and 1.4.2]:
       kvm-1.4.2-0.21.4 libvirt-1.0.5.9-0.19.3 libvirt-client-1.0.5.9-0.19.3
       libvirt-doc-1.0.5.9-0.19.3 libvirt-python-1.0.5.9-0.19.3
   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 1.0.5.9]:
       libvirt-client-32bit-1.0.5.9-0.19.3

References:

   http://support.novell.com/security/cve/CVE-2014-3633.html
   http://support.novell.com/security/cve/CVE-2014-3640.html
   http://support.novell.com/security/cve/CVE-2014-3657.html
   http://support.novell.com/security/cve/CVE-2014-7823.html
   http://support.novell.com/security/cve/CVE-2014-7840.html
   http://support.novell.com/security/cve/CVE-2014-8106.html
   https://bugzilla.suse.com/843074
   https://bugzilla.suse.com/852397
   https://bugzilla.suse.com/878350
   https://bugzilla.suse.com/879665
   https://bugzilla.suse.com/897654
   https://bugzilla.suse.com/897783
   https://bugzilla.suse.com/899144
   https://bugzilla.suse.com/899484
   https://bugzilla.suse.com/900084
   https://bugzilla.suse.com/904176
   https://bugzilla.suse.com/905097
   https://bugzilla.suse.com/907805
   https://bugzilla.suse.com/908381
   https://bugzilla.suse.com/910145
   https://bugzilla.suse.com/911742
   http://download.suse.com/patch/finder/?keywords=d3b9c3ae67669c31312322f9448e4225

From sle-security-updates at lists.suse.com Tue Feb 24 03:05:35 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Feb 2015 11:05:35 +0100 (CET)
Subject: SUSE-SU-2015:0365-1: important: Security update for php5
Message-ID: <20150224100535.4F4F832371@maintenance.suse.de>

   SUSE Security Update: Security update for php5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0365-1
Rating:             important
References:         #907519 #910659 #911664 #914690
Cross-References:   CVE-2014-8142 CVE-2014-9427 CVE-2015-0231 CVE-2015-0232
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   php5 was updated to fix four security issues.
These security issues were fixed: - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (bnc#910659). - CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, did not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which caused an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (bnc#911664). - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (bnc#914690). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bnc#910659). Additionally a fix was included that protects against a possible NULL pointer use (bnc#910659). 
This non-security issue was fixed:

- php53 ignored default_socket_timeout on outgoing SSL connection (bnc#907519).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12:
  zypper in -t patch SUSE-SLE-SDK-12-2015-94=1
- SUSE Linux Enterprise Module for Web Scripting 12:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2015-94=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
  php5-debuginfo-5.5.14-11.3 php5-debugsource-5.5.14-11.3 php5-devel-5.5.14-11.3

- SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64):
  apache2-mod_php5-5.5.14-11.3 apache2-mod_php5-debuginfo-5.5.14-11.3
  php5-5.5.14-11.3 php5-bcmath-5.5.14-11.3 php5-bcmath-debuginfo-5.5.14-11.3
  php5-bz2-5.5.14-11.3 php5-bz2-debuginfo-5.5.14-11.3
  php5-calendar-5.5.14-11.3 php5-calendar-debuginfo-5.5.14-11.3
  php5-ctype-5.5.14-11.3 php5-ctype-debuginfo-5.5.14-11.3
  php5-curl-5.5.14-11.3 php5-curl-debuginfo-5.5.14-11.3
  php5-dba-5.5.14-11.3 php5-dba-debuginfo-5.5.14-11.3
  php5-debuginfo-5.5.14-11.3 php5-debugsource-5.5.14-11.3
  php5-dom-5.5.14-11.3 php5-dom-debuginfo-5.5.14-11.3
  php5-enchant-5.5.14-11.3 php5-enchant-debuginfo-5.5.14-11.3
  php5-exif-5.5.14-11.3 php5-exif-debuginfo-5.5.14-11.3
  php5-fastcgi-5.5.14-11.3 php5-fastcgi-debuginfo-5.5.14-11.3
  php5-fileinfo-5.5.14-11.3 php5-fileinfo-debuginfo-5.5.14-11.3
  php5-fpm-5.5.14-11.3 php5-fpm-debuginfo-5.5.14-11.3
  php5-ftp-5.5.14-11.3 php5-ftp-debuginfo-5.5.14-11.3
  php5-gd-5.5.14-11.3 php5-gd-debuginfo-5.5.14-11.3
  php5-gettext-5.5.14-11.3 php5-gettext-debuginfo-5.5.14-11.3
  php5-gmp-5.5.14-11.3 php5-gmp-debuginfo-5.5.14-11.3
  php5-iconv-5.5.14-11.3 php5-iconv-debuginfo-5.5.14-11.3
  php5-intl-5.5.14-11.3 php5-intl-debuginfo-5.5.14-11.3
  php5-json-5.5.14-11.3 php5-json-debuginfo-5.5.14-11.3
  php5-ldap-5.5.14-11.3
  php5-ldap-debuginfo-5.5.14-11.3
  php5-mbstring-5.5.14-11.3 php5-mbstring-debuginfo-5.5.14-11.3
  php5-mcrypt-5.5.14-11.3 php5-mcrypt-debuginfo-5.5.14-11.3
  php5-mysql-5.5.14-11.3 php5-mysql-debuginfo-5.5.14-11.3
  php5-odbc-5.5.14-11.3 php5-odbc-debuginfo-5.5.14-11.3
  php5-openssl-5.5.14-11.3 php5-openssl-debuginfo-5.5.14-11.3
  php5-pcntl-5.5.14-11.3 php5-pcntl-debuginfo-5.5.14-11.3
  php5-pdo-5.5.14-11.3 php5-pdo-debuginfo-5.5.14-11.3
  php5-pgsql-5.5.14-11.3 php5-pgsql-debuginfo-5.5.14-11.3
  php5-pspell-5.5.14-11.3 php5-pspell-debuginfo-5.5.14-11.3
  php5-shmop-5.5.14-11.3 php5-shmop-debuginfo-5.5.14-11.3
  php5-snmp-5.5.14-11.3 php5-snmp-debuginfo-5.5.14-11.3
  php5-soap-5.5.14-11.3 php5-soap-debuginfo-5.5.14-11.3
  php5-sockets-5.5.14-11.3 php5-sockets-debuginfo-5.5.14-11.3
  php5-sqlite-5.5.14-11.3 php5-sqlite-debuginfo-5.5.14-11.3
  php5-suhosin-5.5.14-11.3 php5-suhosin-debuginfo-5.5.14-11.3
  php5-sysvmsg-5.5.14-11.3 php5-sysvmsg-debuginfo-5.5.14-11.3
  php5-sysvsem-5.5.14-11.3 php5-sysvsem-debuginfo-5.5.14-11.3
  php5-sysvshm-5.5.14-11.3 php5-sysvshm-debuginfo-5.5.14-11.3
  php5-tokenizer-5.5.14-11.3 php5-tokenizer-debuginfo-5.5.14-11.3
  php5-wddx-5.5.14-11.3 php5-wddx-debuginfo-5.5.14-11.3
  php5-xmlreader-5.5.14-11.3 php5-xmlreader-debuginfo-5.5.14-11.3
  php5-xmlrpc-5.5.14-11.3 php5-xmlrpc-debuginfo-5.5.14-11.3
  php5-xmlwriter-5.5.14-11.3 php5-xmlwriter-debuginfo-5.5.14-11.3
  php5-xsl-5.5.14-11.3 php5-xsl-debuginfo-5.5.14-11.3
  php5-zip-5.5.14-11.3 php5-zip-debuginfo-5.5.14-11.3
  php5-zlib-5.5.14-11.3 php5-zlib-debuginfo-5.5.14-11.3

- SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
  php5-pear-5.5.14-11.3

References:

http://support.novell.com/security/cve/CVE-2014-8142.html
http://support.novell.com/security/cve/CVE-2014-9427.html
http://support.novell.com/security/cve/CVE-2015-0231.html
http://support.novell.com/security/cve/CVE-2015-0232.html
https://bugzilla.suse.com/907519
https://bugzilla.suse.com/910659
https://bugzilla.suse.com/911664
https://bugzilla.suse.com/914690

From
sle-security-updates at lists.suse.com Tue Feb 24 05:05:40 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Feb 2015 13:05:40 +0100 (CET)
Subject: SUSE-SU-2015:0366-1: moderate: Security update for libmspack
Message-ID: <20150224120540.3583432371@maintenance.suse.de>

SUSE Security Update: Security update for libmspack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0366-1
Rating:             moderate
References:         #912214
Cross-References:   CVE-2014-9556
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

libmspack was updated to fix one security issue.

This security issue was fixed:

- Possible DoS by infinite loop (bnc#912214, CVE-2014-9556)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12:
  zypper in -t patch SUSE-SLE-SDK-12-2015-95=1
- SUSE Linux Enterprise Server 12:
  zypper in -t patch SUSE-SLE-SERVER-12-2015-95=1
- SUSE Linux Enterprise Desktop 12:
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-95=1

To bring your system up-to-date, use "zypper patch".
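After running the zypper command, the question that matters across a fleet is whether every package the advisory lists is now at or above the fixed build. The script below is an added example, not part of this advisory and not SUSE's tooling: it parses an advisory's header and Package List section (reproduced as a constructed, line-broken excerpt of SUSE-SU-2015:0366-1), then compares each installed package against the fixed version-release using a port of rpm's own rpmvercmp() ordering, so that 5.1 sorts below 6.1, 1.9 below 1.10, and a 0.4~rc1 pre-release below 0.4. The inventory, including the 0.4-5.1 pre-update build, is constructed for the example; on a real host it would come from the rpm -qa query named in the docstring.

```python
"""Check an installed rpm inventory against a SUSE advisory's package list.
Added example, not SUSE's tooling; the advisory excerpt and the inventory are
constructed (real inventory: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n')."""
import re
import string

# Constructed excerpt of SUSE-SU-2015:0366-1 in its usual line-broken layout.
ADVISORY = """\
Announcement ID:    SUSE-SU-2015:0366-1
Rating:             moderate
References:         #912214
Cross-References:   CVE-2014-9556
Package List:
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      libmspack-debugsource-0.4-6.1
      libmspack0-0.4-6.1
      libmspack0-debuginfo-0.4-6.1
References:
"""
# Constructed inventory; the 5.1 release is an assumed pre-update build.
INVENTORY = """\
libmspack0 0.4 5.1
libmspack0-debuginfo 0.4 6.1
zlib 1.2.8 4.1
"""
PKG_RE = re.compile(r"^(?P<name>\S+)-(?P<ver>[^-\s]+)-(?P<rel>[^-\s]+)$")
KEEP = set(string.ascii_letters + string.digits + "~^")  # rpm's risalnum plus ~ and ^


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1/0/1 as a </==/> b.  Walks runs of digits or
    letters, ignoring separators; '~' sorts below everything, even end of string,
    and '^' above end of string but below any other character."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in KEEP:
            i += 1
        while j < len(b) and b[j] not in KEEP:
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != cb:
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != cb:
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        cls = r"[0-9]+" if isnum else r"[A-Za-z]+"
        m1, m2 = re.match(cls, a[i:]), re.match(cls, b[j:])
        if m2 is None:  # segments of different kinds: the numeric one is newer
            return 1 if isnum else -1
        seg1, seg2 = m1.group(0), m2.group(0)
        i, j = i + len(seg1), j + len(seg2)
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):  # more significant digits wins
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters left wins


def parse_advisory(text: str):
    """Return (announcement id, rating, sorted CVEs, {name: (version, release)})."""
    head = text.split("Package List:")[0]
    ann = re.search(r"^Announcement ID:\s*(\S+)", head, re.M).group(1)
    rating = re.search(r"^Rating:\s*(\S+)", head, re.M).group(1)
    cves = sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", head)))
    fixed, in_pkgs = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Package List:"):
            in_pkgs = True
        elif s.startswith("References:"):
            in_pkgs = False
        elif in_pkgs and not s.startswith("- "):  # skip product headers
            m = PKG_RE.match(s)
            if m:
                fixed[m["name"]] = (m["ver"], m["rel"])
    return ann, rating, cves, fixed


def unpatched(inventory: str, fixed: dict) -> list:
    """Installed packages the advisory names that are still below the fixed
    build; rpm orders by version first and by release only on a tie."""
    hits = []
    for line in inventory.splitlines():
        if line.strip():
            name, ver, rel = line.split()
            want = fixed.get(name)
            if want and (rpmvercmp(ver, want[0]) or rpmvercmp(rel, want[1])) < 0:
                hits.append((name, f"{ver}-{rel}", "-".join(want)))
    return hits
```

Calling unpatched(INVENTORY, parse_advisory(ADVISORY)[3]) on the constructed data returns [("libmspack0", "0.4-5.1", "0.4-6.1")]; an empty list means every package the advisory names is at the fixed build or newer. Packages the advisory does not name are ignored, so a clean result says nothing about other advisories, and the check reads the rpm database rather than the running processes, so a library update still needs the services that loaded the old copy restarted.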
Package List:

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
  libmspack-debugsource-0.4-6.1 libmspack-devel-0.4-6.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
  libmspack-debugsource-0.4-6.1 libmspack0-0.4-6.1 libmspack0-debuginfo-0.4-6.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
  libmspack-debugsource-0.4-6.1 libmspack0-0.4-6.1 libmspack0-debuginfo-0.4-6.1

References:

http://support.novell.com/security/cve/CVE-2014-9556.html
https://bugzilla.suse.com/912214

From sle-security-updates at lists.suse.com Tue Feb 24 10:05:04 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Feb 2015 18:05:04 +0100 (CET)
Subject: SUSE-SU-2015:0367-1: moderate: Security update for vorbis-tools
Message-ID: <20150224170504.8E77232383@maintenance.suse.de>

SUSE Security Update: Security update for vorbis-tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0367-1
Rating:             moderate
References:         #914938
Cross-References:   CVE-2014-9640
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update fixes the following security issue:

- A crafted raw file used as input could cause a segmentation fault
  (CVE-2014-9640, bsc#914938)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:
  zypper in -t patch SUSE-SLE-SERVER-12-2015-96=1
- SUSE Linux Enterprise Desktop 12:
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-96=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
  vorbis-tools-1.4.0-19.1 vorbis-tools-debuginfo-1.4.0-19.1 vorbis-tools-debugsource-1.4.0-19.1
- SUSE Linux Enterprise Server 12 (noarch):
  vorbis-tools-lang-1.4.0-19.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
  vorbis-tools-1.4.0-19.1 vorbis-tools-debuginfo-1.4.0-19.1 vorbis-tools-debugsource-1.4.0-19.1
- SUSE Linux Enterprise Desktop 12 (noarch):
  vorbis-tools-lang-1.4.0-19.1

References:

http://support.novell.com/security/cve/CVE-2014-9640.html
https://bugzilla.suse.com/914938

From sle-security-updates at lists.suse.com Wed Feb 25 00:08:12 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Feb 2015 08:08:12 +0100 (CET)
Subject: SUSE-SU-2015:0370-1: moderate: Security update for php53
Message-ID: <20150225070812.B8B1832373@maintenance.suse.de>

SUSE Security Update: Security update for php53
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0370-1
Rating:             moderate
References:         #907519 #910659 #914690
Cross-References:   CVE-2014-8142 CVE-2015-0231 CVE-2015-0232
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

PHP 5.3 was updated to fix three security issues:

* CVE-2014-8142: Use-after-free vulnerability allowed remote attackers to
  execute arbitrary code via a crafted unserialize call that leveraged
  improper handling of duplicate keys within the serialized properties of an
  object (bnc#910659).
* CVE-2015-0231: Use-after-free vulnerability allowed remote attackers to
  execute arbitrary code via a crafted unserialize call that leveraged
  improper handling of duplicate numerical keys within the serialized
  properties of an object.
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2014-8142 (bnc#910659).
* CVE-2015-0232: The exif_process_unicode function allowed remote attackers to
  execute arbitrary code or cause a denial of service (uninitialized pointer
  free and application crash) via crafted EXIF data in a JPEG image
  (bnc#914690).

Additionally a fix was included that protects against a possible NULL pointer
use (bnc#910659).

This non-security issue has been fixed:

* Don't ignore default_socket_timeout on outgoing SSL connection (bnc#907519)

Security Issues:

* CVE-2015-0232
* CVE-2015-0231
* CVE-2014-8142

Contraindications:

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-apache2-mod_php53=10313
- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-apache2-mod_php53=10313
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-apache2-mod_php53=10313

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  php53-devel-5.3.17-0.33.1 php53-imap-5.3.17-0.33.1 php53-posix-5.3.17-0.33.1
  php53-readline-5.3.17-0.33.1 php53-sockets-5.3.17-0.33.1 php53-sqlite-5.3.17-0.33.1
  php53-tidy-5.3.17-0.33.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  apache2-mod_php53-5.3.17-0.33.1 php53-5.3.17-0.33.1 php53-bcmath-5.3.17-0.33.1
  php53-bz2-5.3.17-0.33.1 php53-calendar-5.3.17-0.33.1 php53-ctype-5.3.17-0.33.1
  php53-curl-5.3.17-0.33.1 php53-dba-5.3.17-0.33.1 php53-dom-5.3.17-0.33.1
  php53-exif-5.3.17-0.33.1 php53-fastcgi-5.3.17-0.33.1 php53-fileinfo-5.3.17-0.33.1
  php53-ftp-5.3.17-0.33.1 php53-gd-5.3.17-0.33.1 php53-gettext-5.3.17-0.33.1
  php53-gmp-5.3.17-0.33.1 php53-iconv-5.3.17-0.33.1 php53-intl-5.3.17-0.33.1
  php53-json-5.3.17-0.33.1 php53-ldap-5.3.17-0.33.1 php53-mbstring-5.3.17-0.33.1
  php53-mcrypt-5.3.17-0.33.1 php53-mysql-5.3.17-0.33.1 php53-odbc-5.3.17-0.33.1
  php53-openssl-5.3.17-0.33.1 php53-pcntl-5.3.17-0.33.1 php53-pdo-5.3.17-0.33.1
  php53-pear-5.3.17-0.33.1 php53-pgsql-5.3.17-0.33.1 php53-pspell-5.3.17-0.33.1
  php53-shmop-5.3.17-0.33.1 php53-snmp-5.3.17-0.33.1 php53-soap-5.3.17-0.33.1
  php53-suhosin-5.3.17-0.33.1 php53-sysvmsg-5.3.17-0.33.1 php53-sysvsem-5.3.17-0.33.1
  php53-sysvshm-5.3.17-0.33.1 php53-tokenizer-5.3.17-0.33.1 php53-wddx-5.3.17-0.33.1
  php53-xmlreader-5.3.17-0.33.1 php53-xmlrpc-5.3.17-0.33.1 php53-xmlwriter-5.3.17-0.33.1
  php53-xsl-5.3.17-0.33.1 php53-zip-5.3.17-0.33.1 php53-zlib-5.3.17-0.33.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  apache2-mod_php53-5.3.17-0.33.1 php53-5.3.17-0.33.1 php53-bcmath-5.3.17-0.33.1
  php53-bz2-5.3.17-0.33.1 php53-calendar-5.3.17-0.33.1 php53-ctype-5.3.17-0.33.1
  php53-curl-5.3.17-0.33.1 php53-dba-5.3.17-0.33.1 php53-dom-5.3.17-0.33.1
  php53-exif-5.3.17-0.33.1 php53-fastcgi-5.3.17-0.33.1 php53-fileinfo-5.3.17-0.33.1
  php53-ftp-5.3.17-0.33.1 php53-gd-5.3.17-0.33.1 php53-gettext-5.3.17-0.33.1
  php53-gmp-5.3.17-0.33.1 php53-iconv-5.3.17-0.33.1 php53-intl-5.3.17-0.33.1
  php53-json-5.3.17-0.33.1 php53-ldap-5.3.17-0.33.1 php53-mbstring-5.3.17-0.33.1
  php53-mcrypt-5.3.17-0.33.1 php53-mysql-5.3.17-0.33.1 php53-odbc-5.3.17-0.33.1
  php53-openssl-5.3.17-0.33.1 php53-pcntl-5.3.17-0.33.1 php53-pdo-5.3.17-0.33.1
  php53-pear-5.3.17-0.33.1 php53-pgsql-5.3.17-0.33.1 php53-pspell-5.3.17-0.33.1
  php53-shmop-5.3.17-0.33.1 php53-snmp-5.3.17-0.33.1 php53-soap-5.3.17-0.33.1
  php53-suhosin-5.3.17-0.33.1 php53-sysvmsg-5.3.17-0.33.1 php53-sysvsem-5.3.17-0.33.1
  php53-sysvshm-5.3.17-0.33.1 php53-tokenizer-5.3.17-0.33.1 php53-wddx-5.3.17-0.33.1
  php53-xmlreader-5.3.17-0.33.1 php53-xmlrpc-5.3.17-0.33.1 php53-xmlwriter-5.3.17-0.33.1
  php53-xsl-5.3.17-0.33.1 php53-zip-5.3.17-0.33.1 php53-zlib-5.3.17-0.33.1

References:

http://support.novell.com/security/cve/CVE-2014-8142.html
http://support.novell.com/security/cve/CVE-2015-0231.html
http://support.novell.com/security/cve/CVE-2015-0232.html
https://bugzilla.suse.com/907519
https://bugzilla.suse.com/910659
https://bugzilla.suse.com/914690
http://download.suse.com/patch/finder/?keywords=d995557afd07f1b2263c5f7bf3e0ca0b

From sle-security-updates at lists.suse.com Wed Feb 25 00:08:58 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Feb 2015 08:08:58 +0100 (CET)
Subject: SUSE-SU-2015:0371-1: important: Security update for Samba
Message-ID: <20150225070858.86ABF32381@maintenance.suse.de>

SUSE Security Update: Security update for Samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0371-1
Rating:             important
References:         #872912 #898031 #899558 #913001 #917376
Cross-References:   CVE-2015-0240
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has four fixes is now available.

Description:

Samba has been updated to fix one security issue:

* CVE-2015-0240: Don't call talloc_free on an uninitialized pointer in the
  Netlogon server code of smbd. The affected code path is reachable by
  unauthenticated clients, which is why this update is rated important
  (bnc#917376).

Additionally, these non-security issues have been fixed:

* Realign the winbind request structure following require_membership_of
  field expansion (bnc#913001).
* Reuse connections derived from DFS referrals (bso#10123, fate#316512).
* Set domain/workgroup based on authentication callback value (bso#11059).
* Fix spoolss error response marshalling (bso#10984).
* Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031).
* Fix handling of bad EnumJobs levels (bso#10898).
* Fix small memory leak in the background print process (bnc#899558).
* Prune idle or hung connections older than "winbind request timeout"
  (bso#3204, bnc#872912).

Security Issues:

* CVE-2015-0240

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-samba-20150217=10321
- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-samba-20150217=10321
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-samba-20150217=10321
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-samba-20150217=10321

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  libldb-devel-3.6.3-0.56.1 libnetapi-devel-3.6.3-0.56.1 libnetapi0-3.6.3-0.56.1
  libsmbclient-devel-3.6.3-0.56.1 libsmbsharemodes-devel-3.6.3-0.56.1
  libsmbsharemodes0-3.6.3-0.56.1 libtalloc-devel-3.6.3-0.56.1 libtdb-devel-3.6.3-0.56.1
  libtevent-devel-3.6.3-0.56.1 libwbclient-devel-3.6.3-0.56.1 samba-devel-3.6.3-0.56.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  ldapsmb-1.34b-12.56.1 libldb1-3.6.3-0.56.1 libsmbclient0-3.6.3-0.56.1
  libtalloc2-3.6.3-0.56.1 libtdb1-3.6.3-0.56.1 libtevent0-3.6.3-0.56.1
  libwbclient0-3.6.3-0.56.1 samba-3.6.3-0.56.1 samba-client-3.6.3-0.56.1
  samba-krb-printing-3.6.3-0.56.1 samba-winbind-3.6.3-0.56.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
  libsmbclient0-32bit-3.6.3-0.56.1 libtalloc2-32bit-3.6.3-0.56.1 libtdb1-32bit-3.6.3-0.56.1
  libtevent0-32bit-3.6.3-0.56.1 libwbclient0-32bit-3.6.3-0.56.1 samba-32bit-3.6.3-0.56.1
  samba-client-32bit-3.6.3-0.56.1 samba-winbind-32bit-3.6.3-0.56.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (noarch):
  samba-doc-3.6.3-0.56.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  ldapsmb-1.34b-12.56.1 libldb1-3.6.3-0.56.1 libsmbclient0-3.6.3-0.56.1
  libtalloc2-3.6.3-0.56.1 libtdb1-3.6.3-0.56.1 libtevent0-3.6.3-0.56.1
  libwbclient0-3.6.3-0.56.1 samba-3.6.3-0.56.1 samba-client-3.6.3-0.56.1
  samba-krb-printing-3.6.3-0.56.1 samba-winbind-3.6.3-0.56.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
  libsmbclient0-32bit-3.6.3-0.56.1 libtalloc2-32bit-3.6.3-0.56.1 libtdb1-32bit-3.6.3-0.56.1
  libtevent0-32bit-3.6.3-0.56.1 libwbclient0-32bit-3.6.3-0.56.1 samba-32bit-3.6.3-0.56.1
  samba-client-32bit-3.6.3-0.56.1 samba-winbind-32bit-3.6.3-0.56.1

- SUSE Linux Enterprise Server 11 SP3 (noarch):
  samba-doc-3.6.3-0.56.1

- SUSE Linux Enterprise Server 11 SP3 (ia64):
  libsmbclient0-x86-3.6.3-0.56.1 libtalloc2-x86-3.6.3-0.56.1 libtdb1-x86-3.6.3-0.56.1
  libwbclient0-x86-3.6.3-0.56.1 samba-client-x86-3.6.3-0.56.1
  samba-winbind-x86-3.6.3-0.56.1 samba-x86-3.6.3-0.56.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  libldb1-3.6.3-0.56.1 libsmbclient0-3.6.3-0.56.1 libtalloc2-3.6.3-0.56.1
  libtdb1-3.6.3-0.56.1 libtevent0-3.6.3-0.56.1 libwbclient0-3.6.3-0.56.1
  samba-3.6.3-0.56.1 samba-client-3.6.3-0.56.1 samba-krb-printing-3.6.3-0.56.1
  samba-winbind-3.6.3-0.56.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
  libldb1-32bit-3.6.3-0.56.1 libsmbclient0-32bit-3.6.3-0.56.1 libtalloc2-32bit-3.6.3-0.56.1
  libtdb1-32bit-3.6.3-0.56.1 libtevent0-32bit-3.6.3-0.56.1 libwbclient0-32bit-3.6.3-0.56.1
  samba-32bit-3.6.3-0.56.1 samba-client-32bit-3.6.3-0.56.1 samba-winbind-32bit-3.6.3-0.56.1

- SUSE Linux Enterprise Desktop 11 SP3 (noarch):
  samba-doc-3.6.3-0.56.1

References:

http://support.novell.com/security/cve/CVE-2015-0240.html
https://bugzilla.suse.com/872912
https://bugzilla.suse.com/898031
https://bugzilla.suse.com/899558
https://bugzilla.suse.com/913001
https://bugzilla.suse.com/917376
http://download.suse.com/patch/finder/?keywords=ef17b59d6389957b18b3a77d2e9be3bc

From sle-security-updates at lists.suse.com Wed Feb 25 11:05:02 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Feb 2015 19:05:02 +0100 (CET)
Subject: SUSE-SU-2015:0343-2: important: Security update for java-1_6_0-ibm
Message-ID: <20150225180502.420A632381@maintenance.suse.de>

SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0343-2
Rating:             important
References:         #916265 #916266
Cross-References:   CVE-2014-8891 CVE-2014-8892
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.
Description:

java-1_6_0-ibm has been updated to fix two security issues:

* CVE-2014-8891: Unspecified vulnerability
* CVE-2014-8892: Unspecified vulnerability

Security Issues:

* CVE-2014-8892
* CVE-2014-8891

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Manager 1.7 for SLE 11 SP2:
  zypper in -t patch sleman17sp2-java-1_6_0-ibm=10303

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Manager 1.7 for SLE 11 SP2 (x86_64):
  java-1_6_0-ibm-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-devel-1.6.0_sr16.3-0.4.1
  java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.1
  java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.1

References:

http://support.novell.com/security/cve/CVE-2014-8891.html
http://support.novell.com/security/cve/CVE-2014-8892.html
https://bugzilla.suse.com/916265
https://bugzilla.suse.com/916266
http://download.suse.com/patch/finder/?keywords=0b2166799c8f437f2e8b9f49922145fc

From sle-security-updates at lists.suse.com Wed Feb 25 11:05:30 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Feb 2015 19:05:30 +0100 (CET)
Subject: SUSE-SU-2015:0376-1: important: Security update for java-1_5_0-ibm
Message-ID: <20150225180530.B15A232381@maintenance.suse.de>

SUSE Security Update: Security update for java-1_5_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0376-1
Rating:             important
References:         #891699 #901223 #901239 #904889 #916265 #916266
Cross-References:   CVE-2014-8891 CVE-2014-8892
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that solves two vulnerabilities and has four fixes is now available.

Description:

java-1_5_0-ibm has been updated to fix 19 security issues:

* CVE-2014-8891: Unspecified vulnerability (bnc#916266).
* CVE-2014-8892: Unspecified vulnerability (bnc#916265).
* CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment
  (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8
  FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8)
  allows local users to execute arbitrary code via vectors related to the
  shared classes cache (bnc#904889).
* CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
  other products, uses nondeterministic CBC padding, which makes it easier
  for man-in-the-middle attackers to obtain cleartext data via a
  padding-oracle attack, aka the "POODLE" issue (bnc#901223).
* CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to
  affect confidentiality, integrity, and availability via unknown vectors
  related to Libraries (bnc#901239).
* CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20 allows remote attackers to affect confidentiality via
  unknown vectors related to 2D (bnc#901239).
* CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to
  affect confidentiality via unknown vectors related to Libraries
  (bnc#901239).
* CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3
  allows remote attackers to affect integrity via unknown vectors related to
  Libraries (bnc#901239).
* CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3
  allows remote attackers to affect confidentiality and integrity via vectors
  related to JSSE (bnc#901239).
* CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to
  affect integrity via unknown vectors related to Libraries (bnc#901239).
* CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit
  R28.3.3 allows remote attackers to affect integrity via unknown vectors
  related to Security (bnc#901239).
* CVE-2014-4262: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
  7u60, and 8u5 allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to Libraries (bnc#891699).
* CVE-2014-4219: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and
  8u5 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot (bnc#891699).
* CVE-2014-4209: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
  7u60, and 8u5 allows remote attackers to affect confidentiality and
  integrity via vectors related to JMX (bnc#891699).
* CVE-2014-4268: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
  7u60, and 8u5 allows remote attackers to affect confidentiality via unknown
  vectors related to Swing (bnc#891699).
* CVE-2014-4218: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
  7u60, and 8u5 allows remote attackers to affect integrity via unknown
  vectors related to Libraries (bnc#891699).
* CVE-2014-4252: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
  7u60, and 8u5 allows remote attackers to affect confidentiality via unknown
  vectors related to Security (bnc#891699).
* CVE-2014-4263: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
  7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to
  affect confidentiality and integrity via unknown vectors related to
  Diffie-Hellman key agreement (bnc#891699).
* CVE-2014-4244: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
  7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote
  attackers to affect confidentiality and integrity via unknown vectors
  related to Security (bnc#891699).

Security Issues:

* CVE-2014-8892
* CVE-2014-8891

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
  java-1_5_0-ibm-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-devel-1.5.0_sr16.9-0.6.1
  java-1_5_0-ibm-fonts-1.5.0_sr16.9-0.6.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
  java-1_5_0-ibm-32bit-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-devel-32bit-1.5.0_sr16.9-0.6.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):
  java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.9-0.6.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (i586):
  java-1_5_0-ibm-alsa-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-jdbc-1.5.0_sr16.9-0.6.1
  java-1_5_0-ibm-plugin-1.5.0_sr16.9-0.6.1

References:

http://support.novell.com/security/cve/CVE-2014-8891.html
http://support.novell.com/security/cve/CVE-2014-8892.html
https://bugzilla.suse.com/891699
https://bugzilla.suse.com/901223
https://bugzilla.suse.com/901239
https://bugzilla.suse.com/904889
https://bugzilla.suse.com/916265
https://bugzilla.suse.com/916266
http://download.suse.com/patch/finder/?keywords=2c3b79e944e87fd633df27d6879fd0ea

From sle-security-updates at lists.suse.com Wed Feb 25 15:04:55 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Feb 2015 23:04:55 +0100 (CET)
Subject: SUSE-SU-2015:0377-1: moderate: Security update for unzip
Message-ID: <20150225220455.0587D32368@maintenance.suse.de>

SUSE Security Update: Security update for unzip
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0377-1
Rating:             moderate
References:         #909214 #914442
Cross-References:   CVE-2014-8139 CVE-2014-9636
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE
                    Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update fixes the following security issues:

* CVE-2014-8139: heap-based buffer overflow in the CRC32 verification code,
  triggered by a crafted archive (bnc#909214)
* CVE-2014-9636: out-of-bounds read/write in test_compr_eb() (bnc#914442)

Security Issues:

* CVE-2014-9636
* CVE-2014-8139

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-unzip=10344
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-unzip=10344
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-unzip=10344

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  unzip-6.00-11.13.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  unzip-6.00-11.13.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  unzip-6.00-11.13.1

References:

http://support.novell.com/security/cve/CVE-2014-8139.html
http://support.novell.com/security/cve/CVE-2014-9636.html
https://bugzilla.suse.com/909214
https://bugzilla.suse.com/914442
http://download.suse.com/patch/finder/?keywords=3091ac8b6f0e6e6309d36acc106755ec

From sle-security-updates at lists.suse.com Fri Feb 27 03:04:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Feb 2015 11:04:54 +0100 (CET)
Subject: SUSE-SU-2015:0386-1: important: Security update for Samba
Message-ID: <20150227100454.6A1DC3238E@maintenance.suse.de>

SUSE Security Update: Security update for Samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0386-1
Rating:             important
References:         #872912 #882356 #883870 #886193 #898031 #899558 #913001 #917376
Cross-References:
                    CVE-2015-0240
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

An update that solves one vulnerability and has 7 fixes is now available.

Description:

Samba has been updated to fix one security issue:

* CVE-2015-0240: Don't call talloc_free on an uninitialized pointer in the
  Netlogon server code of smbd. The affected code path is reachable by
  unauthenticated clients, which is why this update is rated important
  (bnc#917376).

Additionally, these non-security issues have been fixed:

* Realign the winbind request structure following require_membership_of
  field expansion (bnc#913001).
* Reuse connections derived from DFS referrals (bso#10123, fate#316512).
* Set domain/workgroup based on authentication callback value (bso#11059).
* Fix spoolss error response marshalling (bso#10984).
* Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031).
* Fix handling of bad EnumJobs levels (bso#10898).
* Fix small memory leak in the background print process (bnc#899558).
* Prune idle or hung connections older than "winbind request timeout"
  (bso#3204, bnc#872912).
* Build: disable mmap on s390 systems (bnc#886193, bnc#882356).
* Only update the printer share inventory when needed (bnc#883870).
* Avoid double-free in get_print_db_byname (bso#10699).

Security Issues:

* CVE-2015-0240

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:
  zypper in -t patch slessp2-cifs-mount=10346

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
  ldapsmb-1.34b-12.33.43.1 libldb1-3.6.3-0.33.43.1 libsmbclient0-3.6.3-0.33.43.1
  libtalloc1-3.4.3-1.54.39 libtalloc2-3.6.3-0.33.43.1 libtdb1-3.6.3-0.33.43.1
  libtevent0-3.6.3-0.33.43.1 libwbclient0-3.6.3-0.33.43.1 samba-3.6.3-0.33.43.1
  samba-client-3.6.3-0.33.43.1 samba-krb-printing-3.6.3-0.33.43.1
  samba-winbind-3.6.3-0.33.43.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):
  libsmbclient0-32bit-3.6.3-0.33.43.1 libtalloc1-32bit-3.4.3-1.54.39
  libtalloc2-32bit-3.6.3-0.33.43.1 libtdb1-32bit-3.6.3-0.33.43.1
  libtevent0-32bit-3.6.3-0.33.43.1 libwbclient0-32bit-3.6.3-0.33.43.1
  samba-32bit-3.6.3-0.33.43.1 samba-client-32bit-3.6.3-0.33.43.1
  samba-winbind-32bit-3.6.3-0.33.43.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (noarch):
  samba-doc-3.6.3-0.33.43.1

References:

http://support.novell.com/security/cve/CVE-2015-0240.html
https://bugzilla.suse.com/872912
https://bugzilla.suse.com/882356
https://bugzilla.suse.com/883870
https://bugzilla.suse.com/886193
https://bugzilla.suse.com/898031
https://bugzilla.suse.com/899558
https://bugzilla.suse.com/913001
https://bugzilla.suse.com/917376
http://download.suse.com/patch/finder/?keywords=d8d66713b0b31cf585ddfd4a751c7eec

From sle-security-updates at lists.suse.com Fri Feb 27 11:05:33 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Feb 2015 19:05:33 +0100 (CET)
Subject: SUSE-SU-2015:0392-1: important: Security update for java-1_6_0-ibm
Message-ID: <20150227180533.99F9932390@maintenance.suse.de>

SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0392-1
Rating:             important
References:         #592934 #891700 #901223 #904889 #916265 #916266
Cross-References:   CVE-2014-8891 CVE-2014-8892
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has four fixes is now
   available.

Description:

   java-1_6_0-ibm has been updated to version 1.6.0_sr16.3 to fix 30 security
   issues:

   * CVE-2014-8891: Unspecified vulnerability (bnc#916266)
   * CVE-2014-8892: Unspecified vulnerability (bnc#916265)
   * CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment
     (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8
     FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8
     (5.0.16.8) allowed local users to execute arbitrary code via vectors
     related to the shared classes cache (bnc#904889).
   * CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i
     and other products, used nondeterministic CBC padding, which made it
     easier for man-in-the-middle attackers to obtain cleartext data via a
     padding-oracle attack, aka the "POODLE" issue (bnc#901223).
   * CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20, and Java SE Embedded 7u60, allowed remote attackers to affect
     confidentiality, integrity, and availability via vectors related to AWT
     (bnc#904889).
   * CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allowed remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532
     (bnc#904889).
   * CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allowed remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503
     (bnc#904889).
   * CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allowed remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532
     (bnc#904889).
   * CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allowed remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment, a different
     vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532
     (bnc#904889).
   * CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20, when running on Firefox, allowed remote attackers to affect
     confidentiality, integrity, and availability via unknown vectors related
     to Deployment (bnc#904889).
   * CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allowed local users to affect confidentiality, integrity, and
     availability via unknown vectors related to Deployment (bnc#904889).
   * CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20, when running on Internet Explorer, allowed local users to
     affect confidentiality, integrity, and availability via unknown vectors
     related to Deployment (bnc#904889).
   * CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers to
     affect confidentiality, integrity, and availability via unknown vectors
     related to Libraries (bnc#904889).
   * CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67,
     and 8u20 allowed remote attackers to affect integrity via unknown vectors
     related to Deployment (bnc#904889).
   * CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20 allowed remote attackers to affect confidentiality via
     unknown vectors related to 2D (bnc#904889).
   * CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers to
     affect confidentiality via unknown vectors related to Libraries
     (bnc#904889).
   * CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3
     allowed remote attackers to affect integrity via unknown vectors related
     to Libraries (bnc#904889).
   * CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3
     allowed remote attackers to affect confidentiality and integrity via
     vectors related to JSSE (bnc#904889).
   * CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers to
     affect integrity via unknown vectors related to Libraries (bnc#904889).
   * CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
     7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit
     R28.3.3 allowed remote attackers to affect integrity via unknown vectors
     related to Security (bnc#904889).
   * CVE-2014-4227: Unspecified vulnerability in Oracle Java SE 6u75, 7u60,
     and 8u5 allowed remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Deployment (bnc#891700).
   * CVE-2014-4262: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
     7u60, and 8u5 allowed remote attackers to affect confidentiality,
     integrity, and availability via unknown vectors related to Libraries
     (bnc#891700).
   * CVE-2014-4219: Unspecified vulnerability in Oracle Java SE 6u75, 7u60,
     and 8u5 allowed remote attackers to affect confidentiality, integrity,
     and availability via unknown vectors related to Hotspot (bnc#891700).
   * CVE-2014-4209: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
     7u60, and 8u5 allowed remote attackers to affect confidentiality and
     integrity via vectors related to JMX (bnc#891700).
   * CVE-2014-4268: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
     7u60, and 8u5 allowed remote attackers to affect confidentiality via
     unknown vectors related to Swing (bnc#891700).
   * CVE-2014-4218: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
     7u60, and 8u5 allowed remote attackers to affect integrity via unknown
     vectors related to Libraries (bnc#891700).
   * CVE-2014-4252: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
     7u60, and 8u5 allowed remote attackers to affect confidentiality via
     unknown vectors related to Security (bnc#891700).
   * CVE-2014-4265: Unspecified vulnerability in Oracle Java SE 6u75, 7u60,
     and 8u5 allowed remote attackers to affect integrity via unknown vectors
     related to Deployment (bnc#891700).
   * CVE-2014-4263: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
     7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allowed remote attackers
     to affect confidentiality and integrity via unknown vectors related to
     Diffie-Hellman key agreement (bnc#891700).
   * CVE-2014-4244: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75,
     7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allowed remote
     attackers to affect confidentiality and integrity via unknown vectors
     related to Security (bnc#891700).

   This non-security bug has also been fixed:

   * Fix update-alternatives list (bnc#592934)

   Security Issues:

   * CVE-2014-8892
   * CVE-2014-8891

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-java-1_6_0-ibm=10353

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-java-1_6_0-ibm=10354

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.3-0.4.5
      java-1_6_0-ibm-devel-1.6.0_sr16.3-0.4.5
      java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.5
      java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.5

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.5

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.5

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.3-0.4.5
      java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.5
      java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.5

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.5

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.5

References:

   http://support.novell.com/security/cve/CVE-2014-8891.html
   http://support.novell.com/security/cve/CVE-2014-8892.html
   https://bugzilla.suse.com/592934
   https://bugzilla.suse.com/891700
   https://bugzilla.suse.com/901223
   https://bugzilla.suse.com/904889
   https://bugzilla.suse.com/916265
   https://bugzilla.suse.com/916266
   http://download.suse.com/patch/finder/?keywords=96da2c614827c23087d5b86b253f5d98
   http://download.suse.com/patch/finder/?keywords=cfef74a50dd3fd4a378c3d05db361851

From sle-security-updates at lists.suse.com  Sat Feb 28 04:46:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 28 Feb 2015 12:46:52 +0100 (CET)
Subject: SUSE-SU-2015:0402-1: moderate: Security update for xorg-x11-server
Message-ID: <20150228114652.6ADAA3239B@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0402-1
Rating:             moderate
References:         #915810
Cross-References:   CVE-2015-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   xorg-x11-server was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-0255: Check string lengths in XkbSetGeometry request
     (bnc#915810)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-102=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-102=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-102=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-sdk-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

References:

   http://support.novell.com/security/cve/CVE-2015-0255.html
   https://bugzilla.suse.com/915810

From sle-security-updates at lists.suse.com  Sat Feb 28 04:46:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 28 Feb 2015 12:46:52 +0100 (CET)
Subject: SUSE-SU-2015:0401-1: moderate: Security update for xorg-x11-server
Message-ID: <20150228114652.6E71F323A1@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0401-1
Rating:             moderate
References:         #915810
Cross-References:   CVE-2015-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   xorg-x11-server was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-0255: Check string lengths in XkbSetGeometry request
     (bnc#915810)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-102=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-102=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-102=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-sdk-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

References:

   http://support.novell.com/security/cve/CVE-2015-0255.html
   https://bugzilla.suse.com/915810

From sle-security-updates at lists.suse.com  Sat Feb 28 04:46:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 28 Feb 2015 12:46:52 +0100 (CET)
Subject: SUSE-SU-2015:0400-1: moderate: Security update for xorg-x11-server
Message-ID: <20150228114652.64110323A2@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0400-1
Rating:             moderate
References:         #915810
Cross-References:   CVE-2015-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   xorg-x11-server was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-0255: Check string lengths in XkbSetGeometry request
     (bnc#915810)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-102=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-102=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-102=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-sdk-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

References:

   http://support.novell.com/security/cve/CVE-2015-0255.html
   https://bugzilla.suse.com/915810

From sle-security-updates at lists.suse.com  Sat Feb 28 04:46:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 28 Feb 2015 12:46:52 +0100 (CET)
Subject: SUSE-SU-2015:0403-1: moderate: Security update for xorg-x11-server
Message-ID: <20150228114652.74A1B323A0@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0403-1
Rating:             moderate
References:         #915810
Cross-References:   CVE-2015-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   xorg-x11-server was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-0255: Check string lengths in XkbSetGeometry request
     (bnc#915810)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-102=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-102=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-102=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-sdk-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

References:

   http://support.novell.com/security/cve/CVE-2015-0255.html
   https://bugzilla.suse.com/915810

From sle-security-updates at lists.suse.com  Sat Feb 28 04:46:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 28 Feb 2015 12:46:52 +0100 (CET)
Subject: SUSE-SU-2015:0398-1: moderate: Security update for xorg-x11-server
Message-ID: <20150228114652.7A59F323A5@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0398-1
Rating:             moderate
References:         #915810
Cross-References:   CVE-2015-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   xorg-x11-server was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-0255: Check string lengths in XkbSetGeometry request
     (bnc#915810)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-102=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-102=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-102=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-sdk-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

References:

   http://support.novell.com/security/cve/CVE-2015-0255.html
   https://bugzilla.suse.com/915810

From sle-security-updates at lists.suse.com  Sat Feb 28 04:46:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 28 Feb 2015 12:46:52 +0100 (CET)
Subject: SUSE-SU-2015:0399-1: moderate: Security update for xorg-x11-server
Message-ID: <20150228114652.99007323A6@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0399-1
Rating:             moderate
References:         #915810
Cross-References:   CVE-2015-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   xorg-x11-server was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-0255: Check string lengths in XkbSetGeometry request
     (bnc#915810)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-102=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-102=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-102=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-sdk-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      xorg-x11-server-7.6_1.15.2-21.1
      xorg-x11-server-debuginfo-7.6_1.15.2-21.1
      xorg-x11-server-debugsource-7.6_1.15.2-21.1
      xorg-x11-server-extra-7.6_1.15.2-21.1
      xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1

References:

   http://support.novell.com/security/cve/CVE-2015-0255.html
   https://bugzilla.suse.com/915810
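The "Package List" in each advisory above gives the fixed name-version-release for every product, which is what a host check has to compare against. The script below is an added example, not SUSE's tooling: it takes the SUSE Linux Enterprise Server 12 package list from SUSE-SU-2015:0399-1, parses `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output (the installed sample is constructed), and reports installed packages that are still older than the fixed build using a port of rpm's own version comparison (rpmvercmp), so `1.10` correctly sorts after `1.9` and `1.0~rc1` before `1.0`.

```python
import re

# Package list for SUSE Linux Enterprise Server 12 from SUSE-SU-2015:0399-1.
ADVISORY_PKGS = [
    "xorg-x11-server-7.6_1.15.2-21.1",
    "xorg-x11-server-debuginfo-7.6_1.15.2-21.1",
    "xorg-x11-server-debugsource-7.6_1.15.2-21.1",
    "xorg-x11-server-extra-7.6_1.15.2-21.1",
    "xorg-x11-server-extra-debuginfo-7.6_1.15.2-21.1",
]

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`:
# the main package is one release behind, the -extra package is current.
RPM_QA_SAMPLE = """\
xorg-x11-server 7.6_1.15.2 20.1
xorg-x11-server-extra 7.6_1.15.2 21.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a is older, equal or newer.
    Numeric segments compare by value, alphabetic ones lexically, and '~'
    sorts before anything else, including the end of the string."""
    i = j = 0
    while i < len(a) or j < len(b):
        # separators ('.', '_', '-', ...) carry no ordering information
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:  # segment types differ: a numeric segment is newer
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + ma.end(), j + mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_rpm_qa(text: str) -> dict:
    """Map installed package name -> (version, release)."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version, release = line.split()
            installed[name] = (version, release)
    return installed


def missing_fixes(advisory_pkgs, installed: dict) -> list:
    """Names of installed packages older than the advisory's fixed build;
    packages that are not installed at all are skipped (the fix is N/A)."""
    stale = []
    for pkg in advisory_pkgs:
        # advisory entries are name-version-release; the name may contain '-'
        name, fix_ver, fix_rel = pkg.rsplit("-", 2)
        if name not in installed:
            continue
        cur_ver, cur_rel = installed[name]
        if (rpmvercmp(cur_ver, fix_ver) or rpmvercmp(cur_rel, fix_rel)) < 0:
            stale.append(name)
    return stale
```

On the constructed sample, `missing_fixes(ADVISORY_PKGS, parse_rpm_qa(RPM_QA_SAMPLE))` returns `["xorg-x11-server"]`: the -debuginfo and -debugsource packages are not installed, so they are not reported.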