From sle-security-updates at lists.suse.com Mon Nov 2 08:34:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 16:34:54 +0100 (CET)
Subject: SUSE-SU-2015:1874-1: important: Security update for java-1_7_0-openjdk
Message-ID: <20151102153454.E3818320FF@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1874-1
Rating:             important
References:         #951376
Cross-References:   CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
                    CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843
                    CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881
                    CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903
                    CVE-2015-4911
Affected Products:
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.

   These security issues were fixed:
   - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bsc#951376).
   - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JAXP (bsc#951376).
   - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#951376).
   - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect integrity via unknown vectors related to Security (bsc#951376).
   - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883 (bsc#951376).
   - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (bsc#951376).
   - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860 (bsc#951376).
   - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911 (bsc#951376).
   - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893 (bsc#951376).
   - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect availability via vectors related to CORBA (bsc#951376).
   - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).
   - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JGSS (bsc#951376).
   - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries (bsc#951376).
   - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization (bsc#951376).
   - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911 (bsc#951376).
   - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).
   - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to RMI (bsc#951376).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-781=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x):

      java-1_7_0-openjdk-1.7.0.91-21.2
      java-1_7_0-openjdk-debuginfo-1.7.0.91-21.2
      java-1_7_0-openjdk-debugsource-1.7.0.91-21.2
      java-1_7_0-openjdk-demo-1.7.0.91-21.2
      java-1_7_0-openjdk-demo-debuginfo-1.7.0.91-21.2
      java-1_7_0-openjdk-devel-1.7.0.91-21.2
      java-1_7_0-openjdk-devel-debuginfo-1.7.0.91-21.2
      java-1_7_0-openjdk-headless-1.7.0.91-21.2
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.91-21.2

References:

   https://www.suse.com/security/cve/CVE-2015-4734.html
   https://www.suse.com/security/cve/CVE-2015-4803.html
   https://www.suse.com/security/cve/CVE-2015-4805.html
   https://www.suse.com/security/cve/CVE-2015-4806.html
   https://www.suse.com/security/cve/CVE-2015-4835.html
   https://www.suse.com/security/cve/CVE-2015-4840.html
   https://www.suse.com/security/cve/CVE-2015-4842.html
   https://www.suse.com/security/cve/CVE-2015-4843.html
   https://www.suse.com/security/cve/CVE-2015-4844.html
   https://www.suse.com/security/cve/CVE-2015-4860.html
   https://www.suse.com/security/cve/CVE-2015-4872.html
   https://www.suse.com/security/cve/CVE-2015-4881.html
   https://www.suse.com/security/cve/CVE-2015-4882.html
   https://www.suse.com/security/cve/CVE-2015-4883.html
   https://www.suse.com/security/cve/CVE-2015-4893.html
   https://www.suse.com/security/cve/CVE-2015-4903.html
   https://www.suse.com/security/cve/CVE-2015-4911.html
   https://bugzilla.suse.com/951376

From sle-security-updates at lists.suse.com Mon Nov 2 08:35:16 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 16:35:16 +0100 (CET)
Subject: SUSE-SU-2015:1875-1: important: Security update for java-1_7_0-openjdk
Message-ID: <20151102153516.37A91320FF@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1875-1
Rating:             important
References:         #951376
Cross-References:   CVE-2015-4734 CVE-2015-4803
                    CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840
                    CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860
                    CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883
                    CVE-2015-4893 CVE-2015-4903 CVE-2015-4911
Affected Products:
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.

   These security issues were fixed:
   - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bsc#951376).
   - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JAXP (bsc#951376).
   - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#951376).
   - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect integrity via unknown vectors related to Security (bsc#951376).
   - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883 (bsc#951376).
   - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (bsc#951376).
   - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860 (bsc#951376).
   - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911 (bsc#951376).
   - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893 (bsc#951376).
   - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect availability via vectors related to CORBA (bsc#951376).
   - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).
   - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JGSS (bsc#951376).
   - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries (bsc#951376).
   - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization (bsc#951376).
   - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911 (bsc#951376).
   - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).
   - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to RMI (bsc#951376).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-java-1_7_0-openjdk-12179=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-java-1_7_0-openjdk-12179=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11-SP4 (i586):

      java-1_7_0-openjdk-1.7.0.91-0.14.2
      java-1_7_0-openjdk-demo-1.7.0.91-0.14.2
      java-1_7_0-openjdk-devel-1.7.0.91-0.14.2

   - SUSE Linux Enterprise Desktop 11-SP3 (i586):

      java-1_7_0-openjdk-1.7.0.91-0.14.2
      java-1_7_0-openjdk-demo-1.7.0.91-0.14.2
      java-1_7_0-openjdk-devel-1.7.0.91-0.14.2

References:

   https://www.suse.com/security/cve/CVE-2015-4734.html
   https://www.suse.com/security/cve/CVE-2015-4803.html
   https://www.suse.com/security/cve/CVE-2015-4805.html
   https://www.suse.com/security/cve/CVE-2015-4806.html
   https://www.suse.com/security/cve/CVE-2015-4835.html
   https://www.suse.com/security/cve/CVE-2015-4840.html
   https://www.suse.com/security/cve/CVE-2015-4842.html
   https://www.suse.com/security/cve/CVE-2015-4843.html
   https://www.suse.com/security/cve/CVE-2015-4844.html
   https://www.suse.com/security/cve/CVE-2015-4860.html
   https://www.suse.com/security/cve/CVE-2015-4872.html
   https://www.suse.com/security/cve/CVE-2015-4881.html
   https://www.suse.com/security/cve/CVE-2015-4882.html
   https://www.suse.com/security/cve/CVE-2015-4883.html
   https://www.suse.com/security/cve/CVE-2015-4893.html
   https://www.suse.com/security/cve/CVE-2015-4903.html
   https://www.suse.com/security/cve/CVE-2015-4911.html
   https://bugzilla.suse.com/951376

From sle-security-updates at lists.suse.com Mon Nov 2 08:40:11 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 16:40:11 +0100 (CET)
Subject: SUSE-SU-2015:1885-1: moderate: Security update for apache2
Message-ID: <20151102154011.5E5F6320B7@maintenance.suse.de>

   SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1885-1
Rating:             moderate
References:         #444878 #931002 #938728 #941676
Cross-References:   CVE-2015-3183
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   Apache was updated to fix one security vulnerability and two bugs.

   The following security issue was fixed:
   - Fix the chunked transfer coding implementation in Apache (bsc#938728, CVE-2015-3183)

   Bugs fixed:
   - add SSLSessionTickets directive (bsc#941676)
   - hardcode modules %files (bsc#444878)
   - only enable port 443 for the TCP protocol, not UDP (bsc#931002)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-apache2-12181=1

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-apache2-12181=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-apache2-12181=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-apache2-12181=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ia64 ppc64):

      apache2-devel-2.2.12-59.1

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (ia64 ppc64):

      apache2-devel-2.2.12-59.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64 ppc64):

      apache2-2.2.12-59.1
      apache2-doc-2.2.12-59.1
      apache2-example-pages-2.2.12-59.1
      apache2-prefork-2.2.12-59.1
      apache2-utils-2.2.12-59.1
      apache2-worker-2.2.12-59.1

   - SUSE Linux Enterprise Server 11-SP3 (ia64 ppc64):

      apache2-2.2.12-59.1
      apache2-doc-2.2.12-59.1
      apache2-example-pages-2.2.12-59.1
      apache2-prefork-2.2.12-59.1
      apache2-utils-2.2.12-59.1
      apache2-worker-2.2.12-59.1

References:

   https://www.suse.com/security/cve/CVE-2015-3183.html
   https://bugzilla.suse.com/444878
   https://bugzilla.suse.com/931002
   https://bugzilla.suse.com/938728
   https://bugzilla.suse.com/941676

From sle-security-updates at lists.suse.com Mon Nov 2 09:11:02 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 17:11:02 +0100 (CET)
Subject: SUSE-SU-2015:1888-1: moderate: Security update for rubygem-rack
Message-ID: <20151102161102.656D432139@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-rack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1888-1
Rating:             moderate
References:         #934797
Cross-References:   CVE-2015-3225
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Lifecycle Management Server 1.3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   rubygem-rack was updated to fix one security issue.

   This security issue was fixed:
   - CVE-2015-3225: Crafted requests could have caused a SystemStackError leading to Denial of Service (bsc#934797).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-rubygem-rack-12182=1

   - SUSE Lifecycle Management Server 1.3:

      zypper in -t patch sleslms13-rubygem-rack-12182=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      rubygem-rack-1.1.6-0.11.2

   - SUSE Lifecycle Management Server 1.3 (x86_64):

      rubygem-rack-1.1.6-0.11.2

References:

   https://www.suse.com/security/cve/CVE-2015-3225.html
   https://bugzilla.suse.com/934797

From sle-security-updates at lists.suse.com Mon Nov 2 09:11:25 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 17:11:25 +0100 (CET)
Subject: SUSE-SU-2015:1874-2: important: Security update for java-1_7_0-openjdk
Message-ID: <20151102161125.8358332139@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1874-2
Rating:             important
References:         #951376
Cross-References:   CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
                    CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843
                    CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881
                    CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903
                    CVE-2015-4911
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.
   These security issues were fixed:
   - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bsc#951376).
   - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JAXP (bsc#951376).
   - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#951376).
   - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect integrity via unknown vectors related to Security (bsc#951376).
   - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883 (bsc#951376).
   - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (bsc#951376).
   - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860 (bsc#951376).
   - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911 (bsc#951376).
   - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893 (bsc#951376).
   - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect availability via vectors related to CORBA (bsc#951376).
   - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).
   - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JGSS (bsc#951376).
   - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries (bsc#951376).
   - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization (bsc#951376).
   - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911 (bsc#951376).
   - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).
   - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to RMI (bsc#951376).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-781=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-781=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (x86_64):

      java-1_7_0-openjdk-1.7.0.91-21.2
      java-1_7_0-openjdk-debuginfo-1.7.0.91-21.2
      java-1_7_0-openjdk-debugsource-1.7.0.91-21.2
      java-1_7_0-openjdk-demo-1.7.0.91-21.2
      java-1_7_0-openjdk-demo-debuginfo-1.7.0.91-21.2
      java-1_7_0-openjdk-devel-1.7.0.91-21.2
      java-1_7_0-openjdk-devel-debuginfo-1.7.0.91-21.2
      java-1_7_0-openjdk-headless-1.7.0.91-21.2
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.91-21.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      java-1_7_0-openjdk-1.7.0.91-21.2
      java-1_7_0-openjdk-debuginfo-1.7.0.91-21.2
      java-1_7_0-openjdk-debugsource-1.7.0.91-21.2
      java-1_7_0-openjdk-headless-1.7.0.91-21.2
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.91-21.2

References:

   https://www.suse.com/security/cve/CVE-2015-4734.html
   https://www.suse.com/security/cve/CVE-2015-4803.html
   https://www.suse.com/security/cve/CVE-2015-4805.html
   https://www.suse.com/security/cve/CVE-2015-4806.html
   https://www.suse.com/security/cve/CVE-2015-4835.html
   https://www.suse.com/security/cve/CVE-2015-4840.html
   https://www.suse.com/security/cve/CVE-2015-4842.html
   https://www.suse.com/security/cve/CVE-2015-4843.html
   https://www.suse.com/security/cve/CVE-2015-4844.html
   https://www.suse.com/security/cve/CVE-2015-4860.html
   https://www.suse.com/security/cve/CVE-2015-4872.html
   https://www.suse.com/security/cve/CVE-2015-4881.html
   https://www.suse.com/security/cve/CVE-2015-4882.html
   https://www.suse.com/security/cve/CVE-2015-4883.html
   https://www.suse.com/security/cve/CVE-2015-4893.html
   https://www.suse.com/security/cve/CVE-2015-4903.html
   https://www.suse.com/security/cve/CVE-2015-4911.html
   https://bugzilla.suse.com/951376

From sle-security-updates at lists.suse.com Mon Nov 2 09:11:46 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 17:11:46 +0100 (CET)
Subject: SUSE-SU-2015:1875-2: important: Security update for java-1_7_0-openjdk
Message-ID: <20151102161146.AE11C32139@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1875-2
Rating:             important
References:         #951376
Cross-References:   CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
                    CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843
                    CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881
                    CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903
                    CVE-2015-4911
Affected Products:
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.

   These security issues were fixed:
   - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bsc#951376).
- CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JAXP (bsc#951376). - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#951376). - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect integrity via unknown vectors related to Security (bsc#951376). - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883 (bsc#951376). - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (bsc#951376). - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860 (bsc#951376). - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911 (bsc#951376). - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893 (bsc#951376). 
- CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect availability via vectors related to CORBA (bsc#951376). - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376). - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JGSS (bsc#951376). - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries (bsc#951376). - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization (bsc#951376). - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911 (bsc#951376). - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376). - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to RMI (bsc#951376). 
Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11-SP4: zypper in -t patch sledsp4-java-1_7_0-openjdk-12179=1 - SUSE Linux Enterprise Desktop 11-SP3: zypper in -t patch sledsp3-java-1_7_0-openjdk-12179=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-java-1_7_0-openjdk-12179=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-java-1_7_0-openjdk-12179=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11-SP4 (x86_64): java-1_7_0-openjdk-1.7.0.91-0.14.2 java-1_7_0-openjdk-demo-1.7.0.91-0.14.2 java-1_7_0-openjdk-devel-1.7.0.91-0.14.2 - SUSE Linux Enterprise Desktop 11-SP3 (x86_64): java-1_7_0-openjdk-1.7.0.91-0.14.2 java-1_7_0-openjdk-demo-1.7.0.91-0.14.2 java-1_7_0-openjdk-devel-1.7.0.91-0.14.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64): java-1_7_0-openjdk-debuginfo-1.7.0.91-0.14.2 java-1_7_0-openjdk-debugsource-1.7.0.91-0.14.2 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64): java-1_7_0-openjdk-debuginfo-1.7.0.91-0.14.2 java-1_7_0-openjdk-debugsource-1.7.0.91-0.14.2 References: https://www.suse.com/security/cve/CVE-2015-4734.html https://www.suse.com/security/cve/CVE-2015-4803.html https://www.suse.com/security/cve/CVE-2015-4805.html https://www.suse.com/security/cve/CVE-2015-4806.html https://www.suse.com/security/cve/CVE-2015-4835.html https://www.suse.com/security/cve/CVE-2015-4840.html https://www.suse.com/security/cve/CVE-2015-4842.html https://www.suse.com/security/cve/CVE-2015-4843.html https://www.suse.com/security/cve/CVE-2015-4844.html https://www.suse.com/security/cve/CVE-2015-4860.html https://www.suse.com/security/cve/CVE-2015-4872.html https://www.suse.com/security/cve/CVE-2015-4881.html https://www.suse.com/security/cve/CVE-2015-4882.html https://www.suse.com/security/cve/CVE-2015-4883.html 
   https://www.suse.com/security/cve/CVE-2015-4893.html
   https://www.suse.com/security/cve/CVE-2015-4903.html
   https://www.suse.com/security/cve/CVE-2015-4911.html
   https://bugzilla.suse.com/951376

From sle-security-updates at lists.suse.com Mon Nov 2 09:12:09 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 17:12:09 +0100 (CET)
Subject: SUSE-SU-2015:1889-1: moderate: Security update for ruby19
Message-ID: <20151102161209.37DEC32139@maintenance.suse.de>

SUSE Security Update: Security update for ruby19
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1889-1
Rating:             moderate
References:         #926974 #939860
Cross-References:   CVE-2009-5147 CVE-2015-1855
Affected Products:
                    SUSE Studio Onsite 1.3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   ruby19 was updated to fix two security issues.

   The following vulnerabilities were fixed:

   * CVE-2015-1855: Ruby OpenSSL hostname verification was too permissive (bsc#926974).
   * CVE-2009-5147: DL::dlopen could have loaded a library with a tainted library name even if $SAFE > 0 (bsc#939860).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-ruby19-12180=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Studio Onsite 1.3 (x86_64):

      ruby19-1.9.3.p392-0.23.1
      ruby19-devel-1.9.3.p392-0.23.1
      ruby19-devel-extra-1.9.3.p392-0.23.1


References:

   https://www.suse.com/security/cve/CVE-2009-5147.html
   https://www.suse.com/security/cve/CVE-2015-1855.html
   https://bugzilla.suse.com/926974
   https://bugzilla.suse.com/939860

From sle-security-updates at lists.suse.com Mon Nov 2 09:12:47 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 17:12:47 +0100 (CET)
Subject: SUSE-SU-2015:1885-2: moderate: Security update for apache2
Message-ID: <20151102161247.4E6EA32139@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1885-2
Rating:             moderate
References:         #444878 #931002 #938728 #941676
Cross-References:   CVE-2015-3183
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   Apache was updated to fix one security vulnerability and two bugs.

   The following security issue was fixed:

   - Fix the chunked transfer coding implementation in Apache (bsc#938728, CVE-2015-3183)

   Bugs fixed:

   - add SSLSessionTickets directive (bsc#941676)
   - hardcode modules %files (bsc#444878)
   - only enable port 443 for the TCP protocol, not UDP (bsc#931002)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-apache2-12181=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-apache2-12181=1

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-apache2-12181=1

   - SUSE Linux Enterprise Server for VMWare 11-SP3:

      zypper in -t patch slessp3-apache2-12181=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-apache2-12181=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-apache2-12181=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-apache2-12181=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-apache2-12181=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Studio Onsite 1.3 (x86_64):

      apache2-devel-2.2.12-59.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 s390x x86_64):

      apache2-devel-2.2.12-59.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

      apache2-2.2.12-59.1
      apache2-doc-2.2.12-59.1
      apache2-example-pages-2.2.12-59.1
      apache2-prefork-2.2.12-59.1
      apache2-utils-2.2.12-59.1
      apache2-worker-2.2.12-59.1

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 s390x x86_64):

      apache2-devel-2.2.12-59.1

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 x86_64):

      apache2-2.2.12-59.1
      apache2-doc-2.2.12-59.1
      apache2-example-pages-2.2.12-59.1
      apache2-prefork-2.2.12-59.1
      apache2-utils-2.2.12-59.1
      apache2-worker-2.2.12-59.1

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):

      apache2-2.2.12-59.1
      apache2-doc-2.2.12-59.1
      apache2-example-pages-2.2.12-59.1
      apache2-prefork-2.2.12-59.1
      apache2-utils-2.2.12-59.1
      apache2-worker-2.2.12-59.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 s390x x86_64):

      apache2-2.2.12-59.1
      apache2-doc-2.2.12-59.1
      apache2-example-pages-2.2.12-59.1
      apache2-prefork-2.2.12-59.1
      apache2-utils-2.2.12-59.1
      apache2-worker-2.2.12-59.1

   - SUSE Linux Enterprise Server 11-SP3 (i586 s390x x86_64):

      apache2-2.2.12-59.1
      apache2-doc-2.2.12-59.1
      apache2-example-pages-2.2.12-59.1
      apache2-prefork-2.2.12-59.1
      apache2-utils-2.2.12-59.1
      apache2-worker-2.2.12-59.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      apache2-debuginfo-2.2.12-59.1
      apache2-debugsource-2.2.12-59.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      apache2-debuginfo-2.2.12-59.1
      apache2-debugsource-2.2.12-59.1


References:

   https://www.suse.com/security/cve/CVE-2015-3183.html
   https://bugzilla.suse.com/444878
   https://bugzilla.suse.com/931002
   https://bugzilla.suse.com/938728
   https://bugzilla.suse.com/941676

From sle-security-updates at lists.suse.com Mon Nov 2 10:10:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2015 18:10:57 +0100 (CET)
Subject: SUSE-SU-2015:1890-1: Security update for openstack-neutron and crowbar-barclamp-neutron
Message-ID: <20151102171057.58FAB32139@maintenance.suse.de>

SUSE Security Update: Security update for openstack-neutron and crowbar-barclamp-neutron
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1890-1
Rating:             low
References:         #935263 #939691 #943648 #946882 #948704
Cross-References:   CVE-2015-3221 CVE-2015-5240
Affected Products:
                    SUSE OpenStack Cloud 5
______________________________________________________________________________

   An update that solves two vulnerabilities and has three fixes is now available.

Description:

   This update provides security fixes and improvements for openstack-neutron
   and crowbar-barclamp-neutron.

   crowbar-barclamp-neutron:

   - Add infoblox support.
   - Add configurations required to support DHCP relay.
   - Create "floating" network as "flat" provider network. (bsc#946882)
   - Fix search for Nova instance.

   openstack-neutron:

   - Fix usage_audit to work with ML2.
   - Fix UDP offloading issue with virtio VMs. (bsc#948704)
   - Fix ipset not being destroyed when the last rule is deleted.
   - Add ARP spoofing protection for LinuxBridge agent.
   - Don't use ARP responder for IPv6 addresses in ovs.
   - Stop device_owner from being set to 'network:*'. (bsc#943648, CVE-2015-5240)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-neutron-201510-12183=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      openstack-neutron-2014.2.4~a0~dev103-16.2
      openstack-neutron-dhcp-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-ha-tool-2014.2.4~a0~dev103-16.2
      openstack-neutron-ibm-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-l3-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-lbaas-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-linuxbridge-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-metadata-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-metering-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-mlnx-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-nec-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-nvsd-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-openvswitch-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-plugin-cisco-2014.2.4~a0~dev103-16.2
      openstack-neutron-restproxy-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-ryu-agent-2014.2.4~a0~dev103-16.2
      openstack-neutron-server-2014.2.4~a0~dev103-16.2
      openstack-neutron-vpn-agent-2014.2.4~a0~dev103-16.2
      python-neutron-2014.2.4~a0~dev103-16.2

   - SUSE OpenStack Cloud 5 (noarch):

      crowbar-barclamp-neutron-1.9+git.1443859419.95e948a-12.2
      openstack-neutron-doc-2014.2.4~a0~dev103-16.4


References:

   https://www.suse.com/security/cve/CVE-2015-3221.html
   https://www.suse.com/security/cve/CVE-2015-5240.html
   https://bugzilla.suse.com/935263
   https://bugzilla.suse.com/939691
   https://bugzilla.suse.com/943648
   https://bugzilla.suse.com/946882
   https://bugzilla.suse.com/948704

From sle-security-updates at lists.suse.com Tue Nov 3 03:10:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Nov 2015 11:10:56 +0100 (CET)
Subject: SUSE-SU-2015:1892-1: moderate: Security update for libvdpau
Message-ID: <20151103101056.7E32232139@maintenance.suse.de>

SUSE Security Update: Security update for libvdpau
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1892-1
Rating:             moderate
References:         #943967 #943968 #943969
Cross-References:   CVE-2015-5198 CVE-2015-5199 CVE-2015-5200
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   libvdpau was updated to use secure_getenv() instead of getenv() for several
   variables, so that it can be used more safely in setuid applications.

   * CVE-2015-5198: libvdpau: incorrect check for security transition (bnc#943967)
   * CVE-2015-5199: libvdpau: directory traversal in dlopen (bnc#943968)
   * CVE-2015-5200: libvdpau: vulnerability in trace functionality (bnc#943969)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-788=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-788=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-788=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-788=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      libvdpau1-32bit-0.8-3.1
      libvdpau1-debuginfo-32bit-0.8-3.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libvdpau-debugsource-0.8-3.1
      libvdpau-devel-0.8-3.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libvdpau-debugsource-0.8-3.1
      libvdpau1-0.8-3.1
      libvdpau1-debuginfo-0.8-3.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libvdpau-debugsource-0.8-3.1
      libvdpau1-0.8-3.1
      libvdpau1-32bit-0.8-3.1
      libvdpau1-debuginfo-0.8-3.1
      libvdpau1-debuginfo-32bit-0.8-3.1


References:

   https://www.suse.com/security/cve/CVE-2015-5198.html
   https://www.suse.com/security/cve/CVE-2015-5199.html
   https://www.suse.com/security/cve/CVE-2015-5200.html
   https://bugzilla.suse.com/943967
   https://bugzilla.suse.com/943968
   https://bugzilla.suse.com/943969

From sle-security-updates at lists.suse.com Tue Nov 3 03:12:05 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Nov 2015 11:12:05 +0100 (CET)
Subject: SUSE-SU-2015:1894-1: important: Security update for xen
Message-ID: <20151103101205.6FFA732139@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1894-1
Rating:             important
References:         #877642 #901488 #907514 #910258 #918984 #923967 #932267
                    #944463 #944697 #945167 #947165 #949138 #949549 #950367
                    #950703 #950705 #950706
Cross-References:   CVE-2014-0222 CVE-2015-4037 CVE-2015-5239 CVE-2015-6815
                    CVE-2015-7311 CVE-2015-7835 CVE-2015-7969 CVE-2015-7971
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 8 vulnerabilities and has 9 fixes is now available.
Description:

   xen was updated to version 4.4.3 to fix nine security issues.

   These security issues were fixed:

   - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary files with predictable names, which allowed local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program (bsc#932267).
   - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#877642).
   - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367).
   - CVE-2015-7311: libxl in Xen did not properly handle the readonly flag on disks when using the qemu-xen device model, which allowed local guest users to write to a read-only disk image (bsc#947165).
   - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463).
   - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter an infinite loop (bsc#944697).
   - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to denial of service (bsc#950703).
   - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array leading to denial of service (bsc#950705).
   - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706).
   These non-security issues were fixed:

   - bsc#907514: Bus fatal error: SLES 12 sudden reboot has been observed
   - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of guest with VT-d NIC
   - bsc#918984: Bus fatal error: SLES11-SP4 sudden reboot has been observed
   - bsc#923967: Partner-L3: Bus fatal error: SLES11-SP3 sudden reboot has been observed
   - bnc#901488: Intel ixgbe driver assigns rx/tx queues per core, resulting in irq problems on servers with a large number of CPU cores
   - bsc#945167: Running the command "xl pci-assignable-add 03:10.1" a second time shows errors
   - bsc#949138: Setting vcpu affinity under Xen causes libvirtd abort
   - bsc#949549: xm create hangs when the maxmem value is enclosed in quotes

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-xen-12184=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-xen-12184=1

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-xen-12184=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-xen-12184=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

      xen-devel-4.4.3_02-26.2

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      xen-kmp-default-4.4.3_02_3.0.101_65-26.2
      xen-libs-4.4.3_02-26.2
      xen-tools-domU-4.4.3_02-26.2

   - SUSE Linux Enterprise Server 11-SP4 (x86_64):

      xen-4.4.3_02-26.2
      xen-doc-html-4.4.3_02-26.2
      xen-libs-32bit-4.4.3_02-26.2
      xen-tools-4.4.3_02-26.2

   - SUSE Linux Enterprise Server 11-SP4 (i586):

      xen-kmp-pae-4.4.3_02_3.0.101_65-26.2

   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

      xen-kmp-default-4.4.3_02_3.0.101_65-26.2
      xen-libs-4.4.3_02-26.2
      xen-tools-domU-4.4.3_02-26.2

   - SUSE Linux Enterprise Desktop 11-SP4 (x86_64):

      xen-4.4.3_02-26.2
      xen-doc-html-4.4.3_02-26.2
      xen-libs-32bit-4.4.3_02-26.2
      xen-tools-4.4.3_02-26.2

   - SUSE Linux Enterprise Desktop 11-SP4 (i586):

      xen-kmp-pae-4.4.3_02_3.0.101_65-26.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      xen-debuginfo-4.4.3_02-26.2
      xen-debugsource-4.4.3_02-26.2


References:

   https://www.suse.com/security/cve/CVE-2014-0222.html
   https://www.suse.com/security/cve/CVE-2015-4037.html
   https://www.suse.com/security/cve/CVE-2015-5239.html
   https://www.suse.com/security/cve/CVE-2015-6815.html
   https://www.suse.com/security/cve/CVE-2015-7311.html
   https://www.suse.com/security/cve/CVE-2015-7835.html
   https://www.suse.com/security/cve/CVE-2015-7969.html
   https://www.suse.com/security/cve/CVE-2015-7971.html
   https://bugzilla.suse.com/877642
   https://bugzilla.suse.com/901488
   https://bugzilla.suse.com/907514
   https://bugzilla.suse.com/910258
   https://bugzilla.suse.com/918984
   https://bugzilla.suse.com/923967
   https://bugzilla.suse.com/932267
   https://bugzilla.suse.com/944463
   https://bugzilla.suse.com/944697
   https://bugzilla.suse.com/945167
   https://bugzilla.suse.com/947165
   https://bugzilla.suse.com/949138
   https://bugzilla.suse.com/949549
   https://bugzilla.suse.com/950367
   https://bugzilla.suse.com/950703
   https://bugzilla.suse.com/950705
   https://bugzilla.suse.com/950706

From sle-security-updates at lists.suse.com Wed Nov 4 02:11:30 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Nov 2015 10:11:30 +0100 (CET)
Subject: SUSE-SU-2015:1897-1: important: Security update for krb5
Message-ID: <20151104091130.7113F32139@maintenance.suse.de>

SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1897-1
Rating:             important
References:         #948011 #952188 #952189 #952190
Cross-References:   CVE-2015-2695 CVE-2015-2696 CVE-2015-2697
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now available.

Description:

   krb5 was updated to fix three security issues.

   These security issues were fixed:

   - CVE-2015-2695: Applications which call gss_inquire_context() on a partially-established SPNEGO context could have caused the GSS-API library to read from a pointer using the wrong type, generally causing a process crash (bsc#952188).
   - CVE-2015-2696: Applications which call gss_inquire_context() on a partially-established IAKERB context could have caused the GSS-API library to read from a pointer using the wrong type, generally causing a process crash (bsc#952189).
   - CVE-2015-2697: Incorrect string handling in build_principal_va could lead to a denial of service (DoS) (bsc#952190).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-792=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-792=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-792=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      krb5-debuginfo-1.12.1-19.1
      krb5-debugsource-1.12.1-19.1
      krb5-devel-1.12.1-19.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      krb5-1.12.1-19.1
      krb5-client-1.12.1-19.1
      krb5-client-debuginfo-1.12.1-19.1
      krb5-debuginfo-1.12.1-19.1
      krb5-debugsource-1.12.1-19.1
      krb5-doc-1.12.1-19.1
      krb5-plugin-kdb-ldap-1.12.1-19.1
      krb5-plugin-kdb-ldap-debuginfo-1.12.1-19.1
      krb5-plugin-preauth-otp-1.12.1-19.1
      krb5-plugin-preauth-otp-debuginfo-1.12.1-19.1
      krb5-plugin-preauth-pkinit-1.12.1-19.1
      krb5-plugin-preauth-pkinit-debuginfo-1.12.1-19.1
      krb5-server-1.12.1-19.1
      krb5-server-debuginfo-1.12.1-19.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      krb5-32bit-1.12.1-19.1
      krb5-debuginfo-32bit-1.12.1-19.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      krb5-1.12.1-19.1
      krb5-32bit-1.12.1-19.1
      krb5-client-1.12.1-19.1
      krb5-client-debuginfo-1.12.1-19.1
      krb5-debuginfo-1.12.1-19.1
      krb5-debuginfo-32bit-1.12.1-19.1
      krb5-debugsource-1.12.1-19.1


References:

   https://www.suse.com/security/cve/CVE-2015-2695.html
   https://www.suse.com/security/cve/CVE-2015-2696.html
   https://www.suse.com/security/cve/CVE-2015-2697.html
   https://bugzilla.suse.com/948011
   https://bugzilla.suse.com/952188
   https://bugzilla.suse.com/952189
   https://bugzilla.suse.com/952190

From sle-security-updates at lists.suse.com Wed Nov 4 03:11:16 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Nov 2015 11:11:16 +0100 (CET)
Subject: SUSE-SU-2015:1898-1: important: Security update for krb5
Message-ID: <20151104101116.4E78C32139@maintenance.suse.de>

SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1898-1
Rating:             important
References:         #952188
Cross-References:   CVE-2015-2695
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   krb5 was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-2695: Applications which call gss_inquire_context() on a partially-established SPNEGO context could have caused the GSS-API library to read from a pointer using the wrong type, generally causing a process crash (bsc#952188).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-krb5-12185=1

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-krb5-12185=1

   - SUSE Linux Enterprise Server for VMWare 11-SP3:

      zypper in -t patch slessp3-krb5-12185=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-krb5-12185=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-krb5-12185=1

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-krb5-12185=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-krb5-12185=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-krb5-12185=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      krb5-devel-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      krb5-devel-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

      krb5-server-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      krb5-devel-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (ppc64 s390x x86_64):

      krb5-devel-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 x86_64):

      krb5-server-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):

      krb5-1.6.3-133.49.97.1
      krb5-apps-clients-1.6.3-133.49.97.1
      krb5-apps-servers-1.6.3-133.49.97.1
      krb5-client-1.6.3-133.49.97.1
      krb5-plugin-kdb-ldap-1.6.3-133.49.97.3
      krb5-plugin-preauth-pkinit-1.6.3-133.49.97.3
      krb5-server-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (x86_64):

      krb5-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (noarch):

      krb5-doc-1.6.3-133.49.97.3

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      krb5-1.6.3-133.49.97.1
      krb5-apps-clients-1.6.3-133.49.97.1
      krb5-apps-servers-1.6.3-133.49.97.1
      krb5-client-1.6.3-133.49.97.1
      krb5-plugin-kdb-ldap-1.6.3-133.49.97.3
      krb5-plugin-preauth-pkinit-1.6.3-133.49.97.3
      krb5-server-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      krb5-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server 11-SP4 (noarch):

      krb5-doc-1.6.3-133.49.97.3

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      krb5-x86-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      krb5-1.6.3-133.49.97.1
      krb5-apps-clients-1.6.3-133.49.97.1
      krb5-apps-servers-1.6.3-133.49.97.1
      krb5-client-1.6.3-133.49.97.1
      krb5-plugin-kdb-ldap-1.6.3-133.49.97.3
      krb5-plugin-preauth-pkinit-1.6.3-133.49.97.3
      krb5-server-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server 11-SP3 (ppc64 s390x x86_64):

      krb5-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Server 11-SP3 (noarch):

      krb5-doc-1.6.3-133.49.97.3

   - SUSE Linux Enterprise Server 11-SP3 (ia64):

      krb5-x86-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

      krb5-1.6.3-133.49.97.1
      krb5-client-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Desktop 11-SP4 (x86_64):

      krb5-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

      krb5-1.6.3-133.49.97.1
      krb5-client-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Desktop 11-SP3 (x86_64):

      krb5-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      krb5-debuginfo-1.6.3-133.49.97.1
      krb5-debugsource-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      krb5-debuginfo-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64):

      krb5-debuginfo-x86-1.6.3-133.49.97.1


References:

   https://www.suse.com/security/cve/CVE-2015-2695.html
   https://bugzilla.suse.com/952188

From sle-security-updates at lists.suse.com Wed Nov 4 09:13:13 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Nov 2015 17:13:13 +0100 (CET)
Subject: SUSE-SU-2015:1908-1: important: Security update for xen
Message-ID: <20151104161313.E5B0F32139@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1908-1
Rating:             important
References:         #877642 #901488 #907514 #910258 #918984 #923967 #932267
                    #944463 #944697 #945167 #947165 #949138 #950367 #950703
                    #950705 #950706
Cross-References:   CVE-2014-0222 CVE-2015-4037 CVE-2015-5239 CVE-2015-6815
                    CVE-2015-7311 CVE-2015-7835 CVE-2015-7969 CVE-2015-7971
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves 8 vulnerabilities and has 8 fixes is now available.

Description:

   xen was updated to version 4.4.3 to fix nine security issues.

   These security issues were fixed:

   - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary files with predictable names, which allowed local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program (bsc#932267).
   - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#877642).
   - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367).
   - CVE-2015-7311: libxl in Xen did not properly handle the readonly flag on disks when using the qemu-xen device model, which allowed local guest users to write to a read-only disk image (bsc#947165).
   - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463).
   - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter an infinite loop (bsc#944697).
   - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to denial of service (bsc#950703).
   - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array leading to denial of service (bsc#950705).
   - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706).
   These non-security issues were fixed:

   - bsc#907514: Bus fatal error: SLES 12 sudden reboot has been observed
   - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of guest with VT-d NIC
   - bsc#918984: Bus fatal error: SLES11-SP4 sudden reboot has been observed
   - bsc#923967: Partner-L3: Bus fatal error: SLES11-SP3 sudden reboot has been observed
   - bnc#901488: Intel ixgbe driver assigns rx/tx queues per core, resulting in irq problems on servers with a large number of CPU cores
   - bsc#945167: Running the command "xl pci-assignable-add 03:10.1" a second time shows errors
   - bsc#949138: Setting vcpu affinity under Xen causes libvirtd abort

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-795=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-795=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-795=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 12 (x86_64): xen-debugsource-4.4.3_02-22.12.1 xen-devel-4.4.3_02-22.12.1 - SUSE Linux Enterprise Server 12 (x86_64): xen-4.4.3_02-22.12.1 xen-debugsource-4.4.3_02-22.12.1 xen-doc-html-4.4.3_02-22.12.1 xen-kmp-default-4.4.3_02_k3.12.48_52.27-22.12.1 xen-kmp-default-debuginfo-4.4.3_02_k3.12.48_52.27-22.12.1 xen-libs-32bit-4.4.3_02-22.12.1 xen-libs-4.4.3_02-22.12.1 xen-libs-debuginfo-32bit-4.4.3_02-22.12.1 xen-libs-debuginfo-4.4.3_02-22.12.1 xen-tools-4.4.3_02-22.12.1 xen-tools-debuginfo-4.4.3_02-22.12.1 xen-tools-domU-4.4.3_02-22.12.1 xen-tools-domU-debuginfo-4.4.3_02-22.12.1 - SUSE Linux Enterprise Desktop 12 (x86_64): xen-4.4.3_02-22.12.1 xen-debugsource-4.4.3_02-22.12.1 xen-kmp-default-4.4.3_02_k3.12.48_52.27-22.12.1 xen-kmp-default-debuginfo-4.4.3_02_k3.12.48_52.27-22.12.1 xen-libs-32bit-4.4.3_02-22.12.1 xen-libs-4.4.3_02-22.12.1 xen-libs-debuginfo-32bit-4.4.3_02-22.12.1 xen-libs-debuginfo-4.4.3_02-22.12.1 References: https://www.suse.com/security/cve/CVE-2014-0222.html https://www.suse.com/security/cve/CVE-2015-4037.html https://www.suse.com/security/cve/CVE-2015-5239.html https://www.suse.com/security/cve/CVE-2015-6815.html https://www.suse.com/security/cve/CVE-2015-7311.html https://www.suse.com/security/cve/CVE-2015-7835.html https://www.suse.com/security/cve/CVE-2015-7969.html https://www.suse.com/security/cve/CVE-2015-7971.html https://bugzilla.suse.com/877642 https://bugzilla.suse.com/901488 https://bugzilla.suse.com/907514 https://bugzilla.suse.com/910258 https://bugzilla.suse.com/918984 https://bugzilla.suse.com/923967 https://bugzilla.suse.com/932267 https://bugzilla.suse.com/944463 https://bugzilla.suse.com/944697 https://bugzilla.suse.com/945167 https://bugzilla.suse.com/947165 https://bugzilla.suse.com/949138 https://bugzilla.suse.com/950367 https://bugzilla.suse.com/950703 https://bugzilla.suse.com/950705 https://bugzilla.suse.com/950706 From sle-security-updates at lists.suse.com Thu 
Nov 5 01:11:06 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Nov 2015 09:11:06 +0100 (CET) Subject: SUSE-SU-2015:1915-1: moderate: Recommended update for LibreOffice Message-ID: <20151105081106.07DFB32139@maintenance.suse.de> SUSE Security Update: Recommended update for LibreOffice ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1915-1 Rating: moderate References: #470073 #806250 #829430 #890735 #900186 #900877 #907966 #910805 #910806 #913042 #914911 #915996 #916181 #918852 #919409 #926375 #929793 #934423 #936188 #936190 #940838 #943075 #945692 Cross-References: CVE-2014-8146 CVE-2014-8147 CVE-2015-1774 CVE-2015-4551 CVE-2015-5212 CVE-2015-5213 CVE-2015-5214 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves 7 vulnerabilities and has 16 fixes is now available. Description: This update brings LibreOffice to version 5.0.2, a major version update. It brings lots of new features, bugfixes and also security fixes. Features as seen on http://www.libreoffice.org/discover/new-features/ * LibreOffice 5.0 ships an impressive number of new features for its spreadsheet module, Calc: complex formulae image cropping, new functions, more powerful conditional formatting, table addressing and much more. Calc's blend of performance and features makes it an enterprise-ready, heavy duty spreadsheet application capable of handling all kinds of workload for an impressive range of use cases * New icons, major improvements to menus and sidebar : no other LibreOffice version has looked that good and helped you be creative and get things done the right way. 
     In addition, style management is now more intuitive thanks to the
     visualization of styles right in the interface.

   * LibreOffice 5 ships with numerous improvements to document import and
     export filters for MS Office, PDF, RTF, and more. You can now timestamp
     PDF documents generated with LibreOffice and enjoy enhanced document
     conversion fidelity all around.

   The Pentaho Flow Reporting Engine is now added and used.

   Security issues fixed:

   * CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in
     the Unicode Bidirectional Algorithm implementation in ICU4C in
     International Components for Unicode (ICU) before 55.1 did not properly
     track directionally isolated pieces of text, which allowed remote
     attackers to cause a denial of service (heap-based buffer overflow) or
     possibly execute arbitrary code via crafted text.

   * CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in
     the Unicode Bidirectional Algorithm implementation in ICU4C in
     International Components for Unicode (ICU) before 55.1 used an integer
     data type that is inconsistent with a header file, which allowed remote
     attackers to cause a denial of service (incorrect malloc followed by
     invalid free) or possibly execute arbitrary code via crafted text.

   * CVE-2015-4551: An arbitrary file disclosure vulnerability in LibreOffice
     and OpenOffice Calc and Writer was fixed.

   * CVE-2015-1774: The HWP filter in LibreOffice allowed remote attackers to
     cause a denial of service (crash) or possibly execute arbitrary code via
     a crafted HWP document, which triggered an out-of-bounds write.

   * CVE-2015-5212: A LibreOffice "PrinterSetup Length" integer underflow
     vulnerability could be used by attackers supplying documents to execute
     code as the user opening the document.

   * CVE-2015-5213: A LibreOffice "Piece Table Counter" invalid check design
     error vulnerability allowed attackers supplying documents to execute
     code as the user opening the document.

   * CVE-2015-5214: Multiple Vendor LibreOffice Bookmark Status Memory
     Corruption Vulnerability allowed attackers supplying documents to
     execute code as the user opening the document.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-797=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-797=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-797=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-797=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      cmis-client-debuginfo-0.5.0-5.1
      cmis-client-debugsource-0.5.0-5.1
      hyphen-debugsource-2.8.8-9.1
      libabw-0_1-1-0.1.1-5.3
      libabw-0_1-1-debuginfo-0.1.1-5.3
      libabw-debugsource-0.1.1-5.3
      libcdr-0_1-1-0.1.1-5.3
      libcdr-0_1-1-debuginfo-0.1.1-5.3
      libcdr-debugsource-0.1.1-5.3
      libcmis-0_5-5-0.5.0-5.1
      libcmis-0_5-5-debuginfo-0.5.0-5.1
      libe-book-0_1-1-0.1.2-4.2
      libe-book-0_1-1-debuginfo-0.1.2-4.2
      libe-book-debugsource-0.1.2-4.2
      libetonyek-0_1-1-0.1.3-3.5
      libetonyek-0_1-1-debuginfo-0.1.3-3.5
      libetonyek-debugsource-0.1.3-3.5
      libfreehand-0_1-1-0.1.1-4.9
      libfreehand-0_1-1-debuginfo-0.1.1-4.9
      libfreehand-debugsource-0.1.1-4.9
      libgltf-0_0-0-0.0.1-2.1
      libgltf-0_0-0-debuginfo-0.0.1-2.1
      libgltf-debugsource-0.0.1-2.1
      libhyphen0-2.8.8-9.1
      libhyphen0-debuginfo-2.8.8-9.1
      libixion-0_10-0-0.9.1-3.1
      libixion-0_10-0-debuginfo-0.9.1-3.1
      libixion-debugsource-0.9.1-3.1
      liblangtag-debugsource-0.5.7-3.1
      liblangtag1-0.5.7-3.1
      liblangtag1-debuginfo-0.5.7-3.1
      libmspub-0_1-1-0.1.2-5.1
      libmspub-0_1-1-debuginfo-0.1.2-5.1
      libmspub-debugsource-0.1.2-5.1
      libmwaw-0_3-3-0.3.6-3.3
      libmwaw-0_3-3-debuginfo-0.3.6-3.3
      libmwaw-debugsource-0.3.6-3.3
      libodfgen-0_1-1-0.1.4-3.9
      libodfgen-0_1-1-debuginfo-0.1.4-3.9
      libodfgen-debugsource-0.1.4-3.9
      liborcus-0_8-0-0.7.1-3.1
      liborcus-0_8-0-debuginfo-0.7.1-3.1
      liborcus-debugsource-0.7.1-3.1
      libpagemaker-0_0-0-0.0.2-2.3
      libpagemaker-0_0-0-debuginfo-0.0.2-2.3
      libpagemaker-debugsource-0.0.2-2.3
      libreoffice-5.0.2.2-13.14
      libreoffice-base-5.0.2.2-13.14
      libreoffice-base-debuginfo-5.0.2.2-13.14
      libreoffice-base-drivers-mysql-5.0.2.2-13.14
      libreoffice-base-drivers-mysql-debuginfo-5.0.2.2-13.14
      libreoffice-base-drivers-postgresql-5.0.2.2-13.14
      libreoffice-base-drivers-postgresql-debuginfo-5.0.2.2-13.14
      libreoffice-calc-5.0.2.2-13.14
      libreoffice-calc-debuginfo-5.0.2.2-13.14
      libreoffice-calc-extensions-5.0.2.2-13.14
      libreoffice-debuginfo-5.0.2.2-13.14
      libreoffice-debugsource-5.0.2.2-13.14
      libreoffice-draw-5.0.2.2-13.14
      libreoffice-draw-debuginfo-5.0.2.2-13.14
      libreoffice-filters-optional-5.0.2.2-13.14
      libreoffice-gnome-5.0.2.2-13.14
      libreoffice-gnome-debuginfo-5.0.2.2-13.14
      libreoffice-impress-5.0.2.2-13.14
      libreoffice-impress-debuginfo-5.0.2.2-13.14
      libreoffice-mailmerge-5.0.2.2-13.14
      libreoffice-math-5.0.2.2-13.14
      libreoffice-math-debuginfo-5.0.2.2-13.14
      libreoffice-officebean-5.0.2.2-13.14
      libreoffice-officebean-debuginfo-5.0.2.2-13.14
      libreoffice-pyuno-5.0.2.2-13.14
      libreoffice-pyuno-debuginfo-5.0.2.2-13.14
      libreoffice-voikko-4.1-6.3
      libreoffice-voikko-debuginfo-4.1-6.3
      libreoffice-writer-5.0.2.2-13.14
      libreoffice-writer-debuginfo-5.0.2.2-13.14
      libreoffice-writer-extensions-5.0.2.2-13.14
      librevenge-0_0-0-0.0.2-4.1
      librevenge-0_0-0-debuginfo-0.0.2-4.1
      librevenge-debugsource-0.0.2-4.1
      librevenge-stream-0_0-0-0.0.2-4.1
      librevenge-stream-0_0-0-debuginfo-0.0.2-4.1
      libvisio-0_1-1-0.1.3-4.3
      libvisio-0_1-1-debuginfo-0.1.3-4.3
      libvisio-debugsource-0.1.3-4.3
      libvoikko-debugsource-3.7.1-3.1
      libvoikko1-3.7.1-3.1
      libvoikko1-debuginfo-3.7.1-3.1
      libwps-0_4-4-0.4.1-3.1
      libwps-0_4-4-debuginfo-0.4.1-3.1
      libwps-debugsource-0.4.1-3.1
      myspell-dictionaries-20150827-5.1

   - SUSE Linux Enterprise Workstation Extension 12 (noarch):

      apache-commons-logging-1.1.3-7.1
      flute-1.3.0-4.2
      libbase-1.1.3-4.3
      libfonts-1.1.3-4.9
      libformula-1.1.3-4.3
      liblayout-0.2.10-4.8
      libloader-1.1.3-3.2
      libreoffice-icon-theme-tango-5.0.2.2-13.14
      libreoffice-l10n-af-5.0.2.2-13.14
      libreoffice-l10n-ar-5.0.2.2-13.14
      libreoffice-l10n-ca-5.0.2.2-13.14
      libreoffice-l10n-cs-5.0.2.2-13.14
      libreoffice-l10n-da-5.0.2.2-13.14
      libreoffice-l10n-de-5.0.2.2-13.14
      libreoffice-l10n-en-5.0.2.2-13.14
      libreoffice-l10n-es-5.0.2.2-13.14
      libreoffice-l10n-fi-5.0.2.2-13.14
      libreoffice-l10n-fr-5.0.2.2-13.14
      libreoffice-l10n-gu-5.0.2.2-13.14
      libreoffice-l10n-hi-5.0.2.2-13.14
      libreoffice-l10n-hu-5.0.2.2-13.14
      libreoffice-l10n-it-5.0.2.2-13.14
      libreoffice-l10n-ja-5.0.2.2-13.14
      libreoffice-l10n-ko-5.0.2.2-13.14
      libreoffice-l10n-nb-5.0.2.2-13.14
      libreoffice-l10n-nl-5.0.2.2-13.14
      libreoffice-l10n-nn-5.0.2.2-13.14
      libreoffice-l10n-pl-5.0.2.2-13.14
      libreoffice-l10n-pt-BR-5.0.2.2-13.14
      libreoffice-l10n-pt-PT-5.0.2.2-13.14
      libreoffice-l10n-ru-5.0.2.2-13.14
      libreoffice-l10n-sk-5.0.2.2-13.14
      libreoffice-l10n-sv-5.0.2.2-13.14
      libreoffice-l10n-xh-5.0.2.2-13.14
      libreoffice-l10n-zh-Hans-5.0.2.2-13.14
      libreoffice-l10n-zh-Hant-5.0.2.2-13.14
      libreoffice-l10n-zu-5.0.2.2-13.14
      libreoffice-share-linker-1-2.1
      librepository-1.1.3-4.3
      libserializer-1.1.2-4.3
      malaga-suomi-1.18-3.2
      myspell-af_ZA-20150827-5.1
      myspell-ar-20150827-5.1
      myspell-be_BY-20150827-5.1
      myspell-bg_BG-20150827-5.1
      myspell-bn_BD-20150827-5.1
      myspell-bs_BA-20150827-5.1
      myspell-ca-20150827-5.1
      myspell-cs_CZ-20150827-5.1
      myspell-da_DK-20150827-5.1
      myspell-de-20150827-5.1
      myspell-el_GR-20150827-5.1
      myspell-en-20150827-5.1
      myspell-es-20150827-5.1
      myspell-et_EE-20150827-5.1
      myspell-fr_FR-20150827-5.1
      myspell-gu_IN-20150827-5.1
      myspell-he_IL-20150827-5.1
      myspell-hi_IN-20150827-5.1
      myspell-hr_HR-20150827-5.1
      myspell-hu_HU-20150827-5.1
      myspell-it_IT-20150827-5.1
      myspell-lo_LA-20150827-5.1
      myspell-lt_LT-20150827-5.1
      myspell-lv_LV-20150827-5.1
      myspell-nl_NL-20150827-5.1
      myspell-no-20150827-5.1
      myspell-pl_PL-20150827-5.1
      myspell-pt_BR-20150827-5.1
      myspell-pt_PT-20150827-5.1
      myspell-ro-20150827-5.1
      myspell-ru_RU-20150827-5.1
      myspell-sk_SK-20150827-5.1
      myspell-sl_SI-20150827-5.1
      myspell-sr-20150827-5.1
      myspell-sv_SE-20150827-5.1
      myspell-te_IN-20150827-5.1
      myspell-th_TH-20150827-5.1
      myspell-vi-20150827-5.1
      myspell-zu_ZA-20150827-5.1
      pentaho-libxml-1.1.3-4.3
      pentaho-reporting-flow-engine-0.9.4-4.5
      sac-1.3-4.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      cmis-client-debuginfo-0.5.0-5.1
      cmis-client-debugsource-0.5.0-5.1
      graphite2-debuginfo-1.3.1-3.1
      graphite2-debugsource-1.3.1-3.1
      graphite2-devel-1.3.1-3.1
      hyphen-debugsource-2.8.8-9.1
      hyphen-devel-2.8.8-9.1
      libabw-debugsource-0.1.1-5.3
      libabw-devel-0.1.1-5.3
      libcdr-debugsource-0.1.1-5.3
      libcdr-devel-0.1.1-5.3
      libcmis-0_5-5-0.5.0-5.1
      libcmis-0_5-5-debuginfo-0.5.0-5.1
      libcmis-c-0_5-5-0.5.0-5.1
      libcmis-c-0_5-5-debuginfo-0.5.0-5.1
      libcmis-c-devel-0.5.0-5.1
      libcmis-devel-0.5.0-5.1
      libe-book-debugsource-0.1.2-4.2
      libe-book-devel-0.1.2-4.2
      libetonyek-debugsource-0.1.3-3.5
      libetonyek-devel-0.1.3-3.5
      libfreehand-debugsource-0.1.1-4.9
      libfreehand-devel-0.1.1-4.9
      libhyphen0-2.8.8-9.1
      libhyphen0-debuginfo-2.8.8-9.1
      libixion-0_10-0-0.9.1-3.1
      libixion-0_10-0-debuginfo-0.9.1-3.1
      libixion-debugsource-0.9.1-3.1
      libixion-devel-0.9.1-3.1
      liblangtag-debugsource-0.5.7-3.1
      liblangtag-devel-0.5.7-3.1
      liblangtag1-0.5.7-3.1
      liblangtag1-debuginfo-0.5.7-3.1
      libmspub-debugsource-0.1.2-5.1
      libmspub-devel-0.1.2-5.1
      libmwaw-debugsource-0.3.6-3.3
      libmwaw-devel-0.3.6-3.3
      libodfgen-debugsource-0.1.4-3.9
      libodfgen-devel-0.1.4-3.9
      liborcus-debugsource-0.7.1-3.1
      liborcus-devel-0.7.1-3.1
      librevenge-0_0-0-0.0.2-4.1
      librevenge-0_0-0-debuginfo-0.0.2-4.1
      librevenge-debugsource-0.0.2-4.1
      librevenge-devel-0.0.2-4.1
      librevenge-generators-0_0-0-0.0.2-4.1
      librevenge-generators-0_0-0-debuginfo-0.0.2-4.1
      librevenge-stream-0_0-0-0.0.2-4.1
      librevenge-stream-0_0-0-debuginfo-0.0.2-4.1
      libvisio-debugsource-0.1.3-4.3
      libvisio-devel-0.1.3-4.3
      libvoikko-debugsource-3.7.1-3.1
      libvoikko-devel-3.7.1-3.1
      libvoikko1-3.7.1-3.1
      libvoikko1-debuginfo-3.7.1-3.1
      libwps-debugsource-0.4.1-3.1
      libwps-devel-0.4.1-3.1

   - SUSE Linux Enterprise Software Development Kit 12 (noarch):

      libabw-devel-doc-0.1.1-5.3
      libcdr-devel-doc-0.1.1-5.3
      libe-book-devel-doc-0.1.2-4.2
      libetonyek-devel-doc-0.1.3-3.5
      libfreehand-devel-doc-0.1.1-4.9
      libmspub-devel-doc-0.1.2-5.1
      libmwaw-devel-doc-0.3.6-3.3
      libodfgen-devel-doc-0.1.4-3.9
      libvisio-devel-doc-0.1.3-4.3
      malaga-suomi-1.18-3.2

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      graphite2-debuginfo-1.3.1-3.1
      graphite2-debugsource-1.3.1-3.1
      libgraphite2-3-1.3.1-3.1
      libgraphite2-3-debuginfo-1.3.1-3.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libgraphite2-3-32bit-1.3.1-3.1
      libgraphite2-3-debuginfo-32bit-1.3.1-3.1

   - SUSE Linux Enterprise Server 12 (noarch):

      apache-commons-logging-1.1.3-7.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      cmis-client-debuginfo-0.5.0-5.1
      cmis-client-debugsource-0.5.0-5.1
      graphite2-debuginfo-1.3.1-3.1
      graphite2-debugsource-1.3.1-3.1
      hyphen-debugsource-2.8.8-9.1
      libabw-0_1-1-0.1.1-5.3
      libabw-0_1-1-debuginfo-0.1.1-5.3
      libabw-debugsource-0.1.1-5.3
      libcdr-0_1-1-0.1.1-5.3
      libcdr-0_1-1-debuginfo-0.1.1-5.3
      libcdr-debugsource-0.1.1-5.3
      libcmis-0_5-5-0.5.0-5.1
      libcmis-0_5-5-debuginfo-0.5.0-5.1
      libe-book-0_1-1-0.1.2-4.2
      libe-book-0_1-1-debuginfo-0.1.2-4.2
      libe-book-debugsource-0.1.2-4.2
      libetonyek-0_1-1-0.1.3-3.5
      libetonyek-0_1-1-debuginfo-0.1.3-3.5
      libetonyek-debugsource-0.1.3-3.5
      libfreehand-0_1-1-0.1.1-4.9
      libfreehand-0_1-1-debuginfo-0.1.1-4.9
      libfreehand-debugsource-0.1.1-4.9
      libgltf-0_0-0-0.0.1-2.1
      libgltf-0_0-0-debuginfo-0.0.1-2.1
      libgltf-debugsource-0.0.1-2.1
      libgraphite2-3-1.3.1-3.1
      libgraphite2-3-32bit-1.3.1-3.1
      libgraphite2-3-debuginfo-1.3.1-3.1
      libgraphite2-3-debuginfo-32bit-1.3.1-3.1
      libhyphen0-2.8.8-9.1
      libhyphen0-debuginfo-2.8.8-9.1
      libixion-0_10-0-0.9.1-3.1
      libixion-0_10-0-debuginfo-0.9.1-3.1
      libixion-debugsource-0.9.1-3.1
      liblangtag-debugsource-0.5.7-3.1
      liblangtag1-0.5.7-3.1
      liblangtag1-debuginfo-0.5.7-3.1
      libmspub-0_1-1-0.1.2-5.1
      libmspub-0_1-1-debuginfo-0.1.2-5.1
      libmspub-debugsource-0.1.2-5.1
      libmwaw-0_3-3-0.3.6-3.3
      libmwaw-0_3-3-debuginfo-0.3.6-3.3
      libmwaw-debugsource-0.3.6-3.3
      libodfgen-0_1-1-0.1.4-3.9
      libodfgen-0_1-1-debuginfo-0.1.4-3.9
      libodfgen-debugsource-0.1.4-3.9
      liborcus-0_8-0-0.7.1-3.1
      liborcus-0_8-0-debuginfo-0.7.1-3.1
      liborcus-debugsource-0.7.1-3.1
      libpagemaker-0_0-0-0.0.2-2.3
      libpagemaker-0_0-0-debuginfo-0.0.2-2.3
      libpagemaker-debugsource-0.0.2-2.3
      libreoffice-5.0.2.2-13.14
      libreoffice-base-5.0.2.2-13.14
      libreoffice-base-debuginfo-5.0.2.2-13.14
      libreoffice-base-drivers-mysql-5.0.2.2-13.14
      libreoffice-base-drivers-mysql-debuginfo-5.0.2.2-13.14
      libreoffice-base-drivers-postgresql-5.0.2.2-13.14
      libreoffice-base-drivers-postgresql-debuginfo-5.0.2.2-13.14
      libreoffice-calc-5.0.2.2-13.14
      libreoffice-calc-debuginfo-5.0.2.2-13.14
      libreoffice-calc-extensions-5.0.2.2-13.14
      libreoffice-debuginfo-5.0.2.2-13.14
      libreoffice-debugsource-5.0.2.2-13.14
      libreoffice-draw-5.0.2.2-13.14
      libreoffice-draw-debuginfo-5.0.2.2-13.14
      libreoffice-filters-optional-5.0.2.2-13.14
      libreoffice-gnome-5.0.2.2-13.14
      libreoffice-gnome-debuginfo-5.0.2.2-13.14
      libreoffice-impress-5.0.2.2-13.14
      libreoffice-impress-debuginfo-5.0.2.2-13.14
      libreoffice-mailmerge-5.0.2.2-13.14
      libreoffice-math-5.0.2.2-13.14
      libreoffice-math-debuginfo-5.0.2.2-13.14
      libreoffice-officebean-5.0.2.2-13.14
      libreoffice-officebean-debuginfo-5.0.2.2-13.14
      libreoffice-pyuno-5.0.2.2-13.14
      libreoffice-pyuno-debuginfo-5.0.2.2-13.14
      libreoffice-voikko-4.1-6.3
      libreoffice-voikko-debuginfo-4.1-6.3
      libreoffice-writer-5.0.2.2-13.14
      libreoffice-writer-debuginfo-5.0.2.2-13.14
      libreoffice-writer-extensions-5.0.2.2-13.14
      librevenge-0_0-0-0.0.2-4.1
      librevenge-0_0-0-debuginfo-0.0.2-4.1
      librevenge-debugsource-0.0.2-4.1
      librevenge-stream-0_0-0-0.0.2-4.1
      librevenge-stream-0_0-0-debuginfo-0.0.2-4.1
      libvisio-0_1-1-0.1.3-4.3
      libvisio-0_1-1-debuginfo-0.1.3-4.3
      libvisio-debugsource-0.1.3-4.3
      libvoikko-debugsource-3.7.1-3.1
      libvoikko1-3.7.1-3.1
      libvoikko1-debuginfo-3.7.1-3.1
      libwps-0_4-4-0.4.1-3.1
      libwps-0_4-4-debuginfo-0.4.1-3.1
      libwps-debugsource-0.4.1-3.1
      myspell-dictionaries-20150827-5.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      apache-commons-logging-1.1.3-7.1
      flute-1.3.0-4.2
      libbase-1.1.3-4.3
      libfonts-1.1.3-4.9
      libformula-1.1.3-4.3
      liblayout-0.2.10-4.8
      libloader-1.1.3-3.2
      libreoffice-icon-theme-tango-5.0.2.2-13.14
      libreoffice-l10n-af-5.0.2.2-13.14
      libreoffice-l10n-ar-5.0.2.2-13.14
      libreoffice-l10n-ca-5.0.2.2-13.14
      libreoffice-l10n-cs-5.0.2.2-13.14
      libreoffice-l10n-da-5.0.2.2-13.14
      libreoffice-l10n-de-5.0.2.2-13.14
      libreoffice-l10n-en-5.0.2.2-13.14
      libreoffice-l10n-es-5.0.2.2-13.14
      libreoffice-l10n-fi-5.0.2.2-13.14
      libreoffice-l10n-fr-5.0.2.2-13.14
      libreoffice-l10n-gu-5.0.2.2-13.14
      libreoffice-l10n-hi-5.0.2.2-13.14
      libreoffice-l10n-hu-5.0.2.2-13.14
      libreoffice-l10n-it-5.0.2.2-13.14
      libreoffice-l10n-ja-5.0.2.2-13.14
      libreoffice-l10n-ko-5.0.2.2-13.14
      libreoffice-l10n-nb-5.0.2.2-13.14
      libreoffice-l10n-nl-5.0.2.2-13.14
      libreoffice-l10n-nn-5.0.2.2-13.14
      libreoffice-l10n-pl-5.0.2.2-13.14
      libreoffice-l10n-pt-BR-5.0.2.2-13.14
      libreoffice-l10n-pt-PT-5.0.2.2-13.14
      libreoffice-l10n-ru-5.0.2.2-13.14
      libreoffice-l10n-sk-5.0.2.2-13.14
      libreoffice-l10n-sv-5.0.2.2-13.14
      libreoffice-l10n-xh-5.0.2.2-13.14
      libreoffice-l10n-zh-Hans-5.0.2.2-13.14
      libreoffice-l10n-zh-Hant-5.0.2.2-13.14
      libreoffice-l10n-zu-5.0.2.2-13.14
      libreoffice-share-linker-1-2.1
      librepository-1.1.3-4.3
      libserializer-1.1.2-4.3
      malaga-suomi-1.18-3.2
      myspell-af_ZA-20150827-5.1
      myspell-ar-20150827-5.1
      myspell-be_BY-20150827-5.1
      myspell-bg_BG-20150827-5.1
      myspell-bn_BD-20150827-5.1
      myspell-bs_BA-20150827-5.1
      myspell-ca-20150827-5.1
      myspell-cs_CZ-20150827-5.1
      myspell-da_DK-20150827-5.1
      myspell-de-20150827-5.1
      myspell-el_GR-20150827-5.1
      myspell-en-20150827-5.1
      myspell-es-20150827-5.1
      myspell-et_EE-20150827-5.1
      myspell-fr_FR-20150827-5.1
      myspell-gu_IN-20150827-5.1
      myspell-he_IL-20150827-5.1
      myspell-hi_IN-20150827-5.1
      myspell-hr_HR-20150827-5.1
      myspell-hu_HU-20150827-5.1
      myspell-it_IT-20150827-5.1
      myspell-lo_LA-20150827-5.1
      myspell-lt_LT-20150827-5.1
      myspell-lv_LV-20150827-5.1
      myspell-nl_NL-20150827-5.1
      myspell-no-20150827-5.1
      myspell-pl_PL-20150827-5.1
      myspell-pt_BR-20150827-5.1
      myspell-pt_PT-20150827-5.1
      myspell-ro-20150827-5.1
      myspell-ru_RU-20150827-5.1
      myspell-sk_SK-20150827-5.1
      myspell-sl_SI-20150827-5.1
      myspell-sr-20150827-5.1
      myspell-sv_SE-20150827-5.1
      myspell-te_IN-20150827-5.1
      myspell-th_TH-20150827-5.1
      myspell-vi-20150827-5.1
      myspell-zu_ZA-20150827-5.1
      pentaho-libxml-1.1.3-4.3
      pentaho-reporting-flow-engine-0.9.4-4.5
      sac-1.3-4.1

References:

   https://www.suse.com/security/cve/CVE-2014-8146.html
   https://www.suse.com/security/cve/CVE-2014-8147.html
   https://www.suse.com/security/cve/CVE-2015-1774.html
   https://www.suse.com/security/cve/CVE-2015-4551.html
   https://www.suse.com/security/cve/CVE-2015-5212.html
   https://www.suse.com/security/cve/CVE-2015-5213.html
   https://www.suse.com/security/cve/CVE-2015-5214.html
   https://bugzilla.suse.com/470073
   https://bugzilla.suse.com/806250
   https://bugzilla.suse.com/829430
   https://bugzilla.suse.com/890735
   https://bugzilla.suse.com/900186
   https://bugzilla.suse.com/900877
   https://bugzilla.suse.com/907966
   https://bugzilla.suse.com/910805
   https://bugzilla.suse.com/910806
   https://bugzilla.suse.com/913042
   https://bugzilla.suse.com/914911
   https://bugzilla.suse.com/915996
   https://bugzilla.suse.com/916181
   https://bugzilla.suse.com/918852
   https://bugzilla.suse.com/919409
   https://bugzilla.suse.com/926375
   https://bugzilla.suse.com/929793
   https://bugzilla.suse.com/934423
   https://bugzilla.suse.com/936188
   https://bugzilla.suse.com/936190
   https://bugzilla.suse.com/940838
   https://bugzilla.suse.com/943075
   https://bugzilla.suse.com/945692

From sle-security-updates at lists.suse.com Fri Nov 6 07:12:03 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2015 15:12:03 +0100 (CET)
Subject: SUSE-SU-2015:1925-1: moderate: Security update for libvdpau
Message-ID: <20151106141203.D466432139@maintenance.suse.de>

   SUSE Security Update: Security update for libvdpau
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1925-1
Rating:             moderate
References:         #943967 #943968 #943969
Cross-References:   CVE-2015-5198 CVE-2015-5199 CVE-2015-5200
Affected Products:
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   libvdpau was updated to use secure_getenv() instead of getenv() for
   several variables so it can be more safely used in setuid applications.

   * CVE-2015-5198: libvdpau: incorrect check for security transition
     (bnc#943967)
   * CVE-2015-5199: libvdpau: directory traversal in dlopen (bnc#943968)
   * CVE-2015-5200: libvdpau: vulnerability in trace functionality
     (bnc#943969)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-libvdpau-12192=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-libvdpau-12192=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-libvdpau-12192=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-libvdpau-12192=1

   To bring your system up-to-date, use "zypper patch".
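The libvdpau description above names the fix (secure_getenv() in place of getenv()) without showing why it matters for a library that can be loaded into a setuid program. The following is an added example for this digest, not libvdpau's code: a small plugin-loading library that takes a directory override from the environment, once with getenv() and once with secure_getenv(), plus the path sanity check a hardened loader would apply before dlopen(). The variable name EXAMPLE_PLUGIN_DIR, the default directory and all function names are assumptions made for the example; it targets Linux with glibc.

```c
/* Added example (not libvdpau's code): reading path-like settings from the
 * environment in a library that may be loaded into a setuid/setgid process.
 * PLUGIN_DIR_ENV, DEFAULT_PLUGIN_DIR and the function names are assumptions
 * made for this example. Linux/glibc only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* secure_getenv() is a GNU extension; declaring it explicitly keeps the
 * example building even if system headers were included before _GNU_SOURCE. */
extern char *secure_getenv(const char *name);

#define PLUGIN_DIR_ENV     "EXAMPLE_PLUGIN_DIR"          /* hypothetical */
#define DEFAULT_PLUGIN_DIR "/usr/lib64/example-plugins"  /* hypothetical */

/* Non-zero when the kernel started this process with privileges the invoking
 * user does not hold (setuid/setgid bit, file capabilities). The kernel
 * reports this through AT_SECURE in the auxiliary vector, and glibc's
 * secure_getenv() keys off the same flag. */
int running_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Unsafe: trusts the environment unconditionally. The environment of a
 * setuid program is chosen by the unprivileged caller, so dlopen()ing a
 * driver from this directory would run caller-supplied code with the
 * program's elevated privileges. */
const char *plugin_dir_unsafe(void)
{
    const char *dir = getenv(PLUGIN_DIR_ENV);
    return dir ? dir : DEFAULT_PLUGIN_DIR;
}

/* Hardened: secure_getenv() returns NULL whenever AT_SECURE is set, so the
 * override is ignored in privileged processes and the compiled-in default is
 * used. In an ordinary process it behaves exactly like getenv(). */
const char *plugin_dir_safe(void)
{
    const char *dir = secure_getenv(PLUGIN_DIR_ENV);
    return dir ? dir : DEFAULT_PLUGIN_DIR;
}

/* Defence in depth for the traversal class listed as CVE-2015-5199 above:
 * a path that originates outside the library must be absolute and must not
 * contain a ".." component. Returns 1 if acceptable, 0 otherwise. */
int is_sane_plugin_path(const char *p)
{
    if (p == NULL || p[0] != '/')
        return 0;
    const char *seg = p;
    while (*seg) {
        while (*seg == '/')          /* skip one or more separators */
            seg++;
        const char *end = seg;
        while (*end && *end != '/')  /* find the end of this component */
            end++;
        if (end - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        seg = end;
    }
    return 1;
}

int main(void)
{
    printf("AT_SECURE set:        %d\n", running_secure());
    printf("getenv() path:        %s\n", plugin_dir_unsafe());
    printf("secure_getenv() path: %s\n", plugin_dir_safe());
    printf("path check: default=%d traversal=%d\n",
           is_sane_plugin_path(DEFAULT_PLUGIN_DIR),
           is_sane_plugin_path("/usr/lib64/../../tmp/x"));
    return 0;
}
```

Run as an ordinary user both variants return the same directory; the difference only appears when the binary is started with AT_SECURE set, where plugin_dir_safe() ignores EXAMPLE_PLUGIN_DIR and falls back to the default while plugin_dir_unsafe() still honours it. The component-wise ".." check is independent of the privilege question and is worth keeping even in unprivileged processes.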
Package List:

   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

      libvdpau1-0.4.1-16.20.2

   - SUSE Linux Enterprise Desktop 11-SP4 (x86_64):

      libvdpau1-32bit-0.4.1-16.20.2

   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

      libvdpau1-0.4.1-16.20.2

   - SUSE Linux Enterprise Desktop 11-SP3 (x86_64):

      libvdpau1-32bit-0.4.1-16.20.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      libvdpau-debuginfo-0.4.1-16.20.2
      libvdpau-debugsource-0.4.1-16.20.2

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

      libvdpau-debuginfo-0.4.1-16.20.2
      libvdpau-debugsource-0.4.1-16.20.2

References:

   https://www.suse.com/security/cve/CVE-2015-5198.html
   https://www.suse.com/security/cve/CVE-2015-5199.html
   https://www.suse.com/security/cve/CVE-2015-5200.html
   https://bugzilla.suse.com/943967
   https://bugzilla.suse.com/943968
   https://bugzilla.suse.com/943969

From sle-security-updates at lists.suse.com Fri Nov 6 09:11:15 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2015 17:11:15 +0100 (CET)
Subject: SUSE-SU-2015:1926-1: important: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Message-ID: <20151106161115.6591732139@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1926-1
Rating:             important
References:         #908275 #952810
Cross-References:   CVE-2015-4513 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183
                    CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194
                    CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199
                    CVE-2015-7200
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.
Description:

   This Mozilla Firefox, NSS and NSPR update fixes the following security and
   non-security issues.

   - mozilla-nspr was updated to version 4.10.10 (bsc#952810)
     * MFSA 2015-133/CVE-2015-7183 (bmo#1205157)
       NSPR memory corruption issues

   - mozilla-nss was updated to 3.19.2.1 (bsc#952810)
     * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028, bmo#1202868)
       NSS and NSPR memory corruption issues

   - MozillaFirefox was updated to 38.4.0 ESR (bsc#952810)
     * MFSA 2015-116/CVE-2015-4513 (bmo#1107011, bmo#1191942, bmo#1193038,
       bmo#1204580, bmo#1204669, bmo#1204700, bmo#1205707, bmo#1206564,
       bmo#1208665, bmo#1209471, bmo#1213979)
       Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
     * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
       Trailing whitespace in IP address hostnames can bypass same-origin
       policy
     * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
       Buffer overflow during image interactions in canvas
     * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
       CORS preflight is bypassed when non-standard Content-Type headers are
       received
     * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
       Memory corruption in libjar through zip files
     * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
       JavaScript garbage collection crash with Java applet
     * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 (bmo#1204061,
       bmo#1188010, bmo#1204155)
       Vulnerabilities found through code inspection
     * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
       Mixed content WebSocket policy bypass through workers
     * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 (bmo#1202868,
       bmo#1192028, bmo#1205157)
       NSS and NSPR memory corruption issues

   - fix printing on landscape media (bsc#908275)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-807=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-807=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-807=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-38.4.0esr-51.1
      MozillaFirefox-debugsource-38.4.0esr-51.1
      MozillaFirefox-devel-38.4.0esr-51.1
      mozilla-nspr-debuginfo-4.10.10-9.1
      mozilla-nspr-debugsource-4.10.10-9.1
      mozilla-nspr-devel-4.10.10-9.1
      mozilla-nss-debuginfo-3.19.2.1-29.1
      mozilla-nss-debugsource-3.19.2.1-29.1
      mozilla-nss-devel-3.19.2.1-29.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      MozillaFirefox-38.4.0esr-51.1
      MozillaFirefox-branding-SLE-31.0-17.1
      MozillaFirefox-debuginfo-38.4.0esr-51.1
      MozillaFirefox-debugsource-38.4.0esr-51.1
      MozillaFirefox-translations-38.4.0esr-51.1
      libfreebl3-3.19.2.1-29.1
      libfreebl3-debuginfo-3.19.2.1-29.1
      libfreebl3-hmac-3.19.2.1-29.1
      libsoftokn3-3.19.2.1-29.1
      libsoftokn3-debuginfo-3.19.2.1-29.1
      libsoftokn3-hmac-3.19.2.1-29.1
      mozilla-nspr-4.10.10-9.1
      mozilla-nspr-debuginfo-4.10.10-9.1
      mozilla-nspr-debugsource-4.10.10-9.1
      mozilla-nss-3.19.2.1-29.1
      mozilla-nss-certs-3.19.2.1-29.1
      mozilla-nss-certs-debuginfo-3.19.2.1-29.1
      mozilla-nss-debuginfo-3.19.2.1-29.1
      mozilla-nss-debugsource-3.19.2.1-29.1
      mozilla-nss-tools-3.19.2.1-29.1
      mozilla-nss-tools-debuginfo-3.19.2.1-29.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libfreebl3-32bit-3.19.2.1-29.1
      libfreebl3-debuginfo-32bit-3.19.2.1-29.1
      libfreebl3-hmac-32bit-3.19.2.1-29.1
      libsoftokn3-32bit-3.19.2.1-29.1
      libsoftokn3-debuginfo-32bit-3.19.2.1-29.1
      libsoftokn3-hmac-32bit-3.19.2.1-29.1
      mozilla-nspr-32bit-4.10.10-9.1
      mozilla-nspr-debuginfo-32bit-4.10.10-9.1
      mozilla-nss-32bit-3.19.2.1-29.1
      mozilla-nss-certs-32bit-3.19.2.1-29.1
      mozilla-nss-certs-debuginfo-32bit-3.19.2.1-29.1
      mozilla-nss-debuginfo-32bit-3.19.2.1-29.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      MozillaFirefox-38.4.0esr-51.1
      MozillaFirefox-branding-SLE-31.0-17.1
      MozillaFirefox-debuginfo-38.4.0esr-51.1
      MozillaFirefox-debugsource-38.4.0esr-51.1
      MozillaFirefox-translations-38.4.0esr-51.1
      libfreebl3-3.19.2.1-29.1
      libfreebl3-32bit-3.19.2.1-29.1
      libfreebl3-debuginfo-3.19.2.1-29.1
      libfreebl3-debuginfo-32bit-3.19.2.1-29.1
      libsoftokn3-3.19.2.1-29.1
      libsoftokn3-32bit-3.19.2.1-29.1
      libsoftokn3-debuginfo-3.19.2.1-29.1
      libsoftokn3-debuginfo-32bit-3.19.2.1-29.1
      mozilla-nspr-32bit-4.10.10-9.1
      mozilla-nspr-4.10.10-9.1
      mozilla-nspr-debuginfo-32bit-4.10.10-9.1
      mozilla-nspr-debuginfo-4.10.10-9.1
      mozilla-nspr-debugsource-4.10.10-9.1
      mozilla-nss-3.19.2.1-29.1
      mozilla-nss-32bit-3.19.2.1-29.1
      mozilla-nss-certs-3.19.2.1-29.1
      mozilla-nss-certs-32bit-3.19.2.1-29.1
      mozilla-nss-certs-debuginfo-3.19.2.1-29.1
      mozilla-nss-certs-debuginfo-32bit-3.19.2.1-29.1
      mozilla-nss-debuginfo-3.19.2.1-29.1
      mozilla-nss-debuginfo-32bit-3.19.2.1-29.1
      mozilla-nss-debugsource-3.19.2.1-29.1
      mozilla-nss-tools-3.19.2.1-29.1
      mozilla-nss-tools-debuginfo-3.19.2.1-29.1

References:

   https://www.suse.com/security/cve/CVE-2015-4513.html
   https://www.suse.com/security/cve/CVE-2015-7181.html
   https://www.suse.com/security/cve/CVE-2015-7182.html
   https://www.suse.com/security/cve/CVE-2015-7183.html
   https://www.suse.com/security/cve/CVE-2015-7188.html
   https://www.suse.com/security/cve/CVE-2015-7189.html
   https://www.suse.com/security/cve/CVE-2015-7193.html
   https://www.suse.com/security/cve/CVE-2015-7194.html
   https://www.suse.com/security/cve/CVE-2015-7196.html
   https://www.suse.com/security/cve/CVE-2015-7197.html
   https://www.suse.com/security/cve/CVE-2015-7198.html
   https://www.suse.com/security/cve/CVE-2015-7199.html
   https://www.suse.com/security/cve/CVE-2015-7200.html
   https://bugzilla.suse.com/908275
   https://bugzilla.suse.com/952810

From sle-security-updates at lists.suse.com Tue Nov 10 10:10:09 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2015 18:10:09 +0100 (CET)
Subject: SUSE-SU-2015:1952-1: important: Security update for xen
Message-ID: <20151110171010.00131320DF@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1952-1
Rating:             important
References:         #877642 #932267 #944463 #944697 #950367 #950703 #950705
                    #950706
Cross-References:   CVE-2014-0222 CVE-2015-4037 CVE-2015-5239 CVE-2015-6815
                    CVE-2015-7835 CVE-2015-7969 CVE-2015-7971
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has one errata is now
   available.

Description:

   xen was updated to fix eight security issues.

   These security issues were fixed:

   - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary
     files with predictable names, which allowed local users to cause a
     denial of service (instantiation failure) by creating /tmp/qemu-smb.*-*
     files before the program (bsc#932267).
   - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote
     attackers to cause a denial of service (crash) via a large L2 table in a
     QCOW version 1 image (bsc#877642).
   - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests
     (bsc#950367).
   - CVE-2015-5239: Integer overflow in vnc_client_read() and
     protocol_client_msg() (bsc#944463).
   - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter
     an infinite loop (bsc#944697).
   - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to
     denial of service (bsc#950703).
   - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array
     leading to denial of service (bsc#950705).
   - CVE-2015-7971: Some pmu and profiling hypercalls log without rate
     limiting (bsc#950706).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-xen-12199=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-xen-12199=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

      xen-devel-4.1.6_08-20.1
      xen-kmp-default-4.1.6_08_3.0.101_0.7.37-20.1
      xen-kmp-trace-4.1.6_08_3.0.101_0.7.37-20.1
      xen-libs-4.1.6_08-20.1
      xen-tools-domU-4.1.6_08-20.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (x86_64):

      xen-4.1.6_08-20.1
      xen-doc-html-4.1.6_08-20.1
      xen-doc-pdf-4.1.6_08-20.1
      xen-libs-32bit-4.1.6_08-20.1
      xen-tools-4.1.6_08-20.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586):

      xen-kmp-pae-4.1.6_08_3.0.101_0.7.37-20.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):

      xen-debuginfo-4.1.6_08-20.1
      xen-debugsource-4.1.6_08-20.1

References:

   https://www.suse.com/security/cve/CVE-2014-0222.html
   https://www.suse.com/security/cve/CVE-2015-4037.html
   https://www.suse.com/security/cve/CVE-2015-5239.html
   https://www.suse.com/security/cve/CVE-2015-6815.html
   https://www.suse.com/security/cve/CVE-2015-7835.html
   https://www.suse.com/security/cve/CVE-2015-7969.html
   https://www.suse.com/security/cve/CVE-2015-7971.html
   https://bugzilla.suse.com/877642
   https://bugzilla.suse.com/932267
   https://bugzilla.suse.com/944463
   https://bugzilla.suse.com/944697
   https://bugzilla.suse.com/950367
   https://bugzilla.suse.com/950703
   https://bugzilla.suse.com/950705
   https://bugzilla.suse.com/950706

From sle-security-updates at lists.suse.com Wed Nov 11 09:12:29 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2015 17:12:29 +0100 (CET)
Subject: SUSE-SU-2015:1958-1: moderate: Security update for flash-player
Message-ID: <20151111161229.C7D7D32139@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1958-1 Rating: moderate References: #954512 Cross-References: CVE-2015-7651 CVE-2015-7652 CVE-2015-7653 CVE-2015-7654 CVE-2015-7655 CVE-2015-7656 CVE-2015-7657 CVE-2015-7658 CVE-2015-7659 CVE-2015-7660 CVE-2015-7661 CVE-2015-7662 CVE-2015-7663 CVE-2015-8042 CVE-2015-8043 CVE-2015-8044 CVE-2015-8046 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: The flash-player package was updated to fix the following security issues: - Security update to 11.2.202.548 (bsc#954512): * APSB15-28, CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7659, CVE-2015-7660, CVE-2015-7661, CVE-2015-7662, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2015-824=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-824=1 To bring your system up-to-date, use "zypper patch". 
Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      flash-player-11.2.202.548-111.1
      flash-player-gnome-11.2.202.548-111.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      flash-player-11.2.202.548-111.1
      flash-player-gnome-11.2.202.548-111.1

References:

   https://www.suse.com/security/cve/CVE-2015-7651.html
   https://www.suse.com/security/cve/CVE-2015-7652.html
   https://www.suse.com/security/cve/CVE-2015-7653.html
   https://www.suse.com/security/cve/CVE-2015-7654.html
   https://www.suse.com/security/cve/CVE-2015-7655.html
   https://www.suse.com/security/cve/CVE-2015-7656.html
   https://www.suse.com/security/cve/CVE-2015-7657.html
   https://www.suse.com/security/cve/CVE-2015-7658.html
   https://www.suse.com/security/cve/CVE-2015-7659.html
   https://www.suse.com/security/cve/CVE-2015-7660.html
   https://www.suse.com/security/cve/CVE-2015-7661.html
   https://www.suse.com/security/cve/CVE-2015-7662.html
   https://www.suse.com/security/cve/CVE-2015-7663.html
   https://www.suse.com/security/cve/CVE-2015-8042.html
   https://www.suse.com/security/cve/CVE-2015-8043.html
   https://www.suse.com/security/cve/CVE-2015-8044.html
   https://www.suse.com/security/cve/CVE-2015-8046.html
   https://bugzilla.suse.com/954512

From sle-security-updates at lists.suse.com  Wed Nov 11 09:13:03 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2015 17:13:03 +0100 (CET)
Subject: SUSE-SU-2015:1960-1: moderate: Security update for flash-player
Message-ID: <20151111161303.9F91932139@maintenance.suse.de>

   SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1960-1
Rating:             moderate
References:         #954512
Cross-References:   CVE-2015-7651 CVE-2015-7652 CVE-2015-7653 CVE-2015-7654
                    CVE-2015-7655 CVE-2015-7656 CVE-2015-7657 CVE-2015-7658
                    CVE-2015-7659 CVE-2015-7660 CVE-2015-7661 CVE-2015-7662
                    CVE-2015-7663 CVE-2015-8042 CVE-2015-8043 CVE-2015-8044
                    CVE-2015-8046
Affected Products:
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   The flash-player package was updated to fix the following security issues:

   - Security update to 11.2.202.548 (bsc#954512):
     * APSB15-28, CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654,
       CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658,
       CVE-2015-7659, CVE-2015-7660, CVE-2015-7661, CVE-2015-7662,
       CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044,
       CVE-2015-8046

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-flash-player-12200=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-flash-player-12200=1

   To bring your system up-to-date, use "zypper patch".
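   The patch instructions say how to pull the fix; they do not tell you whether a
   given host already carries it. The Package List sections in these advisories
   give the fixed name-version-release of every package, so the natural check is
   to compare the installed NVRs against that list with RPM's ordering rules.
   The following is an added example, not SUSE tooling: it takes installed
   package strings in the form printed by
   `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`, parses a Package List
   block, and reports which installed packages are older than the fix. The
   installed package strings below are constructed sample data; the rpmvercmp
   port ignores epochs and rpm's newer '^' separator (an assumption that holds
   for the SLE 11/12 versions on this page).

```python
"""Added example (not SUSE's own tooling): compare installed RPM NVRs against an
advisory's Package List to see which packages still lack the fixed build."""
import re

# Segments rpmvercmp compares: runs of digits, runs of letters, or the '~' marker.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings like rpm's rpmvercmp(): compare
    segment by segment, digits as integers, letters as strings; a numeric segment
    beats an alphabetic one; '~' sorts before anything, so '1.0~rc1' < '1.0'.
    Assumption: no '^' separator (newer rpm) is present."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi == yi:          # e.g. "01" vs "1"
                continue
            return -1 if xi < yi else 1
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer,
    # unless its next segment is '~', which makes it older.
    if len(sa) == len(sb):
        return 0
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    return 1 if sb[len(sa)] == "~" else -1


def split_nvr(pkg: str):
    """'flash-player-gnome-11.2.202.548-111.1' -> (name, version, release).
    RPM's convention: the last two '-'-separated fields are version and release."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def parse_package_list(text: str):
    """Pull name-version-release tokens out of an advisory's Package List block.
    Product headings such as 'Desktop 11-SP4 (i586 x86_64):' do not match
    because their second-to-last field does not start with a digit."""
    pkgs = []
    for tok in text.split():
        if "=" in tok or tok.endswith(":"):
            continue
        parts = tok.rsplit("-", 2)
        if len(parts) == 3 and parts[0] and parts[1][:1].isdigit() and parts[2][:1].isdigit():
            pkgs.append(tok)
    return pkgs


def outdated(installed_nvrs, package_list_text):
    """Names of installed packages whose version-release is older than the
    advisory's fixed build. Packages not installed at all are not reported."""
    fixed = {}
    for pkg in parse_package_list(package_list_text):
        n, v, r = split_nvr(pkg)
        fixed[n] = (v, r)
    result = []
    for nvr in installed_nvrs:
        n, v, r = split_nvr(nvr)
        if n in fixed:
            cmp = rpmvercmp(v, fixed[n][0]) or rpmvercmp(r, fixed[n][1])
            if cmp < 0:
                result.append(n)
    return result


# Constructed sample: the SLE 12 flash-player Package List from this advisory
# series, and an imaginary host where only flash-player is still on an old build.
PACKAGE_LIST = """
   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      flash-player-11.2.202.548-111.1
      flash-player-gnome-11.2.202.548-111.1
"""
INSTALLED = [
    "flash-player-11.2.202.535-110.1",        # constructed: older than the fix
    "flash-player-gnome-11.2.202.548-111.1",  # already at the fixed build
    "MozillaFirefox-38.4.0esr-25.6",          # not in this advisory's list
]

if __name__ == "__main__":
    print("still vulnerable:", outdated(INSTALLED, PACKAGE_LIST))
```

   Run it against real `rpm -qa` output on the host and the advisory text pasted
   from the mail; anything it prints is a package for which the zypper command
   above has not yet taken effect.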
Package List:

   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

      flash-player-11.2.202.548-0.26.1
      flash-player-gnome-11.2.202.548-0.26.1
      flash-player-kde4-11.2.202.548-0.26.1

   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

      flash-player-11.2.202.548-0.26.1
      flash-player-gnome-11.2.202.548-0.26.1
      flash-player-kde4-11.2.202.548-0.26.1

References:

   https://www.suse.com/security/cve/CVE-2015-7651.html
   https://www.suse.com/security/cve/CVE-2015-7652.html
   https://www.suse.com/security/cve/CVE-2015-7653.html
   https://www.suse.com/security/cve/CVE-2015-7654.html
   https://www.suse.com/security/cve/CVE-2015-7655.html
   https://www.suse.com/security/cve/CVE-2015-7656.html
   https://www.suse.com/security/cve/CVE-2015-7657.html
   https://www.suse.com/security/cve/CVE-2015-7658.html
   https://www.suse.com/security/cve/CVE-2015-7659.html
   https://www.suse.com/security/cve/CVE-2015-7660.html
   https://www.suse.com/security/cve/CVE-2015-7661.html
   https://www.suse.com/security/cve/CVE-2015-7662.html
   https://www.suse.com/security/cve/CVE-2015-7663.html
   https://www.suse.com/security/cve/CVE-2015-8042.html
   https://www.suse.com/security/cve/CVE-2015-8043.html
   https://www.suse.com/security/cve/CVE-2015-8044.html
   https://www.suse.com/security/cve/CVE-2015-8046.html
   https://bugzilla.suse.com/954512

From sle-security-updates at lists.suse.com  Thu Nov 12 09:11:48 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2015 17:11:48 +0100 (CET)
Subject: SUSE-SU-2015:1978-1: important: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Message-ID: <20151112161148.C811032139@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1978-1
Rating:             important
References:         #908275 #952810
Cross-References:   CVE-2015-4513 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183
                    CVE-2015-7188 CVE-2015-7189
                    CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197
                    CVE-2015-7198 CVE-2015-7199 CVE-2015-7200
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This Mozilla Firefox, NSS and NSPR update fixes the following security and
   non-security issues.

   - mozilla-nspr was updated to version 4.10.10 (bsc#952810)
     * MFSA 2015-133/CVE-2015-7183 (bmo#1205157)
       NSPR memory corruption issues
   - mozilla-nss was updated to 3.19.2.1 (bsc#952810)
     * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028, bmo#1202868)
       NSS and NSPR memory corruption issues
   - MozillaFirefox was updated to 38.4.0 ESR (bsc#952810)
     * MFSA 2015-116/CVE-2015-4513 (bmo#1107011, bmo#1191942, bmo#1193038,
       bmo#1204580, bmo#1204669, bmo#1204700, bmo#1205707, bmo#1206564,
       bmo#1208665, bmo#1209471, bmo#1213979)
       Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
     * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
       Trailing whitespace in IP address hostnames can bypass same-origin policy
     * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
       Buffer overflow during image interactions in canvas
     * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
       CORS preflight is bypassed when non-standard Content-Type headers are
       received
     * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
       Memory corruption in libjar through zip files
     * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
       JavaScript garbage collection crash with Java applet
     * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 (bmo#1204061,
       bmo#1188010, bmo#1204155)
       Vulnerabilities found through code inspection
     * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
       Mixed content WebSocket policy bypass through workers
     * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 (bmo#1202868,
       bmo#1192028, bmo#1205157)
       NSS and NSPR memory corruption issues
   - fix printing on landscape media (bsc#908275)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-firefox-20151104-12203=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-firefox-20151104-12203=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      MozillaFirefox-38.4.0esr-25.3
      MozillaFirefox-branding-SLED-38-12.19
      MozillaFirefox-translations-38.4.0esr-25.3
      libfreebl3-3.19.2.1-12.1
      mozilla-nspr-4.10.10-16.1
      mozilla-nspr-devel-4.10.10-16.1
      mozilla-nss-3.19.2.1-12.1
      mozilla-nss-devel-3.19.2.1-12.1
      mozilla-nss-tools-3.19.2.1-12.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):

      libfreebl3-32bit-3.19.2.1-12.1
      mozilla-nspr-32bit-4.10.10-16.1
      mozilla-nss-32bit-3.19.2.1-12.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      MozillaFirefox-debuginfo-38.4.0esr-25.3
      MozillaFirefox-debugsource-38.4.0esr-25.3
      mozilla-nspr-debuginfo-4.10.10-16.1
      mozilla-nspr-debugsource-4.10.10-16.1
      mozilla-nss-debuginfo-3.19.2.1-12.1
      mozilla-nss-debugsource-3.19.2.1-12.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (s390x x86_64):

      mozilla-nspr-debuginfo-32bit-4.10.10-16.1
      mozilla-nss-debuginfo-32bit-3.19.2.1-12.1

References:

   https://www.suse.com/security/cve/CVE-2015-4513.html
   https://www.suse.com/security/cve/CVE-2015-7181.html
   https://www.suse.com/security/cve/CVE-2015-7182.html
   https://www.suse.com/security/cve/CVE-2015-7183.html
   https://www.suse.com/security/cve/CVE-2015-7188.html
   https://www.suse.com/security/cve/CVE-2015-7189.html
   https://www.suse.com/security/cve/CVE-2015-7193.html
   https://www.suse.com/security/cve/CVE-2015-7194.html
   https://www.suse.com/security/cve/CVE-2015-7196.html
   https://www.suse.com/security/cve/CVE-2015-7197.html
   https://www.suse.com/security/cve/CVE-2015-7198.html
   https://www.suse.com/security/cve/CVE-2015-7199.html
   https://www.suse.com/security/cve/CVE-2015-7200.html
   https://bugzilla.suse.com/908275
   https://bugzilla.suse.com/952810

From sle-security-updates at lists.suse.com  Thu Nov 12 09:12:35 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2015 17:12:35 +0100 (CET)
Subject: SUSE-SU-2015:1979-1: moderate: Security update for libsndfile
Message-ID: <20151112161235.2C5C3320DF@maintenance.suse.de>

   SUSE Security Update: Security update for libsndfile
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1979-1
Rating:             moderate
References:         #953516 #953521
Cross-References:   CVE-2014-9756 CVE-2015-7805
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The libsndfile package was updated to fix the following security issues:

   - CVE-2014-9756: Fixed a divide-by-zero problem that can lead to a Denial
     of Service (DoS) (bsc#953521).
   - CVE-2015-7805: Fixed a heap overflow issue (bsc#953516).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-libsndfile-12204=1

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-libsndfile-12204=1

   - SUSE Linux Enterprise Server for VMWare 11-SP3:

      zypper in -t patch slessp3-libsndfile-12204=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-libsndfile-12204=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-libsndfile-12204=1

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-libsndfile-12204=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-libsndfile-12204=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-libsndfile-12204=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-libsndfile-12204=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libsndfile-devel-1.0.20-2.10.2

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      libsndfile-devel-1.0.20-2.10.2

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):

      libsndfile-1.0.20-2.10.2

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (x86_64):

      libsndfile-32bit-1.0.20-2.10.2

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libsndfile-1.0.20-2.10.2

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libsndfile-32bit-1.0.20-2.10.2

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libsndfile-x86-1.0.20-2.10.2

   - SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      libsndfile-1.0.20-2.10.2

   - SUSE Linux Enterprise Server 11-SP3 (ppc64 s390x x86_64):

      libsndfile-32bit-1.0.20-2.10.2

   - SUSE Linux Enterprise Server 11-SP3 (ia64):

      libsndfile-x86-1.0.20-2.10.2

   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

      libsndfile-1.0.20-2.10.2

   - SUSE Linux Enterprise Desktop 11-SP4 (x86_64):

      libsndfile-32bit-1.0.20-2.10.2

   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

      libsndfile-1.0.20-2.10.2

   - SUSE Linux Enterprise Desktop 11-SP3 (x86_64):

      libsndfile-32bit-1.0.20-2.10.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libsndfile-debuginfo-1.0.20-2.10.2
      libsndfile-debugsource-1.0.20-2.10.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      libsndfile-debuginfo-32bit-1.0.20-2.10.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64):

      libsndfile-debuginfo-x86-1.0.20-2.10.2

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      libsndfile-debuginfo-1.0.20-2.10.2
      libsndfile-debugsource-1.0.20-2.10.2

   - SUSE Linux Enterprise Debuginfo 11-SP3 (ppc64 s390x x86_64):

      libsndfile-debuginfo-32bit-1.0.20-2.10.2

   - SUSE Linux Enterprise Debuginfo 11-SP3 (ia64):

      libsndfile-debuginfo-x86-1.0.20-2.10.2

References:

   https://www.suse.com/security/cve/CVE-2014-9756.html
   https://www.suse.com/security/cve/CVE-2015-7805.html
   https://bugzilla.suse.com/953516
   https://bugzilla.suse.com/953521

From sle-security-updates at lists.suse.com  Thu Nov 12 12:10:38 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2015 20:10:38 +0100 (CET)
Subject: SUSE-SU-2015:1981-1: important: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Message-ID: <20151112191038.4EE0732139@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1981-1
Rating:             important
References:         #908275 #952810
Cross-References:   CVE-2015-4513 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183
                    CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194
                    CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199
                    CVE-2015-7200
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This Mozilla Firefox, NSS and NSPR update fixes the following security and
   non-security issues.

   - mozilla-nspr was updated to version 4.10.10 (bsc#952810)
     * MFSA 2015-133/CVE-2015-7183 (bmo#1205157)
       NSPR memory corruption issues
   - mozilla-nss was updated to 3.19.2.1 (bsc#952810)
     * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028, bmo#1202868)
       NSS and NSPR memory corruption issues
   - MozillaFirefox was updated to 38.4.0 ESR (bsc#952810)
     * MFSA 2015-116/CVE-2015-4513 (bmo#1107011, bmo#1191942, bmo#1193038,
       bmo#1204580, bmo#1204669, bmo#1204700, bmo#1205707, bmo#1206564,
       bmo#1208665, bmo#1209471, bmo#1213979)
       Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
     * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
       Trailing whitespace in IP address hostnames can bypass same-origin policy
     * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
       Buffer overflow during image interactions in canvas
     * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
       CORS preflight is bypassed when non-standard Content-Type headers are
       received
     * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
       Memory corruption in libjar through zip files
     * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
       JavaScript garbage collection crash with Java applet
     * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 (bmo#1204061,
       bmo#1188010, bmo#1204155)
       Vulnerabilities found through code inspection
     * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
       Mixed content WebSocket policy bypass through workers
     * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 (bmo#1202868,
       bmo#1192028, bmo#1205157)
       NSS and NSPR memory corruption issues
   - fix printing on landscape media (bsc#908275)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-firefox-20151105-12205=1

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-firefox-20151105-12205=1

   - SUSE Linux Enterprise Server for VMWare 11-SP3:

      zypper in -t patch slessp3-firefox-20151105-12205=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-firefox-20151105-12205=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-firefox-20151105-12205=1

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-firefox-20151105-12205=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-firefox-20151105-12205=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-firefox-20151105-12205=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-firefox-20151105-12205=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-devel-38.4.0esr-25.6
      mozilla-nspr-devel-4.10.10-16.1
      mozilla-nss-devel-3.19.2.1-19.3

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-devel-38.4.0esr-25.6
      mozilla-nspr-devel-4.10.10-16.1
      mozilla-nss-devel-3.19.2.1-19.3

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):

      MozillaFirefox-38.4.0esr-25.6
      MozillaFirefox-branding-SLES-for-VMware-38-10.27
      MozillaFirefox-translations-38.4.0esr-25.6
      libfreebl3-3.19.2.1-19.3
      libsoftokn3-3.19.2.1-19.3
      mozilla-nspr-4.10.10-16.1
      mozilla-nss-3.19.2.1-19.3
      mozilla-nss-tools-3.19.2.1-19.3

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (x86_64):

      libfreebl3-32bit-3.19.2.1-19.3
      libsoftokn3-32bit-3.19.2.1-19.3
      mozilla-nspr-32bit-4.10.10-16.1
      mozilla-nss-32bit-3.19.2.1-19.3

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-38.4.0esr-25.6
      MozillaFirefox-branding-SLED-38-15.31
      MozillaFirefox-translations-38.4.0esr-25.6
      libfreebl3-3.19.2.1-19.3
      libsoftokn3-3.19.2.1-19.3
      mozilla-nspr-4.10.10-16.1
      mozilla-nss-3.19.2.1-19.3
      mozilla-nss-tools-3.19.2.1-19.3

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libfreebl3-32bit-3.19.2.1-19.3
      libsoftokn3-32bit-3.19.2.1-19.3
      mozilla-nspr-32bit-4.10.10-16.1
      mozilla-nss-32bit-3.19.2.1-19.3

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libfreebl3-x86-3.19.2.1-19.3
      libsoftokn3-x86-3.19.2.1-19.3
      mozilla-nspr-x86-4.10.10-16.1
      mozilla-nss-x86-3.19.2.1-19.3

   - SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-38.4.0esr-25.6
      MozillaFirefox-branding-SLED-38-15.31
      MozillaFirefox-translations-38.4.0esr-25.6
      libfreebl3-3.19.2.1-19.3
      libsoftokn3-3.19.2.1-19.3
      mozilla-nspr-4.10.10-16.1
      mozilla-nss-3.19.2.1-19.3
      mozilla-nss-tools-3.19.2.1-19.3

   - SUSE Linux Enterprise Server 11-SP3 (ppc64 s390x x86_64):

      libfreebl3-32bit-3.19.2.1-19.3
      libsoftokn3-32bit-3.19.2.1-19.3
      mozilla-nspr-32bit-4.10.10-16.1
      mozilla-nss-32bit-3.19.2.1-19.3

   - SUSE Linux Enterprise Server 11-SP3 (ia64):

      libfreebl3-x86-3.19.2.1-19.3
      libsoftokn3-x86-3.19.2.1-19.3
      mozilla-nspr-x86-4.10.10-16.1
      mozilla-nss-x86-3.19.2.1-19.3

   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

      MozillaFirefox-38.4.0esr-25.6
      MozillaFirefox-branding-SLED-38-15.31
      MozillaFirefox-translations-38.4.0esr-25.6
      libfreebl3-3.19.2.1-19.3
      libsoftokn3-3.19.2.1-19.3
      mozilla-nspr-4.10.10-16.1
      mozilla-nss-3.19.2.1-19.3
      mozilla-nss-tools-3.19.2.1-19.3

   - SUSE Linux Enterprise Desktop 11-SP4 (x86_64):

      libfreebl3-32bit-3.19.2.1-19.3
      libsoftokn3-32bit-3.19.2.1-19.3
      mozilla-nspr-32bit-4.10.10-16.1
      mozilla-nss-32bit-3.19.2.1-19.3

   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

      MozillaFirefox-38.4.0esr-25.6
      MozillaFirefox-branding-SLED-38-15.31
      MozillaFirefox-translations-38.4.0esr-25.6
      libfreebl3-3.19.2.1-19.3
      libsoftokn3-3.19.2.1-19.3
      mozilla-nspr-4.10.10-16.1
      mozilla-nss-3.19.2.1-19.3
      mozilla-nss-tools-3.19.2.1-19.3

   - SUSE Linux Enterprise Desktop 11-SP3 (x86_64):

      libfreebl3-32bit-3.19.2.1-19.3
      libsoftokn3-32bit-3.19.2.1-19.3
      mozilla-nspr-32bit-4.10.10-16.1
      mozilla-nss-32bit-3.19.2.1-19.3

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-debuginfo-38.4.0esr-25.6
      MozillaFirefox-debugsource-38.4.0esr-25.6
      mozilla-nspr-debuginfo-4.10.10-16.1
      mozilla-nspr-debugsource-4.10.10-16.1
      mozilla-nss-debuginfo-3.19.2.1-19.3
      mozilla-nss-debugsource-3.19.2.1-19.3

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      mozilla-nspr-debuginfo-32bit-4.10.10-16.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64):

      mozilla-nspr-debuginfo-x86-4.10.10-16.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-debuginfo-38.4.0esr-25.6
      MozillaFirefox-debugsource-38.4.0esr-25.6
      mozilla-nspr-debuginfo-4.10.10-16.1
      mozilla-nspr-debugsource-4.10.10-16.1
      mozilla-nss-debuginfo-3.19.2.1-19.3
      mozilla-nss-debugsource-3.19.2.1-19.3

   - SUSE Linux Enterprise Debuginfo 11-SP3 (ppc64 s390x x86_64):

      mozilla-nspr-debuginfo-32bit-4.10.10-16.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (ia64):

      mozilla-nspr-debuginfo-x86-4.10.10-16.1

References:

   https://www.suse.com/security/cve/CVE-2015-4513.html
   https://www.suse.com/security/cve/CVE-2015-7181.html
   https://www.suse.com/security/cve/CVE-2015-7182.html
   https://www.suse.com/security/cve/CVE-2015-7183.html
   https://www.suse.com/security/cve/CVE-2015-7188.html
   https://www.suse.com/security/cve/CVE-2015-7189.html
   https://www.suse.com/security/cve/CVE-2015-7193.html
   https://www.suse.com/security/cve/CVE-2015-7194.html
   https://www.suse.com/security/cve/CVE-2015-7196.html
   https://www.suse.com/security/cve/CVE-2015-7197.html
   https://www.suse.com/security/cve/CVE-2015-7198.html
   https://www.suse.com/security/cve/CVE-2015-7199.html
   https://www.suse.com/security/cve/CVE-2015-7200.html
   https://bugzilla.suse.com/908275
   https://bugzilla.suse.com/952810

From sle-security-updates at lists.suse.com  Fri Nov 13 05:10:47 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Nov 2015 13:10:47 +0100 (CET)
Subject: SUSE-SU-2015:1983-1: moderate: Security update for squid
Message-ID: <20151113121047.8750632139@maintenance.suse.de>

   SUSE Security Update: Security update for squid
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1983-1
Rating:             moderate
References:         #895773 #949942
Cross-References:   CVE-2014-6270 CVE-2014-9749
Affected Products:
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   squid was updated to fix two security issues.
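   Of the two squid issues in this advisory, the Digest-authentication nonce
   replay (CVE-2014-9749) is the one whose defence is easy to show in code. The
   advisory does not say where squid's check went wrong, so the following is an
   added example, not squid's implementation: a minimal RFC 2617 verifier
   (qop=auth) that records, per nonce it issued, the highest nonce count (nc) it
   has accepted, and rejects any request that reuses a nonce without a strictly
   larger nc. That bookkeeping is what makes a captured Proxy-Authorization
   header worthless to whoever sniffed it. The realm, user, password and clock
   are constructed sample values; MD5 appears because Digest specifies it, not
   as a recommendation.

```python
"""Added example (not squid's code): Digest-auth verification with nonce-count
tracking so a captured Authorization header cannot be replayed."""
import hashlib
import hmac
import os
import time


def _md5(s: str) -> str:
    # MD5 is what RFC 2617 Digest mandates; used here for protocol fidelity only.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The client-side response= value for qop=auth (RFC 2617 section 3.2.2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side. Per issued nonce it stores (issued_at, highest nc accepted);
    a request reusing the nonce must present a strictly larger nc."""

    def __init__(self, realm, users, nonce_ttl=300, now=time.time):
        self.realm = realm
        self.users = users          # user -> password (sample; real servers store HA1)
        self.nonce_ttl = nonce_ttl  # seconds a nonce remains usable
        self.now = now              # injectable clock so expiry can be tested
        self._nonces = {}           # nonce -> [issued_at, highest_nc_accepted]

    def issue_nonce(self) -> str:
        """Fresh, unpredictable nonce for a 401/407 challenge."""
        nonce = os.urandom(16).hex()
        self._nonces[nonce] = [self.now(), 0]
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        """Return (accepted, reason). The nc comparison is the anti-replay step:
        a replayed header carries a nonce/nc pair the server already consumed."""
        state = self._nonces.get(nonce)
        if state is None:
            return False, "unknown nonce"
        issued_at, highest_nc = state
        if self.now() - issued_at > self.nonce_ttl:
            del self._nonces[nonce]
            return False, "stale nonce"
        try:
            count = int(nc, 16)          # nc is 8 hex digits on the wire
        except ValueError:
            return False, "malformed nc"
        if count <= highest_nc:
            return False, "replayed nonce count"
        password = self.users.get(user)
        if password is None:
            return False, "bad response"  # same answer as a wrong password
        expected = digest_response(user, self.realm, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        # Advance the counter only after the password proof succeeded, so a
        # forger cannot burn nonce counts out from under the legitimate client.
        state[1] = count
        return True, "ok"


def demo():
    """Constructed exchange: one genuine request, then a verbatim replay of it."""
    verifier = DigestVerifier("proxy.example", {"alice": "s3cret"})
    nonce = verifier.issue_nonce()
    uri, cnonce, nc = "http://example.test/", "0a4f113b", "00000001"
    resp = digest_response("alice", "proxy.example", "s3cret", "GET", uri, nonce, nc, cnonce)
    first = verifier.verify("alice", "GET", uri, nonce, nc, cnonce, resp)
    replay = verifier.verify("alice", "GET", uri, nonce, nc, cnonce, resp)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

   A proxy additionally has to bound how many nonces it keeps and how many
   counts it accepts per nonce; otherwise the table itself becomes a resource
   exhaustion target. Those limits are policy and are not shown here.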
   These security issues were fixed:

   - CVE-2014-6270: Fixed an off-by-one in the SNMP subsystem (bsc#895773).
   - CVE-2014-9749: Fixed a nonce replay vulnerability in Digest
     authentication (bsc#949942).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for VMWare 11-SP3:

      zypper in -t patch slessp3-squid-12206=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-squid-12206=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-squid-12206=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-squid-12206=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-squid-12206=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):

      squid-2.7.STABLE5-2.12.24.2

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      squid-2.7.STABLE5-2.12.24.2

   - SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      squid-2.7.STABLE5-2.12.24.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      squid-debuginfo-2.7.STABLE5-2.12.24.2
      squid-debugsource-2.7.STABLE5-2.12.24.2

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      squid-debuginfo-2.7.STABLE5-2.12.24.2
      squid-debugsource-2.7.STABLE5-2.12.24.2

References:

   https://www.suse.com/security/cve/CVE-2014-6270.html
   https://www.suse.com/security/cve/CVE-2014-9749.html
   https://bugzilla.suse.com/895773
   https://bugzilla.suse.com/949942

From sle-security-updates at lists.suse.com  Mon Nov 16 04:11:09 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Nov 2015 12:11:09 +0100 (CET)
Subject: SUSE-SU-2015:2000-1: moderate: Security update for libsndfile
Message-ID: <20151116111109.E9A0B32139@maintenance.suse.de>

   SUSE Security Update: Security update for libsndfile
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2000-1
Rating:             moderate
References:         #953516 #953519 #953521
Cross-References:   CVE-2014-9756 CVE-2015-7805 CVE-2015-8075
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   The libsndfile package was updated to fix the following security issues:

   - CVE-2014-9756: Fixed a divide-by-zero problem that can lead to a Denial
     of Service (DoS) (bsc#953521).
   - CVE-2015-7805: Fixed a heap overflow issue (bsc#953516).
   - CVE-2015-8075: Fixed a heap overflow issue (bsc#953519).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-846=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-846=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-846=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libsndfile-debugsource-1.0.25-24.1
      libsndfile-devel-1.0.25-24.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libsndfile-debugsource-1.0.25-24.1
      libsndfile1-1.0.25-24.1
      libsndfile1-debuginfo-1.0.25-24.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libsndfile1-32bit-1.0.25-24.1
      libsndfile1-debuginfo-32bit-1.0.25-24.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libsndfile-debugsource-1.0.25-24.1
      libsndfile1-1.0.25-24.1
      libsndfile1-32bit-1.0.25-24.1
      libsndfile1-debuginfo-1.0.25-24.1
      libsndfile1-debuginfo-32bit-1.0.25-24.1

References:

   https://www.suse.com/security/cve/CVE-2014-9756.html
   https://www.suse.com/security/cve/CVE-2015-7805.html
   https://www.suse.com/security/cve/CVE-2015-8075.html
   https://bugzilla.suse.com/953516
   https://bugzilla.suse.com/953519
   https://bugzilla.suse.com/953521

From sle-security-updates at lists.suse.com  Tue Nov 17 03:16:40 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2015 11:16:40 +0100 (CET)
Subject: SUSE-SU-2015:1898-2: important: Security update for krb5
Message-ID: <20151117101640.569F3320B7@maintenance.suse.de>

   SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1898-2
Rating:             important
References:         #952188
Cross-References:   CVE-2015-2695
Affected Products:
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   krb5 was updated to fix one security issue.

   This security issue was fixed:

   - CVE-2015-2695: Applications which call gss_inquire_context() on a
     partially-established SPNEGO context could have caused the GSS-API
     library to read from a pointer using the wrong type, generally causing a
     process crash (bsc#952188).
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-krb5-12185=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):

      krb5-debuginfo-1.6.3-133.49.97.1
      krb5-debugsource-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (ppc64 s390x x86_64):

      krb5-debuginfo-32bit-1.6.3-133.49.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (ia64):

      krb5-debuginfo-x86-1.6.3-133.49.97.1

References:

   https://www.suse.com/security/cve/CVE-2015-2695.html
   https://bugzilla.suse.com/952188

From sle-security-updates at lists.suse.com  Wed Nov 18 06:11:30 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Nov 2015 14:11:30 +0100 (CET)
Subject: SUSE-SU-2015:2013-1: moderate: Security update for libpng16
Message-ID: <20151118131130.B96C43213B@maintenance.suse.de>

   SUSE Security Update: Security update for libpng16
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2013-1
Rating:             moderate
References:         #954980
Cross-References:   CVE-2015-8126
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The libpng16 package was updated to fix the following security issue:

   - CVE-2015-8126: Fixed buffer overflow vulnerabilities in the
     png_get_PLTE/png_set_PLTE functions (bsc#954980).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-855=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-855=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-855=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libpng16-compat-devel-1.6.8-8.1
      libpng16-debugsource-1.6.8-8.1
      libpng16-devel-1.6.8-8.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libpng16-16-1.6.8-8.1
      libpng16-16-debuginfo-1.6.8-8.1
      libpng16-debugsource-1.6.8-8.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libpng16-16-32bit-1.6.8-8.1
      libpng16-16-debuginfo-32bit-1.6.8-8.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libpng16-16-1.6.8-8.1
      libpng16-16-32bit-1.6.8-8.1
      libpng16-16-debuginfo-1.6.8-8.1
      libpng16-16-debuginfo-32bit-1.6.8-8.1
      libpng16-debugsource-1.6.8-8.1

References:

   https://www.suse.com/security/cve/CVE-2015-8126.html
   https://bugzilla.suse.com/954980

From sle-security-updates at lists.suse.com  Wed Nov 18 06:12:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Nov 2015 14:12:54 +0100 (CET)
Subject: SUSE-SU-2015:2017-1: moderate: Security update for libpng12-0
Message-ID: <20151118131254.D927D3213B@maintenance.suse.de>

   SUSE Security Update: Security update for libpng12-0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2017-1
Rating:             moderate
References:         #952051 #954980
Cross-References:   CVE-2015-7981 CVE-2015-8126
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The libpng12-0 package was updated to fix the following security issues:

   - CVE-2015-8126: Fixed buffer overflow vulnerabilities in the
     png_get_PLTE/png_set_PLTE functions (bsc#954980).
   - CVE-2015-7981: Fixed an out-of-bounds read (bsc#952051).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-libpng12-0-12214=1

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-libpng12-0-12214=1

   - SUSE Linux Enterprise Server for VMWare 11-SP3:

      zypper in -t patch slessp3-libpng12-0-12214=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-libpng12-0-12214=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-libpng12-0-12214=1

   - SUSE Linux Enterprise Desktop 11-SP4:

      zypper in -t patch sledsp4-libpng12-0-12214=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-libpng12-0-12214=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-libpng12-0-12214=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-libpng12-0-12214=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libpng-devel-1.2.31-5.35.1
   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
      libpng-devel-32bit-1.2.31-5.35.1
   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 ia64 ppc64 s390x x86_64):
      libpng-devel-1.2.31-5.35.1
   - SUSE Linux Enterprise Software Development Kit 11-SP3 (ppc64 s390x x86_64):
      libpng-devel-32bit-1.2.31-5.35.1
   - SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):
      libpng12-0-1.2.31-5.35.1
   - SUSE Linux Enterprise Server for VMWare 11-SP3 (x86_64):
      libpng12-0-32bit-1.2.31-5.35.1
   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libpng12-0-1.2.31-5.35.1
   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      libpng12-0-32bit-1.2.31-5.35.1
   - SUSE Linux Enterprise Server 11-SP4 (ia64):
      libpng12-0-x86-1.2.31-5.35.1
   - SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):
      libpng12-0-1.2.31-5.35.1
   - SUSE Linux Enterprise Server 11-SP3 (ppc64 s390x x86_64):
      libpng12-0-32bit-1.2.31-5.35.1
   - SUSE Linux Enterprise Server 11-SP3 (ia64):
      libpng12-0-x86-1.2.31-5.35.1
   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):
      libpng12-0-1.2.31-5.35.1
   - SUSE Linux Enterprise Desktop 11-SP4 (x86_64):
      libpng12-0-32bit-1.2.31-5.35.1
   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):
      libpng12-0-1.2.31-5.35.1
   - SUSE Linux Enterprise Desktop 11-SP3 (x86_64):
      libpng12-0-32bit-1.2.31-5.35.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libpng12-0-debuginfo-1.2.31-5.35.1
      libpng12-0-debugsource-1.2.31-5.35.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):
      libpng12-0-debuginfo-1.2.31-5.35.1
      libpng12-0-debugsource-1.2.31-5.35.1

References:

   https://www.suse.com/security/cve/CVE-2015-7981.html
   https://www.suse.com/security/cve/CVE-2015-8126.html
   https://bugzilla.suse.com/952051
   https://bugzilla.suse.com/954980


From sle-security-updates at lists.suse.com  Wed Nov 18 06:17:10 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Nov 2015 14:17:10 +0100 (CET)
Subject: SUSE-SU-2015:2024-1: moderate: Security update for libpng12
Message-ID: <20151118131710.085E43213B@maintenance.suse.de>

SUSE Security Update: Security update for libpng12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2024-1
Rating:             moderate
References:         #952051 #954980
Cross-References:   CVE-2015-7981 CVE-2015-8126
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The libpng12 package was updated to fix the following security issues:

   - CVE-2015-8126: Fixed buffer overflow vulnerabilities in the
     png_get_PLTE/png_set_PLTE functions (bsc#954980).
   - CVE-2015-7981: Fixed an out-of-bounds read (bsc#952051).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2015-854=1
   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-854=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-854=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      libpng12-compat-devel-1.2.50-10.1
      libpng12-debugsource-1.2.50-10.1
      libpng12-devel-1.2.50-10.1
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      libpng12-0-1.2.50-10.1
      libpng12-0-debuginfo-1.2.50-10.1
      libpng12-debugsource-1.2.50-10.1
   - SUSE Linux Enterprise Server 12 (s390x x86_64):
      libpng12-0-32bit-1.2.50-10.1
      libpng12-0-debuginfo-32bit-1.2.50-10.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      libpng12-0-1.2.50-10.1
      libpng12-0-32bit-1.2.50-10.1
      libpng12-0-debuginfo-1.2.50-10.1
      libpng12-0-debuginfo-32bit-1.2.50-10.1
      libpng12-debugsource-1.2.50-10.1

References:

   https://www.suse.com/security/cve/CVE-2015-7981.html
   https://www.suse.com/security/cve/CVE-2015-8126.html
   https://bugzilla.suse.com/952051
   https://bugzilla.suse.com/954980


From sle-security-updates at lists.suse.com  Wed Nov 18 08:10:56 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Nov 2015 16:10:56 +0100 (CET)
Subject: SUSE-SU-2015:2025-1: moderate: Recommended update for git
Message-ID: <20151118151056.09C703213B@maintenance.suse.de>

SUSE Security Update: Recommended update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2025-1
Rating:             moderate
References:         #948969
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   The git package was updated to fix the following security issue:

   - Fix remote code execution with recursive fetch of submodules
     (bsc#948969).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2015-857=1
   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-857=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      git-1.8.5.6-14.3
      git-arch-1.8.5.6-14.3
      git-core-1.8.5.6-14.3
      git-core-debuginfo-1.8.5.6-14.3
      git-cvs-1.8.5.6-14.3
      git-daemon-1.8.5.6-14.3
      git-daemon-debuginfo-1.8.5.6-14.3
      git-debugsource-1.8.5.6-14.3
      git-email-1.8.5.6-14.3
      git-gui-1.8.5.6-14.3
      git-svn-1.8.5.6-14.3
      git-svn-debuginfo-1.8.5.6-14.3
      git-web-1.8.5.6-14.3
      gitk-1.8.5.6-14.3
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      git-core-1.8.5.6-14.3
      git-core-debuginfo-1.8.5.6-14.3
      git-debugsource-1.8.5.6-14.3

References:

   https://bugzilla.suse.com/948969


From sle-security-updates at lists.suse.com  Fri Nov 20 03:10:39 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2015 11:10:39 +0100 (CET)
Subject: SUSE-SU-2015:2053-1: moderate: Security update for xscreensaver
Message-ID: <20151120101039.6216432139@maintenance.suse.de>

SUSE Security Update: Security update for xscreensaver
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2053-1
Rating:             moderate
References:         #952062
Cross-References:   CVE-2015-8025
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The xscreensaver package was updated to fix the following security issue:

   - CVE-2015-8025: Fixed a crash when hot-swapping monitors while locked
     (bsc#952062).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-870=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-870=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      xscreensaver-5.22-6.1
      xscreensaver-data-5.22-6.1
      xscreensaver-data-debuginfo-5.22-6.1
      xscreensaver-debuginfo-5.22-6.1
      xscreensaver-debugsource-5.22-6.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      xscreensaver-5.22-6.1
      xscreensaver-data-5.22-6.1
      xscreensaver-data-debuginfo-5.22-6.1
      xscreensaver-debuginfo-5.22-6.1
      xscreensaver-debugsource-5.22-6.1

References:

   https://www.suse.com/security/cve/CVE-2015-8025.html
   https://bugzilla.suse.com/952062


From sle-security-updates at lists.suse.com  Fri Nov 20 03:11:06 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2015 11:11:06 +0100 (CET)
Subject: SUSE-SU-2015:2054-1: moderate: Security update for xscreensaver
Message-ID: <20151120101107.00FE93213B@maintenance.suse.de>

SUSE Security Update: Security update for xscreensaver
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2054-1
Rating:             moderate
References:         #952062
Cross-References:   CVE-2015-8025
Affected Products:
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The xscreensaver package was updated to fix the following security and
   non-security issues:

   - CVE-2015-8025: Fixed a crash when hot-swapping monitors while locked
     (bsc#952062).
   - Added xscreensaver-in_signal_handler_p.patch, needed for the signal
     handling fix.
   - Refresh xscreensaver-stars.patch.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for VMWare 11-SP3:
      zypper in -t patch slessp3-xscreensaver-12217=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-xscreensaver-12217=1
   - SUSE Linux Enterprise Server 11-SP3:
      zypper in -t patch slessp3-xscreensaver-12217=1
   - SUSE Linux Enterprise Desktop 11-SP4:
      zypper in -t patch sledsp4-xscreensaver-12217=1
   - SUSE Linux Enterprise Desktop 11-SP3:
      zypper in -t patch sledsp3-xscreensaver-12217=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-xscreensaver-12217=1
   - SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-xscreensaver-12217=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):
      xscreensaver-5.07-6.36.1
   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      xscreensaver-5.07-6.36.1
   - SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):
      xscreensaver-5.07-6.36.1
   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):
      xscreensaver-5.07-6.36.1
   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):
      xscreensaver-5.07-6.36.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      xscreensaver-debuginfo-5.07-6.36.1
      xscreensaver-debugsource-5.07-6.36.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):
      xscreensaver-debuginfo-5.07-6.36.1
      xscreensaver-debugsource-5.07-6.36.1

References:

   https://www.suse.com/security/cve/CVE-2015-8025.html
   https://bugzilla.suse.com/952062


From sle-security-updates at lists.suse.com  Fri Nov 20 03:11:53 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2015 11:11:53 +0100 (CET)
Subject: SUSE-SU-2015:2056-1: moderate: Recommended update for libksba
Message-ID: <20151120101153.E8CEB3213B@maintenance.suse.de>

SUSE Security Update: Recommended update for libksba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2056-1
Rating:             moderate
References:         #926826
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   The libksba package was updated to fix the following security issues:

   - Fixed integer overflow, out-of-bounds read and stack overflow issues
     (bsc#926826).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2015-869=1
   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-869=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-869=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      libksba-debugsource-1.3.0-12.1
      libksba-devel-1.3.0-12.1
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      libksba-debugsource-1.3.0-12.1
      libksba8-1.3.0-12.1
      libksba8-debuginfo-1.3.0-12.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      libksba-debugsource-1.3.0-12.1
      libksba8-1.3.0-12.1
      libksba8-debuginfo-1.3.0-12.1

References:

   https://bugzilla.suse.com/926826


From sle-security-updates at lists.suse.com  Fri Nov 20 06:11:03 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2015 14:11:03 +0100 (CET)
Subject: SUSE-SU-2015:2058-1: moderate: Security update for ntp
Message-ID: <20151120131103.73DFD3213B@maintenance.suse.de>

SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2058-1
Rating:             moderate
References:         #905885 #910063 #936327 #942441 #942587 #944300 #951608
Cross-References:   CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702
                    CVE-2015-7703 CVE-2015-7704 CVE-2015-7705 CVE-2015-7848
                    CVE-2015-7849 CVE-2015-7850 CVE-2015-7851 CVE-2015-7852
                    CVE-2015-7853 CVE-2015-7854 CVE-2015-7855 CVE-2015-7871
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.
Description:

   This ntp update provides the following security and non-security fixes:

   - Update to 4.2.8p4 to fix several security issues (bsc#951608):
     * CVE-2015-7871: NAK to the Future: Symmetric association
       authentication bypass via crypto-NAK
     * CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning
       FAIL on some bogus values
     * CVE-2015-7854: Password Length Memory Corruption Vulnerability
     * CVE-2015-7853: Invalid length data provided by a custom refclock
       driver could cause a buffer overflow
     * CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability
     * CVE-2015-7851: saveconfig Directory Traversal Vulnerability
     * CVE-2015-7850: remote config logfile-keyfile
     * CVE-2015-7849: trusted key use-after-free
     * CVE-2015-7848: mode 7 loop counter underrun
     * CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC
     * CVE-2015-7703: configuration directives "pidfile" and "driftfile"
       should only be allowed locally
     * CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should
       validate the origin timestamp field
     * CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data
       packet length checks
   - Use ntpq instead of the deprecated ntpdc in start-ntpd (bnc#936327).
   - Add a controlkey to ntp.conf to make the above work.
   - Improve runtime configuration:
     * Read keytype from ntp.conf.
     * Don't write ntp keys to syslog.
   - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.
   - Fix the comment regarding addserver in ntp.conf (bnc#910063).
   - Remove ntp.1.gz; it was no longer installed.
   - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz. The rest
     is partially irrelevant, partially redundant and potentially outdated
     (bsc#942587).
   - Remove "kod" from the restrict line in ntp.conf (bsc#944300).
   - Use SHA1 instead of MD5 for symmetric keys (bsc#905885).
   - Require perl-Socket6 (bsc#942441).
   - Fix incomplete backporting of "rcntp ntptimemset".

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-ntp-12218=1
   - SUSE Linux Enterprise Desktop 11-SP4:
      zypper in -t patch sledsp4-ntp-12218=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-ntp-12218=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      ntp-4.2.8p4-5.1
      ntp-doc-4.2.8p4-5.1
   - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):
      ntp-4.2.8p4-5.1
      ntp-doc-4.2.8p4-5.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      ntp-debuginfo-4.2.8p4-5.1
      ntp-debugsource-4.2.8p4-5.1

References:

   https://www.suse.com/security/cve/CVE-2015-7691.html
   https://www.suse.com/security/cve/CVE-2015-7692.html
   https://www.suse.com/security/cve/CVE-2015-7701.html
   https://www.suse.com/security/cve/CVE-2015-7702.html
   https://www.suse.com/security/cve/CVE-2015-7703.html
   https://www.suse.com/security/cve/CVE-2015-7704.html
   https://www.suse.com/security/cve/CVE-2015-7705.html
   https://www.suse.com/security/cve/CVE-2015-7848.html
   https://www.suse.com/security/cve/CVE-2015-7849.html
   https://www.suse.com/security/cve/CVE-2015-7850.html
   https://www.suse.com/security/cve/CVE-2015-7851.html
   https://www.suse.com/security/cve/CVE-2015-7852.html
   https://www.suse.com/security/cve/CVE-2015-7853.html
   https://www.suse.com/security/cve/CVE-2015-7854.html
   https://www.suse.com/security/cve/CVE-2015-7855.html
   https://www.suse.com/security/cve/CVE-2015-7871.html
   https://bugzilla.suse.com/905885
   https://bugzilla.suse.com/910063
   https://bugzilla.suse.com/936327
   https://bugzilla.suse.com/942441
   https://bugzilla.suse.com/942587
   https://bugzilla.suse.com/944300
   https://bugzilla.suse.com/951608


From sle-security-updates at lists.suse.com  Fri Nov 20 09:13:13 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2015 17:13:13 +0100 (CET)
Subject: SUSE-SU-2015:2064-1: moderate: Security update for openstack-dashboard
Message-ID: <20151120161313.87C1C3213B@maintenance.suse.de>

SUSE Security Update: Security update for openstack-dashboard
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2064-1
Rating:             moderate
References:         #928891 #931437 #933607 #933722 #935442 #936059 #936368
                    #945052 #945515
Cross-References:   CVE-2015-3219 CVE-2015-3988
Affected Products:
                    SUSE OpenStack Cloud 5
______________________________________________________________________________

   An update that solves two vulnerabilities and has 7 fixes is now available.

Description:

   This update provides fixes and enhancements for openstack-dashboard,
   crowbar-barclamp-nova_dashboard and python-django_openstack_auth.

   openstack-dashboard:

   - Reset flavors for source types other than "Boot from Image". (bsc#945515)
   - Add deactivated status for glance image.
   - Fix TemplateSyntaxError at hypervisors view.
   - Fix addition of plugin panel to panel group.
   - Remove hardcoded admin role name 'admin'. (bsc#935442)
   - Escape the description param from heat template. (bsc#933722,
     CVE-2015-3219)
   - Enhance policy rules for workflow actions and identity project.
   - Sanitize metadata passed from Django to avoid persistent XSS.
     (bsc#931437, CVE-2015-3988)
   - Fix Terminate Instance on network topology page.
   - Show ports from shared networks in floating IP association.
   - Fix incorrect ca arguments when calling the ceilometer client.
   - Fix dynamic select layout when help block is displayed.
   - Pass correct project ID to get tenant_usages. (bsc#928891)

   crowbar-barclamp-nova_dashboard:

   - Allow switching on multidomain support. (bsc#945052)
   - Fix quoting of supported_provider_types. (bsc#936368)
   - Enable the POLICY_FILES setting configuration.
   - Fix attribute being fetched from wrong node. (bsc#936059)

   python-django_openstack_auth:

   - Remove hardcoded admin role name 'admin' in User.is_superuser().
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-openstack-crowbar-dashboard-201510-12220=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):
      openstack-dashboard-2014.2.4~a0~dev12-13.2
      python-django_openstack_auth-1.1.7-11.3
      python-horizon-2014.2.4~a0~dev12-13.2
   - SUSE OpenStack Cloud 5 (noarch):
      crowbar-barclamp-nova_dashboard-1.9+git.1443622531.b2b2939-9.3

References:

   https://www.suse.com/security/cve/CVE-2015-3219.html
   https://www.suse.com/security/cve/CVE-2015-3988.html
   https://bugzilla.suse.com/928891
   https://bugzilla.suse.com/931437
   https://bugzilla.suse.com/933607
   https://bugzilla.suse.com/933722
   https://bugzilla.suse.com/935442
   https://bugzilla.suse.com/936059
   https://bugzilla.suse.com/936368
   https://bugzilla.suse.com/945052
   https://bugzilla.suse.com/945515


From sle-security-updates at lists.suse.com  Fri Nov 20 10:10:17 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2015 18:10:17 +0100 (CET)
Subject: SUSE-SU-2015:2065-1: moderate: Security update for dracut
Message-ID: <20151120171017.923D63213B@maintenance.suse.de>

SUSE Security Update: Security update for dracut
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2065-1
Rating:             moderate
References:         #935338 #935993 #947518 #952491
Cross-References:   CVE-2015-0794
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now
   available.
Description:

   The dracut package was updated to fix the following security and
   non-security issues:

   - CVE-2015-0794: Use mktemp instead of hardcoded filenames, a possible
     vulnerability (bsc#935338).
   - Always install mdraid modules (bsc#935993).
   - Add a notice when dracut fails to install modules (bsc#952491).
   - Always install the dm-snapshot module if the lvm dracut module is
     needed, even if dm-snapshot is not loaded on the host yet (bsc#947518).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-877=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-877=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      dracut-037-51.17.3
      dracut-debuginfo-037-51.17.3
      dracut-debugsource-037-51.17.3
      dracut-fips-037-51.17.3
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      dracut-037-51.17.3
      dracut-debuginfo-037-51.17.3
      dracut-debugsource-037-51.17.3

References:

   https://www.suse.com/security/cve/CVE-2015-0794.html
   https://bugzilla.suse.com/935338
   https://bugzilla.suse.com/935993
   https://bugzilla.suse.com/947518
   https://bugzilla.suse.com/952491


From sle-security-updates at lists.suse.com  Mon Nov 23 14:10:11 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2015 22:10:11 +0100 (CET)
Subject: SUSE-SU-2015:2081-1: important: Security update for Mozilla Firefox
Message-ID: <20151123211011.D5A7E320DF@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2081-1
Rating:             important
References:         #908275 #940806 #943557 #943558 #943608 #947003 #952810
Cross-References:   CVE-2015-4473 CVE-2015-4474 CVE-2015-4475 CVE-2015-4478
                    CVE-2015-4479 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486
                    CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491
                    CVE-2015-4492 CVE-2015-4497 CVE-2015-4498 CVE-2015-4500
                    CVE-2015-4501 CVE-2015-4506 CVE-2015-4509 CVE-2015-4511
                    CVE-2015-4513 CVE-2015-4517 CVE-2015-4519 CVE-2015-4520
                    CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175
                    CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 CVE-2015-7181
                    CVE-2015-7182 CVE-2015-7183 CVE-2015-7188 CVE-2015-7189
                    CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197
                    CVE-2015-7198 CVE-2015-7199 CVE-2015-7200
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes 43 vulnerabilities is now available. It includes
   three new package versions.

Description:

   MozillaFirefox ESR was updated to version 38.4.0ESR to fix multiple
   security issues.

   * MFSA 2015-116/CVE-2015-4513
     Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
   * MFSA 2015-122/CVE-2015-7188
     Trailing whitespace in IP address hostnames can bypass same-origin policy
   * MFSA 2015-123/CVE-2015-7189
     Buffer overflow during image interactions in canvas
   * MFSA 2015-127/CVE-2015-7193
     CORS preflight is bypassed when non-standard Content-Type headers are
     received
   * MFSA 2015-128/CVE-2015-7194
     Memory corruption in libjar through zip files
   * MFSA 2015-130/CVE-2015-7196
     JavaScript garbage collection crash with Java applet
   * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
     Vulnerabilities found through code inspection
   * MFSA 2015-132/CVE-2015-7197
     Mixed content WebSocket policy bypass through workers
   * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
     NSS and NSPR memory corruption issues

   It also includes fixes from 38.3.0ESR:

   * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
     Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
   * MFSA 2015-101/CVE-2015-4506
     Buffer overflow in libvpx while parsing vp9 format video
   * MFSA 2015-105/CVE-2015-4511
     Buffer overflow while decoding WebM video
   * MFSA 2015-106/CVE-2015-4509
     Use-after-free while manipulating HTML media content
   * MFSA 2015-110/CVE-2015-4519
     Dragging and dropping images exposes final URL after redirects
   * MFSA 2015-111/CVE-2015-4520
     Errors in the handling of CORS preflight request headers
   * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522
     CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177
     CVE-2015-7180
     Vulnerabilities found through code inspection

   It also includes fixes from the Firefox 38.2.1ESR release:

   * MFSA 2015-94/CVE-2015-4497 (bsc#943557)
     Use-after-free when resizing canvas element during restyling
   * MFSA 2015-95/CVE-2015-4498 (bsc#943558)
     Add-on notification bypass through data URLs

   It also includes fixes from the Firefox 38.2.0ESR release:

   * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
     Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
   * MFSA 2015-80/CVE-2015-4475
     Out-of-bounds read with malformed MP3 file
   * MFSA 2015-82/CVE-2015-4478
     Redefinition of non-configurable JavaScript object properties
   * MFSA 2015-83/CVE-2015-4479
     Overflow issues in libstagefright
   * MFSA 2015-87/CVE-2015-4484
     Crash when using shared memory in JavaScript
   * MFSA 2015-88/CVE-2015-4491
     Heap overflow in gdk-pixbuf when scaling bitmap images
   * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486
     Buffer overflows on Libvpx when decoding WebM video
   * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
     Vulnerabilities found through code inspection
   * MFSA 2015-92/CVE-2015-4492
     Use-after-free in XMLHttpRequest with shared workers

   Security Issues:

   * CVE-2015-4473
   * CVE-2015-4474
   * CVE-2015-4475
   * CVE-2015-4478
   * CVE-2015-4479
   * CVE-2015-4484
   * CVE-2015-4485
   * CVE-2015-4486
   * CVE-2015-4487
   * CVE-2015-4488
   * CVE-2015-4489
   * CVE-2015-4491
   * CVE-2015-4492
   * CVE-2015-4497
   * CVE-2015-4498
   * CVE-2015-4500
   * CVE-2015-4501
   * CVE-2015-4506
   * CVE-2015-4509
   * CVE-2015-4511
   * CVE-2015-4513
   * CVE-2015-4517
   * CVE-2015-4519
   * CVE-2015-4520
   * CVE-2015-4521
   * CVE-2015-4522
   * CVE-2015-7174
   * CVE-2015-7175
   * CVE-2015-7176
   * CVE-2015-7177
   * CVE-2015-7180
   * CVE-2015-7181
   * CVE-2015-7182
   * CVE-2015-7183
   * CVE-2015-7188
   * CVE-2015-7189
   * CVE-2015-7193
   * CVE-2015-7194
   * CVE-2015-7196
   * CVE-2015-7197
   * CVE-2015-7198
   * CVE-2015-7199
   * CVE-2015-7200

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 3.19.2.1 and 4.10.10]:
      mozilla-nspr-4.10.10-0.5.1
      mozilla-nspr-devel-4.10.10-0.5.1
      mozilla-nss-3.19.2.1-0.5.1
      mozilla-nss-devel-3.19.2.1-0.5.1
      mozilla-nss-tools-3.19.2.1-0.5.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64) [New Version: 3.19.2.1 and 4.10.10]:
      mozilla-nspr-32bit-4.10.10-0.5.1
      mozilla-nss-32bit-3.19.2.1-0.5.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x) [New Version: 38]:
      MozillaFirefox-38.4.0esr-0.7.1
      MozillaFirefox-branding-SLED-38-0.5.3
      MozillaFirefox-translations-38.4.0esr-0.7.1

References:

   https://www.suse.com/security/cve/CVE-2015-4473.html
   https://www.suse.com/security/cve/CVE-2015-4474.html
   https://www.suse.com/security/cve/CVE-2015-4475.html
   https://www.suse.com/security/cve/CVE-2015-4478.html
   https://www.suse.com/security/cve/CVE-2015-4479.html
   https://www.suse.com/security/cve/CVE-2015-4484.html
   https://www.suse.com/security/cve/CVE-2015-4485.html
   https://www.suse.com/security/cve/CVE-2015-4486.html
   https://www.suse.com/security/cve/CVE-2015-4487.html
   https://www.suse.com/security/cve/CVE-2015-4488.html
   https://www.suse.com/security/cve/CVE-2015-4489.html
   https://www.suse.com/security/cve/CVE-2015-4491.html
   https://www.suse.com/security/cve/CVE-2015-4492.html
   https://www.suse.com/security/cve/CVE-2015-4497.html
   https://www.suse.com/security/cve/CVE-2015-4498.html
   https://www.suse.com/security/cve/CVE-2015-4500.html
   https://www.suse.com/security/cve/CVE-2015-4501.html
   https://www.suse.com/security/cve/CVE-2015-4506.html
   https://www.suse.com/security/cve/CVE-2015-4509.html
   https://www.suse.com/security/cve/CVE-2015-4511.html
   https://www.suse.com/security/cve/CVE-2015-4513.html
   https://www.suse.com/security/cve/CVE-2015-4517.html
   https://www.suse.com/security/cve/CVE-2015-4519.html
   https://www.suse.com/security/cve/CVE-2015-4520.html
   https://www.suse.com/security/cve/CVE-2015-4521.html
   https://www.suse.com/security/cve/CVE-2015-4522.html
   https://www.suse.com/security/cve/CVE-2015-7174.html
   https://www.suse.com/security/cve/CVE-2015-7175.html
   https://www.suse.com/security/cve/CVE-2015-7176.html
   https://www.suse.com/security/cve/CVE-2015-7177.html
   https://www.suse.com/security/cve/CVE-2015-7180.html
   https://www.suse.com/security/cve/CVE-2015-7181.html
   https://www.suse.com/security/cve/CVE-2015-7182.html
   https://www.suse.com/security/cve/CVE-2015-7183.html
   https://www.suse.com/security/cve/CVE-2015-7188.html
   https://www.suse.com/security/cve/CVE-2015-7189.html
   https://www.suse.com/security/cve/CVE-2015-7193.html
   https://www.suse.com/security/cve/CVE-2015-7194.html
   https://www.suse.com/security/cve/CVE-2015-7196.html
   https://www.suse.com/security/cve/CVE-2015-7197.html
   https://www.suse.com/security/cve/CVE-2015-7198.html
   https://www.suse.com/security/cve/CVE-2015-7199.html
   https://www.suse.com/security/cve/CVE-2015-7200.html
   https://bugzilla.suse.com/908275
   https://bugzilla.suse.com/940806
   https://bugzilla.suse.com/943557
   https://bugzilla.suse.com/943558
   https://bugzilla.suse.com/943608
   https://bugzilla.suse.com/947003
   https://bugzilla.suse.com/952810
   https://download.suse.com/patch/finder/?keywords=bb006e2ed6738badb2b7f4f52e5c1b2a


From sle-security-updates at lists.suse.com  Tue Nov 24 11:10:24 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:10:24 +0100 (CET)
Subject: SUSE-SU-2015:2084-1: important: Security update for Linux Kernel Live Patch 5
Message-ID: <20151124181024.8522E320DF@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2084-1
Rating:             important
References:         #940338 #940342 #948536 #948701
Cross-References:   CVE-2015-5707 CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now
   available.

Description:

   This kernel live patch for Linux Kernel 3.12.43-52.6.1 fixes two security
   issues:

   - CVE-2015-7613: A race condition in the IPC object implementation in the
     Linux kernel allowed local users to gain privileges by triggering an
     ipc_addid call that leads to uid and gid comparisons against
     uninitialized data, related to msg.c, shm.c, and util.c. (bsc#948701
     bsc#948536)
   - CVE-2015-5707: Integer overflow in the sg_start_req function in
     drivers/scsi/sg.c in the Linux kernel allowed local users to cause a
     denial of service or possibly have unspecified other impact via a large
     iov_count value in a write request. (bsc#940342 bsc#940338)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12:
      zypper in -t patch SUSE-SLE-Live-Patching-12-2015-887=1

   To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):

    kgraft-patch-3_12_43-52_6-default-3-2.1
    kgraft-patch-3_12_43-52_6-xen-3-2.1

References:

    https://www.suse.com/security/cve/CVE-2015-5707.html
    https://www.suse.com/security/cve/CVE-2015-7613.html
    https://bugzilla.suse.com/940338
    https://bugzilla.suse.com/940342
    https://bugzilla.suse.com/948536
    https://bugzilla.suse.com/948701

From sle-security-updates at lists.suse.com Tue Nov 24 11:11:20 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:11:20 +0100 (CET)
Subject: SUSE-SU-2015:2085-1: important: Security update for Linux Kernel Live Patch 4
Message-ID: <20151124181120.0D7553213B@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2085-1
Rating:             important
References:         #940338 #940342 #948536 #948701
Cross-References:   CVE-2015-5707 CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.

Description:

This kernel live patch for Linux Kernel 3.12.39-47.1 fixes two security issues:

- CVE-2015-7613: A race condition in the IPC object implementation in the Linux kernel allowed local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (bsc#948701 bsc#948536)
- CVE-2015-5707: Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. (bsc#940342 bsc#940338)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:

    zypper in -t patch SUSE-SLE-Live-Patching-12-2015-886=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):

    kgraft-patch-3_12_39-47-default-3-2.1
    kgraft-patch-3_12_39-47-xen-3-2.1

References:

    https://www.suse.com/security/cve/CVE-2015-5707.html
    https://www.suse.com/security/cve/CVE-2015-7613.html
    https://bugzilla.suse.com/940338
    https://bugzilla.suse.com/940342
    https://bugzilla.suse.com/948536
    https://bugzilla.suse.com/948701

From sle-security-updates at lists.suse.com Tue Nov 24 11:12:16 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:12:16 +0100 (CET)
Subject: SUSE-SU-2015:2086-1: important: Security update for Linux Kernel Live Patch 7
Message-ID: <20151124181216.472B7320DF@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2086-1
Rating:             important
References:         #940338 #940342 #948536 #948701
Cross-References:   CVE-2015-5707 CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.

Description:

This kernel live patch for Linux Kernel 3.12.44-52.18.1 fixes two security issues:

- CVE-2015-7613: A race condition in the IPC object implementation in the Linux kernel allowed local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (bsc#948701 bsc#948536)
- CVE-2015-5707: Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. (bsc#940342 bsc#940338)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:

    zypper in -t patch SUSE-SLE-Live-Patching-12-2015-889=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):

    kgraft-patch-3_12_44-52_18-default-2-4.1
    kgraft-patch-3_12_44-52_18-xen-2-4.1

References:

    https://www.suse.com/security/cve/CVE-2015-5707.html
    https://www.suse.com/security/cve/CVE-2015-7613.html
    https://bugzilla.suse.com/940338
    https://bugzilla.suse.com/940342
    https://bugzilla.suse.com/948536
    https://bugzilla.suse.com/948701

From sle-security-updates at lists.suse.com Tue Nov 24 11:13:08 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:13:08 +0100 (CET)
Subject: SUSE-SU-2015:2087-1: important: Security update for Linux Kernel Live Patch 6
Message-ID: <20151124181308.D13FC3213B@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2087-1
Rating:             important
References:         #940338 #940342 #948536 #948701
Cross-References:   CVE-2015-5707 CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.
Description:

This kernel live patch for Linux Kernel 3.12.44-52.10.1 fixes two security issues:

- CVE-2015-7613: A race condition in the IPC object implementation in the Linux kernel allowed local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (bsc#948701 bsc#948536)
- CVE-2015-5707: Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. (bsc#940342 bsc#940338)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:

    zypper in -t patch SUSE-SLE-Live-Patching-12-2015-888=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):

    kgraft-patch-3_12_44-52_10-default-2-2.1
    kgraft-patch-3_12_44-52_10-xen-2-2.1

References:

    https://www.suse.com/security/cve/CVE-2015-5707.html
    https://www.suse.com/security/cve/CVE-2015-7613.html
    https://bugzilla.suse.com/940338
    https://bugzilla.suse.com/940342
    https://bugzilla.suse.com/948536
    https://bugzilla.suse.com/948701

From sle-security-updates at lists.suse.com Tue Nov 24 11:14:04 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:14:04 +0100 (CET)
Subject: SUSE-SU-2015:2088-1: moderate: Security update for LibVNCServer
Message-ID: <20151124181404.7B0DD3213B@maintenance.suse.de>

SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2088-1
Rating:             moderate
References:         #854151 #897031
Cross-References:   CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054 CVE-2014-6055
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

The LibVNCServer package was updated to fix the following security issues:

- bsc#897031: fix several security issues:
  * CVE-2014-6051: Integer overflow in MallocFrameBuffer() on client side.
  * CVE-2014-6052: Lack of malloc() return value checking on client side.
  * CVE-2014-6053: Server crash on a very large ClientCutText message.
  * CVE-2014-6054: Server crash when scaling factor is set to zero.
  * CVE-2014-6055: Multiple stack overflows in File Transfer feature.
- bsc#854151: Restrict the SSL cipher suite.

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12:

    zypper in -t patch SUSE-SLE-SDK-12-2015-890=1

- SUSE Linux Enterprise Server 12:

    zypper in -t patch SUSE-SLE-SERVER-12-2015-890=1

- SUSE Linux Enterprise Desktop 12:

    zypper in -t patch SUSE-SLE-DESKTOP-12-2015-890=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

    LibVNCServer-debugsource-0.9.9-15.1
    LibVNCServer-devel-0.9.9-15.1

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

    LibVNCServer-debugsource-0.9.9-15.1
    libvncclient0-0.9.9-15.1
    libvncclient0-debuginfo-0.9.9-15.1
    libvncserver0-0.9.9-15.1
    libvncserver0-debuginfo-0.9.9-15.1

- SUSE Linux Enterprise Desktop 12 (x86_64):

    LibVNCServer-debugsource-0.9.9-15.1
    libvncclient0-0.9.9-15.1
    libvncclient0-debuginfo-0.9.9-15.1
    libvncserver0-0.9.9-15.1
    libvncserver0-debuginfo-0.9.9-15.1

References:

    https://www.suse.com/security/cve/CVE-2014-6051.html
    https://www.suse.com/security/cve/CVE-2014-6052.html
    https://www.suse.com/security/cve/CVE-2014-6053.html
    https://www.suse.com/security/cve/CVE-2014-6054.html
    https://www.suse.com/security/cve/CVE-2014-6055.html
    https://bugzilla.suse.com/854151
    https://bugzilla.suse.com/897031

From sle-security-updates at lists.suse.com Tue Nov 24 11:14:37 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:14:37 +0100 (CET)
Subject: SUSE-SU-2015:2089-1: important: Security update for Linux Kernel Live Patch 1
Message-ID: <20151124181437.B92B23213B@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2089-1
Rating:             important
References:         #940338 #940342 #948536 #948701
Cross-References:   CVE-2015-5707 CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.
Description:

This kernel live patch for Linux Kernel 3.12.32-33.1 fixes two security issues:

- CVE-2015-7613: A race condition in the IPC object implementation in the Linux kernel allowed local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (bsc#948701 bsc#948536)
- CVE-2015-5707: Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. (bsc#940342 bsc#940338)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:

    zypper in -t patch SUSE-SLE-Live-Patching-12-2015-883=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):

    kgraft-patch-3_12_32-33-default-4-2.3
    kgraft-patch-3_12_32-33-xen-4-2.3

References:

    https://www.suse.com/security/cve/CVE-2015-5707.html
    https://www.suse.com/security/cve/CVE-2015-7613.html
    https://bugzilla.suse.com/940338
    https://bugzilla.suse.com/940342
    https://bugzilla.suse.com/948536
    https://bugzilla.suse.com/948701

From sle-security-updates at lists.suse.com Tue Nov 24 11:15:27 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:15:27 +0100 (CET)
Subject: SUSE-SU-2015:2090-1: important: Security update for Linux Kernel Live Patch 3
Message-ID: <20151124181527.F260B3213B@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2090-1
Rating:             important
References:         #940338 #940342 #948536 #948701
Cross-References:   CVE-2015-5707 CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.

Description:

This kernel live patch for Linux Kernel 3.12.38-44.1 fixes two security issues:

- CVE-2015-7613: A race condition in the IPC object implementation in the Linux kernel allowed local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (bsc#948701 bsc#948536)
- CVE-2015-5707: Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. (bsc#940342 bsc#940338)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:

    zypper in -t patch SUSE-SLE-Live-Patching-12-2015-885=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):

    kgraft-patch-3_12_38-44-default-3-2.1
    kgraft-patch-3_12_38-44-xen-3-2.1

References:

    https://www.suse.com/security/cve/CVE-2015-5707.html
    https://www.suse.com/security/cve/CVE-2015-7613.html
    https://bugzilla.suse.com/940338
    https://bugzilla.suse.com/940342
    https://bugzilla.suse.com/948536
    https://bugzilla.suse.com/948701

From sle-security-updates at lists.suse.com Tue Nov 24 11:16:18 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2015 19:16:18 +0100 (CET)
Subject: SUSE-SU-2015:2091-1: important: Security update for Linux Kernel Live Patch 2
Message-ID: <20151124181618.CD3B43213B@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2091-1
Rating:             important
References:         #940338 #940342 #948536 #948701
Cross-References:   CVE-2015-5707 CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.

Description:

This kernel live patch for Linux Kernel 3.12.36-38.1 fixes two security issues:

- CVE-2015-7613: A race condition in the IPC object implementation in the Linux kernel allowed local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (bsc#948701 bsc#948536)
- CVE-2015-5707: Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. (bsc#940342 bsc#940338)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:

    zypper in -t patch SUSE-SLE-Live-Patching-12-2015-884=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):

    kgraft-patch-3_12_36-38-default-4-2.3
    kgraft-patch-3_12_36-38-xen-4-2.3

References:

    https://www.suse.com/security/cve/CVE-2015-5707.html
    https://www.suse.com/security/cve/CVE-2015-7613.html
    https://bugzilla.suse.com/940338
    https://bugzilla.suse.com/940342
    https://bugzilla.suse.com/948536
    https://bugzilla.suse.com/948701

From sle-security-updates at lists.suse.com Thu Nov 26 05:10:55 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2015 13:10:55 +0100 (CET)
Subject: SUSE-SU-2015:2108-1: important: Security update for the Linux Kernel
Message-ID: <20151126121055.225A53213B@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2108-1
Rating:             important
References:         #777565 #814440 #900610 #904348 #904965 #920016 #923002
                    #926007 #926709 #926774 #930145 #930788 #932350 #932805
                    #933721 #935053 #935757 #936118 #938706 #939826 #939926
                    #939955 #940017 #940925 #941202 #942204 #942305 #942367
                    #942605 #942688 #942938 #943786 #944296 #944831 #944837
                    #944989 #944993 #945691 #945825 #945827 #946078 #946309
                    #947957 #948330 #948347 #948521 #949100 #949298 #949502
                    #949706 #949744 #949981 #951440 #952084 #952384 #952579
                    #953527 #953980 #954404
Cross-References:   CVE-2015-0272 CVE-2015-5157 CVE-2015-5307 CVE-2015-6252
                    CVE-2015-6937 CVE-2015-7872 CVE-2015-7990 CVE-2015-8104
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Server 11-EXTRA
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves 8 vulnerabilities and has 51 fixes is now available.

Description:

The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2015-8104: Prevent guest to host DoS caused by infinite loop in microcode via #DB exception (bsc#954404).
- CVE-2015-5307: Prevent guest to host DoS caused by infinite loop in microcode via #AC exception (bsc#953527).
- CVE-2015-7990: RDS: Verify the underlying transport exists before creating a connection, preventing possible DoS (bsc#952384).
- CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the x86_64 platform mishandled IRET faults in processing NMIs that occurred during userspace execution, which might have allowed local users to gain privileges by triggering an NMI (bsc#938706).
- CVE-2015-7872: Possible crash when trying to garbage collect an uninstantiated keyring (bsc#951440).
- CVE-2015-0272: Prevent remote DoS using IPv6 RA with bogus MTU by validating it before applying it (bsc#944296).
- CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bsc#945825).
- CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggered permanent file-descriptor allocation (bsc#942367).

The following non-security bugs were fixed:

- alsa: hda - Disable 64bit address for Creative HDA controllers (bsc#814440).
- btrfs: fix hang when failing to submit bio of directIO (bsc#942688).
- btrfs: fix memory corruption on failure to submit bio for direct IO (bsc#942688).
- btrfs: fix put dio bio twice when we submit dio bio fail (bsc#942688).
- dm sysfs: introduce ability to add writable attributes (bsc#904348).
- dm-snap: avoid deadlock on s->lock when a read is split (bsc#939826).
- dm: do not start current request if it would have merged with the previous (bsc#904348).
- dm: impose configurable deadline for dm_request_fn merge heuristic (bsc#904348).
- drm/i915: (re)init HPD interrupt storm statistics (bsc#942938).
- drm/i915: Add HPD IRQ storm detection (v5) (bsc#942938).
- drm/i915: Add Reenable Timer to turn Hotplug Detection back on (v4) (bsc#942938).
- drm/i915: Add bit field to record which pins have received HPD events (v3) (bsc#942938).
- drm/i915: Add enum hpd_pin to intel_encoder (bsc#942938).
- drm/i915: Add messages useful for HPD storm detection debugging (v2) (bsc#942938).
- drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt (bsc#942938).
- drm/i915: Convert HPD interrupts to make use of HPD pin assignment in encoders (v2) (bsc#942938).
- drm/i915: Disable HPD interrupt on pin when irq storm is detected (v3) (bsc#942938).
- drm/i915: Do not WARN nor handle unexpected hpd interrupts on gmch platforms (bsc#942938).
- drm/i915: Enable hotplug interrupts after querying hw capabilities (bsc#942938).
- drm/i915: Fix DDC probe for passive adapters (bsc#900610, fdo#85924).
- drm/i915: Fix hotplug interrupt enabling for SDVOC (bsc#942938).
- drm/i915: Fix up sdvo hpd pins for i965g/gm (bsc#942938).
- drm/i915: Get rid of the "^A" in struct drm_i915_private (bsc#942938).
- drm/i915: Make hpd arrays big enough to avoid out of bounds access (bsc#942938).
- drm/i915: Mask out the HPD irq bits before setting them individually (bsc#942938).
- drm/i915: Only print hotplug event message when hotplug bit is set (bsc#942938).
- drm/i915: Only reprobe display on encoder which has received an HPD event (v2) (bsc#942938).
- drm/i915: Queue reenable timer also when enable_hotplug_processing is false (bsc#942938).
- drm/i915: Remove i965_hpd_irq_setup (bsc#942938).
- drm/i915: Remove pch_rq_mask from struct drm_i915_private (bsc#942938).
- drm/i915: Remove valleyview_hpd_irq_setup (bsc#942938).
- drm/i915: Use an interrupt save spinlock in intel_hpd_irq_handler() (bsc#942938).
- drm/i915: WARN_ONCE() about unexpected interrupts for all chipsets (bsc#942938).
- drm/i915: add hotplug activation period to hotplug update mask (bsc#953980).
- drm/i915: assert_spin_locked for pipestat interrupt enable/disable (bsc#942938).
- drm/i915: clear crt hotplug compare voltage field before setting (bsc#942938).
- drm/i915: close tiny race in the ilk pcu even interrupt setup (bsc#942938).
- drm/i915: fix hotplug event bit tracking (bsc#942938).
- drm/i915: fix hpd interrupt register locking (bsc#942938).
- drm/i915: fix hpd work vs. flush_work in the pageflip code deadlock (bsc#942938).
- drm/i915: fix locking around ironlake_enable|disable_display_irq (bsc#942938).
- drm/i915: fold the hpd_irq_setup call into intel_hpd_irq_handler (bsc#942938).
- drm/i915: fold the no-irq check into intel_hpd_irq_handler (bsc#942938).
- drm/i915: fold the queue_work into intel_hpd_irq_handler (bsc#942938).
- drm/i915: implement ibx_hpd_irq_setup (bsc#942938).
- drm/i915: s/hotplug_irq_storm_detect/intel_hpd_irq_handler/ (bsc#942938).
- ehci-pci: enable interrupt on BayTrail (bnc#926007).
- fix lpfc_send_rscn_event allocation size claims (bsc#935757).
- hugetlb: simplify migrate_huge_page() (bsc#947957, VM Functionality).
- hwpoison, hugetlb: lock_page/unlock_page does not match for handling a free hugepage (bsc#947957).
- ib/iser: Add Discovery support (bsc#923002).
- ib/iser: Move informational messages from error to info level (bsc#923002).
- ib/srp: Avoid skipping srp_reset_host() after a transport error (bsc#904965).
- ib/srp: Fix a sporadic crash triggered by cable pulling (bsc#904965).
- inotify: Fix nested sleeps in inotify_read() (bsc#940925).
- ipv6: fix tunnel error handling (bsc#952579).
- ipv6: probe routes asynchronously in rt6_probe (bsc#936118).
- ipvs: Fix reuse connection if real server is dead (bsc#945827).
- ipvs: drop first packet to dead server (bsc#946078).
- keys: Fix race between key destruction and finding a keyring by name (bsc#951440).
- ktime: add ktime_after and ktime_before helpers (bsc#904348).
- lib/string.c: introduce memchr_inv() (bsc#930788).
- libiscsi: Exporting new attrs for iscsi session and connection in sysfs (bsc#923002).
- macvlan: Support bonding events (bsc#948521).
- make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
- memory-failure: do code refactor of soft_offline_page() (bsc#947957).
- memory-failure: fix an error of mce_bad_pages statistics (bsc#947957).
- memory-failure: use num_poisoned_pages instead of mce_bad_pages (bsc#947957).
- memory-hotplug: update mce_bad_pages when removing the memory (bsc#947957).
- mm/memory-failure.c: fix wrong num_poisoned_pages in handling memory error on thp (bsc#947957).
- mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate successfully (bsc#947957).
- mm/migrate.c: pair unlock_page() and lock_page() when migrating huge pages (bsc#947957).
- mm: exclude reserved pages from dirtyable memory 32b fix (bsc#940017, bsc#949298).
- mm: make page pfmemalloc check more robust (bsc#920016).
- netfilter: nf_conntrack_proto_sctp: minimal multihoming support (bsc#932350).
- pci: Add VPD function 0 quirk for Intel Ethernet devices (bsc#943786).
- pci: Add dev_flags bit to access VPD through function 0 (bsc#943786).
- pci: Add flag indicating device has been assigned by KVM (bsc#777565).
- pci: Clear NumVFs when disabling SR-IOV in sriov_init() (bsc#952084).
- pci: Refresh First VF Offset and VF Stride when updating NumVFs (bsc#952084).
- pci: Update NumVFs register when disabling SR-IOV (bsc#952084).
- pci: delay configuration of SRIOV capability (bsc#952084).
- pci: set pci sriov page size before reading SRIOV BAR (bsc#952084).
- pktgen: clean up ktime_t helpers (bsc#904348).
- qla2xxx: Do not reset adapter if SRB handle is in range (bsc#944993).
- qla2xxx: Remove decrement of sp reference count in abort handler (bsc#944993).
- qla2xxx: do not clear slot in outstanding cmd array (bsc#944993).
- r8169: remember WOL preferences on driver load (bsc#942305).
- rcu: Eliminate deadlock between CPU hotplug and expedited grace periods (bsc#949706).
- rtc: cmos: Cancel alarm timer if alarm time is equal to now+1 seconds (bsc#930145).
- sched/core: Fix task and run queue sched_info::run_delay inconsistencies (bsc#949100).
- scsi: fix scsi_error_handler vs. scsi_host_dev_release race (bsc#942204).
- scsi: hosts: update to use ida_simple for host_no (bsc#939926).
- scsi: kabi: allow iscsi discovery session support (bsc#923002).
- scsi_transport_iscsi: Exporting new attrs for iscsi session and connection in sysfs (bsc#923002).
- sg: fix read() error reporting (bsc#926774).
- usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb (bsc#933721).
- usb: xhci: Reset a halted endpoint immediately when we encounter a stall (bsc#933721).
- usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers (bsc#944989).
- usb: xhci: do not start a halted endpoint before its new dequeue is set (bsc#933721).
- usb: xhci: handle Config Error Change (CEC) in xhci driver (bsc#933721).
- x86/tsc: Change Fast TSC calibration failed from error to info (bsc#942605).
- x86: mm: drop TLB flush from ptep_set_access_flags (bsc#948330).
- x86: mm: only do a local tlb flush in ptep_set_access_flags() (bsc#948330).
- xfs: Fix lost direct IO write in the last block (bsc#949744).
- xfs: Fix softlockup in xfs_inode_ag_walk() (bsc#948347).
- xfs: add EOFBLOCKS inode tagging/untagging (bsc#930788).
- xfs: add XFS_IOC_FREE_EOFBLOCKS ioctl (bsc#930788).
- xfs: add background scanning to clear eofblocks inodes (bsc#930788).
- xfs: add inode id filtering to eofblocks scan (bsc#930788).
- xfs: add minimum file size filtering to eofblocks scan (bsc#930788).
- xfs: create function to scan and clear EOFBLOCKS inodes (bsc#930788).
- xfs: create helper to check whether to free eofblocks on inode (bsc#930788).
- xfs: introduce a common helper xfs_icluster_size_fsb (bsc#932805).
- xfs: make xfs_free_eofblocks() non-static, return EAGAIN on trylock failure (bsc#930788).
- xfs: support a tag-based inode_ag_iterator (bsc#930788).
- xfs: support multiple inode id filtering in eofblocks scan (bsc#930788).
- xfs: use xfs_icluster_size_fsb in xfs_bulkstat (bsc#932805).
- xfs: use xfs_icluster_size_fsb in xfs_ialloc_inode_init (bsc#932805).
- xfs: use xfs_icluster_size_fsb in xfs_ifree_cluster (bsc#932805).
- xfs: use xfs_icluster_size_fsb in xfs_imap (bsc#932805).
- xhci: Add spurious wakeup quirk for LynxPoint-LP controllers (bsc#949981).
- xhci: Allocate correct amount of scratchpad buffers (bsc#933721).
- xhci: Calculate old endpoints correctly on device reset (bsc#944831).
- xhci: Do not enable/disable RWE on bus suspend/resume (bsc#933721).
- xhci: For streams the css flag must be read from the stream-ctx on ep stop (bsc#945691).
- xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 (bsc#933721).
- xhci: Treat not finding the event_seg on COMP_STOP the same as COMP_STOP_INVAL (bsc#933721).
- xhci: Workaround for PME stuck issues in Intel xhci (bsc#933721).
- xhci: change xhci 1.0 only restrictions to support xhci 1.1 (bsc#949502).
- xhci: do not report PLC when link is in internal resume state (bsc#933721).
- xhci: fix isoc endpoint dequeue from advancing too far on transaction error (bsc#944837).
- xhci: fix reporting of 0-sized URBs in control endpoint (bsc#933721).
- xhci: report U3 when link is in resume state (bsc#933721).
- xhci: rework cycle bit checking for new dequeue pointers (bsc#933721).
- xhci: use uninterruptible sleep for waiting for internal operations (bsc#939955).
Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11-SP3:

    zypper in -t patch sdksp3-kernel-source-12226=1

- SUSE Linux Enterprise Server for VMWare 11-SP3:

    zypper in -t patch slessp3-kernel-source-12226=1

- SUSE Linux Enterprise Server 11-SP3:

    zypper in -t patch slessp3-kernel-source-12226=1

- SUSE Linux Enterprise Server 11-EXTRA:

    zypper in -t patch slexsp3-kernel-source-12226=1

- SUSE Linux Enterprise Desktop 11-SP3:

    zypper in -t patch sledsp3-kernel-source-12226=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

    zypper in -t patch dbgsp3-kernel-source-12226=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11-SP3 (noarch):

    kernel-docs-3.0.101-0.47.71.3

- SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):

    kernel-default-3.0.101-0.47.71.1
    kernel-default-base-3.0.101-0.47.71.1
    kernel-default-devel-3.0.101-0.47.71.1
    kernel-source-3.0.101-0.47.71.1
    kernel-syms-3.0.101-0.47.71.1
    kernel-trace-3.0.101-0.47.71.1
    kernel-trace-base-3.0.101-0.47.71.1
    kernel-trace-devel-3.0.101-0.47.71.1
    kernel-xen-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server for VMWare 11-SP3 (x86_64):

    kernel-bigsmp-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server for VMWare 11-SP3 (i586):

    kernel-pae-3.0.101-0.47.71.1
    kernel-pae-base-3.0.101-0.47.71.1
    kernel-pae-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):

    kernel-default-3.0.101-0.47.71.1
    kernel-default-base-3.0.101-0.47.71.1
    kernel-default-devel-3.0.101-0.47.71.1
    kernel-source-3.0.101-0.47.71.1
    kernel-syms-3.0.101-0.47.71.1
    kernel-trace-3.0.101-0.47.71.1
    kernel-trace-base-3.0.101-0.47.71.1
    kernel-trace-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-SP3 (i586 x86_64):

    kernel-ec2-3.0.101-0.47.71.1
    kernel-ec2-base-3.0.101-0.47.71.1
    kernel-ec2-devel-3.0.101-0.47.71.1
    kernel-xen-3.0.101-0.47.71.1
    kernel-xen-base-3.0.101-0.47.71.1
    kernel-xen-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-SP3 (x86_64):

    kernel-bigsmp-3.0.101-0.47.71.1
    kernel-bigsmp-base-3.0.101-0.47.71.1
    kernel-bigsmp-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-SP3 (s390x):

    kernel-default-man-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-SP3 (ppc64):

    kernel-ppc64-3.0.101-0.47.71.1
    kernel-ppc64-base-3.0.101-0.47.71.1
    kernel-ppc64-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-SP3 (i586):

    kernel-pae-3.0.101-0.47.71.1
    kernel-pae-base-3.0.101-0.47.71.1
    kernel-pae-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

    kernel-default-extra-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

    kernel-xen-extra-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-EXTRA (x86_64):

    kernel-bigsmp-extra-3.0.101-0.47.71.1
    kernel-trace-extra-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-EXTRA (ppc64):

    kernel-ppc64-extra-3.0.101-0.47.71.1

- SUSE Linux Enterprise Server 11-EXTRA (i586):

    kernel-pae-extra-3.0.101-0.47.71.1

- SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

    kernel-default-3.0.101-0.47.71.1
    kernel-default-base-3.0.101-0.47.71.1
    kernel-default-devel-3.0.101-0.47.71.1
    kernel-default-extra-3.0.101-0.47.71.1
    kernel-source-3.0.101-0.47.71.1
    kernel-syms-3.0.101-0.47.71.1
    kernel-trace-devel-3.0.101-0.47.71.1
    kernel-xen-3.0.101-0.47.71.1
    kernel-xen-base-3.0.101-0.47.71.1
    kernel-xen-devel-3.0.101-0.47.71.1
    kernel-xen-extra-3.0.101-0.47.71.1

- SUSE Linux Enterprise Desktop 11-SP3 (x86_64):

    kernel-bigsmp-devel-3.0.101-0.47.71.1

- SUSE Linux Enterprise Desktop 11-SP3 (i586):

    kernel-pae-3.0.101-0.47.71.1
    kernel-pae-base-3.0.101-0.47.71.1
    kernel-pae-devel-3.0.101-0.47.71.1
    kernel-pae-extra-3.0.101-0.47.71.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):

    kernel-default-debuginfo-3.0.101-0.47.71.1
    kernel-default-debugsource-3.0.101-0.47.71.1
    kernel-trace-debuginfo-3.0.101-0.47.71.1
    kernel-trace-debugsource-3.0.101-0.47.71.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

    kernel-ec2-debuginfo-3.0.101-0.47.71.1
    kernel-ec2-debugsource-3.0.101-0.47.71.1
    kernel-xen-debuginfo-3.0.101-0.47.71.1
    kernel-xen-debugsource-3.0.101-0.47.71.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64):

    kernel-bigsmp-debuginfo-3.0.101-0.47.71.1
    kernel-bigsmp-debugsource-3.0.101-0.47.71.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (ppc64):

    kernel-ppc64-debuginfo-3.0.101-0.47.71.1
    kernel-ppc64-debugsource-3.0.101-0.47.71.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586):

    kernel-pae-debuginfo-3.0.101-0.47.71.1
    kernel-pae-debugsource-3.0.101-0.47.71.1

References:

https://www.suse.com/security/cve/CVE-2015-0272.html
https://www.suse.com/security/cve/CVE-2015-5157.html
https://www.suse.com/security/cve/CVE-2015-5307.html
https://www.suse.com/security/cve/CVE-2015-6252.html
https://www.suse.com/security/cve/CVE-2015-6937.html
https://www.suse.com/security/cve/CVE-2015-7872.html
https://www.suse.com/security/cve/CVE-2015-7990.html
https://www.suse.com/security/cve/CVE-2015-8104.html
https://bugzilla.suse.com/777565
https://bugzilla.suse.com/814440
https://bugzilla.suse.com/900610
https://bugzilla.suse.com/904348
https://bugzilla.suse.com/904965
https://bugzilla.suse.com/920016
https://bugzilla.suse.com/923002
https://bugzilla.suse.com/926007
https://bugzilla.suse.com/926709
https://bugzilla.suse.com/926774
https://bugzilla.suse.com/930145
https://bugzilla.suse.com/930788
https://bugzilla.suse.com/932350
https://bugzilla.suse.com/932805
https://bugzilla.suse.com/933721
https://bugzilla.suse.com/935053
https://bugzilla.suse.com/935757
https://bugzilla.suse.com/936118
https://bugzilla.suse.com/938706
https://bugzilla.suse.com/939826
https://bugzilla.suse.com/939926
https://bugzilla.suse.com/939955
https://bugzilla.suse.com/940017
https://bugzilla.suse.com/940925
https://bugzilla.suse.com/941202
https://bugzilla.suse.com/942204
https://bugzilla.suse.com/942305
https://bugzilla.suse.com/942367
https://bugzilla.suse.com/942605
https://bugzilla.suse.com/942688
https://bugzilla.suse.com/942938
https://bugzilla.suse.com/943786
https://bugzilla.suse.com/944296
https://bugzilla.suse.com/944831
https://bugzilla.suse.com/944837
https://bugzilla.suse.com/944989
https://bugzilla.suse.com/944993
https://bugzilla.suse.com/945691
https://bugzilla.suse.com/945825
https://bugzilla.suse.com/945827
https://bugzilla.suse.com/946078
https://bugzilla.suse.com/946309
https://bugzilla.suse.com/947957
https://bugzilla.suse.com/948330
https://bugzilla.suse.com/948347
https://bugzilla.suse.com/948521
https://bugzilla.suse.com/949100
https://bugzilla.suse.com/949298
https://bugzilla.suse.com/949502
https://bugzilla.suse.com/949706
https://bugzilla.suse.com/949744
https://bugzilla.suse.com/949981
https://bugzilla.suse.com/951440
https://bugzilla.suse.com/952084
https://bugzilla.suse.com/952384
https://bugzilla.suse.com/952579
https://bugzilla.suse.com/953527
https://bugzilla.suse.com/953980
https://bugzilla.suse.com/954404


From sle-security-updates at lists.suse.com Thu Nov 26 07:11:30 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2015 15:11:30 +0100 (CET)
Subject: SUSE-SU-2015:2110-1: moderate: Security update for LibVNCServer
Message-ID: <20151126141130.098DC3213B@maintenance.suse.de>

SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2110-1
Rating:             moderate
References:         #897031
Cross-References:   CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054
                    CVE-2014-6055
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server for VMWare 11-SP3
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

The libvncserver package was updated to fix the following security issues:

- bsc#897031: fix several security issues:
  * CVE-2014-6051: Integer overflow in MallocFrameBuffer() on client side.
  * CVE-2014-6052: Lack of malloc() return value checking on client side.
  * CVE-2014-6053: Server crash on a very large ClientCutText message.
  * CVE-2014-6054: Server crash when scaling factor is set to zero.
  * CVE-2014-6055: Multiple stack overflows in File Transfer feature.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11-SP4:

    zypper in -t patch sdksp4-libvncserver-12227=1

- SUSE Linux Enterprise Software Development Kit 11-SP3:

    zypper in -t patch sdksp3-libvncserver-12227=1

- SUSE Linux Enterprise Server for VMWare 11-SP3:

    zypper in -t patch slessp3-libvncserver-12227=1

- SUSE Linux Enterprise Server 11-SP4:

    zypper in -t patch slessp4-libvncserver-12227=1

- SUSE Linux Enterprise Server 11-SP3:

    zypper in -t patch slessp3-libvncserver-12227=1

- SUSE Linux Enterprise Desktop 11-SP4:

    zypper in -t patch sledsp4-libvncserver-12227=1

- SUSE Linux Enterprise Desktop 11-SP3:

    zypper in -t patch sledsp3-libvncserver-12227=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

    zypper in -t patch dbgsp4-libvncserver-12227=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

    zypper in -t patch dbgsp3-libvncserver-12227=1

To bring your system up-to-date, use "zypper patch".
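The four LibVNCServer issue classes listed in the description above (an unchecked width*height*bpp product in MallocFrameBuffer(), an unchecked malloc() return, an attacker-chosen ClientCutText length, and a zero scaling factor) share one defensive pattern: validate every peer-supplied size before it reaches an allocation, a copy or a division. The following C program is an added illustration of that pattern written for this page; it is not LibVNCServer's code and does not reproduce its internals. The limits MAX_FB_DIMENSION and MAX_CUT_TEXT and the two sample messages are constructed for the example; the ClientCutText layout (type byte, 3 padding bytes, big-endian 32-bit length, text) is the one the RFB protocol defines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sanity limits for this example; not values from
 * LibVNCServer or from the advisory. */
#define MAX_FB_DIMENSION    16384u      /* largest accepted width or height */
#define MAX_CUT_TEXT        (1u << 20)  /* largest accepted ClientCutText   */
#define RFB_CLIENT_CUT_TEXT 6           /* RFB message type of ClientCutText */

/* Integer-overflow class (cf. CVE-2014-6051): compute width*height*bpp
 * without wrapping.  Returns 0 when the request is rejected, otherwise
 * the number of bytes the frame buffer needs. */
size_t framebuffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes;

    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return 0;
    if (width > MAX_FB_DIMENSION || height > MAX_FB_DIMENSION)
        return 0;
    /* Dimensions are bounded now, but still guard size_t on 32-bit builds. */
    if ((size_t)width > SIZE_MAX / height)
        return 0;
    bytes = (size_t)width * height;
    if (bytes > SIZE_MAX / bpp)
        return 0;
    return bytes * bpp;
}

/* Unchecked-malloc class (cf. CVE-2014-6052): never hand back a buffer
 * the allocator did not actually provide. */
unsigned char *safe_framebuffer_alloc(uint32_t width, uint32_t height,
                                      uint32_t bpp)
{
    size_t bytes = framebuffer_size(width, height, bpp);

    if (bytes == 0)
        return NULL;
    return malloc(bytes);   /* NULL propagates to the caller on failure */
}

/* Oversized-message class (cf. CVE-2014-6053): bounded ClientCutText
 * handling.  Copies the text NUL-terminated into out and returns its
 * length, or -1 if the message is truncated, of the wrong type, or
 * larger than the configured limit or the destination. */
int parse_client_cut_text(const uint8_t *msg, size_t msglen,
                          char *out, size_t outcap)
{
    uint32_t len;

    if (msglen < 8 || msg[0] != RFB_CLIENT_CUT_TEXT)
        return -1;
    len = ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
          ((uint32_t)msg[6] << 8)  |  (uint32_t)msg[7];
    /* Reject before any allocation or copy: a peer-chosen length must
     * never drive a buffer size on its own. */
    if (len > MAX_CUT_TEXT || len > msglen - 8 || len >= outcap)
        return -1;
    memcpy(out, msg + 8, len);
    out[len] = '\0';
    return (int)len;
}

/* Zero-divisor class (cf. CVE-2014-6054): refuse a scaling factor of
 * zero instead of letting it reach a division.  Returns 1 and sets
 * *out on success, 0 when rejected. */
int scaled_dimension(uint32_t dim, uint32_t factor, size_t *out)
{
    if (factor == 0)
        return 0;
    *out = dim / factor;
    return 1;
}

/* Constructed sample messages for the demonstration (not captured traffic). */
static const uint8_t SAMPLE_CUT_TEXT[] =
    { 6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_OVERSIZED[] =
    { 6, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF, 'h' };

int main(void)
{
    char text[64];
    size_t n = 0;
    unsigned char *fb = safe_framebuffer_alloc(640, 480, 4);

    printf("640x480x4 -> %zu bytes (%s)\n", framebuffer_size(640, 480, 4),
           fb ? "allocated" : "rejected");
    free(fb);
    printf("sane ClientCutText -> %d\n",
           parse_client_cut_text(SAMPLE_CUT_TEXT, sizeof SAMPLE_CUT_TEXT,
                                 text, sizeof text));
    printf("oversized ClientCutText -> %d\n",
           parse_client_cut_text(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED,
                                 text, sizeof text));
    printf("scale factor 0 accepted -> %d\n", scaled_dimension(800, 0, &n));
    return 0;
}
```

The order of the checks in parse_client_cut_text() is the point: the length field is compared against the configured maximum, against the bytes actually received, and against the destination capacity before a single byte is copied, so a hostile length cannot select the allocation size or the copy length by itself.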
Package List:

- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

    LibVNCServer-devel-0.9.1-156.1

- SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 ia64 ppc64 s390x x86_64):

    LibVNCServer-devel-0.9.1-156.1

- SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):

    LibVNCServer-0.9.1-156.1

- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

    LibVNCServer-0.9.1-156.1

- SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):

    LibVNCServer-0.9.1-156.1

- SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

    LibVNCServer-0.9.1-156.1

- SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

    LibVNCServer-0.9.1-156.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

    LibVNCServer-debuginfo-0.9.1-156.1
    LibVNCServer-debugsource-0.9.1-156.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):

    LibVNCServer-debuginfo-0.9.1-156.1
    LibVNCServer-debugsource-0.9.1-156.1

References:

https://www.suse.com/security/cve/CVE-2014-6051.html
https://www.suse.com/security/cve/CVE-2014-6052.html
https://www.suse.com/security/cve/CVE-2014-6053.html
https://www.suse.com/security/cve/CVE-2014-6054.html
https://www.suse.com/security/cve/CVE-2014-6055.html
https://bugzilla.suse.com/897031


From sle-security-updates at lists.suse.com Fri Nov 27 05:10:20 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2015 13:10:20 +0100 (CET)
Subject: SUSE-SU-2015:2116-1: moderate: Security update for sblim-sfcb
Message-ID: <20151127121020.449B532139@maintenance.suse.de>

SUSE Security Update: Security update for sblim-sfcb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2116-1
Rating:             moderate
References:         #942628
Cross-References:   CVE-2015-5185
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update of sblim-sfcb fixes a potential NULL pointer crash in lookupProviders() (CVE-2015-5185).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:

    zypper in -t patch SUSE-SLE-SERVER-12-2015-904=1

- SUSE Linux Enterprise Desktop 12:

    zypper in -t patch SUSE-SLE-DESKTOP-12-2015-904=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

    sblim-sfcb-1.4.8-5.3.3
    sblim-sfcb-debuginfo-1.4.8-5.3.3
    sblim-sfcb-debugsource-1.4.8-5.3.3

- SUSE Linux Enterprise Desktop 12 (x86_64):

    sblim-sfcb-1.4.8-5.3.3
    sblim-sfcb-debuginfo-1.4.8-5.3.3
    sblim-sfcb-debugsource-1.4.8-5.3.3

References:

https://www.suse.com/security/cve/CVE-2015-5185.html
https://bugzilla.suse.com/942628


From sle-security-updates at lists.suse.com Fri Nov 27 09:16:54 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2015 17:16:54 +0100 (CET)
Subject: SUSE-SU-2015:2131-1: moderate: Security update for cabextract
Message-ID: <20151127161654.BE0D232139@maintenance.suse.de>

SUSE Security Update: Security update for cabextract
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2131-1
Rating:             moderate
References:         #934524 #934527 #934528
Cross-References:   CVE-2014-9556 CVE-2014-9732 CVE-2015-4470 CVE-2015-4471
Affected Products:
                    SUSE Linux Enterprise Desktop 11-SP4
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.
Description:

This security update fixes the following issues:

- Fix possible infinite loop causing a DoS (bsc#919283, CVE-2014-9556)
- Fix NULL pointer dereference (bsc#934524, CVE-2014-9732)
- Fix off-by-one (bsc#934527, CVE-2015-4470)
- Fix buffer under-read crash (bsc#934528, CVE-2015-4471)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Desktop 11-SP4:

    zypper in -t patch sledsp4-cabextract-12233=1

- SUSE Linux Enterprise Desktop 11-SP3:

    zypper in -t patch sledsp3-cabextract-12233=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

    zypper in -t patch dbgsp4-cabextract-12233=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

    zypper in -t patch dbgsp3-cabextract-12233=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):

    cabextract-1.2-2.12.1

- SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

    cabextract-1.2-2.12.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

    cabextract-debuginfo-1.2-2.12.1
    cabextract-debugsource-1.2-2.12.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

    cabextract-debuginfo-1.2-2.12.1
    cabextract-debugsource-1.2-2.12.1

References:

https://www.suse.com/security/cve/CVE-2014-9556.html
https://www.suse.com/security/cve/CVE-2014-9732.html
https://www.suse.com/security/cve/CVE-2015-4470.html
https://www.suse.com/security/cve/CVE-2015-4471.html
https://bugzilla.suse.com/934524
https://bugzilla.suse.com/934527
https://bugzilla.suse.com/934528


From sle-security-updates at lists.suse.com Mon Nov 30 07:10:19 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Nov 2015 15:10:19 +0100 (CET)
Subject: SUSE-SU-2015:2156-1: moderate: Security update for python-requests
Message-ID: <20151130141019.E1CE332139@maintenance.suse.de>

SUSE Security Update: Security update for python-requests
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2156-1
Rating:             moderate
References:         #922448 #935252
Cross-References:   CVE-2015-2296
Affected Products:
                    SUSE OpenStack Cloud 5
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

python-requests was updated to fix one security issue.

This security issue was fixed:

- CVE-2015-2296: The resolve_redirects function in sessions.py allowed remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. (bsc#922448)

This non-security issue was fixed:

- Don't use the hardcoded path for certificates. (bsc#935252)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 5:

    zypper in -t patch sleclo50sp3-python-requests-12235=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE OpenStack Cloud 5 (x86_64):

    python-requests-2.3.0-9.2

References:

https://www.suse.com/security/cve/CVE-2015-2296.html
https://bugzilla.suse.com/922448
https://bugzilla.suse.com/935252