From sle-security-updates at lists.suse.com Tue May 5 06:04:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 May 2015 14:04:54 +0200 (CEST)
Subject: SUSE-SU-2015:0817-1: moderate: Security update for mercurial
Message-ID: <20150505120454.8A2BE3215D@maintenance.suse.de>

   SUSE Security Update: Security update for mercurial
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0817-1
Rating:             moderate
References:         #923070
Cross-References:   CVE-2014-9462
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   mercurial was updated to fix a potential command injection via
   sshpeer._validaterepo() (CVE-2014-9462)

Security Issues:

   * CVE-2014-9462

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-mercurial=10521

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      mercurial-2.3.2-0.9.2

References:

   https://www.suse.com/security/cve/CVE-2014-9462.html
   https://bugzilla.suse.com/923070
   https://download.suse.com/patch/finder/?keywords=fa402eab9dea85010456610711d523a0

From sle-security-updates at lists.suse.com Thu May 7 12:04:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2015 20:04:52 +0200 (CEST)
Subject: SUSE-SU-2015:0832-1: important: Security update for kgraft-patch-SLE12_Update_1, kgraft-patch-SLE12_Update_2
Message-ID: <20150507180452.B24503215D@maintenance.suse.de>

   SUSE Security Update: Security update for kgraft-patch-SLE12_Update_1, kgraft-patch-SLE12_Update_2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0832-1
Rating:             important
References:         #920633 #922004
Cross-References:   CVE-2015-1421
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update supplies kgraft patches to fix one security vulnerability.

   CVE-2015-1421: A use-after-free vulnerability in the sctp_assoc_update
   function in net/sctp/associola.c in the Linux kernel allowed remote
   attackers to cause a denial of service (slab corruption and panic) or
   possibly have unspecified other impact by triggering an INIT collision
   that leads to improper handling of shared-key data.

   This patch supplies kgraft patches for the first kernel update and the
   second kernel update published for SUSE Linux Enterprise Server 12. The
   third kernel update contains the patch already.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2015-183=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-3_12_32-33-default-2-3.1
      kgraft-patch-3_12_32-33-xen-2-3.1
      kgraft-patch-3_12_36-38-default-2-3.1
      kgraft-patch-3_12_36-38-xen-2-3.1

References:

   https://www.suse.com/security/cve/CVE-2015-1421.html
   https://bugzilla.suse.com/920633
   https://bugzilla.suse.com/922004

From sle-security-updates at lists.suse.com Thu May 7 13:04:53 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2015 21:04:53 +0200 (CEST)
Subject: SUSE-SU-2015:0833-1: critical: Security update for java-1_7_0-openjdk
Message-ID: <20150507190453.329C73215D@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0833-1
Rating:             critical
References:         #927591
Cross-References:   CVE-2015-0458 CVE-2015-0459 CVE-2015-0460 CVE-2015-0469
                    CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0484
                    CVE-2015-0488 CVE-2015-0491 CVE-2015-0492
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available. It includes one
   version update.

Description:

   OpenJDK was updated to version 2.5.5 - OpenJDK 7u79 to fix security issues
   and bugs.

   The following vulnerabilities have been fixed:

   * CVE-2015-0458: Deployment: unauthenticated remote attackers could
     execute arbitrary code via multiple protocols.
   * CVE-2015-0459: 2D: unauthenticated remote attackers could execute
     arbitrary code via multiple protocols.
   * CVE-2015-0460: Hotspot: unauthenticated remote attackers could execute
     arbitrary code via multiple protocols.
   * CVE-2015-0469: 2D: unauthenticated remote attackers could execute
     arbitrary code via multiple protocols.
   * CVE-2015-0477: Beans: unauthenticated remote attackers could update,
     insert or delete some JAVA accessible data via multiple protocols.
   * CVE-2015-0478: JCE: unauthenticated remote attackers could read some
     JAVA accessible data via multiple protocols.
   * CVE-2015-0480: Tools: unauthenticated remote attackers could update,
     insert or delete some JAVA accessible data via multiple protocols and
     cause a partial denial of service (partial DOS).
   * CVE-2015-0484: JavaFX: unauthenticated remote attackers could read,
     update, insert or delete some Java accessible data via multiple
     protocols and cause a partial denial of service (partial DOS).
   * CVE-2015-0488: JSSE: unauthenticated remote attackers could cause a
     partial denial of service (partial DOS).
   * CVE-2015-0491: 2D: unauthenticated remote attackers could execute
     arbitrary code via multiple protocols.
   * CVE-2015-0492: JavaFX: unauthenticated remote attackers could execute
     arbitrary code via multiple protocols.

Security Issues:

   * CVE-2015-0458
   * CVE-2015-0459
   * CVE-2015-0460
   * CVE-2015-0469
   * CVE-2015-0477
   * CVE-2015-0478
   * CVE-2015-0480
   * CVE-2015-0484
   * CVE-2015-0488
   * CVE-2015-0491
   * CVE-2015-0492

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-java-1_7_0-openjdk=10621

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.7.0.75]:

      java-1_7_0-openjdk-1.7.0.75-0.9.1
      java-1_7_0-openjdk-demo-1.7.0.75-0.9.1
      java-1_7_0-openjdk-devel-1.7.0.75-0.9.1

References:

   https://www.suse.com/security/cve/CVE-2015-0458.html
   https://www.suse.com/security/cve/CVE-2015-0459.html
   https://www.suse.com/security/cve/CVE-2015-0460.html
   https://www.suse.com/security/cve/CVE-2015-0469.html
   https://www.suse.com/security/cve/CVE-2015-0477.html
   https://www.suse.com/security/cve/CVE-2015-0478.html
   https://www.suse.com/security/cve/CVE-2015-0480.html
   https://www.suse.com/security/cve/CVE-2015-0484.html
   https://www.suse.com/security/cve/CVE-2015-0488.html
   https://www.suse.com/security/cve/CVE-2015-0491.html
   https://www.suse.com/security/cve/CVE-2015-0492.html
   https://bugzilla.suse.com/927591
   https://download.suse.com/patch/finder/?keywords=2082b6af65787f83584579a0178ad27e

From sle-security-updates at lists.suse.com Thu May 7 14:04:49 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2015 22:04:49 +0200 (CEST)
Subject: SUSE-SU-2015:0834-1: Security update for emacs
Message-ID: <20150507200449.C96AB3215D@maintenance.suse.de>

   SUSE Security Update: Security update for emacs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0834-1
Rating:             low
References:         #854683 #876847
Cross-References:   CVE-2014-3421 CVE-2014-3422 CVE-2014-3423 CVE-2014-3424
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   Emacs has been updated to fix the following issues:

   * Several cases of insecure usage of temporary files.
     (CVE-2014-3421, CVE-2014-3422, CVE-2014-3423, CVE-2014-3424)
   * Use of vc-annotate for renamed files when using Git. (bnc#854683)

Security Issues:

   * CVE-2014-3421
   * CVE-2014-3422
   * CVE-2014-3423
   * CVE-2014-3424

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-emacs=10519

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-emacs=10519

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-emacs=10519

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-emacs=10519

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      emacs-nox-22.3-4.42.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      emacs-22.3-4.42.1
      emacs-el-22.3-4.42.1
      emacs-info-22.3-4.42.1
      emacs-nox-22.3-4.42.1
      emacs-x11-22.3-4.42.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      emacs-22.3-4.42.1
      emacs-el-22.3-4.42.1
      emacs-info-22.3-4.42.1
      emacs-nox-22.3-4.42.1
      emacs-x11-22.3-4.42.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      emacs-22.3-4.42.1
      emacs-info-22.3-4.42.1
      emacs-x11-22.3-4.42.1

References:

   https://www.suse.com/security/cve/CVE-2014-3421.html
   https://www.suse.com/security/cve/CVE-2014-3422.html
   https://www.suse.com/security/cve/CVE-2014-3423.html
   https://www.suse.com/security/cve/CVE-2014-3424.html
   https://bugzilla.suse.com/854683
   https://bugzilla.suse.com/876847
   https://download.suse.com/patch/finder/?keywords=20e3126f230d7a9c81b38579822ebebf

From sle-security-updates at lists.suse.com Thu May 7 14:05:22 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2015 22:05:22 +0200 (CEST)
Subject: SUSE-SU-2015:0835-1: Security update for gd
Message-ID: <20150507200522.6B09A3215D@maintenance.suse.de>

   SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0835-1
Rating:             low
References:         #923945
Cross-References:   CVE-2014-9709
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The graphics drawing library gd has been updated to fix one security issue:

   * possible buffer read overflow (CVE-2014-9709)

Security Issues:

   * CVE-2014-9709

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-gd=10530

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-gd=10530

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-gd=10530

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-gd=10530

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      gd-devel-2.0.36.RC1-52.20.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      gd-2.0.36.RC1-52.20.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      gd-2.0.36.RC1-52.20.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      gd-2.0.36.RC1-52.20.1

References:

   https://www.suse.com/security/cve/CVE-2014-9709.html
   https://bugzilla.suse.com/923945
   https://download.suse.com/patch/finder/?keywords=f66cfcf1b5f869ab2fc28ffd776255a1

From sle-security-updates at lists.suse.com Fri May 8 03:04:58 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 May 2015 11:04:58 +0200 (CEST)
Subject: SUSE-SU-2015:0836-1: moderate: Security update for mercurial
Message-ID: <20150508090458.D61553215E@maintenance.suse.de>

   SUSE Security Update: Security update for mercurial
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0836-1
Rating:             moderate
References:         #923070
Cross-References:   CVE-2014-9462
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Mercurial was updated to fix a command injection via
   sshpeer._validaterepo() (CVE-2014-9462, bnc#923070).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-184=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      mercurial-2.8.2-3.1
      mercurial-debuginfo-2.8.2-3.1
      mercurial-debugsource-2.8.2-3.1

References:

   https://www.suse.com/security/cve/CVE-2014-9462.html
   https://bugzilla.suse.com/923070

From sle-security-updates at lists.suse.com Fri May 8 07:05:45 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 May 2015 15:05:45 +0200 (CEST)
Subject: SUSE-SU-2015:0839-1: important: Security update for DirectFB
Message-ID: <20150508130545.155943215E@maintenance.suse.de>

   SUSE Security Update: Security update for DirectFB
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0839-1
Rating:             important
References:         #878345 #878349
Cross-References:   CVE-2014-2977 CVE-2014-2978
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   DirectFB was updated to fix two security issues.

   The following vulnerabilities were fixed:

   * CVE-2014-2977: Multiple integer signedness errors could allow remote
     attackers to cause a denial of service (crash) and possibly execute
     arbitrary code via the Voodoo interface, which triggers a stack-based
     buffer overflow.
   * CVE-2014-2978: Remote attackers could cause a denial of service (crash)
     and possibly execute arbitrary code via the Voodoo interface, which
     triggers an out-of-bounds write.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-185=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-185=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-185=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-185=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      libdirectfb-1_7-1-32bit-1.7.1-4.1
      libdirectfb-1_7-1-debuginfo-32bit-1.7.1-4.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      DirectFB-debuginfo-1.7.1-4.1
      DirectFB-debugsource-1.7.1-4.1
      DirectFB-devel-1.7.1-4.1
      lib++dfb-devel-1.7.1-4.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      DirectFB-1.7.1-4.1
      DirectFB-debuginfo-1.7.1-4.1
      DirectFB-debugsource-1.7.1-4.1
      lib++dfb-1_7-1-1.7.1-4.1
      lib++dfb-1_7-1-debuginfo-1.7.1-4.1
      libdirectfb-1_7-1-1.7.1-4.1
      libdirectfb-1_7-1-debuginfo-1.7.1-4.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      DirectFB-1.7.1-4.1
      DirectFB-debuginfo-1.7.1-4.1
      DirectFB-debugsource-1.7.1-4.1
      lib++dfb-1_7-1-1.7.1-4.1
      lib++dfb-1_7-1-debuginfo-1.7.1-4.1
      libdirectfb-1_7-1-1.7.1-4.1
      libdirectfb-1_7-1-32bit-1.7.1-4.1
      libdirectfb-1_7-1-debuginfo-1.7.1-4.1
      libdirectfb-1_7-1-debuginfo-32bit-1.7.1-4.1

References:

   https://www.suse.com/security/cve/CVE-2014-2977.html
   https://www.suse.com/security/cve/CVE-2014-2978.html
   https://bugzilla.suse.com/878345
   https://bugzilla.suse.com/878349

From sle-security-updates at lists.suse.com Fri May 8 10:04:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 May 2015 18:04:56 +0200 (CEST)
Subject: SUSE-SU-2015:0841-1: moderate: Security update for Mono
Message-ID: <20150508160456.0B3223215E@maintenance.suse.de>

   SUSE Security Update: Security update for Mono
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0841-1
Rating:             moderate
References:         #921312
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   Multiple SSL vulnerabilities were fixed in the Mono TLS implementation.

   * CVE-2015-2318: SKIP-TLS problem could be used for client impersonation.
   * CVE-2015-2319: A FREAK style SSL protocol downgrade problem was fixed.
   * CVE-2015-2320: The SSLv2 support was disabled.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-bytefx-data-mysql=10497

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-bytefx-data-mysql=10497

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-bytefx-data-mysql=10497

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-bytefx-data-mysql=10497

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc ppc64 s390x x86_64):

      bytefx-data-mysql-2.6.7-0.13.1
      mono-data-firebird-2.6.7-0.13.1
      mono-data-oracle-2.6.7-0.13.1
      mono-data-sybase-2.6.7-0.13.1
      mono-devel-2.6.7-0.13.1
      mono-extras-2.6.7-0.13.1
      mono-jscript-2.6.7-0.13.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      mono-wcf-2.6.7-0.13.1
      mono-winfxcore-2.6.7-0.13.1
      monodoc-core-2.6.7-0.13.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc ppc64):

      mono-core-2.6.7-0.13.1
      mono-data-2.6.7-0.13.1
      mono-data-postgresql-2.6.7-0.13.1
      mono-data-sqlite-2.6.7-0.13.1
      mono-locale-extras-2.6.7-0.13.1
      mono-nunit-2.6.7-0.13.1
      mono-web-2.6.7-0.13.1
      mono-winforms-2.6.7-0.13.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      mono-core-2.6.7-0.13.1
      mono-data-2.6.7-0.13.1
      mono-data-postgresql-2.6.7-0.13.1
      mono-data-sqlite-2.6.7-0.13.1
      mono-locale-extras-2.6.7-0.13.1
      mono-nunit-2.6.7-0.13.1
      mono-web-2.6.7-0.13.1
      mono-winforms-2.6.7-0.13.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc ppc64 s390x x86_64):

      mono-core-2.6.7-0.13.1
      mono-data-2.6.7-0.13.1
      mono-data-postgresql-2.6.7-0.13.1
      mono-data-sqlite-2.6.7-0.13.1
      mono-locale-extras-2.6.7-0.13.1
      mono-nunit-2.6.7-0.13.1
      mono-web-2.6.7-0.13.1
      mono-winforms-2.6.7-0.13.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      bytefx-data-mysql-2.6.7-0.13.1
      ibm-data-db2-2.6.7-0.13.1
      mono-core-2.6.7-0.13.1
      mono-data-2.6.7-0.13.1
      mono-data-firebird-2.6.7-0.13.1
      mono-data-oracle-2.6.7-0.13.1
      mono-data-postgresql-2.6.7-0.13.1
      mono-data-sqlite-2.6.7-0.13.1
      mono-data-sybase-2.6.7-0.13.1
      mono-devel-2.6.7-0.13.1
      mono-extras-2.6.7-0.13.1
      mono-jscript-2.6.7-0.13.1
      mono-locale-extras-2.6.7-0.13.1
      mono-nunit-2.6.7-0.13.1
      mono-wcf-2.6.7-0.13.1
      mono-web-2.6.7-0.13.1
      mono-winforms-2.6.7-0.13.1
      monodoc-core-2.6.7-0.13.1

References:

   https://bugzilla.suse.com/921312
   https://download.suse.com/patch/finder/?keywords=70a16347ac03d3f99ffeaf3fc2a6181a

From sle-security-updates at lists.suse.com Tue May 12 11:05:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 May 2015 19:05:52 +0200 (CEST)
Subject: SUSE-SU-2015:0863-1: Security update for SUSE Studio
Message-ID: <20150512170552.6109832164@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Studio
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0863-1
Rating:             low
References:         #852794 #876313 #880078 #887893 #904372 #904375 #912512
                    #914765 #918203 #918239 #918395 #919037
Cross-References:   CVE-2014-7818 CVE-2014-7819 CVE-2014-7829
Affected Products:
                    SUSE Studio Onsite 1.3
______________________________________________________________________________

   An update that solves three vulnerabilities and has 9 fixes is now
   available. It includes one version update.

Description:

   This update provides SUSE Studio 1.3.10, including Amazon's EC2 support for
   SUSE Linux Enterprise 12 appliances.

   Additionally, the update includes fixes for the following issues:

   * #904372 - Arbitrary file existence disclosure in sprockets gem
     (CVE-2014-7819)
   * #904375 - Arbitrary file existence disclosure in Action Pack gem
     (CVE-2014-7818)
   * #918203 - Arbitrary file existence disclosure in Studio Onsite
     (CVE-2014-7829)
   * #852794 - SLES 11-SP3 templates fail to build x86_64 EC2 images
   * #914765 - Change of appliance name is not displayed in appliance's
     change log
   * #887893 - Change log not accessible via API
   * #918239 - Failure to create new appliances after upgrade to Studio
     Onsite 1.3.9
   * #918395 - Remove 32bit as target for building EC2 appliances
   * #912512 - Studio doesn't allow duplicated repositories
   * #880078 - Studio packages contain files that get modified (by Studio)
     after installation.
   * #919037 - Can't open appliance on Gallery: undefined
     restructure_unsupportable_packages method.
Security Issues:

   * CVE-2014-7819
   * CVE-2014-7818
   * CVE-2014-7829

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-susestudio-1310-201502=10411

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.3.10]:

      Containment-Studio-SLE11_SP3-5.05.81-20150505234825
      susestudio-1.3.10-0.17.45
      susestudio-bundled-packages-1.3.10-0.17.45
      susestudio-common-1.3.10-0.17.45
      susestudio-runner-1.3.10-0.17.45
      susestudio-sid-1.3.10-0.17.45
      susestudio-ui-server-1.3.10-0.17.45

References:

   https://www.suse.com/security/cve/CVE-2014-7818.html
   https://www.suse.com/security/cve/CVE-2014-7819.html
   https://www.suse.com/security/cve/CVE-2014-7829.html
   https://bugzilla.suse.com/852794
   https://bugzilla.suse.com/876313
   https://bugzilla.suse.com/880078
   https://bugzilla.suse.com/887893
   https://bugzilla.suse.com/904372
   https://bugzilla.suse.com/904375
   https://bugzilla.suse.com/912512
   https://bugzilla.suse.com/914765
   https://bugzilla.suse.com/918203
   https://bugzilla.suse.com/918239
   https://bugzilla.suse.com/918395
   https://bugzilla.suse.com/919037
   https://download.suse.com/patch/finder/?keywords=47874d473d5972d4857f71d4a1d418be

From sle-security-updates at lists.suse.com Wed May 13 07:04:58 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 May 2015 15:04:58 +0200 (CEST)
Subject: SUSE-SU-2015:0865-1: moderate: Security update for ntp
Message-ID: <20150513130458.728B232164@maintenance.suse.de>

   SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0865-1
Rating:             moderate
References:         #918342 #924202 #928321
Cross-References:   CVE-2015-1798 CVE-2015-1799 CVE-2015-3405
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   ntp was updated to fix two security related flaws as well as "slew" mode
   handling for leap seconds.

   The following vulnerabilities were fixed:

   * ntpd could accept unauthenticated packets with symmetric key crypto.
     (CVE-2015-1798)
   * ntpd authentication did not protect symmetric associations against DoS
     attacks (CVE-2015-1799)
   * ntp-keygen may generate non-random symmetric keys on big-endian systems
     (bsc#928321, CVE-2015-3405).

   The following non-security issues were fixed:

   * Fix slew mode for leap seconds (bnc#918342).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-193=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-193=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      ntp-4.2.6p5-44.1
      ntp-debuginfo-4.2.6p5-44.1
      ntp-debugsource-4.2.6p5-44.1
      ntp-doc-4.2.6p5-44.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      ntp-4.2.6p5-44.1
      ntp-debuginfo-4.2.6p5-44.1
      ntp-debugsource-4.2.6p5-44.1
      ntp-doc-4.2.6p5-44.1

References:

   https://www.suse.com/security/cve/CVE-2015-1798.html
   https://www.suse.com/security/cve/CVE-2015-1799.html
   https://www.suse.com/security/cve/CVE-2015-3405.html
   https://bugzilla.suse.com/918342
   https://bugzilla.suse.com/924202
   https://bugzilla.suse.com/928321

From sle-security-updates at lists.suse.com Wed May 13 07:05:43 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 May 2015 15:05:43 +0200 (CEST)
Subject: SUSE-SU-2015:0866-1: Security update for gd
Message-ID: <20150513130543.AD47032164@maintenance.suse.de>

   SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0866-1
Rating:             low
References:         #923945
Cross-References:   CVE-2014-9709
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The graphics drawing library gd was updated to fix one security issue.

   The following vulnerability was fixed:

   * possible buffer read overflow (CVE-2014-9709)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-194=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-194=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-194=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-194=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      gd-32bit-2.1.0-5.1
      gd-debuginfo-32bit-2.1.0-5.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      gd-debuginfo-2.1.0-5.1
      gd-debugsource-2.1.0-5.1
      gd-devel-2.1.0-5.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      gd-2.1.0-5.1
      gd-debuginfo-2.1.0-5.1
      gd-debugsource-2.1.0-5.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      gd-2.1.0-5.1
      gd-32bit-2.1.0-5.1
      gd-debuginfo-2.1.0-5.1
      gd-debuginfo-32bit-2.1.0-5.1
      gd-debugsource-2.1.0-5.1

References:

   https://www.suse.com/security/cve/CVE-2014-9709.html
   https://bugzilla.suse.com/923945

From sle-security-updates at lists.suse.com Wed May 13 07:07:03 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 May 2015 15:07:03 +0200 (CEST)
Subject: SUSE-SU-2015:0868-1: important: Security update for php5
Message-ID: <20150513130703.591EA32164@maintenance.suse.de>

   SUSE Security Update: Security update for php5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0868-1
Rating:             important
References:         #922022 #922451 #922452 #923946 #924970 #924972 #925109
                    #928408 #928506 #928511
Cross-References:   CVE-2014-9705 CVE-2014-9709 CVE-2015-2301 CVE-2015-2305
                    CVE-2015-2348 CVE-2015-2783 CVE-2015-2787 CVE-2015-3329
                    CVE-2015-3330
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has one errata is now
   available.

Description:

   PHP was updated to fix ten security issues.

   The following vulnerabilities were fixed:

   * CVE-2014-9709: A specially crafted GIF file could cause a buffer read
     overflow in php-gd (bnc#923946)
   * CVE-2015-2301: Memory was used after it was freed in PHAR (bnc#922022)
   * CVE-2015-2305: heap overflow vulnerability in regcomp.c (bnc#922452)
   * CVE-2014-9705: heap buffer overflow in Enchant (bnc#922451)
   * CVE-2015-2787: use-after-free vulnerability in the process_nested_data
     function (bnc#924972)
   * unserialize SoapClient type confusion (bnc#925109)
   * CVE-2015-2348: move_uploaded_file truncates a pathname upon
     encountering a x00 character (bnc#924970)
   * CVE-2015-3330: Specially crafted PHAR files could, when executed under
     Apache httpd 2.4 (apache2handler), allow arbitrary code execution
     (bnc#928506)
   * CVE-2015-3329: Specially crafted PHAR data could lead to disclosure of
     sensitive information due to a buffer overflow (bnc#928506)
   * CVE-2015-2783: Specially crafted PHAR data could lead to disclosure of
     sensitive information due to a buffer over-read (bnc#928511)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-192=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2015-192=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      php5-debuginfo-5.5.14-22.1
      php5-debugsource-5.5.14-22.1
      php5-devel-5.5.14-22.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64):

      apache2-mod_php5-5.5.14-22.1
      apache2-mod_php5-debuginfo-5.5.14-22.1
      php5-5.5.14-22.1
      php5-bcmath-5.5.14-22.1
      php5-bcmath-debuginfo-5.5.14-22.1
      php5-bz2-5.5.14-22.1
      php5-bz2-debuginfo-5.5.14-22.1
      php5-calendar-5.5.14-22.1
      php5-calendar-debuginfo-5.5.14-22.1
      php5-ctype-5.5.14-22.1
      php5-ctype-debuginfo-5.5.14-22.1
      php5-curl-5.5.14-22.1
      php5-curl-debuginfo-5.5.14-22.1
      php5-dba-5.5.14-22.1
      php5-dba-debuginfo-5.5.14-22.1
      php5-debuginfo-5.5.14-22.1
      php5-debugsource-5.5.14-22.1
      php5-dom-5.5.14-22.1
      php5-dom-debuginfo-5.5.14-22.1
      php5-enchant-5.5.14-22.1
      php5-enchant-debuginfo-5.5.14-22.1
      php5-exif-5.5.14-22.1
      php5-exif-debuginfo-5.5.14-22.1
      php5-fastcgi-5.5.14-22.1
      php5-fastcgi-debuginfo-5.5.14-22.1
      php5-fileinfo-5.5.14-22.1
      php5-fileinfo-debuginfo-5.5.14-22.1
      php5-fpm-5.5.14-22.1
      php5-fpm-debuginfo-5.5.14-22.1
      php5-ftp-5.5.14-22.1
      php5-ftp-debuginfo-5.5.14-22.1
      php5-gd-5.5.14-22.1
      php5-gd-debuginfo-5.5.14-22.1
      php5-gettext-5.5.14-22.1
      php5-gettext-debuginfo-5.5.14-22.1
      php5-gmp-5.5.14-22.1
      php5-gmp-debuginfo-5.5.14-22.1
      php5-iconv-5.5.14-22.1
      php5-iconv-debuginfo-5.5.14-22.1
      php5-intl-5.5.14-22.1
      php5-intl-debuginfo-5.5.14-22.1
      php5-json-5.5.14-22.1
      php5-json-debuginfo-5.5.14-22.1
      php5-ldap-5.5.14-22.1
      php5-ldap-debuginfo-5.5.14-22.1
      php5-mbstring-5.5.14-22.1
      php5-mbstring-debuginfo-5.5.14-22.1
      php5-mcrypt-5.5.14-22.1
      php5-mcrypt-debuginfo-5.5.14-22.1
      php5-mysql-5.5.14-22.1
      php5-mysql-debuginfo-5.5.14-22.1
      php5-odbc-5.5.14-22.1
      php5-odbc-debuginfo-5.5.14-22.1
      php5-openssl-5.5.14-22.1
      php5-openssl-debuginfo-5.5.14-22.1
      php5-pcntl-5.5.14-22.1
      php5-pcntl-debuginfo-5.5.14-22.1
      php5-pdo-5.5.14-22.1
      php5-pdo-debuginfo-5.5.14-22.1
      php5-pgsql-5.5.14-22.1
      php5-pgsql-debuginfo-5.5.14-22.1
      php5-pspell-5.5.14-22.1
      php5-pspell-debuginfo-5.5.14-22.1
      php5-shmop-5.5.14-22.1
      php5-shmop-debuginfo-5.5.14-22.1
      php5-snmp-5.5.14-22.1
      php5-snmp-debuginfo-5.5.14-22.1
      php5-soap-5.5.14-22.1
      php5-soap-debuginfo-5.5.14-22.1
      php5-sockets-5.5.14-22.1
      php5-sockets-debuginfo-5.5.14-22.1
      php5-sqlite-5.5.14-22.1
      php5-sqlite-debuginfo-5.5.14-22.1
      php5-suhosin-5.5.14-22.1
      php5-suhosin-debuginfo-5.5.14-22.1
      php5-sysvmsg-5.5.14-22.1
      php5-sysvmsg-debuginfo-5.5.14-22.1
      php5-sysvsem-5.5.14-22.1
      php5-sysvsem-debuginfo-5.5.14-22.1
      php5-sysvshm-5.5.14-22.1
      php5-sysvshm-debuginfo-5.5.14-22.1
      php5-tokenizer-5.5.14-22.1
      php5-tokenizer-debuginfo-5.5.14-22.1
      php5-wddx-5.5.14-22.1
      php5-wddx-debuginfo-5.5.14-22.1
      php5-xmlreader-5.5.14-22.1
      php5-xmlreader-debuginfo-5.5.14-22.1
      php5-xmlrpc-5.5.14-22.1
      php5-xmlrpc-debuginfo-5.5.14-22.1
      php5-xmlwriter-5.5.14-22.1
      php5-xmlwriter-debuginfo-5.5.14-22.1
      php5-xsl-5.5.14-22.1
      php5-xsl-debuginfo-5.5.14-22.1
      php5-zip-5.5.14-22.1
      php5-zip-debuginfo-5.5.14-22.1
      php5-zlib-5.5.14-22.1
      php5-zlib-debuginfo-5.5.14-22.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php5-pear-5.5.14-22.1

References:

   https://www.suse.com/security/cve/CVE-2014-9705.html
   https://www.suse.com/security/cve/CVE-2014-9709.html
   https://www.suse.com/security/cve/CVE-2015-2301.html
   https://www.suse.com/security/cve/CVE-2015-2305.html
   https://www.suse.com/security/cve/CVE-2015-2348.html
   https://www.suse.com/security/cve/CVE-2015-2783.html
   https://www.suse.com/security/cve/CVE-2015-2787.html
   https://www.suse.com/security/cve/CVE-2015-3329.html
   https://www.suse.com/security/cve/CVE-2015-3330.html
   https://bugzilla.suse.com/922022
   https://bugzilla.suse.com/922451
   https://bugzilla.suse.com/922452
   https://bugzilla.suse.com/923946
   https://bugzilla.suse.com/924970
   https://bugzilla.suse.com/924972
   https://bugzilla.suse.com/925109
   https://bugzilla.suse.com/928408
   https://bugzilla.suse.com/928506
   https://bugzilla.suse.com/928511

From sle-security-updates at lists.suse.com Wed May 13 14:04:48 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 May 2015 22:04:48 +0200 (CEST)
Subject: SUSE-SU-2015:0870-1: important: Security update for kvm
Message-ID: <20150513200448.D604C32164@maintenance.suse.de>

SUSE Security Update: Security update for kvm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0870-1
Rating:             important
References:         #920571 #924018
Cross-References:   CVE-2015-1779
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available. It includes one version update.

Description:

   This update for KVM fixes an issue in the virtio-blk driver which could
   result in incorrectly setting its WCE configuration. Under some
   circumstances, this misconfiguration could cause severe file system
   corruption, because cache flushes were not generated as they ought to
   have been.

   The update also addresses one security vulnerability:

   * CVE-2015-1779: Insufficient resource limiting in VNC websockets
     decoder. (bsc#924018)

Security Issues:

   * CVE-2015-1779

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-kvm=10645

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-kvm=10645

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 (i586 s390x x86_64) [New Version: 1.4.2]:

      kvm-1.4.2-0.22.25.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4.2]:

      kvm-1.4.2-0.22.25.1

References:

   https://www.suse.com/security/cve/CVE-2015-1779.html
   https://bugzilla.suse.com/920571
   https://bugzilla.suse.com/924018
   https://download.suse.com/patch/finder/?keywords=5ce7157b96103bdd850e596ab6dff1ba

From sle-security-updates at lists.suse.com Wed May 13 14:05:18 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 May 2015 22:05:18 +0200 (CEST)
Subject: SUSE-SU-2015:0871-1: moderate: Security update for clamav
Message-ID: <20150513200518.4ACBB32164@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0871-1
Rating:             moderate
References:         #929192
Cross-References:   CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2305
                    CVE-2015-2668
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available. It includes one
   version update.

Description:

   The ClamAV antivirus engine was updated to version 0.98.7 to fix several
   security issues:

   * CVE-2015-2170: Fix crash in upx decoder with crafted file. Discovered
     and patch supplied by Sebastian Andrzej Siewior.
   * CVE-2015-2221: Fix infinite loop condition on crafted y0da cryptor
     file. Identified and patch suggested by Sebastian Andrzej Siewior.
   * CVE-2015-2222: Fix crash on crafted petite packed file. Reported and
     patch supplied by Sebastian Andrzej Siewior.
   * CVE-2015-2668: Fix an infinite loop condition on a crafted "xz" archive
     file. This was reported by Dimitri Kirchner and Goulven Guiheux.
   * CVE-2015-2305: Apply upstream patch for possible heap overflow in
     Henry Spencer's regex library.

Security Issues:

   * CVE-2015-2170
   * CVE-2015-2221
   * CVE-2015-2222
   * CVE-2015-2668
   * CVE-2015-2305

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-clamav=10664

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-clamav=10664

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-clamav=10664

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 0.98.7]:

      clamav-0.98.7-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.98.7]:

      clamav-0.98.7-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 0.98.7]:

      clamav-0.98.7-0.3.1

References:

   https://www.suse.com/security/cve/CVE-2015-2170.html
   https://www.suse.com/security/cve/CVE-2015-2221.html
   https://www.suse.com/security/cve/CVE-2015-2222.html
   https://www.suse.com/security/cve/CVE-2015-2305.html
   https://www.suse.com/security/cve/CVE-2015-2668.html
   https://bugzilla.suse.com/929192
   https://download.suse.com/patch/finder/?keywords=6f6828dce478f4baf653977c4fb6fce3

From sle-security-updates at lists.suse.com Thu May 14 12:04:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 May 2015 20:04:54 +0200 (CEST)
Subject: SUSE-SU-2015:0878-1: important: Security update for flash-player
Message-ID: <20150514180454.D0C5C32164@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0878-1
Rating:             important
References:         #930677
Cross-References:   CVE-2015-3044 CVE-2015-3077 CVE-2015-3078 CVE-2015-3079
                    CVE-2015-3080
                    CVE-2015-3081 CVE-2015-3082 CVE-2015-3083 CVE-2015-3084
                    CVE-2015-3085 CVE-2015-3086 CVE-2015-3087 CVE-2015-3088
                    CVE-2015-3089 CVE-2015-3090 CVE-2015-3091 CVE-2015-3092
                    CVE-2015-3093
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   The Adobe flash-player package was updated to version 11.2.202.460 to
   fix several security issues.

   The following vulnerabilities were fixed (bsc#930677):

   * APSB15-09, CVE-2015-3044, CVE-2015-3077, CVE-2015-3078, CVE-2015-3079,
     CVE-2015-3080, CVE-2015-3081, CVE-2015-3082, CVE-2015-3083,
     CVE-2015-3084, CVE-2015-3085, CVE-2015-3086, CVE-2015-3087,
     CVE-2015-3088, CVE-2015-3089, CVE-2015-3090, CVE-2015-3091,
     CVE-2015-3092, CVE-2015-3093

   More information can be found at the Adobe Security Bulletin APSB15-09:
   https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-197=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-197=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (i586 x86_64):

      flash-player-11.2.202.460-83.1
      flash-player-gnome-11.2.202.460-83.1

   - SUSE Linux Enterprise Desktop 12 (i586 x86_64):

      flash-player-11.2.202.460-83.1
      flash-player-gnome-11.2.202.460-83.1

References:

   https://www.suse.com/security/cve/CVE-2015-3044.html
   https://www.suse.com/security/cve/CVE-2015-3077.html
   https://www.suse.com/security/cve/CVE-2015-3078.html
   https://www.suse.com/security/cve/CVE-2015-3079.html
   https://www.suse.com/security/cve/CVE-2015-3080.html
   https://www.suse.com/security/cve/CVE-2015-3081.html
   https://www.suse.com/security/cve/CVE-2015-3082.html
   https://www.suse.com/security/cve/CVE-2015-3083.html
   https://www.suse.com/security/cve/CVE-2015-3084.html
   https://www.suse.com/security/cve/CVE-2015-3085.html
   https://www.suse.com/security/cve/CVE-2015-3086.html
   https://www.suse.com/security/cve/CVE-2015-3087.html
   https://www.suse.com/security/cve/CVE-2015-3088.html
   https://www.suse.com/security/cve/CVE-2015-3089.html
   https://www.suse.com/security/cve/CVE-2015-3090.html
   https://www.suse.com/security/cve/CVE-2015-3091.html
   https://www.suse.com/security/cve/CVE-2015-3092.html
   https://www.suse.com/security/cve/CVE-2015-3093.html
   https://bugzilla.suse.com/930677

From sle-security-updates at lists.suse.com Thu May 14 16:04:53 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2015 00:04:53 +0200 (CEST)
Subject: SUSE-SU-2015:0880-1: moderate: Security update for flash-player
Message-ID: <20150514220453.DE4AB32164@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0880-1
Rating:             moderate
References:         #930677
Cross-References:   CVE-2015-3044 CVE-2015-3077 CVE-2015-3078 CVE-2015-3079
                    CVE-2015-3080 CVE-2015-3081 CVE-2015-3082 CVE-2015-3083
                    CVE-2015-3084 CVE-2015-3085 CVE-2015-3086 CVE-2015-3087
                    CVE-2015-3088 CVE-2015-3089 CVE-2015-3090 CVE-2015-3091
                    CVE-2015-3092 CVE-2015-3093
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available. It includes one
   version update.

Description:

   The Adobe flash-player package was updated to version 11.2.202.460 to
   fix several security issues: APSB15-09, CVE-2015-3044, CVE-2015-3077,
   CVE-2015-3078, CVE-2015-3079, CVE-2015-3080, CVE-2015-3081,
   CVE-2015-3082, CVE-2015-3083, CVE-2015-3084, CVE-2015-3085,
   CVE-2015-3086, CVE-2015-3087, CVE-2015-3088, CVE-2015-3089,
   CVE-2015-3090, CVE-2015-3091, CVE-2015-3092, CVE-2015-3093.

   More information can be found at the Adobe Security Bulletin APSB15-09:
   https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

Security Issues:

   * CVE-2015-3044
   * CVE-2015-3077
   * CVE-2015-3078
   * CVE-2015-3079
   * CVE-2015-3080
   * CVE-2015-3081
   * CVE-2015-3082
   * CVE-2015-3083
   * CVE-2015-3084
   * CVE-2015-3085
   * CVE-2015-3086
   * CVE-2015-3087
   * CVE-2015-3088
   * CVE-2015-3089
   * CVE-2015-3090
   * CVE-2015-3091
   * CVE-2015-3092
   * CVE-2015-3093

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-flash-player=10680

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.460]:

      flash-player-11.2.202.460-0.3.1
      flash-player-gnome-11.2.202.460-0.3.1
      flash-player-kde4-11.2.202.460-0.3.1

References:

   https://www.suse.com/security/cve/CVE-2015-3044.html
   https://www.suse.com/security/cve/CVE-2015-3077.html
   https://www.suse.com/security/cve/CVE-2015-3078.html
   https://www.suse.com/security/cve/CVE-2015-3079.html
   https://www.suse.com/security/cve/CVE-2015-3080.html
   https://www.suse.com/security/cve/CVE-2015-3081.html
   https://www.suse.com/security/cve/CVE-2015-3082.html
   https://www.suse.com/security/cve/CVE-2015-3083.html
   https://www.suse.com/security/cve/CVE-2015-3084.html
   https://www.suse.com/security/cve/CVE-2015-3085.html
   https://www.suse.com/security/cve/CVE-2015-3086.html
   https://www.suse.com/security/cve/CVE-2015-3087.html
   https://www.suse.com/security/cve/CVE-2015-3088.html
   https://www.suse.com/security/cve/CVE-2015-3089.html
   https://www.suse.com/security/cve/CVE-2015-3090.html
   https://www.suse.com/security/cve/CVE-2015-3091.html
   https://www.suse.com/security/cve/CVE-2015-3092.html
   https://www.suse.com/security/cve/CVE-2015-3093.html
   https://bugzilla.suse.com/930677
   https://download.suse.com/patch/finder/?keywords=7d7013992fb3ccd36d13c089427c8daa

From sle-security-updates at lists.suse.com Fri May 15 04:05:20 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2015 12:05:20 +0200 (CEST)
Subject: SUSE-SU-2015:0882-1: moderate: Security update for clamav
Message-ID: <20150515100520.E396632159@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0882-1
Rating:             moderate
References:         #929192
Cross-References:   CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2305
                    CVE-2015-2668
Affected Products:
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   The ClamAV antivirus engine was updated to version 0.98.7 to fix several
   security and non security issues.

   The following vulnerabilities were fixed (bsc#929192):

   * CVE-2015-2170: Fix crash in upx decoder with crafted file. Discovered
     and patch supplied by Sebastian Andrzej Siewior.
   * CVE-2015-2221: Fix infinite loop condition on crafted y0da cryptor
     file. Identified and patch suggested by Sebastian Andrzej Siewior.
   * CVE-2015-2222: Fix crash on crafted petite packed file. Reported and
     patch supplied by Sebastian Andrzej Siewior.
   * CVE-2015-2668: Fix an infinite loop condition on a crafted "xz" archive
     file. This was reported by Dimitri Kirchner and Goulven Guiheux.
   * CVE-2015-2305: Apply upstream patch for possible heap overflow in
     Henry Spencer's regex library.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-198=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x):

      clamav-0.98.7-13.1
      clamav-debuginfo-0.98.7-13.1
      clamav-debugsource-0.98.7-13.1

References:

   https://www.suse.com/security/cve/CVE-2015-2170.html
   https://www.suse.com/security/cve/CVE-2015-2221.html
   https://www.suse.com/security/cve/CVE-2015-2222.html
   https://www.suse.com/security/cve/CVE-2015-2305.html
   https://www.suse.com/security/cve/CVE-2015-2668.html
   https://bugzilla.suse.com/929192

From sle-security-updates at lists.suse.com Fri May 15 09:05:06 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2015 17:05:06 +0200 (CEST)
Subject: SUSE-SU-2015:0882-2: moderate: Security update for clamav
Message-ID: <20150515150506.3CDC832164@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0882-2
Rating:             moderate
References:         #929192
Cross-References:   CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2305
                    CVE-2015-2668
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   The ClamAV antivirus engine was updated to version 0.98.7 to fix several
   security and non security issues.

   The following vulnerabilities were fixed (bsc#929192):

   * CVE-2015-2170: Fix crash in upx decoder with crafted file. Discovered
     and patch supplied by Sebastian Andrzej Siewior.
   * CVE-2015-2221: Fix infinite loop condition on crafted y0da cryptor
     file. Identified and patch suggested by Sebastian Andrzej Siewior.
   * CVE-2015-2222: Fix crash on crafted petite packed file. Reported and
     patch supplied by Sebastian Andrzej Siewior.
   * CVE-2015-2668: Fix an infinite loop condition on a crafted "xz" archive
     file. This was reported by Dimitri Kirchner and Goulven Guiheux.
   * CVE-2015-2305: Apply upstream patch for possible heap overflow in
     Henry Spencer's regex library.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-198=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-198=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (x86_64):

      clamav-0.98.7-13.1
      clamav-debuginfo-0.98.7-13.1
      clamav-debugsource-0.98.7-13.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      clamav-0.98.7-13.1
      clamav-debuginfo-0.98.7-13.1
      clamav-debugsource-0.98.7-13.1

References:

   https://www.suse.com/security/cve/CVE-2015-2170.html
   https://www.suse.com/security/cve/CVE-2015-2221.html
   https://www.suse.com/security/cve/CVE-2015-2222.html
   https://www.suse.com/security/cve/CVE-2015-2305.html
   https://www.suse.com/security/cve/CVE-2015-2668.html
   https://bugzilla.suse.com/929192

From sle-security-updates at lists.suse.com Fri May 15 10:04:55 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2015 18:04:55 +0200 (CEST)
Subject: SUSE-SU-2015:0884-1: important: Security update for spice
Message-ID: <20150515160455.7885032164@maintenance.suse.de>

SUSE Security Update: Security update for spice
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0884-1
Rating:             important
References:         #848279
Cross-References:   CVE-2013-4282
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The remote desktop software SPICE was updated to address one security
   issue.
   The following vulnerability was fixed:

   * A stack-based buffer overflow in the password handling code allowed
     remote attackers to cause a denial of service (crash) via a long
     password in a SPICE ticket. (bsc#848279, CVE-2013-4282)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-199=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-199=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (x86_64):

      libspice-server1-0.12.4-6.1
      libspice-server1-debuginfo-0.12.4-6.1
      spice-debugsource-0.12.4-6.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libspice-server1-0.12.4-6.1
      libspice-server1-debuginfo-0.12.4-6.1
      spice-debugsource-0.12.4-6.1

References:

   https://www.suse.com/security/cve/CVE-2013-4282.html
   https://bugzilla.suse.com/848279

From sle-security-updates at lists.suse.com Fri May 15 14:04:51 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2015 22:04:51 +0200 (CEST)
Subject: SUSE-SU-2015:0886-1: moderate: Security update for struts
Message-ID: <20150515200451.1576132164@maintenance.suse.de>

SUSE Security Update: Security update for struts
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0886-1
Rating:             moderate
References:         #924887
Cross-References:   CVE-2015-0899
Affected Products:
                    SUSE Manager Server
                    SUSE Manager 1.7 for SLE 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Apache Struts was updated to fix one security issue:

   * The input validation could be bypassed in MultiPageValidator.
     (bnc#924887, CVE-2015-0899)

Security Issues:

   * CVE-2015-0899

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server:

      zypper in -t patch sleman21-struts=10679

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-struts=10678

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-struts=10679

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager Server (noarch):

      struts-1.2.9-162.37.1

   - SUSE Manager 1.7 for SLE 11 SP2 (noarch):

      struts-1.2.9-162.37.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch):

      struts-1.2.9-162.37.1
      struts-javadoc-1.2.9-162.37.1
      struts-manual-1.2.9-162.37.1

References:

   https://www.suse.com/security/cve/CVE-2015-0899.html
   https://bugzilla.suse.com/924887
   https://download.suse.com/patch/finder/?keywords=9790bac0758b865888f6d56ab5241b01
   https://download.suse.com/patch/finder/?keywords=d687ee32a48a395f483c9124673424df

From sle-security-updates at lists.suse.com Fri May 15 14:05:09 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2015 22:05:09 +0200 (CEST)
Subject: SUSE-SU-2015:0887-1: moderate: Security update for openldap2
Message-ID: <20150515200509.5499F32164@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0887-1
Rating:             moderate
References:         #846389 #905959 #916897 #916914
Cross-References:   CVE-2013-4449 CVE-2015-1545 CVE-2015-1546
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Security Module 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves
   three vulnerabilities and has one errata is now available.

Description:

   openldap2 was updated to fix three security issues and one non-security
   bug.

   The following vulnerabilities were fixed:

   * A remote attacker could cause a denial of service (slapd crash) by
     unbinding immediately after a search request. (bnc#846389,
     CVE-2013-4449)
   * A remote attacker could cause a denial of service through a NULL
     pointer dereference and crash via an empty attribute list in a deref
     control in a search request. (bnc#916897, CVE-2015-1545)
   * A remote attacker could cause a denial of service (crash) via a
     crafted search query with a matched values control. (bnc#916914,
     CVE-2015-1546)

   The following non-security bug was fixed:

   * Prevent connection-0 (internal connection) from showing up in the
     monitor back-end. (bnc#905959)

Security Issues:

   * CVE-2015-1546
   * CVE-2015-1545
   * CVE-2013-4449

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Security Module 11 SP3:

      zypper in -t patch secsp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-openldap2-20150423=10635

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      openldap2-back-perl-2.4.26-0.30.1
      openldap2-devel-2.4.26-0.30.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      openldap2-devel-32bit-2.4.26-0.30.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      openldap2-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      compat-libldap-2_3-0-2.3.37-2.30.1
      libldap-2_4-2-2.4.26-0.30.1
      openldap2-2.4.26-0.30.1
      openldap2-back-meta-2.4.26-0.30.1
      openldap2-client-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libldap-2_4-2-32bit-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      compat-libldap-2_3-0-2.3.37-2.30.1
      libldap-2_4-2-2.4.26-0.30.1
      openldap2-2.4.26-0.30.1
      openldap2-back-meta-2.4.26-0.30.1
      openldap2-client-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libldap-2_4-2-32bit-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      libldap-2_4-2-x86-2.4.26-0.30.1

   - SUSE Linux Enterprise Security Module 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libldap-openssl1-2_4-2-2.4.26-0.30.2

   - SUSE Linux Enterprise Security Module 11 SP3 (ppc64 s390x x86_64):

      libldap-openssl1-2_4-2-32bit-2.4.26-0.30.2

   - SUSE Linux Enterprise Security Module 11 SP3 (ia64):

      libldap-openssl1-2_4-2-x86-2.4.26-0.30.2

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      libldap-2_4-2-2.4.26-0.30.1
      openldap2-client-2.4.26-0.30.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libldap-2_4-2-32bit-2.4.26-0.30.1

References:

   https://www.suse.com/security/cve/CVE-2013-4449.html
   https://www.suse.com/security/cve/CVE-2015-1545.html
   https://www.suse.com/security/cve/CVE-2015-1546.html
   https://bugzilla.suse.com/846389
   https://bugzilla.suse.com/905959
   https://bugzilla.suse.com/916897
   https://bugzilla.suse.com/916914
   https://download.suse.com/patch/finder/?keywords=0928f5c9a167750a8d91b2beccf9a178

From sle-security-updates at lists.suse.com Fri May 15 16:04:48 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 16 May 2015 00:04:48 +0200 (CEST)
Subject: SUSE-SU-2015:0889-1: important: Security update for KVM
Message-ID: <20150515220448.ACFB432164@maintenance.suse.de>

SUSE Security Update: Security update for KVM
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0889-1
Rating:             important
References:         #929339
Cross-References:   CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   KVM was updated to fix a buffer overflow in the floppy drive emulation,
   which could be used to carry out denial of service attacks or potential
   code execution against the host. This vulnerability is also known as
   VENOM. (CVE-2015-3456)

Security Issues:

   * CVE-2015-3456

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-kvm=10672

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-kvm=10672

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 (i586 s390x x86_64) [New Version: 1.4.2]:

      kvm-1.4.2-0.22.27.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4.2]:

      kvm-1.4.2-0.22.27.1

References:

   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/929339
   https://download.suse.com/patch/finder/?keywords=0004a1b76b4d8709b2022934a3603519

From sle-security-updates at lists.suse.com Fri May 15 17:04:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 16 May 2015 01:04:52 +0200 (CEST)
Subject: SUSE-SU-2015:0884-2: important: Security update for spice
Message-ID: <20150515230452.EE84F32161@maintenance.suse.de>

SUSE Security Update: Security update for spice
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0884-2
Rating:             important
References:         #848279
Cross-References:   CVE-2013-4282
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The remote desktop software SPICE was updated to address one security
   issue.

   The following vulnerability was fixed:

   * A stack-based buffer overflow in the password handling code allowed
     remote attackers to cause a denial of service (crash) via a long
     password in a SPICE ticket. (bsc#848279, CVE-2013-4282)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-199=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (x86_64):

      libspice-server-devel-0.12.4-6.1
      spice-debugsource-0.12.4-6.1

References:

   https://www.suse.com/security/cve/CVE-2013-4282.html
   https://bugzilla.suse.com/848279

From sle-security-updates at lists.suse.com Mon May 18 09:05:00 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2015 17:05:00 +0200 (CEST)
Subject: SUSE-SU-2015:0896-1: important: Security update for qemu
Message-ID: <20150518150500.B171A32164@maintenance.suse.de>

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0896-1
Rating:             important
References:         #886378 #924018 #929339
Cross-References:   CVE-2015-1779 CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   qemu / kvm was updated to fix a security issue and some bugs.

   Security issue fixed:

   * CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation,
     which could be used for denial of service attacks or potential code
     execution against the host.
   * CVE-2015-1779: Fixed insufficient resource limiting in the VNC
     websockets decoder.

   Bugs fixed:

   - qemu truncates vhd images in virt-rescue (bsc#886378)
   - Update kvm-supported.txt with the current rbd support status.
   - enable rbd build on x86_64 (qemu-block-rbd package) (FATE#318349)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-200=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-200=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): qemu-2.0.2-46.1 qemu-block-curl-2.0.2-46.1 qemu-block-curl-debuginfo-2.0.2-46.1 qemu-debugsource-2.0.2-46.1 qemu-guest-agent-2.0.2-46.1 qemu-guest-agent-debuginfo-2.0.2-46.1 qemu-lang-2.0.2-46.1 qemu-tools-2.0.2-46.1 qemu-tools-debuginfo-2.0.2-46.1 - SUSE Linux Enterprise Server 12 (s390x x86_64): qemu-kvm-2.0.2-46.1 - SUSE Linux Enterprise Server 12 (ppc64le): qemu-ppc-2.0.2-46.1 qemu-ppc-debuginfo-2.0.2-46.1 - SUSE Linux Enterprise Server 12 (noarch): qemu-ipxe-1.0.0-46.1 qemu-seabios-1.7.4-46.1 qemu-sgabios-8-46.1 qemu-vgabios-1.7.4-46.1 - SUSE Linux Enterprise Server 12 (x86_64): qemu-block-rbd-2.0.2-46.1 qemu-block-rbd-debuginfo-2.0.2-46.1 qemu-x86-2.0.2-46.1 qemu-x86-debuginfo-2.0.2-46.1 - SUSE Linux Enterprise Server 12 (s390x): qemu-s390-2.0.2-46.1 qemu-s390-debuginfo-2.0.2-46.1 - SUSE Linux Enterprise Desktop 12 (x86_64): qemu-2.0.2-46.1 qemu-block-curl-2.0.2-46.1 qemu-block-curl-debuginfo-2.0.2-46.1 qemu-debugsource-2.0.2-46.1 qemu-kvm-2.0.2-46.1 qemu-tools-2.0.2-46.1 qemu-tools-debuginfo-2.0.2-46.1 qemu-x86-2.0.2-46.1 qemu-x86-debuginfo-2.0.2-46.1 - SUSE Linux Enterprise Desktop 12 (noarch): qemu-ipxe-1.0.0-46.1 qemu-seabios-1.7.4-46.1 qemu-sgabios-8-46.1 qemu-vgabios-1.7.4-46.1 References: https://www.suse.com/security/cve/CVE-2015-1779.html https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/886378 https://bugzilla.suse.com/924018 https://bugzilla.suse.com/929339 From sle-security-updates at lists.suse.com Mon May 18 11:12:09 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 May 2015 19:12:09 +0200 (CEST) Subject: SUSE-SU-2015:0901-1: moderate: Security update for libtasn1 Message-ID: <20150518171209.4D22032164@maintenance.suse.de> SUSE Security Update: Security update for libtasn1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0901-1 
Rating:             moderate
References:         #924828
Cross-References:   CVE-2015-2806
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The ASN.1 parsing library libtasn1 was updated to fix one memory
   handling issue:

   * CVE-2015-2806: A stack-based buffer overflow in libtasn1 allowed
     remote attackers to have unspecified impact via unknown vectors.

Security Issues:

   * CVE-2015-2806

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-libtasn1=10659

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-libtasn1=10659

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-libtasn1=10659

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-libtasn1=10659

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libtasn1-devel-1.5-1.30.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      libtasn1-1.5-1.30.1
      libtasn1-3-1.5-1.30.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libtasn1-3-32bit-1.5-1.30.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libtasn1-1.5-1.30.1
      libtasn1-3-1.5-1.30.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libtasn1-3-32bit-1.5-1.30.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      libtasn1-3-x86-1.5-1.30.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      libtasn1-1.5-1.30.1
      libtasn1-3-1.5-1.30.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libtasn1-3-32bit-1.5-1.30.1


References:

   https://www.suse.com/security/cve/CVE-2015-2806.html
   https://bugzilla.suse.com/924828
   https://download.suse.com/patch/finder/?keywords=a6116d09000e5a9dea5b5ce0264d3dce


From sle-security-updates at lists.suse.com  Tue May 19 03:05:10 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 May 2015 11:05:10 +0200 (CEST)
Subject: SUSE-SU-2015:0904-1: Security update for libtasn1
Message-ID: <20150519090510.0AB9732164@maintenance.suse.de>

SUSE Security Update: Security update for libtasn1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0904-1
Rating:             low
References:         #924828
Cross-References:   CVE-2015-2806
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The ASN.1 parsing library libtasn1 was updated to fix one memory
   handling issue.

   The following vulnerability was fixed:

   * CVE-2015-2806: A stack-based buffer overflow in libtasn1 allowed
     remote attackers to have unspecified impact via unknown vectors.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-204=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-204=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-204=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libtasn1-debuginfo-3.7-4.1
      libtasn1-debugsource-3.7-4.1
      libtasn1-devel-3.7-4.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libtasn1-3.7-4.1
      libtasn1-6-3.7-4.1
      libtasn1-6-debuginfo-3.7-4.1
      libtasn1-debuginfo-3.7-4.1
      libtasn1-debugsource-3.7-4.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libtasn1-6-32bit-3.7-4.1
      libtasn1-6-debuginfo-32bit-3.7-4.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libtasn1-3.7-4.1
      libtasn1-6-3.7-4.1
      libtasn1-6-32bit-3.7-4.1
      libtasn1-6-debuginfo-3.7-4.1
      libtasn1-6-debuginfo-32bit-3.7-4.1
      libtasn1-debuginfo-3.7-4.1
      libtasn1-debugsource-3.7-4.1


References:

   https://www.suse.com/security/cve/CVE-2015-2806.html
   https://bugzilla.suse.com/924828


From sle-security-updates at lists.suse.com  Tue May 19 06:04:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 May 2015 14:04:56 +0200 (CEST)
Subject: SUSE-SU-2015:0907-1: moderate: Security update for oracle-update
Message-ID: <20150519120456.BC34232161@maintenance.suse.de>

SUSE Security Update: Security update for oracle-update
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0907-1
Rating:             moderate
References:         #927281
Cross-References:   CVE-2015-0455
                    CVE-2015-0457 CVE-2015-0479 CVE-2015-0483
Affected Products:
                    SUSE Manager Server
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   The embedded Oracle database was updated to fix four security issues:

   * CVE-2015-0455: The XDB - XML Database component of Oracle Database
     Server could allow remote authenticated users unauthorized read access
     to arbitrary operating system files.

   * CVE-2015-0457: The Java VM component of Oracle Database Server could
     allow remote authenticated users with Create Session privileges to
     execute arbitrary code.

   * CVE-2015-0479: The XDK and XDB - XML Database component of Oracle
     Database Server could allow remote authenticated users with Create
     Session privileges to cause a partial denial of service (partial DOS)
     of XDK and XDB - XML Database.

   * CVE-2015-0483: Remote authenticated users with Create Session
     privileges could update, insert or delete Core RDBMS accessible data.

Security Issues:

   * CVE-2015-0457
   * CVE-2015-0455
   * CVE-2015-0483
   * CVE-2015-0479

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server:

      zypper in -t patch sleman21-oracle-update=10626

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-oracle-update=10625

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Manager Server (x86_64):

      oracle-update-1.7-0.31.1

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      oracle-update-1.7-0.31.1


References:

   https://www.suse.com/security/cve/CVE-2015-0455.html
   https://www.suse.com/security/cve/CVE-2015-0457.html
   https://www.suse.com/security/cve/CVE-2015-0479.html
   https://www.suse.com/security/cve/CVE-2015-0483.html
   https://bugzilla.suse.com/927281
   https://download.suse.com/patch/finder/?keywords=e4e431aad0cdac971cd12987f82a71e0
   https://download.suse.com/patch/finder/?keywords=ff6d4e47f771462926466be1acb8b95c


From sle-security-updates at lists.suse.com  Wed May 20 11:04:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 May 2015 19:04:52 +0200 (CEST)
Subject: SUSE-SU-2015:0921-1: important: Security update for gstreamer-0_10-plugins-bad
Message-ID: <20150520170452.4270D32166@maintenance.suse.de>

SUSE Security Update: Security update for gstreamer-0_10-plugins-bad
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0921-1
Rating:             important
References:         #927559
Cross-References:   CVE-2015-0797
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   gstreamer-0_10-plugins-bad was updated to fix a security issue, a buffer
   overflow in mp4 parsing (bnc#927559 CVE-2015-0797).

Security Issues:

   * CVE-2015-0797

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-gstreamer-0_10-plugins-bad=10643

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      gstreamer-0_10-plugins-bad-0.10.22-7.11.1
      gstreamer-0_10-plugins-bad-lang-0.10.22-7.11.1
      libgstbasecamerabinsrc-0_10-0-0.10.22-7.11.1
      libgstbasevideo-0_10-0-0.10.22-7.11.1
      libgstphotography-0_10-0-0.10.22-7.11.1
      libgstsignalprocessor-0_10-0-0.10.22-7.11.1
      libgstvdp-0_10-0-0.10.22-7.11.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libgstbasecamerabinsrc-0_10-0-32bit-0.10.22-7.11.1
      libgstbasevideo-0_10-0-32bit-0.10.22-7.11.1
      libgstphotography-0_10-0-32bit-0.10.22-7.11.1
      libgstsignalprocessor-0_10-0-32bit-0.10.22-7.11.1
      libgstvdp-0_10-0-32bit-0.10.22-7.11.1


References:

   https://www.suse.com/security/cve/CVE-2015-0797.html
   https://bugzilla.suse.com/927559
   https://download.suse.com/patch/finder/?keywords=f7ccd0598b1d14e206c07e76854611ef


From sle-security-updates at lists.suse.com  Wed May 20 14:04:48 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 May 2015 22:04:48 +0200 (CEST)
Subject: SUSE-SU-2015:0922-1: Security update for OpenSLP
Message-ID: <20150520200448.1248232166@maintenance.suse.de>

SUSE Security Update: Security update for OpenSLP
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0922-1
Rating:             low
References:         #778508 #855385
Cross-References:   CVE-2012-4428
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   This update for OpenSLP fixes a bug in SLPIntersectStringList that could
   lead to an out-of-bounds read (CVE-2012-4428).

   Additionally, the SLP daemon now always uses localtime(3) when writing
   to log files to avoid having timestamps with different timezones.
Security Issues:

   * CVE-2012-4428

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-openslp=10654

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-openslp=10654

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-openslp=10654

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-openslp=10654

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      openslp-devel-1.2.0-172.24.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      openslp-server-1.2.0-172.24.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      openslp-1.2.0-172.24.1
      openslp-server-1.2.0-172.24.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      openslp-32bit-1.2.0-172.24.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      openslp-1.2.0-172.24.1
      openslp-server-1.2.0-172.24.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      openslp-32bit-1.2.0-172.24.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      openslp-x86-1.2.0-172.24.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      openslp-1.2.0-172.24.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      openslp-32bit-1.2.0-172.24.1


References:

   https://www.suse.com/security/cve/CVE-2012-4428.html
   https://bugzilla.suse.com/778508
   https://bugzilla.suse.com/855385
   https://download.suse.com/patch/finder/?keywords=ff6cb64881ceac3b2f3c581c50088fa7


From sle-security-updates at lists.suse.com  Thu May 21 01:04:51 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 May 2015 09:04:51 +0200 (CEST)
Subject: SUSE-SU-2015:0923-1: important: Security update for xen
Message-ID: <20150521070452.062553215E@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0923-1
Rating:             important
References:         #922705 #922709 #927967 #929339
Cross-References:   CVE-2015-2751 CVE-2015-2752 CVE-2015-3340 CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   XEN was updated to fix two security issues and bugs.

   Security issues fixed:

   * CVE-2015-3340: Xen did not initialize certain fields, which allowed
     certain remote service domains to obtain sensitive information from
     memory via a (1) XEN_DOMCTL_gettscinfo or (2)
     XEN_SYSCTL_getdomaininfolist request.

   * CVE-2015-2751: Xen, when using toolstack disaggregation, allowed
     remote domains with partial management control to cause a denial of
     service (host lock) via unspecified domctl operations.

   * CVE-2015-2752: The XEN_DOMCTL_memory_mapping hypercall in Xen, when
     using a PCI passthrough device, was not preemptable, which allowed
     local x86 HVM domain users to cause a denial of service (host CPU
     consumption) via a crafted request to the device model (qemu-dm).

   * CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation,
     which could be used for denial of service attacks or potential code
     execution against the host.

   Bugs fixed:

   - xentop: Fix memory leak on read failure

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-206=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-206=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-206=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (x86_64):

      xen-debugsource-4.4.2_04-18.1
      xen-devel-4.4.2_04-18.1

   - SUSE Linux Enterprise Server 12 (x86_64):

      xen-4.4.2_04-18.1
      xen-debugsource-4.4.2_04-18.1
      xen-doc-html-4.4.2_04-18.1
      xen-kmp-default-4.4.2_04_k3.12.39_47-18.1
      xen-kmp-default-debuginfo-4.4.2_04_k3.12.39_47-18.1
      xen-libs-32bit-4.4.2_04-18.1
      xen-libs-4.4.2_04-18.1
      xen-libs-debuginfo-32bit-4.4.2_04-18.1
      xen-libs-debuginfo-4.4.2_04-18.1
      xen-tools-4.4.2_04-18.1
      xen-tools-debuginfo-4.4.2_04-18.1
      xen-tools-domU-4.4.2_04-18.1
      xen-tools-domU-debuginfo-4.4.2_04-18.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      xen-4.4.2_04-18.1
      xen-debugsource-4.4.2_04-18.1
      xen-kmp-default-4.4.2_04_k3.12.39_47-18.1
      xen-kmp-default-debuginfo-4.4.2_04_k3.12.39_47-18.1
      xen-libs-32bit-4.4.2_04-18.1
      xen-libs-4.4.2_04-18.1
      xen-libs-debuginfo-32bit-4.4.2_04-18.1
      xen-libs-debuginfo-4.4.2_04-18.1


References:

   https://www.suse.com/security/cve/CVE-2015-2751.html
   https://www.suse.com/security/cve/CVE-2015-2752.html
   https://www.suse.com/security/cve/CVE-2015-3340.html
   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/922705
   https://bugzilla.suse.com/922709
   https://bugzilla.suse.com/927967
   https://bugzilla.suse.com/929339


From sle-security-updates at lists.suse.com  Thu May 21 12:04:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 May 2015 20:04:54 +0200 (CEST)
Subject: SUSE-SU-2015:0925-1: moderate: Security update for python-PyYAML
Message-ID: <20150521180454.205A427FF4@maintenance.suse.de>

SUSE Security Update: Security update for python-PyYAML
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0925-1
Rating:             moderate
References:         #921588
Cross-References:   CVE-2014-9130
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise High Availability 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   python-PyYAML was updated to fix one security issue which could have
   allowed an attacker to cause a denial of service by supplying specially
   crafted strings.

   The following issue was fixed:

   - #921588: python-PyYAML: assert failure when processing wrapped strings
     (equivalent to CVE-2014-9130 in LibYAML)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2015-208=1

   - SUSE Linux Enterprise High Availability 12:

      zypper in -t patch SUSE-SLE-HA-12-2015-208=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Module for Public Cloud 12 (ppc64le s390x x86_64):

      python-PyYAML-3.10-15.1
      python-PyYAML-debuginfo-3.10-15.1
      python-PyYAML-debugsource-3.10-15.1

   - SUSE Linux Enterprise High Availability 12 (s390x x86_64):

      python-PyYAML-3.10-15.1
      python-PyYAML-debuginfo-3.10-15.1
      python-PyYAML-debugsource-3.10-15.1


References:

   https://www.suse.com/security/cve/CVE-2014-9130.html
   https://bugzilla.suse.com/921588


From sle-security-updates at lists.suse.com  Thu May 21 16:04:45 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2015 00:04:45 +0200 (CEST)
Subject: SUSE-SU-2015:0927-1: important: Security update for Xen
Message-ID: <20150521220446.0077827FF4@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0927-1
Rating:             important
References:         #910441 #927967 #929339
Cross-References:   CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now
   available.

Description:

   Xen was updated to fix two security issues and a bug:

   * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which
     could be used to carry out denial of service attacks or potential code
     execution against the host. This vulnerability is also known as VENOM.

   * CVE-2015-3340: Xen did not initialize certain fields, which allowed
     certain remote service domains to obtain sensitive information from
     memory via a (1) XEN_DOMCTL_gettscinfo or (2)
     XEN_SYSCTL_getdomaininfolist request.

   * An exception in setCPUAffinity when restoring guests. (bsc#910441)

Security Issues:

   * CVE-2015-3456
   * CVE-2015-3340

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-xen=10673

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-xen=10673

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-xen=10673

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      xen-devel-4.2.5_06-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64):

      xen-kmp-default-4.2.5_06_3.0.101_0.47.52-0.7.1
      xen-libs-4.2.5_06-0.7.1
      xen-tools-domU-4.2.5_06-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (x86_64):

      xen-4.2.5_06-0.7.1
      xen-doc-html-4.2.5_06-0.7.1
      xen-doc-pdf-4.2.5_06-0.7.1
      xen-libs-32bit-4.2.5_06-0.7.1
      xen-tools-4.2.5_06-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (i586):

      xen-kmp-pae-4.2.5_06_3.0.101_0.47.52-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      xen-kmp-default-4.2.5_06_3.0.101_0.47.52-0.7.1
      xen-libs-4.2.5_06-0.7.1
      xen-tools-domU-4.2.5_06-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      xen-4.2.5_06-0.7.1
      xen-doc-html-4.2.5_06-0.7.1
      xen-doc-pdf-4.2.5_06-0.7.1
      xen-libs-32bit-4.2.5_06-0.7.1
      xen-tools-4.2.5_06-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586):

      xen-kmp-pae-4.2.5_06_3.0.101_0.47.52-0.7.1


References:

   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/910441
   https://bugzilla.suse.com/927967
   https://bugzilla.suse.com/929339
   https://download.suse.com/patch/finder/?keywords=beaa1b0c2d4c1d543469208fc416ea1e


From sle-security-updates at lists.suse.com  Thu May 21 16:05:32 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2015 00:05:32 +0200 (CEST)
Subject: SUSE-SU-2015:0928-1: important: Security update for SUSE Manager Server 1.7
Message-ID: <20150521220532.1458027FF4@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Server 1.7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0928-1
Rating:             important
References:         #799068 #809927 #814954 #864246 #870159 #879904 #881111
                    #896238 #896244 #898426 #900956 #901108 #902915 #903723
                    #906850 #912886 #922525
Cross-References:   CVE-2014-7811 CVE-2014-7812 CVE-2014-8162
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that solves three vulnerabilities and has 14 fixes is now
   available. It includes 9 new package versions.

Description:

   This collective update for SUSE Manager 1.7 provides several fixes and
   enhancements.

   smdba:

   * Space reclamation caused ORA-00942 (table or view does not exist).
     (bsc#906850)
   * Optimized space reclamation for Oracle.
   * Implement fully hot operations for PostgreSQL.
   * System check breaks backup and other configuration.
   * Implement rotating PostgreSQL backup feature. (bsc#896244)
   * Set PostgreSQL max connections to the same value as for Oracle.

   sm-ncc-sync-data:

   * Add ATI and nVidia channels for SLED11-SP3. (bsc#901108)

   spacecmd:

   * Fix call to setCustomOptions(). (bsc#879904)

   spacewalk-backend:

   * Fix encoding of submit message.
   * Trigger generation of metadata if the repository contains no packages.
     (bsc#870159)

   spacewalk-branding:

   * Update default Spacewalk entitlement certificate.

   spacewalk-java:

   * Introduce improved parser for xmlrpc. (CVE-2014-8162, bsc#922525)
   * Fix more cross-site scripting bugs. (CVE-2014-7811, bsc#902915)
   * Fix CVE audit in case of multiversion package installed and patch in
     multi channels. (bsc#903723)
   * Fix automatic configuration file deployment via snippet. (bsc#898426)
   * Download CSV button does not export all columns ("Base Channel"
     missing). (bsc#896238)
   * Fix cross-site scripting in system-group. (CVE-2014-7812, bsc#912886)

   spacewalk-setup:

   * Fix XML RPC API External Entities file disclosure. (CVE-2014-8162,
     bsc#922525)
   * No activation if db population should be skipped. (bsc#900956)

   susemanager-schema:

   * Fix evr_t schema upgrade. (bsc#881111)

   susemanager:

   * Add tool to update the spacewalk public cert in the DB.
   * Fix the test for the mirror credentials. (bsc#864246)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service:
      spacewalk-service stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Upgrade the database schema with
      spacewalk-schema-upgrade
   5. Start the Spacewalk service:
      spacewalk-service start

Security Issues:

   * CVE-2014-7811
   * CVE-2014-7812
   * CVE-2014-8162

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-sm-ncc-sync-data=10671

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.5,1.7.1.13,1.7.30,1.7.38.34 and 1.7.7.12]:

      smdba-1.5-0.6.2.1
      spacecmd-1.7.7.12-0.5.1
      spacewalk-backend-1.7.38.34-0.5.1
      spacewalk-backend-app-1.7.38.34-0.5.1
      spacewalk-backend-applet-1.7.38.34-0.5.1
      spacewalk-backend-config-files-1.7.38.34-0.5.1
      spacewalk-backend-config-files-common-1.7.38.34-0.5.1
      spacewalk-backend-config-files-tool-1.7.38.34-0.5.1
      spacewalk-backend-iss-1.7.38.34-0.5.1
      spacewalk-backend-iss-export-1.7.38.34-0.5.1
      spacewalk-backend-libs-1.7.38.34-0.5.1
      spacewalk-backend-package-push-server-1.7.38.34-0.5.1
      spacewalk-backend-server-1.7.38.34-0.5.1
      spacewalk-backend-sql-1.7.38.34-0.5.1
      spacewalk-backend-sql-oracle-1.7.38.34-0.5.1
      spacewalk-backend-sql-postgresql-1.7.38.34-0.5.1
      spacewalk-backend-tools-1.7.38.34-0.5.1
      spacewalk-backend-xml-export-libs-1.7.38.34-0.5.1
      spacewalk-backend-xmlrpc-1.7.38.34-0.5.1
      spacewalk-backend-xp-1.7.38.34-0.5.1
      spacewalk-branding-1.7.1.13-0.5.1
      susemanager-1.7.30-0.5.2
      susemanager-tools-1.7.30-0.5.2

   - SUSE Manager 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.21,1.7.54.34,1.7.56.24 and 1.7.9.12]:

      sm-ncc-sync-data-1.7.21-0.5.1
      spacewalk-java-1.7.54.34-0.5.1
      spacewalk-java-config-1.7.54.34-0.5.1
      spacewalk-java-lib-1.7.54.34-0.5.1
      spacewalk-java-oracle-1.7.54.34-0.5.1
      spacewalk-java-postgresql-1.7.54.34-0.5.1
      spacewalk-setup-1.7.9.12-0.5.1
      spacewalk-taskomatic-1.7.54.34-0.5.1
      susemanager-schema-1.7.56.24-0.7.1


References:

   https://www.suse.com/security/cve/CVE-2014-7811.html
   https://www.suse.com/security/cve/CVE-2014-7812.html
   https://www.suse.com/security/cve/CVE-2014-8162.html
   https://bugzilla.suse.com/799068
   https://bugzilla.suse.com/809927
   https://bugzilla.suse.com/814954
   https://bugzilla.suse.com/864246
   https://bugzilla.suse.com/870159
   https://bugzilla.suse.com/879904
   https://bugzilla.suse.com/881111
   https://bugzilla.suse.com/896238
   https://bugzilla.suse.com/896244
   https://bugzilla.suse.com/898426
   https://bugzilla.suse.com/900956
   https://bugzilla.suse.com/901108
   https://bugzilla.suse.com/902915
   https://bugzilla.suse.com/903723
   https://bugzilla.suse.com/906850
   https://bugzilla.suse.com/912886
   https://bugzilla.suse.com/922525
   https://download.suse.com/patch/finder/?keywords=8028a25587947641ad45132e4992e11d


From sle-security-updates at lists.suse.com  Thu May 21 16:08:51 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2015 00:08:51 +0200 (CEST)
Subject: SUSE-SU-2015:0929-1: important: Security update for KVM
Message-ID: <20150521220851.5361D27FF4@maintenance.suse.de>

SUSE Security Update: Security update for KVM
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0929-1
Rating:             important
References:         #877642 #877645 #929339
Cross-References:   CVE-2014-0222 CVE-2014-0223 CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available. It includes
   one version update.

Description:

   KVM was updated to fix the following security issues:

   * CVE-2015-3456: Buffer overflow in the floppy drive emulation, which
     could be used to carry out denial of service attacks or potential code
     execution against the host. This vulnerability is also known as VENOM.

   * CVE-2014-0222: Integer overflow in the qcow_open function in
     block/qcow.c in QEMU allowed remote attackers to cause a denial of
     service (crash) via a large L2 table in a QCOW version 1 image.

   * CVE-2014-0223: Integer overflow in the qcow_open function in
     block/qcow.c in QEMU allowed local users to cause a denial of service
     (crash) and possibly execute arbitrary code via a large image size,
     which triggers a buffer overflow or out-of-bounds read.

Security Issues:

   * CVE-2015-3456
   * CVE-2014-0222
   * CVE-2014-0223

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-kvm=10683

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64) [New Version: 0.12.5]:

      kvm-0.12.5-1.26.1


References:

   https://www.suse.com/security/cve/CVE-2014-0222.html
   https://www.suse.com/security/cve/CVE-2014-0223.html
   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/877642
   https://bugzilla.suse.com/877645
   https://bugzilla.suse.com/929339
   https://download.suse.com/patch/finder/?keywords=a793805e5c8b31d54aefde03808c673c


From sle-security-updates at lists.suse.com  Tue May 26 03:04:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 11:04:56 +0200 (CEST)
Subject: SUSE-SU-2015:0939-1: moderate: Security update for tigervnc, fltk
Message-ID: <20150526090456.763FD32168@maintenance.suse.de>

SUSE Security Update: Security update for tigervnc, fltk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0939-1
Rating:             moderate
References:         #908738 #911577 #915782 #915810 #920969
Cross-References:   CVE-2015-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes is now
   available.

Description:

   tigervnc and fltk were updated to fix security issues and non-security
   bugs.

   This security issue was fixed:

   - CVE-2015-0255: Information leak in the XkbSetGeometry request of X
     servers (bnc#915810).

   These non-security issues were fixed:

   - vncviewer-tigervnc does not display mouse cursor shape changes
     (bnc#908738).
   - vnc module for Xorg fails to load on startup, module mismatch (bnc#911577).
   - An Xvnc session may become unusable when the user logs out (bnc#920969).

   fltk was updated to fix one non-security issue:
   - vncviewer-tigervnc does not display mouse cursor shape changes (bnc#908738).

   Additionally, tigervnc was updated to 1.4.1 and the contained X server was updated to 1.15.2.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-210=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-210=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-210=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      fltk-debugsource-1.3.2-10.2
      fltk-devel-1.3.2-10.2
      fltk-devel-debuginfo-1.3.2-10.2
      fltk-devel-static-1.3.2-10.2

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      fltk-debugsource-1.3.2-10.2
      libfltk1-1.3.2-10.2
      libfltk1-debuginfo-1.3.2-10.2
      tigervnc-1.4.1-32.1
      tigervnc-debuginfo-1.4.1-32.1
      tigervnc-debugsource-1.4.1-32.1
      xorg-x11-Xvnc-1.4.1-32.1
      xorg-x11-Xvnc-debuginfo-1.4.1-32.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      fltk-debugsource-1.3.2-10.2
      libfltk1-1.3.2-10.2
      libfltk1-debuginfo-1.3.2-10.2
      tigervnc-1.4.1-32.1
      tigervnc-debuginfo-1.4.1-32.1
      tigervnc-debugsource-1.4.1-32.1
      xorg-x11-Xvnc-1.4.1-32.1
      xorg-x11-Xvnc-debuginfo-1.4.1-32.1


References:

   https://www.suse.com/security/cve/CVE-2015-0255.html
   https://bugzilla.suse.com/908738
   https://bugzilla.suse.com/911577
   https://bugzilla.suse.com/915782
   https://bugzilla.suse.com/915810
   https://bugzilla.suse.com/920969

From sle-security-updates at lists.suse.com  Tue May 26 06:04:55 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 14:04:55 +0200 (CEST)
Subject: SUSE-SU-2015:0940-1: important: Security update for Xen
Message-ID: <20150526120455.E1A1127FF4@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0940-1
Rating:             important
References:         #927967 #929339
Cross-References:   CVE-2015-3340 CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   Xen was updated to fix two security issues:

   * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM.

   * CVE-2015-3340: An information leak through XEN_DOMCTL_gettscinfo(). (XSA-132)

Security Issues:

   * CVE-2015-3456
   * CVE-2015-3340

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-xen=10684

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64):

      xen-4.0.3_21548_18-0.21.1
      xen-doc-html-4.0.3_21548_18-0.21.1
      xen-doc-pdf-4.0.3_21548_18-0.21.1
      xen-kmp-default-4.0.3_21548_18_2.6.32.59_0.19-0.21.1
      xen-kmp-trace-4.0.3_21548_18_2.6.32.59_0.19-0.21.1
      xen-libs-4.0.3_21548_18-0.21.1
      xen-tools-4.0.3_21548_18-0.21.1
      xen-tools-domU-4.0.3_21548_18-0.21.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

      xen-kmp-pae-4.0.3_21548_18_2.6.32.59_0.19-0.21.1


References:

   https://www.suse.com/security/cve/CVE-2015-3340.html
   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/927967
   https://bugzilla.suse.com/929339
   https://download.suse.com/patch/finder/?keywords=aee7c643a4c4513e4350b80ada2e9e6f

From sle-security-updates at lists.suse.com  Tue May 26 06:06:30 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 14:06:30 +0200 (CEST)
Subject: SUSE-SU-2015:0942-1: moderate: Security update for gstreamer-0_10-plugins-bad
Message-ID: <20150526120630.2926827FF4@maintenance.suse.de>

SUSE Security Update: Security update for gstreamer-0_10-plugins-bad
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0942-1
Rating:             moderate
References:         #927559
Cross-References:   CVE-2015-0797
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   gstreamer-0_10-plugins-bad was updated to fix a security issue, a buffer overflow in mp4 parsing (bnc#927559 CVE-2015-0797).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-211=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-211=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-211=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      gstreamer-0_10-plugins-bad-0.10.23-17.1
      gstreamer-0_10-plugins-bad-debuginfo-0.10.23-17.1
      gstreamer-0_10-plugins-bad-debuginfo-32bit-0.10.23-17.1
      gstreamer-0_10-plugins-bad-debugsource-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-32bit-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-debuginfo-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstbasevideo-0_10-23-0.10.23-17.1
      libgstbasevideo-0_10-23-32bit-0.10.23-17.1
      libgstbasevideo-0_10-23-debuginfo-0.10.23-17.1
      libgstbasevideo-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstcodecparsers-0_10-23-0.10.23-17.1
      libgstcodecparsers-0_10-23-debuginfo-0.10.23-17.1
      libgstphotography-0_10-23-0.10.23-17.1
      libgstphotography-0_10-23-32bit-0.10.23-17.1
      libgstphotography-0_10-23-debuginfo-0.10.23-17.1
      libgstphotography-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstsignalprocessor-0_10-23-0.10.23-17.1
      libgstsignalprocessor-0_10-23-32bit-0.10.23-17.1
      libgstsignalprocessor-0_10-23-debuginfo-0.10.23-17.1
      libgstsignalprocessor-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstvdp-0_10-23-0.10.23-17.1
      libgstvdp-0_10-23-32bit-0.10.23-17.1
      libgstvdp-0_10-23-debuginfo-0.10.23-17.1
      libgstvdp-0_10-23-debuginfo-32bit-0.10.23-17.1

   - SUSE Linux Enterprise Workstation Extension 12 (noarch):

      gstreamer-0_10-plugins-bad-lang-0.10.23-17.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      gstreamer-0_10-plugins-bad-debuginfo-0.10.23-17.1
      gstreamer-0_10-plugins-bad-debugsource-0.10.23-17.1
      gstreamer-0_10-plugins-bad-devel-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-debuginfo-0.10.23-17.1
      libgstbasevideo-0_10-23-0.10.23-17.1
      libgstbasevideo-0_10-23-debuginfo-0.10.23-17.1
      libgstcodecparsers-0_10-23-0.10.23-17.1
      libgstcodecparsers-0_10-23-debuginfo-0.10.23-17.1
      libgstphotography-0_10-23-0.10.23-17.1
      libgstphotography-0_10-23-debuginfo-0.10.23-17.1
      libgstsignalprocessor-0_10-23-0.10.23-17.1
      libgstsignalprocessor-0_10-23-debuginfo-0.10.23-17.1
      libgstvdp-0_10-23-0.10.23-17.1
      libgstvdp-0_10-23-debuginfo-0.10.23-17.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      gstreamer-0_10-plugins-bad-0.10.23-17.1
      gstreamer-0_10-plugins-bad-debuginfo-0.10.23-17.1
      gstreamer-0_10-plugins-bad-debuginfo-32bit-0.10.23-17.1
      gstreamer-0_10-plugins-bad-debugsource-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-32bit-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-debuginfo-0.10.23-17.1
      libgstbasecamerabinsrc-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstbasevideo-0_10-23-0.10.23-17.1
      libgstbasevideo-0_10-23-32bit-0.10.23-17.1
      libgstbasevideo-0_10-23-debuginfo-0.10.23-17.1
      libgstbasevideo-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstcodecparsers-0_10-23-0.10.23-17.1
      libgstcodecparsers-0_10-23-debuginfo-0.10.23-17.1
      libgstphotography-0_10-23-0.10.23-17.1
      libgstphotography-0_10-23-32bit-0.10.23-17.1
      libgstphotography-0_10-23-debuginfo-0.10.23-17.1
      libgstphotography-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstsignalprocessor-0_10-23-0.10.23-17.1
      libgstsignalprocessor-0_10-23-32bit-0.10.23-17.1
      libgstsignalprocessor-0_10-23-debuginfo-0.10.23-17.1
      libgstsignalprocessor-0_10-23-debuginfo-32bit-0.10.23-17.1
      libgstvdp-0_10-23-0.10.23-17.1
      libgstvdp-0_10-23-32bit-0.10.23-17.1
      libgstvdp-0_10-23-debuginfo-0.10.23-17.1
      libgstvdp-0_10-23-debuginfo-32bit-0.10.23-17.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      gstreamer-0_10-plugins-bad-lang-0.10.23-17.1


References:

   https://www.suse.com/security/cve/CVE-2015-0797.html
   https://bugzilla.suse.com/927559

From sle-security-updates at lists.suse.com  Tue May 26 06:06:50 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 14:06:50 +0200 (CEST)
Subject: SUSE-SU-2015:0889-2: important: Security update for Xen
Message-ID: <20150526120650.C94DB27FF4@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0889-2
Rating:             important
References:         #929339
Cross-References:   CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Xen was updated to fix a buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. (CVE-2015-3456)

Security Issues:

   * CVE-2015-3456

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):

      xen-3.2.3_17040_46-0.15.1
      xen-devel-3.2.3_17040_46-0.15.1
      xen-doc-html-3.2.3_17040_46-0.15.1
      xen-doc-pdf-3.2.3_17040_46-0.15.1
      xen-doc-ps-3.2.3_17040_46-0.15.1
      xen-kmp-debug-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
      xen-kmp-default-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
      xen-kmp-kdump-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
      xen-kmp-smp-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
      xen-libs-3.2.3_17040_46-0.15.1
      xen-tools-3.2.3_17040_46-0.15.1
      xen-tools-domU-3.2.3_17040_46-0.15.1
      xen-tools-ioemu-3.2.3_17040_46-0.15.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):

      xen-libs-32bit-3.2.3_17040_46-0.15.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586):

      xen-kmp-bigsmp-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
      xen-kmp-kdumppae-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
      xen-kmp-vmi-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
      xen-kmp-vmipae-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1


References:

   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/929339
   https://download.suse.com/patch/finder/?keywords=114b7cce479b39879add5cf1937e0e2d

From sle-security-updates at lists.suse.com  Tue May 26 06:07:12 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 14:07:12 +0200 (CEST)
Subject: SUSE-SU-2015:0943-1: important: Security update for KVM
Message-ID: <20150526120712.7465F27FF4@maintenance.suse.de>

SUSE Security Update: Security update for KVM
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0943-1
Rating:             important
References:         #834196 #929339
Cross-References:   CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.
Description:

   KVM was updated to fix the following issues:

   * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM.

   * Validate VMDK4 version field so we don't process versions we know nothing about. (bsc#834196)

Security Issues:

   * CVE-2015-3456

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-kvm=10682

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):

      kvm-0.15.1-0.29.1


References:

   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/834196
   https://bugzilla.suse.com/929339
   https://download.suse.com/patch/finder/?keywords=8fa4cd2e0df2fbbbef8a56f2725a253f

From sle-security-updates at lists.suse.com  Tue May 26 06:07:44 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 14:07:44 +0200 (CEST)
Subject: SUSE-SU-2015:0944-1: important: Security update for Xen
Message-ID: <20150526120744.1C32D27FF4@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0944-1
Rating:             important
References:         #910441 #927967 #929339
Cross-References:   CVE-2015-3340 CVE-2015-3456
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.
Description:

   Xen was updated to fix two security issues and a bug:

   * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM.

   * CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

   * An exception in setCPUAffinity when restoring guests. (bsc#910441)

Security Issues:

   * CVE-2015-3456
   * CVE-2015-3340

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-xen=10685

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):

      xen-devel-4.1.6_08-0.11.1
      xen-kmp-default-4.1.6_08_3.0.101_0.7.29-0.11.1
      xen-kmp-trace-4.1.6_08_3.0.101_0.7.29-0.11.1
      xen-libs-4.1.6_08-0.11.1
      xen-tools-domU-4.1.6_08-0.11.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64):

      xen-4.1.6_08-0.11.1
      xen-doc-html-4.1.6_08-0.11.1
      xen-doc-pdf-4.1.6_08-0.11.1
      xen-libs-32bit-4.1.6_08-0.11.1
      xen-tools-4.1.6_08-0.11.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586):

      xen-kmp-pae-4.1.6_08_3.0.101_0.7.29-0.11.1


References:

   https://www.suse.com/security/cve/CVE-2015-3340.html
   https://www.suse.com/security/cve/CVE-2015-3456.html
   https://bugzilla.suse.com/910441
   https://bugzilla.suse.com/927967
   https://bugzilla.suse.com/929339
   https://download.suse.com/patch/finder/?keywords=8be2bb05e7093a3facd3bc07a934547b

From sle-security-updates at lists.suse.com  Tue May 26 06:08:38 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 14:08:38 +0200 (CEST)
Subject: SUSE-SU-2015:0945-1: moderate: Security update for spacewalk-java, spacewalk-setup
Message-ID: <20150526120839.00F9627FF4@maintenance.suse.de>

SUSE Security Update: Security update for spacewalk-java, spacewalk-setup
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0945-1
Rating:             moderate
References:         #922525
Cross-References:   CVE-2014-8162
Affected Products:
                    SUSE Manager Server
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes two new package versions.

Description:

   The spacewalk-java and spacewalk-setup packages were updated to fix one security issue:

   * CVE-2014-8162: RPC API XML External Entities file disclosure. (bsc#922525)

Security Issues:

   * CVE-2014-8162

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server:

      zypper in -t patch sleman21-suse-manager-21-201505=10670

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager Server (noarch) [New Version: 2.1.14.11 and 2.1.165.16.1]:

      spacewalk-java-2.1.165.16.1-0.8.1
      spacewalk-java-config-2.1.165.16.1-0.8.1
      spacewalk-java-lib-2.1.165.16.1-0.8.1
      spacewalk-java-oracle-2.1.165.16.1-0.8.1
      spacewalk-java-postgresql-2.1.165.16.1-0.8.1
      spacewalk-setup-2.1.14.11-0.9.1
      spacewalk-taskomatic-2.1.165.16.1-0.8.1


References:

   https://www.suse.com/security/cve/CVE-2014-8162.html
   https://bugzilla.suse.com/922525
   https://download.suse.com/patch/finder/?keywords=6dcea76dbded139373ed78a4502ca5bc

From sle-security-updates at lists.suse.com  Tue May 26 07:04:52 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 May 2015 15:04:52 +0200 (CEST)
Subject: SUSE-SU-2015:0946-1: important: Security update for MySQL
Message-ID: <20150526130453.0054727FF4@maintenance.suse.de>

SUSE Security Update: Security update for MySQL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0946-1
Rating:             important
References:         #922043 #927623
Cross-References:   CVE-2014-3569 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 CVE-2015-0405 CVE-2015-0423 CVE-2015-0433 CVE-2015-0438 CVE-2015-0439 CVE-2015-0441 CVE-2015-0498 CVE-2015-0499 CVE-2015-0500 CVE-2015-0501 CVE-2015-0503 CVE-2015-0505 CVE-2015-0506 CVE-2015-0507 CVE-2015-0508 CVE-2015-0511 CVE-2015-2305 CVE-2015-2566 CVE-2015-2567 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2576
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 31 vulnerabilities is now available. It includes one version update.
Description:

   MySQL was updated to version 5.5.43 to fix several security and non-security issues:

   * CVEs fixed: CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0405, CVE-2015-0423, CVE-2015-0433, CVE-2015-0438, CVE-2015-0439, CVE-2015-0441, CVE-2015-0498, CVE-2015-0499, CVE-2015-0500, CVE-2015-0501, CVE-2015-0503, CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0508, CVE-2015-0511, CVE-2015-2566, CVE-2015-2567, CVE-2015-2568, CVE-2015-2571, CVE-2015-2573, CVE-2015-2576.

   * Fix integer overflow in regcomp (Henry Spencer's regex library) for excessively long pattern strings. (bnc#922043, CVE-2015-2305)

   For a comprehensive list of changes, refer to http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html .

Security Issues:

   * CVE-2014-3569
   * CVE-2014-3570
   * CVE-2014-3571
   * CVE-2014-3572
   * CVE-2014-8275
   * CVE-2015-0204
   * CVE-2015-0205
   * CVE-2015-0206
   * CVE-2015-0405
   * CVE-2015-0423
   * CVE-2015-0433
   * CVE-2015-0438
   * CVE-2015-0439
   * CVE-2015-0441
   * CVE-2015-0498
   * CVE-2015-0499
   * CVE-2015-0500
   * CVE-2015-0501
   * CVE-2015-0503
   * CVE-2015-0505
   * CVE-2015-0506
   * CVE-2015-0507
   * CVE-2015-0508
   * CVE-2015-0511
   * CVE-2015-2566
   * CVE-2015-2567
   * CVE-2015-2568
   * CVE-2015-2571
   * CVE-2015-2573
   * CVE-2015-2576
   * CVE-2015-2305

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-libmysql55client18=10661

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-libmysql55client18=10661

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-libmysql55client18=10661

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-libmysql55client18=10661

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      libmysql55client_r18-32bit-5.5.43-0.7.3
      libmysqlclient_r15-32bit-5.0.96-0.6.20

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ia64):

      libmysql55client_r18-x86-5.5.43-0.7.3
      libmysqlclient_r15-x86-5.0.96-0.6.20

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 5.5.43]:

      libmysql55client18-5.5.43-0.7.3
      libmysql55client_r18-5.5.43-0.7.3
      libmysqlclient15-5.0.96-0.6.20
      libmysqlclient_r15-5.0.96-0.6.20
      mysql-5.5.43-0.7.3
      mysql-client-5.5.43-0.7.3
      mysql-tools-5.5.43-0.7.3

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 5.5.43]:

      libmysql55client18-32bit-5.5.43-0.7.3
      libmysqlclient15-32bit-5.0.96-0.6.20

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.5.43]:

      libmysql55client18-5.5.43-0.7.3
      libmysql55client_r18-5.5.43-0.7.3
      libmysqlclient15-5.0.96-0.6.20
      libmysqlclient_r15-5.0.96-0.6.20
      mysql-5.5.43-0.7.3
      mysql-client-5.5.43-0.7.3
      mysql-tools-5.5.43-0.7.3

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 5.5.43]:

      libmysql55client18-32bit-5.5.43-0.7.3
      libmysqlclient15-32bit-5.0.96-0.6.20

   - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 5.5.43]:

      libmysql55client18-x86-5.5.43-0.7.3
      libmysqlclient15-x86-5.0.96-0.6.20

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 5.5.43]:

      libmysql55client18-5.5.43-0.7.3
      libmysql55client_r18-5.5.43-0.7.3
      libmysqlclient15-5.0.96-0.6.20
      libmysqlclient_r15-5.0.96-0.6.20
      mysql-5.5.43-0.7.3
      mysql-client-5.5.43-0.7.3

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 5.5.43]:

      libmysql55client18-32bit-5.5.43-0.7.3
      libmysql55client_r18-32bit-5.5.43-0.7.3
      libmysqlclient15-32bit-5.0.96-0.6.20
      libmysqlclient_r15-32bit-5.0.96-0.6.20


References:

   https://www.suse.com/security/cve/CVE-2014-3569.html
   https://www.suse.com/security/cve/CVE-2014-3570.html
   https://www.suse.com/security/cve/CVE-2014-3571.html
   https://www.suse.com/security/cve/CVE-2014-3572.html
   https://www.suse.com/security/cve/CVE-2014-8275.html
   https://www.suse.com/security/cve/CVE-2015-0204.html
   https://www.suse.com/security/cve/CVE-2015-0205.html
   https://www.suse.com/security/cve/CVE-2015-0206.html
   https://www.suse.com/security/cve/CVE-2015-0405.html
   https://www.suse.com/security/cve/CVE-2015-0423.html
   https://www.suse.com/security/cve/CVE-2015-0433.html
   https://www.suse.com/security/cve/CVE-2015-0438.html
   https://www.suse.com/security/cve/CVE-2015-0439.html
   https://www.suse.com/security/cve/CVE-2015-0441.html
   https://www.suse.com/security/cve/CVE-2015-0498.html
   https://www.suse.com/security/cve/CVE-2015-0499.html
   https://www.suse.com/security/cve/CVE-2015-0500.html
   https://www.suse.com/security/cve/CVE-2015-0501.html
   https://www.suse.com/security/cve/CVE-2015-0503.html
   https://www.suse.com/security/cve/CVE-2015-0505.html
   https://www.suse.com/security/cve/CVE-2015-0506.html
   https://www.suse.com/security/cve/CVE-2015-0507.html
   https://www.suse.com/security/cve/CVE-2015-0508.html
   https://www.suse.com/security/cve/CVE-2015-0511.html
   https://www.suse.com/security/cve/CVE-2015-2305.html
   https://www.suse.com/security/cve/CVE-2015-2566.html
   https://www.suse.com/security/cve/CVE-2015-2567.html
   https://www.suse.com/security/cve/CVE-2015-2568.html
   https://www.suse.com/security/cve/CVE-2015-2571.html
   https://www.suse.com/security/cve/CVE-2015-2573.html
   https://www.suse.com/security/cve/CVE-2015-2576.html
   https://bugzilla.suse.com/922043
   https://bugzilla.suse.com/927623
   https://download.suse.com/patch/finder/?keywords=bf7ed7fc98aa76bac61b9bec767d2098

From sle-security-updates at lists.suse.com  Wed May 27 09:05:36 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 May 2015 17:05:36 +0200 (CEST)
Subject: SUSE-SU-2015:0953-1: moderate: Security update for perl-YAML-LibYAML
Message-ID: <20150527150536.ABE4032049@maintenance.suse.de>

SUSE Security Update: Security update for perl-YAML-LibYAML
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0953-1
Rating:             moderate
References:         #860617 #868944 #907809 #911782
Cross-References:   CVE-2013-6393 CVE-2014-2525 CVE-2014-9130
Affected Products:
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now available.

Description:

   perl-YAML-LibYAML was updated to fix three security issues.

   These security issues were fixed:
   - CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performed an incorrect cast, which allowed remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggered a heap-based buffer overflow (bnc#860617, bnc#911782).
   - CVE-2014-9130: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allowed context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping (bnc#907809, bnc#911782).
   - CVE-2014-2525: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allowed context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file (bnc#868944, bnc#911782).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-215=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x):

      perl-YAML-LibYAML-0.38-10.1
      perl-YAML-LibYAML-debuginfo-0.38-10.1
      perl-YAML-LibYAML-debugsource-0.38-10.1


References:

   https://www.suse.com/security/cve/CVE-2013-6393.html
   https://www.suse.com/security/cve/CVE-2014-2525.html
   https://www.suse.com/security/cve/CVE-2014-9130.html
   https://bugzilla.suse.com/860617
   https://bugzilla.suse.com/868944
   https://bugzilla.suse.com/907809
   https://bugzilla.suse.com/911782

From sle-security-updates at lists.suse.com  Wed May 27 10:05:15 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 May 2015 18:05:15 +0200 (CEST)
Subject: SUSE-SU-2015:0953-2: moderate: Security update for perl-YAML-LibYAML
Message-ID: <20150527160515.DDE7C32049@maintenance.suse.de>

SUSE Security Update: Security update for perl-YAML-LibYAML
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0953-2
Rating:             moderate
References:         #860617 #868944 #907809 #911782
Cross-References:   CVE-2013-6393 CVE-2014-2525 CVE-2014-9130
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now available.

Description:

   perl-YAML-LibYAML was updated to fix three security issues.

   These security issues were fixed:
   - CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performed an incorrect cast, which allowed remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggered a heap-based buffer overflow (bnc#860617, bnc#911782).
   - CVE-2014-9130: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allowed context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping (bnc#907809, bnc#911782).
   - CVE-2014-2525: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allowed context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file (bnc#868944, bnc#911782).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-215=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-215=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12 (x86_64):

      perl-YAML-LibYAML-0.38-10.1
      perl-YAML-LibYAML-debuginfo-0.38-10.1
      perl-YAML-LibYAML-debugsource-0.38-10.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      perl-YAML-LibYAML-0.38-10.1
      perl-YAML-LibYAML-debuginfo-0.38-10.1
      perl-YAML-LibYAML-debugsource-0.38-10.1


References:

   https://www.suse.com/security/cve/CVE-2013-6393.html
   https://www.suse.com/security/cve/CVE-2014-2525.html
   https://www.suse.com/security/cve/CVE-2014-9130.html
   https://bugzilla.suse.com/860617
   https://bugzilla.suse.com/868944
   https://bugzilla.suse.com/907809
   https://bugzilla.suse.com/911782

From sle-security-updates at lists.suse.com  Thu May 28 04:05:01 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 28 May 2015 12:05:01 +0200 (CEST)
Subject: SUSE-SU-2015:0960-1: important: Security update for MozillaFirefox
Message-ID: <20150528100501.3713332063@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0960-1
Rating:             important
References:         #930622
Cross-References:   CVE-2015-0797 CVE-2015-2708 CVE-2015-2709 CVE-2015-2710 CVE-2015-2713 CVE-2015-2716
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update to Firefox 31.7.0 ESR (bsc#930622) fixes the following issues:

   * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 (bmo#1120655, bmo#1143299, bmo#1151139, bmo#1152177, bmo#1111251, bmo#1117977, bmo#1128064, bmo#1135066, bmo#1143194, bmo#1146101, bmo#1149526, bmo#1153688, bmo#1155474) Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
   * MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer
   * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS
   * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled
   * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-217=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-217=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-217=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-31.7.0esr-34.1
      MozillaFirefox-debugsource-31.7.0esr-34.1
      MozillaFirefox-devel-31.7.0esr-34.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      MozillaFirefox-31.7.0esr-34.1
      MozillaFirefox-debuginfo-31.7.0esr-34.1
      MozillaFirefox-debugsource-31.7.0esr-34.1
      MozillaFirefox-translations-31.7.0esr-34.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      MozillaFirefox-31.7.0esr-34.1
      MozillaFirefox-debuginfo-31.7.0esr-34.1
      MozillaFirefox-debugsource-31.7.0esr-34.1
      MozillaFirefox-translations-31.7.0esr-34.1


References:

   https://www.suse.com/security/cve/CVE-2015-0797.html
   https://www.suse.com/security/cve/CVE-2015-2708.html
   https://www.suse.com/security/cve/CVE-2015-2709.html
   https://www.suse.com/security/cve/CVE-2015-2710.html
   https://www.suse.com/security/cve/CVE-2015-2713.html
   https://www.suse.com/security/cve/CVE-2015-2716.html
   https://bugzilla.suse.com/930622

From sle-security-updates at lists.suse.com  Thu May 28 08:04:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 28 May 2015 16:04:57 +0200 (CEST)
Subject: SUSE-SU-2015:0962-1: moderate: Security update for curl
Message-ID: <20150528140457.3942B32063@maintenance.suse.de>

SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0962-1
Rating:             moderate
References:         #927174 #927556 #927746 #928533
Cross-References:   CVE-2015-3143 CVE-2015-3148 CVE-2015-3153
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now available.
Description: The curl tool and libcurl4 library have been updated to fix several security and non-security issues. The following vulnerabilities have been fixed: * CVE-2015-3143: Re-using authenticated connection when unauthenticated. (bsc#927556) * CVE-2015-3148: Negotiate not treated as connection-oriented. (bsc#927746) * CVE-2015-3153: Sensitive HTTP server headers also sent to proxies. (bsc#928533) The following non-security issue has been fixed: * git fails to clone from https repository. (bsc#927174) Security Issues: * CVE-2015-3143 * CVE-2015-3148 * CVE-2015-3153 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-curl=10660 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-curl=10660 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-curl=10660 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-curl=10660 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libcurl-devel-7.19.7-1.42.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): curl-7.19.7-1.42.1 libcurl4-7.19.7-1.42.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libcurl4-32bit-7.19.7-1.42.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): curl-7.19.7-1.42.1 libcurl4-7.19.7-1.42.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libcurl4-32bit-7.19.7-1.42.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libcurl4-x86-7.19.7-1.42.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): curl-7.19.7-1.42.1 libcurl4-7.19.7-1.42.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libcurl4-32bit-7.19.7-1.42.1 References: https://www.suse.com/security/cve/CVE-2015-3143.html https://www.suse.com/security/cve/CVE-2015-3148.html https://www.suse.com/security/cve/CVE-2015-3153.html https://bugzilla.suse.com/927174 https://bugzilla.suse.com/927556 https://bugzilla.suse.com/927746 https://bugzilla.suse.com/928533 https://download.suse.com/patch/finder/?keywords=15283cac05d947363283c7ddcb466af0
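Auditing a fleet for the curl advisory above means comparing each host's installed version-release against the fixed 7.19.7-1.42.1, and a plain string comparison gets rpm version ordering wrong. The following is an added example, not SUSE's tooling: it implements rpm's segment-wise comparison (digit runs compared numerically, letter runs lexically, digits rank above letters, a leftover segment wins; the '~' marker is ignored as a simplification) and runs it over constructed `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.

```python
import re

# rpm splits version strings into runs of digits or letters; everything else
# (dots, dashes, underscores) is a separator and carries no meaning.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release strings: -1, 0 or 1 (no '~' support)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:                      # a numeric segment beats an alpha one
            return 1 if xd else -1
        if xd:
            c = (int(x) > int(y)) - (int(x) < int(y))   # "10" > "9"
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    # Equal so far: the string with segments left over is the newer one
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' pairs; epochs are not used in this advisory."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Fixed version-release per package, from SUSE-SU-2015:0962-1 (SLE 11 SP3)
FIXED = {
    "curl": "7.19.7-1.42.1",
    "libcurl4": "7.19.7-1.42.1",
    "libcurl4-32bit": "7.19.7-1.42.1",
    "libcurl-devel": "7.19.7-1.42.1",
}

def unpatched(rpm_q_output: str) -> dict:
    """Return {name: installed version-release} for packages older than the fix."""
    found = {}
    for line in rpm_q_output.splitlines():
        if not line.strip():
            continue
        name, vr = line.split()
        if name in FIXED and evr_cmp(vr, FIXED[name]) < 0:
            found[name] = vr
    return found

# Constructed sample of 'rpm -q --qf' output from a partially patched host
SAMPLE = """\
curl 7.19.7-1.41.1
libcurl4 7.19.7-1.42.1
libcurl4-32bit 7.19.7-1.20.23
gcc 4.3.4-0.27
"""

if __name__ == "__main__":
    for pkg, vr in unpatched(SAMPLE).items():
        print(f"{pkg} {vr} is older than {FIXED[pkg]}: apply slessp3-curl=10660")
```

`zypper patch` already does this comparison locally; the standalone check is useful when you only have an exported package inventory rather than shell access.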
