From sle-security-updates at lists.suse.com  Thu Sep  1 10:09:31 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Sep 2016 18:09:31 +0200 (CEST)
Subject: SUSE-SU-2016:2210-1: moderate: Security update for php53
Message-ID: <20160901160931.6CC2FF7C3@maintenance.suse.de>

   SUSE Security Update: Security update for php53
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2210-1
Rating:             moderate
References:         #987530 #991426 #991427 #991428 #991429 #991430 #991433
                    #991437
Cross-References:   CVE-2014-3587 CVE-2016-3587 CVE-2016-5399 CVE-2016-6288
                    CVE-2016-6289 CVE-2016-6290 CVE-2016-6291 CVE-2016-6296
                    CVE-2016-6297
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available.

Description:

   This update for php53 fixes the following issues:

   - security update:
     * CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting SLES11 SP3 [bsc#987530]
     * CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426]
     * CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427]
     * CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428]
     * CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429]
     * CVE-2016-5399: Improper error handling in bzread() [bsc#991430]
     * CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433]
     * CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-php53-12724=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-php53-12724=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-php53-12724=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      php53-devel-5.3.17-79.2
      php53-imap-5.3.17-79.2
      php53-posix-5.3.17-79.2
      php53-readline-5.3.17-79.2
      php53-sockets-5.3.17-79.2
      php53-sqlite-5.3.17-79.2
      php53-tidy-5.3.17-79.2

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      apache2-mod_php53-5.3.17-79.2
      php53-5.3.17-79.2
      php53-bcmath-5.3.17-79.2
      php53-bz2-5.3.17-79.2
      php53-calendar-5.3.17-79.2
      php53-ctype-5.3.17-79.2
      php53-curl-5.3.17-79.2
      php53-dba-5.3.17-79.2
      php53-dom-5.3.17-79.2
      php53-exif-5.3.17-79.2
      php53-fastcgi-5.3.17-79.2
      php53-fileinfo-5.3.17-79.2
      php53-ftp-5.3.17-79.2
      php53-gd-5.3.17-79.2
      php53-gettext-5.3.17-79.2
      php53-gmp-5.3.17-79.2
      php53-iconv-5.3.17-79.2
      php53-intl-5.3.17-79.2
      php53-json-5.3.17-79.2
      php53-ldap-5.3.17-79.2
      php53-mbstring-5.3.17-79.2
      php53-mcrypt-5.3.17-79.2
      php53-mysql-5.3.17-79.2
      php53-odbc-5.3.17-79.2
      php53-openssl-5.3.17-79.2
      php53-pcntl-5.3.17-79.2
      php53-pdo-5.3.17-79.2
      php53-pear-5.3.17-79.2
      php53-pgsql-5.3.17-79.2
      php53-pspell-5.3.17-79.2
      php53-shmop-5.3.17-79.2
      php53-snmp-5.3.17-79.2
      php53-soap-5.3.17-79.2
      php53-suhosin-5.3.17-79.2
      php53-sysvmsg-5.3.17-79.2
      php53-sysvsem-5.3.17-79.2
      php53-sysvshm-5.3.17-79.2
      php53-tokenizer-5.3.17-79.2
      php53-wddx-5.3.17-79.2
      php53-xmlreader-5.3.17-79.2
      php53-xmlrpc-5.3.17-79.2
      php53-xmlwriter-5.3.17-79.2
      php53-xsl-5.3.17-79.2
      php53-zip-5.3.17-79.2
      php53-zlib-5.3.17-79.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      php53-debuginfo-5.3.17-79.2
      php53-debugsource-5.3.17-79.2


References:
   https://www.suse.com/security/cve/CVE-2014-3587.html
   https://www.suse.com/security/cve/CVE-2016-3587.html
   https://www.suse.com/security/cve/CVE-2016-5399.html
   https://www.suse.com/security/cve/CVE-2016-6288.html
   https://www.suse.com/security/cve/CVE-2016-6289.html
   https://www.suse.com/security/cve/CVE-2016-6290.html
   https://www.suse.com/security/cve/CVE-2016-6291.html
   https://www.suse.com/security/cve/CVE-2016-6296.html
   https://www.suse.com/security/cve/CVE-2016-6297.html
   https://bugzilla.suse.com/987530
   https://bugzilla.suse.com/991426
   https://bugzilla.suse.com/991427
   https://bugzilla.suse.com/991428
   https://bugzilla.suse.com/991429
   https://bugzilla.suse.com/991430
   https://bugzilla.suse.com/991433
   https://bugzilla.suse.com/991437


From sle-security-updates at lists.suse.com  Fri Sep  2 04:09:12 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Sep 2016 12:09:12 +0200 (CEST)
Subject: SUSE-SU-2016:2211-1: moderate: Security update for cracklib
Message-ID: <20160902100912.DC7BEF7C3@maintenance.suse.de>

   SUSE Security Update: Security update for cracklib
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2211-1
Rating:             moderate
References:         #928923 #992966
Cross-References:   CVE-2016-6318
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for cracklib fixes a security issue and a bug:

   Security issue fixed:
   - Add patch to fix a stack buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)

   The following non-security issue was fixed:
   - Call textdomain in cracklib-check main function so that program output is translated accordingly.
     (bsc#928923)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-cracklib-12726=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-cracklib-12726=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-cracklib-12726=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-cracklib-12726=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Studio Onsite 1.3 (x86_64):

      cracklib-dict-small-2.8.12-56.13.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      cracklib-devel-2.8.12-56.13.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      cracklib-2.8.12-56.13.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      cracklib-32bit-2.8.12-56.13.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      cracklib-x86-2.8.12-56.13.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      cracklib-debuginfo-2.8.12-56.13.1
      cracklib-debugsource-2.8.12-56.13.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      cracklib-debuginfo-32bit-2.8.12-56.13.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64):

      cracklib-debuginfo-x86-2.8.12-56.13.1


References:

   https://www.suse.com/security/cve/CVE-2016-6318.html
   https://bugzilla.suse.com/928923
   https://bugzilla.suse.com/992966


From sle-security-updates at lists.suse.com  Fri Sep  2 04:09:59 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Sep 2016 12:09:59 +0200 (CEST)
Subject: SUSE-SU-2016:2212-1: moderate: Security update for wireshark
Message-ID: <20160902100959.6536EF7C3@maintenance.suse.de>

   SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2212-1
Rating:             moderate
References:
                    #983671 #991012 #991013 #991015 #991016 #991017 #991018
                    #991019 #991020
Cross-References:   CVE-2016-5350 CVE-2016-5351 CVE-2016-5352 CVE-2016-5353
                    CVE-2016-5354 CVE-2016-5355 CVE-2016-5356 CVE-2016-5357
                    CVE-2016-5358 CVE-2016-5359 CVE-2016-6504 CVE-2016-6505
                    CVE-2016-6506 CVE-2016-6507 CVE-2016-6508 CVE-2016-6509
                    CVE-2016-6510 CVE-2016-6511
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   This update to wireshark 1.12.13 fixes the following issues:

   - CVE-2016-6504: wireshark: NDS dissector crash (bsc#991012)
   - CVE-2016-6505: wireshark: PacketBB dissector could divide by zero (bsc#991013)
   - CVE-2016-6506: wireshark: WSP infinite loop (bsc#991015)
   - CVE-2016-6507: wireshark: MMSE infinite loop (bsc#991016)
   - CVE-2016-6508: wireshark: RLC long loop (bsc#991017)
   - CVE-2016-6509: wireshark: LDSS dissector crash (bsc#991018)
   - CVE-2016-6510: wireshark: RLC dissector crash (bsc#991019)
   - CVE-2016-6511: wireshark: OpenFlow long loop (bnc#991020)
   - CVE-2016-5350: SPOOLS infinite loop (bsc#983671)
   - CVE-2016-5351: IEEE 802.11 dissector crash (bsc#983671)
   - CVE-2016-5352: IEEE 802.11 dissector crash, different from wpna-sec-2016-30 (bsc#983671)
   - CVE-2016-5353: UMTS FP crash (bsc#983671)
   - CVE-2016-5354: USB dissector crash (bsc#983671)
   - CVE-2016-5355: Toshiba file parser crash (bsc#983671)
   - CVE-2016-5356: CoSine file parser crash (bsc#983671)
   - CVE-2016-5357: NetScreen file parser crash (bsc#983671)
   - CVE-2016-5358: Ethernet dissector crash (bsc#983671)
   - CVE-2016-5359: WBXML infinite loop (bsc#983671)

   For more details please see:
   https://www.wireshark.org/docs/relnotes/wireshark-1.12.12.html
   https://www.wireshark.org/docs/relnotes/wireshark-1.12.13.html

Patch Instructions:

   To install this SUSE Security Update use YaST
   online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-wireshark-12725=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-wireshark-12725=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-wireshark-12725=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      wireshark-devel-1.12.13-0.23.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

      wireshark-1.12.13-0.23.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      wireshark-1.12.13-0.23.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      wireshark-debuginfo-1.12.13-0.23.1
      wireshark-debugsource-1.12.13-0.23.1


References:

   https://www.suse.com/security/cve/CVE-2016-5350.html
   https://www.suse.com/security/cve/CVE-2016-5351.html
   https://www.suse.com/security/cve/CVE-2016-5352.html
   https://www.suse.com/security/cve/CVE-2016-5353.html
   https://www.suse.com/security/cve/CVE-2016-5354.html
   https://www.suse.com/security/cve/CVE-2016-5355.html
   https://www.suse.com/security/cve/CVE-2016-5356.html
   https://www.suse.com/security/cve/CVE-2016-5357.html
   https://www.suse.com/security/cve/CVE-2016-5358.html
   https://www.suse.com/security/cve/CVE-2016-5359.html
   https://www.suse.com/security/cve/CVE-2016-6504.html
   https://www.suse.com/security/cve/CVE-2016-6505.html
   https://www.suse.com/security/cve/CVE-2016-6506.html
   https://www.suse.com/security/cve/CVE-2016-6507.html
   https://www.suse.com/security/cve/CVE-2016-6508.html
   https://www.suse.com/security/cve/CVE-2016-6509.html
   https://www.suse.com/security/cve/CVE-2016-6510.html
   https://www.suse.com/security/cve/CVE-2016-6511.html
   https://bugzilla.suse.com/983671
   https://bugzilla.suse.com/991012
   https://bugzilla.suse.com/991013
   https://bugzilla.suse.com/991015
   https://bugzilla.suse.com/991016
   https://bugzilla.suse.com/991017
   https://bugzilla.suse.com/991018
   https://bugzilla.suse.com/991019
   https://bugzilla.suse.com/991020


From sle-security-updates at lists.suse.com  Fri Sep  2 07:09:59 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Sep 2016 15:09:59 +0200 (CEST)
Subject: SUSE-SU-2016:2217-1: moderate: Security update for kinit
Message-ID: <20160902130959.0CE3BF7C3@maintenance.suse.de>

   SUSE Security Update: Security update for kinit
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2217-1
Rating:             moderate
References:         #983926
Cross-References:   CVE-2016-3100
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   kinit was updated to fix one security issue.

   This security issue was fixed:
   - CVE-2016-3100: World readable Xauthority file exposed cookie credentials (boo#983926).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch 5270=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

      kinit-5.20.0-6.1
      kinit-debuginfo-5.20.0-6.1
      kinit-debugsource-5.20.0-6.1
      kinit-devel-5.20.0-6.1

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

      kinit-lang-5.20.0-6.1


References:

   https://www.suse.com/security/cve/CVE-2016-3100.html
   https://bugzilla.suse.com/983926


From sle-security-updates at lists.suse.com  Fri Sep  2 07:10:27 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Sep 2016 15:10:27 +0200 (CEST)
Subject: SUSE-SU-2016:2218-1: moderate: Security update for mariadb
Message-ID: <20160902131027.1C863F7C3@maintenance.suse.de>

   SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2218-1
Rating:             moderate
References:         #984858 #985217 #986251 #991616
Cross-References:   CVE-2016-3477 CVE-2016-3521 CVE-2016-3615 CVE-2016-5440
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   This update for mariadb fixes the following issues:

   - CVE-2016-3477: Unspecified vulnerability in subcomponent parser [bsc#991616]
   - CVE-2016-3521: Unspecified vulnerability in subcomponent types [bsc#991616]
   - CVE-2016-3615: Unspecified vulnerability in subcomponent dml [bsc#991616]
   - CVE-2016-5440: Unspecified vulnerability in subcomponent rbr [bsc#991616]
   - mariadb failing test main.bootstrap [bsc#984858]
   - left over "openSUSE" comments in MariaDB on SLE12 GM and SP1 [bsc#985217]
   - remove unnecessary conditionals from specfile
   - add '--ignore-db-dir=lost+found' option to rc.mysql-multi in order not to
     misinterpret the lost+found directory as a database [bsc#986251]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1308=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1308=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1308=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1308=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      libmysqlclient_r18-10.0.26-9.2
      libmysqlclient_r18-32bit-10.0.26-9.2
      mariadb-debuginfo-10.0.26-9.2
      mariadb-debugsource-10.0.26-9.2

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libmysqlclient-devel-10.0.26-9.2
      libmysqlclient_r18-10.0.26-9.2
      libmysqld-devel-10.0.26-9.2
      libmysqld18-10.0.26-9.2
      libmysqld18-debuginfo-10.0.26-9.2
      mariadb-debuginfo-10.0.26-9.2
      mariadb-debugsource-10.0.26-9.2

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libmysqlclient18-10.0.26-9.2
      libmysqlclient18-debuginfo-10.0.26-9.2
      mariadb-10.0.26-9.2
      mariadb-client-10.0.26-9.2
      mariadb-client-debuginfo-10.0.26-9.2
      mariadb-debuginfo-10.0.26-9.2
      mariadb-debugsource-10.0.26-9.2
      mariadb-errormessages-10.0.26-9.2
      mariadb-tools-10.0.26-9.2
      mariadb-tools-debuginfo-10.0.26-9.2

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libmysqlclient18-32bit-10.0.26-9.2
      libmysqlclient18-debuginfo-32bit-10.0.26-9.2

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libmysqlclient18-10.0.26-9.2
      libmysqlclient18-32bit-10.0.26-9.2
      libmysqlclient18-debuginfo-10.0.26-9.2
      libmysqlclient18-debuginfo-32bit-10.0.26-9.2
      libmysqlclient_r18-10.0.26-9.2
      libmysqlclient_r18-32bit-10.0.26-9.2
      mariadb-10.0.26-9.2
      mariadb-client-10.0.26-9.2
      mariadb-client-debuginfo-10.0.26-9.2
      mariadb-debuginfo-10.0.26-9.2
      mariadb-debugsource-10.0.26-9.2
      mariadb-errormessages-10.0.26-9.2


References:

   https://www.suse.com/security/cve/CVE-2016-3477.html
   https://www.suse.com/security/cve/CVE-2016-3521.html
   https://www.suse.com/security/cve/CVE-2016-3615.html
   https://www.suse.com/security/cve/CVE-2016-5440.html
   https://bugzilla.suse.com/984858
   https://bugzilla.suse.com/985217
   https://bugzilla.suse.com/986251
   https://bugzilla.suse.com/991616


From sle-security-updates at lists.suse.com  Fri Sep  2 09:08:52 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Sep 2016 17:08:52 +0200
(CEST)
Subject: SUSE-SU-2016:2226-1: moderate: Security update for wget
Message-ID: <20160902150852.9B82DF7C5@maintenance.suse.de>

   SUSE Security Update: Security update for wget
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2226-1
Rating:             moderate
References:         #937096 #958342 #984060
Cross-References:   CVE-2015-2059 CVE-2016-4971
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for wget fixes the following issues:

   - Fix for HTTP to a FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971).
   - Work around a libidn vulnerability (bsc#937096, CVE-2015-2059).
   - Fix for wget fails with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1309=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1309=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      wget-1.14-10.3
      wget-debuginfo-1.14-10.3
      wget-debugsource-1.14-10.3

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      wget-1.14-10.3
      wget-debuginfo-1.14-10.3
      wget-debugsource-1.14-10.3


References:

   https://www.suse.com/security/cve/CVE-2015-2059.html
   https://www.suse.com/security/cve/CVE-2016-4971.html
   https://bugzilla.suse.com/937096
   https://bugzilla.suse.com/958342
   https://bugzilla.suse.com/984060


From sle-security-updates at lists.suse.com  Fri Sep  2 13:08:29 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Sep 2016 21:08:29 +0200 (CEST)
Subject: SUSE-SU-2016:2229-1: moderate: Security update for tomcat6
Message-ID: <20160902190829.75FD0FC45@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2229-1
Rating:             moderate
References:         #988489
Cross-References:   CVE-2016-5388
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for tomcat6 fixes the following issue:

   - CVE-2016-5388 Setting HTTP_PROXY environment variable via Proxy header (bsc#988489)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-tomcat-12727=1

   To bring your system up-to-date, use "zypper patch".
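Editor's added example for the tomcat6 item above (not part of the SUSE advisory, and not Tomcat's own code): the mechanism behind CVE-2016-5388, the "httpoxy" class of bug, in a minimal CGI-style header-to-environment mapping, next to the two places it can be fixed. The request headers, host names and function names are constructed for this illustration.

```python
# Added example (not SUSE's or Tomcat's code): how CVE-2016-5388 arises and
# two mitigations. CGI (RFC 3875), and the servlet containers that emulate
# it, expose request headers to scripts as HTTP_<HEADER-NAME>. A
# client-supplied "Proxy:" header therefore lands in HTTP_PROXY, the variable
# many HTTP client libraries read to choose an outbound proxy, so an attacker
# can redirect the script's own backend requests through a host they control.

# Constructed request headers for this example; "Proxy" is attacker-supplied.
SAMPLE_HEADERS = [
    ("Host", "app.example.invalid"),
    ("User-Agent", "curl/7.50.0"),
    ("Proxy", "http://attacker.invalid:8080"),
]


def _env_name(header):
    """'User-Agent' -> 'HTTP_USER_AGENT', the CGI naming rule."""
    return "HTTP_" + header.upper().replace("-", "_")


def cgi_env_vulnerable(headers):
    """Naive mapping: every request header becomes an HTTP_* variable."""
    env = {"REQUEST_METHOD": "GET"}  # CGI always sets this for a request
    for name, value in headers:
        env[_env_name(name)] = value
    return env


def cgi_env_hardened(headers):
    """Server-side fix: drop the one header that would collide with
    HTTP_PROXY before it reaches the environment. No legitimate client
    sends a "Proxy:" request header, so nothing is lost."""
    env = {"REQUEST_METHOD": "GET"}
    for name, value in headers:
        if name.lower() == "proxy":
            continue
        env[_env_name(name)] = value
    return env


def outbound_proxy_naive(env):
    """What a typical HTTP client library does: trust HTTP_PROXY/http_proxy."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def outbound_proxy_safe(env):
    """Client-side fix: when running under CGI (REQUEST_METHOD is set) the
    upper-case HTTP_PROXY may have come from the request, so ignore it and
    honour only the lower-case, administrator-set http_proxy."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    bad = cgi_env_vulnerable(SAMPLE_HEADERS)
    good = cgi_env_hardened(SAMPLE_HEADERS)
    print("naive library, naive server :", outbound_proxy_naive(bad))
    print("naive library, fixed server :", outbound_proxy_naive(good))
    print("fixed library, naive server :", outbound_proxy_safe(bad))
```

The two fixes are independent and both are worth having: the server-side one (what the tomcat6 update does for its CGI servlet, stripping or renaming the header) protects every script behind the container, while the client-side one protects a script whose container is not yet patched. Stripping the header at the reverse proxy in front of the container is a third, equivalent place to do it.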

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (noarch):

      tomcat6-6.0.45-0.53.2
      tomcat6-admin-webapps-6.0.45-0.53.2
      tomcat6-docs-webapp-6.0.45-0.53.2
      tomcat6-javadoc-6.0.45-0.53.2
      tomcat6-jsp-2_1-api-6.0.45-0.53.2
      tomcat6-lib-6.0.45-0.53.2
      tomcat6-servlet-2_5-api-6.0.45-0.53.2
      tomcat6-webapps-6.0.45-0.53.2


References:

   https://www.suse.com/security/cve/CVE-2016-5388.html
   https://bugzilla.suse.com/988489


From sle-security-updates at lists.suse.com  Fri Sep  2 13:08:58 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Sep 2016 21:08:58 +0200 (CEST)
Subject: SUSE-SU-2016:2230-1: important: Security update for Linux Kernel Live Patch 7 for SLE 12 SP1
Message-ID: <20160902190858.7961BFC44@maintenance.suse.de>

   SUSE Security Update: Security update for Linux Kernel Live Patch 7 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2230-1
Rating:             important
References:         #991667
Cross-References:   CVE-2016-6480
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for the Linux Kernel 3.12.62-60_62 fixes several issues.

   The following security bugs were fixed:
   - CVE-2016-6480: Race condition in the ioctl_send_fib function in
     drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to
     cause a denial of service (out-of-bounds access or system crash) by
     changing a certain size value, aka a "double fetch" vulnerability
     (bsc#991667).

   The following non-security bugs were fixed:

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1311=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-3_12_62-60_62-default-2-9.1
      kgraft-patch-3_12_62-60_62-xen-2-9.1


References:

   https://www.suse.com/security/cve/CVE-2016-6480.html
   https://bugzilla.suse.com/991667


From sle-security-updates at lists.suse.com  Tue Sep  6 07:08:54 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Sep 2016 15:08:54 +0200 (CEST)
Subject: SUSE-SU-2016:2245-1: important: Security update for the Linux Kernel
Message-ID: <20160906130854.E3CA1FC41@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2245-1
Rating:             important
References:         #839104 #866130 #919351 #944309 #950998 #960689 #962404
                    #963655 #963762 #966460 #969149 #970114 #971126 #971360
                    #971446 #971729 #971944 #974428 #975945 #978401 #978821
                    #978822 #979213 #979274 #979548 #979681 #979867 #979879
                    #980371 #980725 #980788 #980931 #981267 #983143 #983213
                    #983535 #984107 #984755 #986362 #986365 #986445 #986572
                    #987709 #988065 #989152 #989401 #991608
Cross-References:   CVE-2013-4312 CVE-2015-7513 CVE-2015-7833 CVE-2016-0758
                    CVE-2016-1583 CVE-2016-2053 CVE-2016-2187 CVE-2016-3134
                    CVE-2016-3955 CVE-2016-4470 CVE-2016-4482 CVE-2016-4485
                    CVE-2016-4486 CVE-2016-4565 CVE-2016-4569 CVE-2016-4578
                    CVE-2016-4580 CVE-2016-4805 CVE-2016-4913 CVE-2016-4997
                    CVE-2016-4998 CVE-2016-5244 CVE-2016-5696 CVE-2016-5829
                    CVE-2016-6480
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-EXTRA
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves 25 vulnerabilities and has 22 fixes is now available.
Description:

   The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:
   - CVE-2016-3955: The usbip_recv_xbuff function in
     drivers/usb/usbip/usbip_common.c in the Linux kernel allowed remote
     attackers to cause a denial of service (out-of-bounds write) or possibly
     have unspecified other impact via a crafted length value in a USB/IP
     packet (bnc#975945).
   - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the
     netfilter subsystem in the Linux kernel allowed local users to cause a
     denial of service (out-of-bounds read) or possibly obtain sensitive
     information from kernel heap memory by leveraging in-container root
     access to provide a crafted offset value that leads to crossing a ruleset
     blob boundary (bnc#986365).
   - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the
     PIT counter values during state restoration, which allowed guest OS users
     to cause a denial of service (divide-by-zero error and host OS crash) via
     a zero value, related to the kvm_vm_ioctl_set_pit and
     kvm_vm_ioctl_set_pit2 functions (bnc#960689).
   - CVE-2013-4312: The Linux kernel allowed local users to bypass
     file-descriptor limits and cause a denial of service (memory consumption)
     by sending each descriptor over a UNIX socket before closing it, related
     to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).
   - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation
     in the netfilter subsystem in the Linux kernel allowed local users to
     gain privileges or cause a denial of service (memory corruption) by
     leveraging in-container root access to provide a crafted offset value
     that triggers an unintended decrement (bnc#986362).
   - CVE-2016-5829: Multiple heap-based buffer overflows in the
     hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux
     kernel allow local users to cause a denial of service or possibly have
     unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)
     HIDIOCSUSAGES ioctl call (bnc#986572).
   - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c
     in the Linux kernel did not ensure that a certain data structure was
     initialized, which allowed local users to cause a denial of service
     (system crash) via vectors involving a crafted keyctl request2 command
     (bnc#984755).
   - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the
     Linux kernel did not initialize a certain structure member, which allowed
     remote attackers to obtain sensitive information from kernel stack memory
     by reading an RDS message (bnc#983213).
   - CVE-2016-1583: The ecryptfs_privileged_open function in
     fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain
     privileges or cause a denial of service (stack memory consumption) via
     vectors involving crafted mmap calls for /proc pathnames, leading to
     recursive pagefault handling (bnc#983143).
   - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c
     in the Linux kernel mishandled NM (aka alternate name) entries containing
     \0 characters, which allowed local users to obtain sensitive information
     from kernel memory or possibly have unspecified other impact via a
     crafted isofs filesystem (bnc#980725).
   - CVE-2016-4580: The x25_negotiate_facilities function in
     net/x25/x25_facilities.c in the Linux kernel did not properly initialize
     a certain data structure, which allowed attackers to obtain sensitive
     information from kernel stack memory via an X.25 Call Request
     (bnc#981267).
   - CVE-2016-4805: Use-after-free vulnerability in
     drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to
     cause a denial of service (memory corruption and system crash, or
     spinlock) or possibly have unspecified other impact by removing a network
     namespace, related to the ppp_register_net_channel and
     ppp_unregister_channel functions (bnc#980371).
   - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux
     kernel allowed local users to gain privileges via crafted ASN.1 data
     (bnc#979867).
   - CVE-2015-7833: The usbvision driver in the Linux kernel allowed
     physically proximate attackers to cause a denial of service (panic) via a
     nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998).
   - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in
     the Linux kernel allowed physically proximate attackers to cause a denial
     of service (NULL pointer dereference and system crash) via a crafted
     endpoints value in a USB device descriptor (bnc#971944).
   - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c
     in the Linux kernel did not initialize a certain data structure, which
     allowed local users to obtain sensitive information from kernel stack
     memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401).
   - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel
     incorrectly relies on the write system call, which allowed local users to
     cause a denial of service (kernel memory write operation) or possibly
     have unspecified other impact via a uAPI interface (bnc#979548).
   - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in
     the Linux kernel allowed attackers to cause a denial of service (panic)
     via an ASN.1 BER file that lacks a public key, leading to mishandling by
     the public_key_verify_signature function in
     crypto/asymmetric_keys/public_key.c (bnc#963762).
   - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the
     Linux kernel did not initialize a certain data structure, which allowed
     attackers to obtain sensitive information from kernel stack memory by
     reading a message (bnc#978821).
   - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize
     certain r1 data structures, which allowed local users to obtain sensitive
     information from kernel stack memory via crafted use of the ALSA timer
     interface, related to the (1) snd_timer_user_ccallback and (2)
     snd_timer_user_tinterrupt functions (bnc#979879).
   - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c
     in the Linux kernel did not initialize a certain data structure, which
     allowed local users to obtain sensitive information from kernel stack
     memory via crafted use of the ALSA timer interface (bnc#979213).
   - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c
     in the Linux kernel did not initialize a certain data structure, which
     allowed local users to obtain sensitive information from kernel stack
     memory by reading a Netlink message (bnc#978822).
   - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
     validate certain offset fields, which allowed local users to gain
     privileges or cause a denial of service (heap memory corruption) via an
     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
   - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly
     determine the rate of challenge ACK segments, which made it easier for
     man-in-the-middle attackers to hijack TCP sessions via a blind in-window
     attack. (bsc#989152)
   - CVE-2016-6480: Race condition in the ioctl_send_fib function in
     drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users
     to cause a denial of service (out-of-bounds access or system crash) by
     changing a certain size value, aka a "double fetch" vulnerability.
     (bsc#991608)

   The following non-security bugs were fixed:
   - Update patches.fixes/pci-determine-actual-vpd-size-on-first-access.patch (bsc#971729, bsc#974428).
   - Update PCI VPD size patch to upstream:
     * PCI: Determine actual VPD size on first access (bsc#971729).
     * PCI: Update VPD definitions (bsc#971729).
     (cherry picked from commit d2af5b7e0cd7ee2a54f02ad65ec300d16b3ad956)
   - Update patches.fixes/pci-update-vpd-definitions.patch (bsc#971729, bsc#974428).
   - cgroups: do not attach task to subsystem if migration failed (bnc#979274).
   - cgroups: more safe tasklist locking in cgroup_attach_proc (bnc#979274).
   - fs/cifs: Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309)
   - fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681)
   - hid: add ALWAYS_POLL quirk for a Logitech 0xc055 (bnc#962404).
   - hid: add HP OEM mouse to quirk ALWAYS_POLL (bsc#919351).
   - hid: add quirk for PIXART OEM mouse used by HP (bsc#919351).
   - hid-elo: kill not flush the work.
   - ipv4/fib: do not warn when primary address is missing if in_dev is dead (bsc#971360).
   - ipv4: fix ineffective source address selection (bsc#980788).
   - ipvs: count pre-established TCP states as active (bsc#970114).
   - kabi, unix: properly account for FDs passed over unix sockets (bnc#839104).
   - mm/hugetlb.c: correct missing private flag clearing (VM Functionality, bnc#971446).
   - mm/hugetlb: fix backport of upstream commit 07443a85ad (VM Functionality, bnc#971446).
   - mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED (VM Functionality, bnc#986445).
   - nfs: Do not attempt to decode missing directory entries (bsc#980931).
   - nfs: fix memory corruption rooted in get_ih_name pointer math (bsc#984107).
   - nfs: reduce access cache shrinker locking (bnc#866130).
   - ppp: defer netns reference release for ppp channel (bsc#980371).
   - s390/cio: collect format 1 channel-path description data (bsc#966460,LTC#136434).
   - s390/cio: ensure consistent measurement state (bsc#966460,LTC#136434).
- s390/cio: fix measurement characteristics memleak (bsc#966460,LTC#136434). - s390/cio: update measurement characteristics (bsc#966460,LTC#136434). - usbhid: add device USB_DEVICE_ID_LOGITECH_C077 (bsc#919351). - usbhid: more mice with ALWAYS_POLL (bsc#919351). - usbhid: yet another mouse with ALWAYS_POLL (bsc#919351). - veth: do not modify ip_summed (bsc#969149). - virtio_scsi: Implement eh_timed_out callback. - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065). - xfs: Avoid grabbing ilock when file size is not changed (bsc#983535). - xfs: avoid xfs_buf hang in lookup node directory corruption (bsc#989401). - xfs: only update the last_sync_lsn when a transaction completes (bsc#987709). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 5: zypper in -t patch sleclo50sp3-kernel-12730=1 - SUSE Manager Proxy 2.1: zypper in -t patch slemap21-kernel-12730=1 - SUSE Manager 2.1: zypper in -t patch sleman21-kernel-12730=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-kernel-12730=1 - SUSE Linux Enterprise Server 11-EXTRA: zypper in -t patch slexsp3-kernel-12730=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-kernel-12730=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-kernel-12730=1 To bring your system up-to-date, use "zypper patch". 
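   The package lists in these advisories give the fixed name-version-release of every affected package, and the practical question after reading one is whether the installed packages are already at or above that release. The script below is an added example, not SUSE's own tooling: it parses entries in the advisory's name-version-release form, reads installed versions in the format printed by `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <package>...`, and orders them with RPM's rpmvercmp rules (alternating digit and letter runs, numeric comparison of digit runs, "~" sorting before everything). The rpm output embedded in it is constructed for the example, and it assumes the packages carry no epoch, which the advisory entries do not show.

```python
"""Compare installed RPM versions against an advisory's package list.

Added example, not SUSE's own tooling. Entries are name-version-release
strings as printed in the "Package List" section; installed versions are
read in the format produced by
    rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <package>...
The rpm output embedded below is constructed for the example. Epochs are
assumed absent (advisory entries carry none), so only version and release
are compared, using RPM's rpmvercmp ordering rules.
"""
import re

# Entries copied from the kernel advisory's package list (SLES 11-SP3-LTSS).
ADVISORY_PACKAGES = [
    "kernel-default-3.0.101-0.47.86.1",
    "kernel-default-base-3.0.101-0.47.86.1",
    "kernel-default-devel-3.0.101-0.47.86.1",
    "kernel-xen-3.0.101-0.47.86.1",
]

# Constructed sample output of the rpm query above (kernel-xen not installed).
SAMPLE_RPM_OUTPUT = """\
kernel-default 3.0.101 0.47.79.1
kernel-default-base 3.0.101 0.47.86.1
kernel-default-devel 3.0.101 0.47.90.1
package kernel-xen is not installed
"""

# rpmvercmp walks both strings as alternating runs of digits and letters;
# separators are ignored and '~' sorts before anything (pre-releases).
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 with the same ordering as librpm's rpmvercmp()."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":          # tilde: older than anything else
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None or y is None:        # one side ran out of segments
            break
        if x.isdigit():
            if not y.isdigit():           # numeric segment is newer than alpha
                return 1
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # longer numeric run is larger
                return 1 if len(x) > len(y) else -1
        elif y.isdigit():
            return -1
        if x != y:                        # same-type segments: plain string order
            return 1 if x > y else -1
        i += 1
    if i >= len(sa) and i >= len(sb):
        return 0
    return -1 if i >= len(sa) else 1     # the string with segments left is newer


_NVR = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def parse_nvr(entry):
    """Split 'name-version-release' (the name may itself contain dashes)."""
    m = _NVR.match(entry)
    if not m:
        raise ValueError("not a name-version-release string: %r" % entry)
    return m.group("name"), m.group("version"), m.group("release")


def compare_vr(installed, fixed):
    """Compare (version, release) tuples: version first, then release."""
    return rpmvercmp(installed[0], fixed[0]) or rpmvercmp(installed[1], fixed[1])


def parse_rpm_output(text):
    """Map package name -> (version, release); 'is not installed' lines are skipped."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            installed[fields[0]] = (fields[1], fields[2])
    return installed


def outdated_packages(advisory_entries, rpm_output):
    """Return [(name, installed_vr, fixed_vr)] for installed packages that are
    older than the advisory's fixed version; uninstalled ones are not affected."""
    installed = parse_rpm_output(rpm_output)
    result = []
    for entry in advisory_entries:
        name, version, release = parse_nvr(entry)
        have = installed.get(name)
        if have is not None and compare_vr(have, (version, release)) < 0:
            result.append((name, "-".join(have), version + "-" + release))
    return result


if __name__ == "__main__":
    for name, have, want in outdated_packages(ADVISORY_PACKAGES, SAMPLE_RPM_OUTPUT):
        print("%s: installed %s, fixed in %s" % (name, have, want))
```

   Packages that rpm reports as not installed are ignored, since an absent package is not affected; a package newer than the advisory's release (here kernel-default-devel) is also left alone, which matters when a later update has already superseded the one being checked.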
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      kernel-bigsmp-3.0.101-0.47.86.1
      kernel-bigsmp-base-3.0.101-0.47.86.1
      kernel-bigsmp-devel-3.0.101-0.47.86.1
      kernel-default-3.0.101-0.47.86.1
      kernel-default-base-3.0.101-0.47.86.1
      kernel-default-devel-3.0.101-0.47.86.1
      kernel-ec2-3.0.101-0.47.86.1
      kernel-ec2-base-3.0.101-0.47.86.1
      kernel-ec2-devel-3.0.101-0.47.86.1
      kernel-source-3.0.101-0.47.86.1
      kernel-syms-3.0.101-0.47.86.1
      kernel-trace-3.0.101-0.47.86.1
      kernel-trace-base-3.0.101-0.47.86.1
      kernel-trace-devel-3.0.101-0.47.86.1
      kernel-xen-3.0.101-0.47.86.1
      kernel-xen-base-3.0.101-0.47.86.1
      kernel-xen-devel-3.0.101-0.47.86.1

   - SUSE Manager Proxy 2.1 (x86_64):

      kernel-bigsmp-3.0.101-0.47.86.1
      kernel-bigsmp-base-3.0.101-0.47.86.1
      kernel-bigsmp-devel-3.0.101-0.47.86.1
      kernel-default-3.0.101-0.47.86.1
      kernel-default-base-3.0.101-0.47.86.1
      kernel-default-devel-3.0.101-0.47.86.1
      kernel-ec2-3.0.101-0.47.86.1
      kernel-ec2-base-3.0.101-0.47.86.1
      kernel-ec2-devel-3.0.101-0.47.86.1
      kernel-source-3.0.101-0.47.86.1
      kernel-syms-3.0.101-0.47.86.1
      kernel-trace-3.0.101-0.47.86.1
      kernel-trace-base-3.0.101-0.47.86.1
      kernel-trace-devel-3.0.101-0.47.86.1
      kernel-xen-3.0.101-0.47.86.1
      kernel-xen-base-3.0.101-0.47.86.1
      kernel-xen-devel-3.0.101-0.47.86.1

   - SUSE Manager 2.1 (s390x x86_64):

      kernel-default-3.0.101-0.47.86.1
      kernel-default-base-3.0.101-0.47.86.1
      kernel-default-devel-3.0.101-0.47.86.1
      kernel-source-3.0.101-0.47.86.1
      kernel-syms-3.0.101-0.47.86.1
      kernel-trace-3.0.101-0.47.86.1
      kernel-trace-base-3.0.101-0.47.86.1
      kernel-trace-devel-3.0.101-0.47.86.1

   - SUSE Manager 2.1 (x86_64):

      kernel-bigsmp-3.0.101-0.47.86.1
      kernel-bigsmp-base-3.0.101-0.47.86.1
      kernel-bigsmp-devel-3.0.101-0.47.86.1
      kernel-ec2-3.0.101-0.47.86.1
      kernel-ec2-base-3.0.101-0.47.86.1
      kernel-ec2-devel-3.0.101-0.47.86.1
      kernel-xen-3.0.101-0.47.86.1
      kernel-xen-base-3.0.101-0.47.86.1
      kernel-xen-devel-3.0.101-0.47.86.1

   - SUSE Manager 2.1 (s390x):

      kernel-default-man-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      kernel-default-3.0.101-0.47.86.1
      kernel-default-base-3.0.101-0.47.86.1
      kernel-default-devel-3.0.101-0.47.86.1
      kernel-source-3.0.101-0.47.86.1
      kernel-syms-3.0.101-0.47.86.1
      kernel-trace-3.0.101-0.47.86.1
      kernel-trace-base-3.0.101-0.47.86.1
      kernel-trace-devel-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      kernel-ec2-3.0.101-0.47.86.1
      kernel-ec2-base-3.0.101-0.47.86.1
      kernel-ec2-devel-3.0.101-0.47.86.1
      kernel-xen-3.0.101-0.47.86.1
      kernel-xen-base-3.0.101-0.47.86.1
      kernel-xen-devel-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):

      kernel-bigsmp-3.0.101-0.47.86.1
      kernel-bigsmp-base-3.0.101-0.47.86.1
      kernel-bigsmp-devel-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x):

      kernel-default-man-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

      kernel-pae-3.0.101-0.47.86.1
      kernel-pae-base-3.0.101-0.47.86.1
      kernel-pae-devel-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

      kernel-default-extra-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

      kernel-xen-extra-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-EXTRA (x86_64):

      kernel-bigsmp-extra-3.0.101-0.47.86.1
      kernel-trace-extra-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-EXTRA (ppc64):

      kernel-ppc64-extra-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586):

      kernel-pae-extra-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      kernel-default-3.0.101-0.47.86.1
      kernel-default-base-3.0.101-0.47.86.1
      kernel-default-devel-3.0.101-0.47.86.1
      kernel-ec2-3.0.101-0.47.86.1
      kernel-ec2-base-3.0.101-0.47.86.1
      kernel-ec2-devel-3.0.101-0.47.86.1
      kernel-pae-3.0.101-0.47.86.1
      kernel-pae-base-3.0.101-0.47.86.1
      kernel-pae-devel-3.0.101-0.47.86.1
      kernel-source-3.0.101-0.47.86.1
      kernel-syms-3.0.101-0.47.86.1
      kernel-trace-3.0.101-0.47.86.1
      kernel-trace-base-3.0.101-0.47.86.1
      kernel-trace-devel-3.0.101-0.47.86.1
      kernel-xen-3.0.101-0.47.86.1
      kernel-xen-base-3.0.101-0.47.86.1
      kernel-xen-devel-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      kernel-default-debuginfo-3.0.101-0.47.86.1
      kernel-default-debugsource-3.0.101-0.47.86.1
      kernel-trace-debuginfo-3.0.101-0.47.86.1
      kernel-trace-debugsource-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

      kernel-ec2-debuginfo-3.0.101-0.47.86.1
      kernel-ec2-debugsource-3.0.101-0.47.86.1
      kernel-xen-debuginfo-3.0.101-0.47.86.1
      kernel-xen-debugsource-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64):

      kernel-bigsmp-debuginfo-3.0.101-0.47.86.1
      kernel-bigsmp-debugsource-3.0.101-0.47.86.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586):

      kernel-pae-debuginfo-3.0.101-0.47.86.1
      kernel-pae-debugsource-3.0.101-0.47.86.1

References:

   https://www.suse.com/security/cve/CVE-2013-4312.html
   https://www.suse.com/security/cve/CVE-2015-7513.html
   https://www.suse.com/security/cve/CVE-2015-7833.html
   https://www.suse.com/security/cve/CVE-2016-0758.html
   https://www.suse.com/security/cve/CVE-2016-1583.html
   https://www.suse.com/security/cve/CVE-2016-2053.html
   https://www.suse.com/security/cve/CVE-2016-2187.html
   https://www.suse.com/security/cve/CVE-2016-3134.html
   https://www.suse.com/security/cve/CVE-2016-3955.html
   https://www.suse.com/security/cve/CVE-2016-4470.html
   https://www.suse.com/security/cve/CVE-2016-4482.html
   https://www.suse.com/security/cve/CVE-2016-4485.html
   https://www.suse.com/security/cve/CVE-2016-4486.html
   https://www.suse.com/security/cve/CVE-2016-4565.html
   https://www.suse.com/security/cve/CVE-2016-4569.html
   https://www.suse.com/security/cve/CVE-2016-4578.html
   https://www.suse.com/security/cve/CVE-2016-4580.html
   https://www.suse.com/security/cve/CVE-2016-4805.html
   https://www.suse.com/security/cve/CVE-2016-4913.html
   https://www.suse.com/security/cve/CVE-2016-4997.html
   https://www.suse.com/security/cve/CVE-2016-4998.html
   https://www.suse.com/security/cve/CVE-2016-5244.html
   https://www.suse.com/security/cve/CVE-2016-5696.html
   https://www.suse.com/security/cve/CVE-2016-5829.html
   https://www.suse.com/security/cve/CVE-2016-6480.html
   https://bugzilla.suse.com/839104
   https://bugzilla.suse.com/866130
   https://bugzilla.suse.com/919351
   https://bugzilla.suse.com/944309
   https://bugzilla.suse.com/950998
   https://bugzilla.suse.com/960689
   https://bugzilla.suse.com/962404
   https://bugzilla.suse.com/963655
   https://bugzilla.suse.com/963762
   https://bugzilla.suse.com/966460
   https://bugzilla.suse.com/969149
   https://bugzilla.suse.com/970114
   https://bugzilla.suse.com/971126
   https://bugzilla.suse.com/971360
   https://bugzilla.suse.com/971446
   https://bugzilla.suse.com/971729
   https://bugzilla.suse.com/971944
   https://bugzilla.suse.com/974428
   https://bugzilla.suse.com/975945
   https://bugzilla.suse.com/978401
   https://bugzilla.suse.com/978821
   https://bugzilla.suse.com/978822
   https://bugzilla.suse.com/979213
   https://bugzilla.suse.com/979274
   https://bugzilla.suse.com/979548
   https://bugzilla.suse.com/979681
   https://bugzilla.suse.com/979867
   https://bugzilla.suse.com/979879
   https://bugzilla.suse.com/980371
   https://bugzilla.suse.com/980725
   https://bugzilla.suse.com/980788
   https://bugzilla.suse.com/980931
   https://bugzilla.suse.com/981267
   https://bugzilla.suse.com/983143
   https://bugzilla.suse.com/983213
   https://bugzilla.suse.com/983535
   https://bugzilla.suse.com/984107
   https://bugzilla.suse.com/984755
   https://bugzilla.suse.com/986362
   https://bugzilla.suse.com/986365
   https://bugzilla.suse.com/986445
   https://bugzilla.suse.com/986572
   https://bugzilla.suse.com/987709
   https://bugzilla.suse.com/988065
   https://bugzilla.suse.com/989152
   https://bugzilla.suse.com/989401
   https://bugzilla.suse.com/991608

From sle-security-updates at lists.suse.com Tue Sep 6 07:20:31 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Sep 2016 15:20:31 +0200 (CEST)
Subject: SUSE-SU-2016:2246-1: moderate: Security update for perl
Message-ID: <20160906132031.222D9FC41@maintenance.suse.de>

   SUSE Security Update: Security update for perl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2246-1
Rating:             moderate
References:         #929027 #967082 #987887 #988311
Cross-References:   CVE-2015-8853 CVE-2016-1238 CVE-2016-2381 CVE-2016-6185
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for perl fixes the following issues:

   - CVE-2016-6185: XSLoader looking at a "(eval)" directory [bsc#988311]
   - CVE-2016-1238: searching current directory for optional modules [bsc#987887]
   - CVE-2015-8853: regex engine hanging on bad utf8 [bnc#976584]
   - CVE-2016-2381: environment dup handling bug [bsc#967082]
   - perl panic with utf8_mg_pos_cache_update [bsc#929027]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
     zypper in -t patch sdksp4-perl-12729=1
   - SUSE Linux Enterprise Server 11-SP4:
     zypper in -t patch slessp4-perl-12729=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
     zypper in -t patch dbgsp4-perl-12729=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      perl-base-32bit-5.10.0-64.80.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      perl-5.10.0-64.80.1
      perl-Module-Build-0.2808.01-0.80.1
      perl-Test-Simple-0.72-0.80.1
      perl-base-5.10.0-64.80.1
      perl-doc-5.10.0-64.80.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      perl-32bit-5.10.0-64.80.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      perl-x86-5.10.0-64.80.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      perl-debuginfo-5.10.0-64.80.1
      perl-debugsource-5.10.0-64.80.1

References:

   https://www.suse.com/security/cve/CVE-2015-8853.html
   https://www.suse.com/security/cve/CVE-2016-1238.html
   https://www.suse.com/security/cve/CVE-2016-2381.html
   https://www.suse.com/security/cve/CVE-2016-6185.html
   https://bugzilla.suse.com/929027
   https://bugzilla.suse.com/967082
   https://bugzilla.suse.com/987887
   https://bugzilla.suse.com/988311

From sle-security-updates at lists.suse.com Tue Sep 6 12:09:16 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Sep 2016 20:09:16 +0200 (CEST)
Subject: SUSE-SU-2016:2248-1: moderate: Security update for mariadb
Message-ID: <20160906180916.54012FC45@maintenance.suse.de>

   SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2248-1
Rating:             moderate
References:         #984858 #985217 #986251 #991616
Cross-References:   CVE-2016-3477 CVE-2016-3521 CVE-2016-3615 CVE-2016-5440
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   This update for mariadb fixes the following issues:

   - CVE-2016-3477: Unspecified vulnerability in subcomponent parser [bsc#991616]
   - CVE-2016-3521: Unspecified vulnerability in subcomponent types [bsc#991616]
   - CVE-2016-3615: Unspecified vulnerability in subcomponent dml [bsc#991616]
   - CVE-2016-5440: Unspecified vulnerability in subcomponent rbr [bsc#991616]
   - mariadb failing test main.bootstrap [bsc#984858]
   - left over "openSUSE" comments in MariaDB on SLE12 GM and SP1 [bsc#985217]
   - remove unnecessary conditionals from specfile
   - add '--ignore-db-dir=lost+found' option to rc.mysql-multi in order not to misinterpret the lost+found directory as a database [bsc#986251]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:
     zypper in -t patch SUSE-SLE-SAP-12-2016-1199=1
   - SUSE Linux Enterprise Server 12-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-2016-1199=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      libmysqlclient-devel-10.0.26-20.10.2
      libmysqlclient18-10.0.26-20.10.2
      libmysqlclient18-32bit-10.0.26-20.10.2
      libmysqlclient18-debuginfo-10.0.26-20.10.2
      libmysqlclient18-debuginfo-32bit-10.0.26-20.10.2
      libmysqlclient_r18-10.0.26-20.10.2
      libmysqld-devel-10.0.26-20.10.2
      libmysqld18-10.0.26-20.10.2
      libmysqld18-debuginfo-10.0.26-20.10.2
      mariadb-10.0.26-20.10.2
      mariadb-client-10.0.26-20.10.2
      mariadb-client-debuginfo-10.0.26-20.10.2
      mariadb-debuginfo-10.0.26-20.10.2
      mariadb-debugsource-10.0.26-20.10.2
      mariadb-errormessages-10.0.26-20.10.2
      mariadb-tools-10.0.26-20.10.2
      mariadb-tools-debuginfo-10.0.26-20.10.2

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      libmysqlclient-devel-10.0.26-20.10.2
      libmysqlclient18-10.0.26-20.10.2
      libmysqlclient18-debuginfo-10.0.26-20.10.2
      libmysqlclient_r18-10.0.26-20.10.2
      libmysqld-devel-10.0.26-20.10.2
      libmysqld18-10.0.26-20.10.2
      libmysqld18-debuginfo-10.0.26-20.10.2
      mariadb-10.0.26-20.10.2
      mariadb-client-10.0.26-20.10.2
      mariadb-client-debuginfo-10.0.26-20.10.2
      mariadb-debuginfo-10.0.26-20.10.2
      mariadb-debugsource-10.0.26-20.10.2
      mariadb-errormessages-10.0.26-20.10.2
      mariadb-tools-10.0.26-20.10.2
      mariadb-tools-debuginfo-10.0.26-20.10.2

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      libmysqlclient18-32bit-10.0.26-20.10.2
      libmysqlclient18-debuginfo-32bit-10.0.26-20.10.2

References:

   https://www.suse.com/security/cve/CVE-2016-3477.html
   https://www.suse.com/security/cve/CVE-2016-3521.html
   https://www.suse.com/security/cve/CVE-2016-3615.html
   https://www.suse.com/security/cve/CVE-2016-5440.html
   https://bugzilla.suse.com/984858
   https://bugzilla.suse.com/985217
   https://bugzilla.suse.com/986251
   https://bugzilla.suse.com/991616

From sle-security-updates at lists.suse.com Tue Sep 6 12:10:05 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Sep 2016 20:10:05 +0200 (CEST)
Subject: SUSE-SU-2016:2249-1: moderate: Security update for hawk
Message-ID: <20160906181005.27BD7FC41@maintenance.suse.de>

   SUSE Security Update: Security update for hawk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2249-1
Rating:             moderate
References:         #957369 #984619
Affected Products:
                    SUSE Linux Enterprise High Availability Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for hawk fixes the following issues:

   - Set Content-Security-Policy to frame-ancestors 'self' (bsc#984619)
   - Colocation: Fix NameError when creating 2-resource constraints (bsc#957369)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability Extension 11-SP4:
     zypper in -t patch slehasp4-hawk-12731=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
     zypper in -t patch dbgsp4-hawk-12731=1

   To bring your system up-to-date, use "zypper patch".
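   The hawk fix above is a single response header, and what it buys is easiest to see by evaluating the directive: with "frame-ancestors 'self'" only documents from the same origin as the hawk UI may embed it in a frame, so another site cannot overlay the cluster management pages in a hidden iframe and trick an administrator into clicking them. The following is an added example, not hawk's own code, that evaluates a frame-ancestors directive against a page origin and a would-be embedder; the origins and policies it checks are constructed, and the matching rules follow the CSP source-expression forms 'none', 'self', scheme:, and [scheme://]host[:port] with a leading *. wildcard. 'self' is read strictly as same scheme, host and port.

```python
"""Evaluate a Content-Security-Policy frame-ancestors directive.

Added example, not hawk's own code. It shows what the hawk fix changes:
a response carrying "frame-ancestors 'self'" may only be framed by pages
of the same origin, which denies other sites the ability to overlay the
hawk UI in a hidden frame (clickjacking). The origins and headers used in
the checks are constructed for the example.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def frame_ancestors(csp_header):
    """Return the frame-ancestors source list, or None when the directive
    is absent (CSP then places no restriction on framing at all)."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _origin_parts(origin):
    """(scheme, host, port) of an origin URL, filling in the default port."""
    u = urlsplit(origin)
    port = u.port if u.port is not None else _DEFAULT_PORTS.get(u.scheme)
    return u.scheme, u.hostname, port


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # wildcard needs at least one extra label
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def may_frame(csp_header, page_origin, embedder_origin):
    """True if a document at embedder_origin may embed, in a frame, a page
    served from page_origin with the given Content-Security-Policy."""
    sources = frame_ancestors(csp_header)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    page_scheme, page_host, page_port = _origin_parts(page_origin)
    emb_scheme, emb_host, emb_port = _origin_parts(embedder_origin)
    for src in sources:
        if src == "'self'":               # strict same-origin reading of 'self'
            if (emb_scheme, emb_host, emb_port) == (page_scheme, page_host, page_port):
                return True
            continue
        if src.endswith(":") and "/" not in src:   # scheme-source, e.g. "https:"
            if emb_scheme == src[:-1]:
                return True
            continue
        if "://" in src:                  # host-source with an explicit scheme
            scheme, rest = src.split("://", 1)
            if emb_scheme != scheme:
                continue
        else:                             # scheme-less host-source: same scheme as
            rest = src                    # the page, or https framing an http page
            if not (emb_scheme == page_scheme or (page_scheme, emb_scheme) == ("http", "https")):
                continue
        host, _, port = rest.partition(":")
        if not _host_matches(host, emb_host):
            continue
        if port and port != "*" and port != str(emb_port):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed origins: hawk on its own host/port, and an unrelated site.
    page = "https://hawk.example.com:7630"
    policy = "default-src 'self'; frame-ancestors 'self'"
    print(may_frame(policy, page, page))                             # True
    print(may_frame(policy, page, "https://attacker.example.net"))   # False
    print(may_frame("default-src 'self'", page, "https://attacker.example.net"))  # True: no directive
```

   The third call is the pre-fix situation: a policy without frame-ancestors (or no CSP at all) leaves framing unrestricted, which is why the advisory treats adding the directive as a security fix rather than a cosmetic change.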
Package List:

   - SUSE Linux Enterprise High Availability Extension 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      hawk-0.7.0+git.1430140184.8e872c5-7.1
      hawk-templates-0.7.0+git.1430140184.8e872c5-7.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      hawk-debuginfo-0.7.0+git.1430140184.8e872c5-7.1
      hawk-debugsource-0.7.0+git.1430140184.8e872c5-7.1

References:

   https://bugzilla.suse.com/957369
   https://bugzilla.suse.com/984619

From sle-security-updates at lists.suse.com Tue Sep 6 13:09:12 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Sep 2016 21:09:12 +0200 (CEST)
Subject: SUSE-SU-2016:2251-1: important: Security update for Chromium
Message-ID: <20160906190912.4CF1CFC43@maintenance.suse.de>

   SUSE Security Update: Security update for Chromium
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2251-1
Rating:             important
References:         #995932 #996032 #99606 #996648
Cross-References:   CVE-2016-5147 CVE-2016-5148 CVE-2016-5149 CVE-2016-5150
                    CVE-2016-5151 CVE-2016-5152 CVE-2016-5153 CVE-2016-5154
                    CVE-2016-5155 CVE-2016-5156 CVE-2016-5157 CVE-2016-5158
                    CVE-2016-5159 CVE-2016-5160 CVE-2016-5161 CVE-2016-5162
                    CVE-2016-5163 CVE-2016-5164 CVE-2016-5165 CVE-2016-5166
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes 20 vulnerabilities is now available.

Description:

   Chromium was updated to 53.0.2785.89 to fix a number of security issues.

   The following vulnerabilities were fixed: (boo#996648)

   - CVE-2016-5147: Universal XSS in Blink.
   - CVE-2016-5148: Universal XSS in Blink.
   - CVE-2016-5149: Script injection in extensions.
   - CVE-2016-5150: Use after free in Blink.
   - CVE-2016-5151: Use after free in PDFium.
   - CVE-2016-5152: Heap overflow in PDFium.
   - CVE-2016-5153: Use after destruction in Blink.
   - CVE-2016-5154: Heap overflow in PDFium.
   - CVE-2016-5155: Address bar spoofing.
   - CVE-2016-5156: Use after free in event bindings.
   - CVE-2016-5157: Heap overflow in PDFium.
   - CVE-2016-5158: Heap overflow in PDFium.
   - CVE-2016-5159: Heap overflow in PDFium.
   - CVE-2016-5160: Extensions web accessible resources bypass.
   - CVE-2016-5161: Type confusion in Blink.
   - CVE-2016-5162: Extensions web accessible resources bypass.
   - CVE-2016-5163: Address bar spoofing.
   - CVE-2016-5164: Universal XSS using DevTools.
   - CVE-2016-5165: Script injection in DevTools.
   - CVE-2016-5166: SMB Relay Attack via Save Page As.

   A number of tracked build system fixes are included. (boo#996032, boo#99606, boo#995932)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:
     zypper in -t patch 5568=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

      chromedriver-53.0.2785.89-96.1
      chromedriver-debuginfo-53.0.2785.89-96.1
      chromium-53.0.2785.89-96.1
      chromium-debuginfo-53.0.2785.89-96.1
      chromium-desktop-gnome-53.0.2785.89-96.1
      chromium-desktop-kde-53.0.2785.89-96.1
      chromium-ffmpegsumo-53.0.2785.89-96.1
      chromium-ffmpegsumo-debuginfo-53.0.2785.89-96.1

References:

   https://www.suse.com/security/cve/CVE-2016-5147.html
   https://www.suse.com/security/cve/CVE-2016-5148.html
   https://www.suse.com/security/cve/CVE-2016-5149.html
   https://www.suse.com/security/cve/CVE-2016-5150.html
   https://www.suse.com/security/cve/CVE-2016-5151.html
   https://www.suse.com/security/cve/CVE-2016-5152.html
   https://www.suse.com/security/cve/CVE-2016-5153.html
   https://www.suse.com/security/cve/CVE-2016-5154.html
   https://www.suse.com/security/cve/CVE-2016-5155.html
   https://www.suse.com/security/cve/CVE-2016-5156.html
   https://www.suse.com/security/cve/CVE-2016-5157.html
   https://www.suse.com/security/cve/CVE-2016-5158.html
   https://www.suse.com/security/cve/CVE-2016-5159.html
   https://www.suse.com/security/cve/CVE-2016-5160.html
   https://www.suse.com/security/cve/CVE-2016-5161.html
   https://www.suse.com/security/cve/CVE-2016-5162.html
   https://www.suse.com/security/cve/CVE-2016-5163.html
   https://www.suse.com/security/cve/CVE-2016-5164.html
   https://www.suse.com/security/cve/CVE-2016-5165.html
   https://www.suse.com/security/cve/CVE-2016-5166.html
   https://bugzilla.suse.com/995932
   https://bugzilla.suse.com/996032
   https://bugzilla.suse.com/99606
   https://bugzilla.suse.com/996648

From sle-security-updates at lists.suse.com Wed Sep 7 09:09:10 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Sep 2016 17:09:10 +0200 (CEST)
Subject: SUSE-SU-2016:2259-1: moderate: Security update for mysql-connector-java
Message-ID: <20160907150910.E2BBAFC44@maintenance.suse.de>

   SUSE Security Update: Security update for mysql-connector-java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2259-1
Rating:             moderate
References:         #927981
Cross-References:   CVE-2015-2575
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   mysql-connector-java was updated to 5.1.35, fixing multiple bugs and one security issue.

   - CVE-2015-2575: Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J. (bnc#927981)

   Please see http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:
     zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1322=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (noarch):

      mysql-connector-java-5.1.35-3.1

References:

   https://www.suse.com/security/cve/CVE-2015-2575.html
   https://bugzilla.suse.com/927981

From sle-security-updates at lists.suse.com Wed Sep 7 12:09:15 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Sep 2016 20:09:15 +0200 (CEST)
Subject: SUSE-SU-2016:2261-1: important: Security update for java-1_7_1-ibm
Message-ID: <20160907180915.846F6FC44@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2261-1
Rating:             important
References:         #992537
Cross-References:   CVE-2016-3485 CVE-2016-3511 CVE-2016-3598
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   IBM Java 7.1 was updated to version 7.1-3.50 to fix the following security issues:
   CVE-2016-3485 CVE-2016-3511 CVE-2016-3598

   Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
     zypper in -t patch sdksp4-java-1_7_1_ibm-12733=1
   - SUSE Linux Enterprise Server 11-SP4:
     zypper in -t patch slessp4-java-1_7_1_ibm-12733=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ppc64 s390x x86_64):

      java-1_7_1-ibm-devel-1.7.1_sr3.50-16.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ppc64 s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr3.50-16.1
      java-1_7_1-ibm-jdbc-1.7.1_sr3.50-16.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr3.50-16.1
      java-1_7_1-ibm-plugin-1.7.1_sr3.50-16.1

References:

   https://www.suse.com/security/cve/CVE-2016-3485.html
   https://www.suse.com/security/cve/CVE-2016-3511.html
   https://www.suse.com/security/cve/CVE-2016-3598.html
   https://bugzilla.suse.com/992537

From sle-security-updates at lists.suse.com Thu Sep 8 07:10:48 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Sep 2016 15:10:48 +0200 (CEST)
Subject: SUSE-SU-2016:2263-1: moderate: Security update for perl
Message-ID: <20160908131048.31DB5FC44@maintenance.suse.de>

   SUSE Security Update: Security update for perl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2263-1
Rating:             moderate
References:         #928292 #932894 #967082 #984906 #987887 #988311
Cross-References:   CVE-2015-8853 CVE-2016-1238 CVE-2016-2381 CVE-2016-6185
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves four vulnerabilities and has two fixes is now available.

Description:

   This update for Perl fixes the following issues:

   - CVE-2016-6185: XSLoader looking at a "(eval)" directory. (bsc#988311)
   - CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
   - CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
   - CVE-2016-2381: Environment dup handling bug. (bsc#967082)
   - "Insecure dependency in require" error in taint mode. (bsc#984906)
   - Memory leak in 'use utf8' handling. (bsc#928292)
   - Missing lock prototype to the debugger. (bsc#932894)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:
     zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1326=1
   - SUSE Linux Enterprise Desktop 12-SP1:
     zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1326=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      perl-5.18.2-11.1
      perl-base-5.18.2-11.1
      perl-base-debuginfo-5.18.2-11.1
      perl-debuginfo-5.18.2-11.1
      perl-debugsource-5.18.2-11.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      perl-32bit-5.18.2-11.1
      perl-debuginfo-32bit-5.18.2-11.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      perl-doc-5.18.2-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      perl-doc-5.18.2-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      perl-32bit-5.18.2-11.1
      perl-5.18.2-11.1
      perl-base-5.18.2-11.1
      perl-base-debuginfo-5.18.2-11.1
      perl-debuginfo-32bit-5.18.2-11.1
      perl-debuginfo-5.18.2-11.1
      perl-debugsource-5.18.2-11.1

References:

   https://www.suse.com/security/cve/CVE-2015-8853.html
   https://www.suse.com/security/cve/CVE-2016-1238.html
   https://www.suse.com/security/cve/CVE-2016-2381.html
   https://www.suse.com/security/cve/CVE-2016-6185.html
   https://bugzilla.suse.com/928292
   https://bugzilla.suse.com/932894
   https://bugzilla.suse.com/967082
   https://bugzilla.suse.com/984906
   https://bugzilla.suse.com/987887
   https://bugzilla.suse.com/988311

From sle-security-updates at lists.suse.com Fri Sep 9 04:10:03 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Sep 2016 12:10:03 +0200 (CEST)
Subject: SUSE-SU-2016:2270-1: moderate: Security update for python
Message-ID: <20160909101003.1BA84FC44@maintenance.suse.de>

   SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2270-1
Rating:             moderate
References:         #984751 #985348 #989523
Cross-References:   CVE-2016-0772 CVE-2016-1000110 CVE-2016-5699
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for python fixes the following issues:

   - CVE-2016-0772: smtplib vulnerability opens STARTTLS stripping attack (bsc#984751)
   - CVE-2016-5699: incorrect validation of HTTP headers allows header injection (bsc#985348)
   - CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
     zypper in -t patch sdksp4-python-12735=1
   - SUSE Linux Enterprise Server 11-SP4:
     zypper in -t patch slessp4-python-12735=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
     zypper in -t patch dbgsp4-python-12735=1

   To bring your system up-to-date, use "zypper patch".
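   Two of the three python fixes above are small input checks, and both are worth seeing in working form. The block below is an added example, not SUSE's or CPython's code: proxies_from_environment() mirrors urllib's <scheme>_proxy lookup and applies the CVE-2016-1000110 mitigation the advisory names (drop HTTP_PROXY when REQUEST_METHOD is set, because a CGI gateway maps a client-supplied "Proxy:" request header onto exactly that variable), and check_header() applies the class of check used for CVE-2016-5699 (reject a CR or LF in a header name or value unless it is followed by folding whitespace). Both take their input as arguments so they run on constructed data rather than the live process environment or a socket; the environment dictionaries and header values in the example are constructed.

```python
"""HTTPoxy-safe proxy lookup and HTTP header-injection check.

Added example, not SUSE's or CPython's code. It reimplements the two
checks the python advisory describes so they can be run on constructed
input: proxies_from_environment() mirrors urllib's *_proxy handling but
drops HTTP_PROXY when REQUEST_METHOD is set, and check_header() refuses
header names and values that would let a CR or LF start a new header.
"""
import re


def proxies_from_environment(environ):
    """Return {scheme: proxy_url} from <scheme>_proxy variables.

    Lowercase variables take precedence over uppercase ones, as in urllib.
    When REQUEST_METHOD is present the process is a CGI script, and a CGI
    gateway maps a client-supplied "Proxy:" request header onto exactly
    HTTP_PROXY (HTTPoxy), so that entry is discarded (CVE-2016-1000110).
    """
    proxies = {}
    for name, value in environ.items():
        lname = name.lower()
        if not value or not lname.endswith("_proxy"):
            continue
        scheme = lname[:-len("_proxy")]
        if name == lname or scheme not in proxies:
            proxies[scheme] = value
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    return proxies


# A CR or LF that is not followed by folding whitespace terminates the header
# line; anything after it would be parsed as a new header or the body.
_ILLEGAL_HEADER_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")
# Header names: no leading whitespace or colon, no colon/CR/LF anywhere.
_LEGAL_HEADER_NAME = re.compile(r"\A[^:\s][^:\r\n]*\Z")


def check_header(name, value):
    """Return the serialized 'Name: value' line, or raise ValueError when
    either part could inject additional headers (CVE-2016-5699 class)."""
    if not _LEGAL_HEADER_NAME.match(name):
        raise ValueError("invalid header name: %r" % name)
    if _ILLEGAL_HEADER_VALUE.search(value):
        raise ValueError("invalid header value: %r" % value)
    return "%s: %s" % (name, value)


def build_request(method, path, headers):
    """Serialize a request head, validating every header on the way."""
    lines = ["%s %s HTTP/1.1" % (method, path)]
    lines.extend(check_header(n, v) for n, v in headers)
    return "\r\n".join(lines) + "\r\n\r\n"


def is_injectable(value):
    """True if check_header() would reject the value."""
    try:
        check_header("X-Probe", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed CGI environment: HTTP_PROXY here came from a client header.
    cgi_env = {"REQUEST_METHOD": "GET",
               "HTTP_PROXY": "http://attacker.example:8080",
               "https_proxy": "http://proxy.corp.example:3128"}
    print(proxies_from_environment(cgi_env))          # https proxy only
    print(is_injectable("ok"), is_injectable("x\r\nX-Injected: 1"))
```

   The proxy check is deliberately narrow: only the http entry is dropped, because only HTTP_PROXY collides with the CGI mapping of a "Proxy:" header, so a legitimately configured https_proxy keeps working inside CGI scripts. The header check accepts a CR/LF followed by a space or tab as legacy line folding, which is why "folded\r\n continuation" passes while "x\r\nX-Injected: 1" is refused.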
Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): python-devel-2.6.9-39.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64): python-demo-2.6.9-39.1 python-gdbm-2.6.9-39.1 python-idle-2.6.9-39.1 python-tk-2.6.9-39.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch): python-doc-2.6-8.39.1 python-doc-pdf-2.6-8.39.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (x86_64): python-32bit-2.6.9-39.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libpython2_6-1_0-2.6.9-39.1 python-2.6.9-39.1 python-base-2.6.9-39.1 python-curses-2.6.9-39.1 python-demo-2.6.9-39.1 python-gdbm-2.6.9-39.1 python-idle-2.6.9-39.1 python-tk-2.6.9-39.1 python-xml-2.6.9-39.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libpython2_6-1_0-32bit-2.6.9-39.1 python-32bit-2.6.9-39.1 python-base-32bit-2.6.9-39.1 - SUSE Linux Enterprise Server 11-SP4 (noarch): python-doc-2.6-8.39.1 python-doc-pdf-2.6-8.39.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): libpython2_6-1_0-x86-2.6.9-39.1 python-base-x86-2.6.9-39.1 python-x86-2.6.9-39.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): python-base-debuginfo-2.6.9-39.1 python-base-debugsource-2.6.9-39.1 python-debuginfo-2.6.9-39.1 python-debugsource-2.6.9-39.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64): python-base-debuginfo-32bit-2.6.9-39.1 python-debuginfo-32bit-2.6.9-39.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64): python-base-debuginfo-x86-2.6.9-39.1 python-debuginfo-x86-2.6.9-39.1 References: https://www.suse.com/security/cve/CVE-2016-0772.html https://www.suse.com/security/cve/CVE-2016-1000110.html https://www.suse.com/security/cve/CVE-2016-5699.html https://bugzilla.suse.com/984751 https://bugzilla.suse.com/985348 https://bugzilla.suse.com/989523 From sle-security-updates at lists.suse.com Fri Sep 9 04:10:57 2016 From: sle-security-updates at lists.suse.com (sle-security-updates 
at lists.suse.com) Date: Fri, 9 Sep 2016 12:10:57 +0200 (CEST) Subject: SUSE-SU-2016:2271-1: moderate: Security update for tiff Message-ID: <20160909101057.BB807FC44@maintenance.suse.de> SUSE Security Update: Security update for tiff ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:2271-1 Rating: moderate References: #964225 #973340 #984808 #984831 #984837 #984842 #987351 Cross-References: CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 CVE-2016-3186 CVE-2016-5314 CVE-2016-5316 CVE-2016-5317 CVE-2016-5320 CVE-2016-5875 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP1 SUSE Linux Enterprise Server 12-SP1 SUSE Linux Enterprise Desktop 12-SP1 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for tiff fixes the following issues: * CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds writes for invalid images (bsc#964225) * CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340). * CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat (bsc#987351) * CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (bsc#984837) * CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function (bsc#984831) * CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so (bsc#984842) * CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (bsc#984808) Patch Instructions: To install this SUSE Security Update use YaST online_update. 
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1330=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1330=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1330=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libtiff-devel-4.0.6-26.3
      tiff-debuginfo-4.0.6-26.3
      tiff-debugsource-4.0.6-26.3

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libtiff5-4.0.6-26.3
      libtiff5-debuginfo-4.0.6-26.3
      tiff-4.0.6-26.3
      tiff-debuginfo-4.0.6-26.3
      tiff-debugsource-4.0.6-26.3

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libtiff5-32bit-4.0.6-26.3
      libtiff5-debuginfo-32bit-4.0.6-26.3

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libtiff5-32bit-4.0.6-26.3
      libtiff5-4.0.6-26.3
      libtiff5-debuginfo-32bit-4.0.6-26.3
      libtiff5-debuginfo-4.0.6-26.3
      tiff-debuginfo-4.0.6-26.3
      tiff-debugsource-4.0.6-26.3

References:

   https://www.suse.com/security/cve/CVE-2015-8781.html
   https://www.suse.com/security/cve/CVE-2015-8782.html
   https://www.suse.com/security/cve/CVE-2015-8783.html
   https://www.suse.com/security/cve/CVE-2016-3186.html
   https://www.suse.com/security/cve/CVE-2016-5314.html
   https://www.suse.com/security/cve/CVE-2016-5316.html
   https://www.suse.com/security/cve/CVE-2016-5317.html
   https://www.suse.com/security/cve/CVE-2016-5320.html
   https://www.suse.com/security/cve/CVE-2016-5875.html
   https://bugzilla.suse.com/964225
   https://bugzilla.suse.com/973340
   https://bugzilla.suse.com/984808
   https://bugzilla.suse.com/984831
   https://bugzilla.suse.com/984837
   https://bugzilla.suse.com/984842
   https://bugzilla.suse.com/987351


From sle-security-updates at lists.suse.com Fri Sep 9 11:09:24 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Sep 2016 19:09:24 +0200 (CEST)
Subject: SUSE-SU-2016:2280-1: moderate: Security update for openssh
Message-ID: <20160909170924.1A3AAFC44@maintenance.suse.de>

SUSE Security Update: Security update for openssh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2280-1
Rating:             moderate
References:         #948902 #981654 #989363 #992533
Cross-References:   CVE-2016-6210 CVE-2016-6515
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now available.

Description:

   This update for openssh fixes the following issues:

   - Prevent user enumeration through the timing of password processing
     (bsc#989363, CVE-2016-6210) [-prevent_timing_user_enumeration]
   - Allow lowering the DH groups parameter limit in server as well as when
     GSSAPI key exchange is used (bsc#948902)
   - Limit accepted password length (prevents possible DoS) (bsc#992533,
     CVE-2016-6515)

   Bug fixes:

   - Avoid complaining about unset DISPLAY variable (bsc#981654)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1332=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1332=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1332=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1332=1

   To bring your system up-to-date, use "zypper patch".
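   The zypper commands above apply the fix; when auditing a fleet you also want to confirm that the installed openssh packages are at or above the fixed versions given in the Package List of this advisory. The script below is an added example and not part of the SUSE advisory: it implements rpm's version comparison (the rpmvercmp segment rules, without epoch or caret handling) and checks a constructed sample of rpm -qa output against the SLES 12-SP1 fixed versions; the function names are the example's own.

```python
"""Verify installed RPMs against the fixed versions in a SUSE advisory.

Added example, not part of SUSE-SU-2016:2280-1. Implements the rpmvercmp()
segment comparison (digit runs vs. letter runs, tilde ordering; epoch and
caret are not handled) and applies it to name-version-release strings.
"""
import re

# Fixed versions for SUSE Linux Enterprise Server 12-SP1 taken from the
# advisory's Package List (openssh 6.6p1-52.1).
ADVISORY_FIXED = [
    "openssh-6.6p1-52.1",
    "openssh-helpers-6.6p1-52.1",
    "openssh-fips-6.6p1-52.1",
    "openssh-askpass-gnome-6.6p1-52.1",
]

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output; not taken from a real host.
SAMPLE_RPM_QA = """\
openssh-6.6p1-48.1
openssh-helpers-6.6p1-52.1
openssh-fips-6.6p1-52.3
bash-4.2-75.3
"""

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version or release strings like rpm's rpmvercmp().

    Returns -1, 0 or 1. Strings are split into digit runs, letter runs and
    '~' markers; every other character only separates segments.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            # A tilde sorts before anything, including the end of the string.
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)  # numeric compare ignores leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1  # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    # One side has segments left over; a leading '~' there means it is older.
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0


def split_nvr(nvr):
    """Split 'name-version-release' at the last two dashes (names may contain '-')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed, fixed):
    """-1 if installed is older than fixed, 0 if equal, 1 if newer (same name)."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def check_advisory(rpm_qa_output, fixed_list):
    """Map each advisory package name to 'ok', 'vulnerable' or 'not installed'."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if line:
            installed[split_nvr(line)[0]] = line
    result = {}
    for fixed in fixed_list:
        name = split_nvr(fixed)[0]
        if name not in installed:
            result[name] = "not installed"
        elif compare_nvr(installed[name], fixed) < 0:
            result[name] = "vulnerable"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for name, state in sorted(check_advisory(SAMPLE_RPM_QA, ADVISORY_FIXED).items()):
        print(f"{name:28s} {state}")
```

   On a real host, feed the output of the rpm query shown in the comment instead of the constructed sample; a "vulnerable" result means the package predates the advisory's fixed release.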
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      openssh-6.6p1-52.1
      openssh-askpass-gnome-6.6p1-52.1
      openssh-askpass-gnome-debuginfo-6.6p1-52.1
      openssh-debuginfo-6.6p1-52.1
      openssh-debugsource-6.6p1-52.1
      openssh-fips-6.6p1-52.1
      openssh-helpers-6.6p1-52.1
      openssh-helpers-debuginfo-6.6p1-52.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      openssh-6.6p1-52.1
      openssh-askpass-gnome-6.6p1-52.1
      openssh-askpass-gnome-debuginfo-6.6p1-52.1
      openssh-debuginfo-6.6p1-52.1
      openssh-debugsource-6.6p1-52.1
      openssh-fips-6.6p1-52.1
      openssh-helpers-6.6p1-52.1
      openssh-helpers-debuginfo-6.6p1-52.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      openssh-6.6p1-52.1
      openssh-askpass-gnome-6.6p1-52.1
      openssh-askpass-gnome-debuginfo-6.6p1-52.1
      openssh-debuginfo-6.6p1-52.1
      openssh-debugsource-6.6p1-52.1
      openssh-fips-6.6p1-52.1
      openssh-helpers-6.6p1-52.1
      openssh-helpers-debuginfo-6.6p1-52.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      openssh-6.6p1-52.1
      openssh-askpass-gnome-6.6p1-52.1
      openssh-askpass-gnome-debuginfo-6.6p1-52.1
      openssh-debuginfo-6.6p1-52.1
      openssh-debugsource-6.6p1-52.1
      openssh-helpers-6.6p1-52.1
      openssh-helpers-debuginfo-6.6p1-52.1

References:

   https://www.suse.com/security/cve/CVE-2016-6210.html
   https://www.suse.com/security/cve/CVE-2016-6515.html
   https://bugzilla.suse.com/948902
   https://bugzilla.suse.com/981654
   https://bugzilla.suse.com/989363
   https://bugzilla.suse.com/992533


From sle-security-updates at lists.suse.com Fri Sep 9 11:10:17 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Sep 2016 19:10:17 +0200 (CEST)
Subject: SUSE-SU-2016:2281-1: moderate: Security update for openssh
Message-ID: <20160909171017.80AD0FC44@maintenance.suse.de>

SUSE Security Update: Security update for openssh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2281-1
Rating:             moderate
References:         #948902 #981654 #989363 #992533
Cross-References:   CVE-2016-6210 CVE-2016-6515
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now available.

Description:

   This update for openssh fixes the following issues:

   - CVE-2016-6210: Prevent user enumeration through the timing of password
     processing (bsc#989363) [-prevent_timing_user_enumeration]
   - Allow lowering the DH groups parameter limit in server as well as when
     GSSAPI key exchange is used (bsc#948902)
   - CVE-2016-6515: Limit the accepted password length to prevent possible
     DoS (bsc#992533)

   Bug fixes:

   - Avoid complaining about unset DISPLAY variable (bsc#981654)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-openssh-12736=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-openssh-12736=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      openssh-6.6p1-28.1
      openssh-askpass-gnome-6.6p1-28.2
      openssh-fips-6.6p1-28.1
      openssh-helpers-6.6p1-28.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      openssh-askpass-gnome-debuginfo-6.6p1-28.2
      openssh-debuginfo-6.6p1-28.1
      openssh-debugsource-6.6p1-28.1

References:

   https://www.suse.com/security/cve/CVE-2016-6210.html
   https://www.suse.com/security/cve/CVE-2016-6515.html
   https://bugzilla.suse.com/948902
   https://bugzilla.suse.com/981654
   https://bugzilla.suse.com/989363
   https://bugzilla.suse.com/992533


From sle-security-updates at lists.suse.com Sat Sep 10 08:08:49 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 10 Sep 2016 16:08:49 +0200 (CEST)
Subject: SUSE-SU-2016:2285-1: moderate: Security update for apache2-mod_nss
Message-ID: <20160910140849.2FF0CFC44@maintenance.suse.de>

SUSE Security Update: Security update for apache2-mod_nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2285-1
Rating:             moderate
References:         #972968 #975394 #979688
Cross-References:   CVE-2013-4566 CVE-2014-3566 CVE-2015-5244 CVE-2016-3099
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update provides apache2-mod_nss 1.0.14, which brings several fixes
   and enhancements:

   - Fix OpenSSL cipher string parsing, which stopped at "+". (CVE-2016-3099)
   - Created valgrind suppression files to ease debugging.
   - Implement SSL_PPTYPE_FILTER to call executables to get the key password
     pins.
   - Improvements to migrate.pl.
   - Update default ciphers to something more modern and secure.
   - Check for host and netstat commands in gencert before trying to use them.
   - Add server support for DHE ciphers.
   - Extract SAN from server/client certificates into env.
   - Fix memory leaks and other coding issues caught by clang analyzer.
   - Add support for Server Name Indication (SNI).
   - Add support for SNI for reverse proxy connections.
   - Add RenegBufferSize option.
   - Add support for TLS Session Tickets (RFC 5077).
   - Fix logical AND support in OpenSSL cipher compatibility.
   - Correctly handle disabled ciphers. (CVE-2015-5244)
   - Implement a slew more OpenSSL cipher macros.
   - Fix a number of illegal memory accesses and memory leaks.
   - Support for SHA384 ciphers if they are available in NSS.
   - Add compatibility for mod_ssl-style cipher definitions.
   - Add TLSv1.2-specific ciphers.
   - Completely remove support for SSLv2.
   - Add support for sqlite NSS databases.
   - Compare subject CN and VS hostname during server start up.
   - Add support for enabling TLS v1.2.
   - Don't enable SSL 3 by default. (CVE-2014-3566)
   - Fix CVE-2013-4566.
   - Move nss_pcache to /usr/libexec.
   - Support httpd 2.4+.
   - Use apache2-systemd-ask-pass to prompt for a certificate passphrase.
     (bsc#972968, bsc#975394)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1335=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      apache2-mod_nss-1.0.14-18.3
      apache2-mod_nss-debuginfo-1.0.14-18.3
      apache2-mod_nss-debugsource-1.0.14-18.3

References:

   https://www.suse.com/security/cve/CVE-2013-4566.html
   https://www.suse.com/security/cve/CVE-2014-3566.html
   https://www.suse.com/security/cve/CVE-2015-5244.html
   https://www.suse.com/security/cve/CVE-2016-3099.html
   https://bugzilla.suse.com/972968
   https://bugzilla.suse.com/975394
   https://bugzilla.suse.com/979688


From sle-security-updates at lists.suse.com Sat Sep 10 08:09:41 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 10 Sep 2016 16:09:41 +0200 (CEST)
Subject: SUSE-SU-2016:2286-1: important: Security update for java-1_7_0-ibm
Message-ID: <20160910140941.46C8CFC44@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2286-1
Rating:             important
References:         #992537
Cross-References:   CVE-2016-3485 CVE-2016-3511 CVE-2016-3598
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   IBM Java 7 was updated to 7.1-9.50, fixing bugs and security issues
   (bsc#992537).

   Security issues fixed: CVE-2016-3485 CVE-2016-3511 CVE-2016-3598

   Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more
   information.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-java-1_7_0-ibm-12737=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-java-1_7_0-ibm-12737=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-java-1_7_0-ibm-12737=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-java-1_7_0-ibm-12737=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-java-1_7_0-ibm-12737=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-java-1_7_0-ibm-12737=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      java-1_7_0-ibm-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-alsa-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-devel-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.50-55.1

   - SUSE Manager Proxy 2.1 (x86_64):

      java-1_7_0-ibm-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-alsa-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-devel-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.50-55.1

   - SUSE Manager 2.1 (s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-devel-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.50-55.1

   - SUSE Manager 2.1 (x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.50-55.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-devel-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.50-55.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.50-55.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-devel-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.50-55.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.50-55.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      java-1_7_0-ibm-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-alsa-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-devel-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.50-55.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.50-55.1

References:

   https://www.suse.com/security/cve/CVE-2016-3485.html
   https://www.suse.com/security/cve/CVE-2016-3511.html
   https://www.suse.com/security/cve/CVE-2016-3598.html
   https://bugzilla.suse.com/992537


From sle-security-updates at lists.suse.com Mon Sep 12 07:10:08 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Sep 2016 15:10:08 +0200 (CEST)
Subject: SUSE-SU-2016:2291-1: moderate: Security update for libidn
Message-ID: <20160912131008.45DC2FC44@maintenance.suse.de>

SUSE Security Update: Security update for libidn
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2291-1
Rating:             moderate
References:         #923241 #990189 #990190 #990191
Cross-References:   CVE-2015-2059 CVE-2015-8948 CVE-2016-6261 CVE-2016-6262
                    CVE-2016-6263
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for libidn fixes the following issues:

   - CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one
     zero byte as input (bsc#990189)
   - CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
   - CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8
     (bsc#990191)
   - CVE-2015-2059: Out-of-bounds read with stringprep on invalid UTF-8
     (bsc#923241)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-libidn-12739=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-libidn-12739=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-libidn-12739=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libidn-devel-1.10-6.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libidn-1.10-6.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libidn-32bit-1.10-6.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libidn-x86-1.10-6.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libidn-debuginfo-1.10-6.1
      libidn-debugsource-1.10-6.1

References:

   https://www.suse.com/security/cve/CVE-2015-2059.html
   https://www.suse.com/security/cve/CVE-2015-8948.html
   https://www.suse.com/security/cve/CVE-2016-6261.html
   https://www.suse.com/security/cve/CVE-2016-6262.html
   https://www.suse.com/security/cve/CVE-2016-6263.html
   https://bugzilla.suse.com/923241
   https://bugzilla.suse.com/990189
   https://bugzilla.suse.com/990190
   https://bugzilla.suse.com/990191


From sle-security-updates at lists.suse.com Wed Sep 14 05:09:48 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Sep 2016 13:09:48 +0200 (CEST)
Subject: SUSE-SU-2016:2302-1: moderate: Security update for gd
Message-ID: <20160914110948.2246AFC44@maintenance.suse.de>

SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2302-1
Rating:             moderate
References:         #988032
Cross-References:   CVE-2016-6161
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for gd fixes the following issues:

   - security update:
     * CVE-2016-6161: Global out-of-bounds read when encoding a GIF from
       malformed input with gd2togif [bsc#988032]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-gd-12743=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-gd-12743=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-gd-12743=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      gd-devel-2.0.36.RC1-52.22.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      gd-2.0.36.RC1-52.22.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      gd-debuginfo-2.0.36.RC1-52.22.1
      gd-debugsource-2.0.36.RC1-52.22.1

References:

   https://www.suse.com/security/cve/CVE-2016-6161.html
   https://bugzilla.suse.com/988032


From sle-security-updates at lists.suse.com Wed Sep 14 05:10:18 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Sep 2016 13:10:18 +0200 (CEST)
Subject: SUSE-SU-2016:2303-1: moderate: Security update for gd
Message-ID: <20160914111018.DDB0AFC44@maintenance.suse.de>

SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2303-1
Rating:             moderate
References:         #982176 #987577 #988032 #991436 #991622 #991710 #995034
Cross-References:   CVE-2016-5116 CVE-2016-6128 CVE-2016-6132 CVE-2016-6161
                    CVE-2016-6207 CVE-2016-6214 CVE-2016-6905
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for gd fixes the following issues:

   * CVE-2016-6214: Buffer over-read issue when parsing crafted TGA file
     [bsc#991436]
   * CVE-2016-6132: Out-of-bounds read in the parsing of TGA files using
     libgd [bsc#987577]
   * CVE-2016-6128: Invalid color index not properly handled [bsc#991710]
   * CVE-2016-6207: Integer overflow error within _gdContributionsAlloc()
     [bsc#991622]
   * CVE-2016-6161: Global out-of-bounds read when encoding a GIF from
     malformed input with gd2togif [bsc#988032]
   * CVE-2016-5116: Avoid stack overflow (read) with large names [bsc#982176]
   * CVE-2016-6905: Out-of-bounds read in function read_image_tga in
     gd_tga.c [bsc#995034]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1347=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1347=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1347=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1347=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      gd-32bit-2.1.0-12.1
      gd-debuginfo-32bit-2.1.0-12.1
      gd-debugsource-2.1.0-12.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      gd-debuginfo-2.1.0-12.1
      gd-debugsource-2.1.0-12.1
      gd-devel-2.1.0-12.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      gd-2.1.0-12.1
      gd-debuginfo-2.1.0-12.1
      gd-debugsource-2.1.0-12.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      gd-2.1.0-12.1
      gd-32bit-2.1.0-12.1
      gd-debuginfo-2.1.0-12.1
      gd-debuginfo-32bit-2.1.0-12.1
      gd-debugsource-2.1.0-12.1

References:

   https://www.suse.com/security/cve/CVE-2016-5116.html
   https://www.suse.com/security/cve/CVE-2016-6128.html
   https://www.suse.com/security/cve/CVE-2016-6132.html
   https://www.suse.com/security/cve/CVE-2016-6161.html
   https://www.suse.com/security/cve/CVE-2016-6207.html
   https://www.suse.com/security/cve/CVE-2016-6214.html
   https://www.suse.com/security/cve/CVE-2016-6905.html
   https://bugzilla.suse.com/982176
   https://bugzilla.suse.com/987577
   https://bugzilla.suse.com/988032
   https://bugzilla.suse.com/991436
   https://bugzilla.suse.com/991622
   https://bugzilla.suse.com/991710
   https://bugzilla.suse.com/995034


From sle-security-updates at lists.suse.com Wed Sep 14 11:09:40 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Sep 2016 19:09:40 +0200 (CEST)
Subject: SUSE-SU-2016:2305-1: moderate: Security update for wpa_supplicant
Message-ID: <20160914170940.85052FC44@maintenance.suse.de>

SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2305-1
Rating:             moderate
References:         #930077 #930078 #930079 #937419 #952254
Cross-References:   CVE-2015-4141 CVE-2015-4142 CVE-2015-4143 CVE-2015-5310
                    CVE-2015-8041
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for wpa_supplicant fixes the following issues:

   - CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer
     encoding. (bnc#930077)
   - CVE-2015-4142: Integer underflow in AP mode WMM Action frame
     processing. (bnc#930078)
   - CVE-2015-4143: EAP-pwd missing payload length validation. (bnc#930079)
   - CVE-2015-5310: Ignore Key Data in WNM Sleep Mode Response frame if no
     PMF in use. (bsc#952254)
   - CVE-2015-8041: Fix payload length validation in NDEF record parser.
     (bsc#937419)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1351=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1351=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      wpa_supplicant-2.2-14.2
      wpa_supplicant-debuginfo-2.2-14.2
      wpa_supplicant-debugsource-2.2-14.2

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      wpa_supplicant-2.2-14.2
      wpa_supplicant-debuginfo-2.2-14.2
      wpa_supplicant-debugsource-2.2-14.2

References:

   https://www.suse.com/security/cve/CVE-2015-4141.html
   https://www.suse.com/security/cve/CVE-2015-4142.html
   https://www.suse.com/security/cve/CVE-2015-4143.html
   https://www.suse.com/security/cve/CVE-2015-5310.html
   https://www.suse.com/security/cve/CVE-2015-8041.html
   https://bugzilla.suse.com/930077
   https://bugzilla.suse.com/930078
   https://bugzilla.suse.com/930079
   https://bugzilla.suse.com/937419
   https://bugzilla.suse.com/952254


From sle-security-updates at lists.suse.com Wed Sep 14 11:10:53 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Sep 2016 19:10:53 +0200 (CEST)
Subject: SUSE-SU-2016:2306-1: moderate: Security update for samba
Message-ID: <20160914171053.8020DFC44@maintenance.suse.de>

SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2306-1
Rating:             moderate
References:         #969522 #975131 #981566 #986228 #986869 #991564
Cross-References:   CVE-2016-2119
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise High Availability 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is now available.

Description:

   This update for samba provides the following fixes:

   - CVE-2016-2119: Prevent client-side SMB2 signing downgrade. (bsc#986869)
   - Fix possible ctdb crash when opening sockets with htons(IPPROTO_RAW).
     (bsc#969522)
   - Honor smb.conf socket options in winbind. (bsc#975131)
   - Fix ntlm-auth segmentation fault with squid. (bsc#986228)
   - Implement new "--no-dns-updates" option in "net ads" command.
     (bsc#991564)
   - Fix population of ctdb sysconfig after source merge. (bsc#981566)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1350=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1350=1

   - SUSE Linux Enterprise High Availability 12-SP1:

      zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1350=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1350=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      ctdb-debuginfo-4.2.4-26.2
      ctdb-devel-4.2.4-26.2
      libdcerpc-atsvc-devel-4.2.4-26.2
      libdcerpc-atsvc0-4.2.4-26.2
      libdcerpc-atsvc0-debuginfo-4.2.4-26.2
      libdcerpc-devel-4.2.4-26.2
      libdcerpc-samr-devel-4.2.4-26.2
      libdcerpc-samr0-4.2.4-26.2
      libdcerpc-samr0-debuginfo-4.2.4-26.2
      libgensec-devel-4.2.4-26.2
      libndr-devel-4.2.4-26.2
      libndr-krb5pac-devel-4.2.4-26.2
      libndr-nbt-devel-4.2.4-26.2
      libndr-standard-devel-4.2.4-26.2
      libnetapi-devel-4.2.4-26.2
      libregistry-devel-4.2.4-26.2
      libsamba-credentials-devel-4.2.4-26.2
      libsamba-hostconfig-devel-4.2.4-26.2
      libsamba-passdb-devel-4.2.4-26.2
      libsamba-policy-devel-4.2.4-26.2
      libsamba-policy0-4.2.4-26.2
      libsamba-policy0-debuginfo-4.2.4-26.2
      libsamba-util-devel-4.2.4-26.2
      libsamdb-devel-4.2.4-26.2
      libsmbclient-devel-4.2.4-26.2
      libsmbclient-raw-devel-4.2.4-26.2
      libsmbconf-devel-4.2.4-26.2
      libsmbldap-devel-4.2.4-26.2
      libtevent-util-devel-4.2.4-26.2
      libwbclient-devel-4.2.4-26.2
      samba-core-devel-4.2.4-26.2
      samba-debuginfo-4.2.4-26.2
      samba-debugsource-4.2.4-26.2
      samba-test-devel-4.2.4-26.2

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      libdcerpc-binding0-4.2.4-26.2
      libdcerpc-binding0-debuginfo-4.2.4-26.2
      libdcerpc0-4.2.4-26.2
      libdcerpc0-debuginfo-4.2.4-26.2
      libgensec0-4.2.4-26.2
      libgensec0-debuginfo-4.2.4-26.2
      libndr-krb5pac0-4.2.4-26.2
      libndr-krb5pac0-debuginfo-4.2.4-26.2
      libndr-nbt0-4.2.4-26.2
      libndr-nbt0-debuginfo-4.2.4-26.2
      libndr-standard0-4.2.4-26.2
      libndr-standard0-debuginfo-4.2.4-26.2
      libndr0-4.2.4-26.2
      libndr0-debuginfo-4.2.4-26.2
      libnetapi0-4.2.4-26.2
      libnetapi0-debuginfo-4.2.4-26.2
      libregistry0-4.2.4-26.2
      libregistry0-debuginfo-4.2.4-26.2
      libsamba-credentials0-4.2.4-26.2
      libsamba-credentials0-debuginfo-4.2.4-26.2
      libsamba-hostconfig0-4.2.4-26.2
      libsamba-hostconfig0-debuginfo-4.2.4-26.2
      libsamba-passdb0-4.2.4-26.2
      libsamba-passdb0-debuginfo-4.2.4-26.2
      libsamba-util0-4.2.4-26.2
      libsamba-util0-debuginfo-4.2.4-26.2
      libsamdb0-4.2.4-26.2
      libsamdb0-debuginfo-4.2.4-26.2
      libsmbclient-raw0-4.2.4-26.2
      libsmbclient-raw0-debuginfo-4.2.4-26.2
      libsmbclient0-4.2.4-26.2
      libsmbclient0-debuginfo-4.2.4-26.2
      libsmbconf0-4.2.4-26.2
      libsmbconf0-debuginfo-4.2.4-26.2
      libsmbldap0-4.2.4-26.2
      libsmbldap0-debuginfo-4.2.4-26.2
      libtevent-util0-4.2.4-26.2
      libtevent-util0-debuginfo-4.2.4-26.2
      libwbclient0-4.2.4-26.2
      libwbclient0-debuginfo-4.2.4-26.2
      samba-4.2.4-26.2
      samba-client-4.2.4-26.2
      samba-client-debuginfo-4.2.4-26.2
      samba-debuginfo-4.2.4-26.2
      samba-debugsource-4.2.4-26.2
      samba-libs-4.2.4-26.2
      samba-libs-debuginfo-4.2.4-26.2
      samba-winbind-4.2.4-26.2
      samba-winbind-debuginfo-4.2.4-26.2

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libdcerpc-binding0-32bit-4.2.4-26.2
      libdcerpc-binding0-debuginfo-32bit-4.2.4-26.2
      libdcerpc0-32bit-4.2.4-26.2
      libdcerpc0-debuginfo-32bit-4.2.4-26.2
      libgensec0-32bit-4.2.4-26.2
      libgensec0-debuginfo-32bit-4.2.4-26.2
      libndr-krb5pac0-32bit-4.2.4-26.2
      libndr-krb5pac0-debuginfo-32bit-4.2.4-26.2
      libndr-nbt0-32bit-4.2.4-26.2
      libndr-nbt0-debuginfo-32bit-4.2.4-26.2
      libndr-standard0-32bit-4.2.4-26.2
      libndr-standard0-debuginfo-32bit-4.2.4-26.2
      libndr0-32bit-4.2.4-26.2
      libndr0-debuginfo-32bit-4.2.4-26.2
      libnetapi0-32bit-4.2.4-26.2
      libnetapi0-debuginfo-32bit-4.2.4-26.2
      libsamba-credentials0-32bit-4.2.4-26.2
      libsamba-credentials0-debuginfo-32bit-4.2.4-26.2
      libsamba-hostconfig0-32bit-4.2.4-26.2
      libsamba-hostconfig0-debuginfo-32bit-4.2.4-26.2
      libsamba-passdb0-32bit-4.2.4-26.2
      libsamba-passdb0-debuginfo-32bit-4.2.4-26.2
      libsamba-util0-32bit-4.2.4-26.2
      libsamba-util0-debuginfo-32bit-4.2.4-26.2
      libsamdb0-32bit-4.2.4-26.2
      libsamdb0-debuginfo-32bit-4.2.4-26.2
      libsmbclient-raw0-32bit-4.2.4-26.2
      libsmbclient-raw0-debuginfo-32bit-4.2.4-26.2
      libsmbclient0-32bit-4.2.4-26.2
      libsmbclient0-debuginfo-32bit-4.2.4-26.2
      libsmbconf0-32bit-4.2.4-26.2
      libsmbconf0-debuginfo-32bit-4.2.4-26.2
      libsmbldap0-32bit-4.2.4-26.2
      libsmbldap0-debuginfo-32bit-4.2.4-26.2
      libtevent-util0-32bit-4.2.4-26.2
      libtevent-util0-debuginfo-32bit-4.2.4-26.2
      libwbclient0-32bit-4.2.4-26.2
      libwbclient0-debuginfo-32bit-4.2.4-26.2
      samba-32bit-4.2.4-26.2
      samba-client-32bit-4.2.4-26.2
      samba-client-debuginfo-32bit-4.2.4-26.2
      samba-debuginfo-32bit-4.2.4-26.2
      samba-libs-32bit-4.2.4-26.2
      samba-libs-debuginfo-32bit-4.2.4-26.2
      samba-winbind-32bit-4.2.4-26.2
      samba-winbind-debuginfo-32bit-4.2.4-26.2

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      samba-doc-4.2.4-26.2

   - SUSE Linux Enterprise High Availability 12-SP1 (s390x x86_64):

      ctdb-4.2.4-26.2
      ctdb-debuginfo-4.2.4-26.2

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libdcerpc-binding0-32bit-4.2.4-26.2
      libdcerpc-binding0-4.2.4-26.2
      libdcerpc-binding0-debuginfo-32bit-4.2.4-26.2
      libdcerpc-binding0-debuginfo-4.2.4-26.2
      libdcerpc0-32bit-4.2.4-26.2
      libdcerpc0-4.2.4-26.2
      libdcerpc0-debuginfo-32bit-4.2.4-26.2
      libdcerpc0-debuginfo-4.2.4-26.2
      libgensec0-32bit-4.2.4-26.2
      libgensec0-4.2.4-26.2
      libgensec0-debuginfo-32bit-4.2.4-26.2
      libgensec0-debuginfo-4.2.4-26.2
      libndr-krb5pac0-32bit-4.2.4-26.2
      libndr-krb5pac0-4.2.4-26.2
      libndr-krb5pac0-debuginfo-32bit-4.2.4-26.2
      libndr-krb5pac0-debuginfo-4.2.4-26.2
      libndr-nbt0-32bit-4.2.4-26.2
      libndr-nbt0-4.2.4-26.2
libndr-nbt0-debuginfo-32bit-4.2.4-26.2 libndr-nbt0-debuginfo-4.2.4-26.2 libndr-standard0-32bit-4.2.4-26.2 libndr-standard0-4.2.4-26.2 libndr-standard0-debuginfo-32bit-4.2.4-26.2 libndr-standard0-debuginfo-4.2.4-26.2 libndr0-32bit-4.2.4-26.2 libndr0-4.2.4-26.2 libndr0-debuginfo-32bit-4.2.4-26.2 libndr0-debuginfo-4.2.4-26.2 libnetapi0-32bit-4.2.4-26.2 libnetapi0-4.2.4-26.2 libnetapi0-debuginfo-32bit-4.2.4-26.2 libnetapi0-debuginfo-4.2.4-26.2 libregistry0-4.2.4-26.2 libregistry0-debuginfo-4.2.4-26.2 libsamba-credentials0-32bit-4.2.4-26.2 libsamba-credentials0-4.2.4-26.2 libsamba-credentials0-debuginfo-32bit-4.2.4-26.2 libsamba-credentials0-debuginfo-4.2.4-26.2 libsamba-hostconfig0-32bit-4.2.4-26.2 libsamba-hostconfig0-4.2.4-26.2 libsamba-hostconfig0-debuginfo-32bit-4.2.4-26.2 libsamba-hostconfig0-debuginfo-4.2.4-26.2 libsamba-passdb0-32bit-4.2.4-26.2 libsamba-passdb0-4.2.4-26.2 libsamba-passdb0-debuginfo-32bit-4.2.4-26.2 libsamba-passdb0-debuginfo-4.2.4-26.2 libsamba-util0-32bit-4.2.4-26.2 libsamba-util0-4.2.4-26.2 libsamba-util0-debuginfo-32bit-4.2.4-26.2 libsamba-util0-debuginfo-4.2.4-26.2 libsamdb0-32bit-4.2.4-26.2 libsamdb0-4.2.4-26.2 libsamdb0-debuginfo-32bit-4.2.4-26.2 libsamdb0-debuginfo-4.2.4-26.2 libsmbclient-raw0-32bit-4.2.4-26.2 libsmbclient-raw0-4.2.4-26.2 libsmbclient-raw0-debuginfo-32bit-4.2.4-26.2 libsmbclient-raw0-debuginfo-4.2.4-26.2 libsmbclient0-32bit-4.2.4-26.2 libsmbclient0-4.2.4-26.2 libsmbclient0-debuginfo-32bit-4.2.4-26.2 libsmbclient0-debuginfo-4.2.4-26.2 libsmbconf0-32bit-4.2.4-26.2 libsmbconf0-4.2.4-26.2 libsmbconf0-debuginfo-32bit-4.2.4-26.2 libsmbconf0-debuginfo-4.2.4-26.2 libsmbldap0-32bit-4.2.4-26.2 libsmbldap0-4.2.4-26.2 libsmbldap0-debuginfo-32bit-4.2.4-26.2 libsmbldap0-debuginfo-4.2.4-26.2 libtevent-util0-32bit-4.2.4-26.2 libtevent-util0-4.2.4-26.2 libtevent-util0-debuginfo-32bit-4.2.4-26.2 libtevent-util0-debuginfo-4.2.4-26.2 libwbclient0-32bit-4.2.4-26.2 libwbclient0-4.2.4-26.2 libwbclient0-debuginfo-32bit-4.2.4-26.2 
libwbclient0-debuginfo-4.2.4-26.2 samba-32bit-4.2.4-26.2 samba-4.2.4-26.2 samba-client-32bit-4.2.4-26.2 samba-client-4.2.4-26.2 samba-client-debuginfo-32bit-4.2.4-26.2 samba-client-debuginfo-4.2.4-26.2 samba-debuginfo-32bit-4.2.4-26.2 samba-debuginfo-4.2.4-26.2 samba-debugsource-4.2.4-26.2 samba-libs-32bit-4.2.4-26.2 samba-libs-4.2.4-26.2 samba-libs-debuginfo-32bit-4.2.4-26.2 samba-libs-debuginfo-4.2.4-26.2 samba-winbind-32bit-4.2.4-26.2 samba-winbind-4.2.4-26.2 samba-winbind-debuginfo-32bit-4.2.4-26.2 samba-winbind-debuginfo-4.2.4-26.2 - SUSE Linux Enterprise Desktop 12-SP1 (noarch): samba-doc-4.2.4-26.2 References: https://www.suse.com/security/cve/CVE-2016-2119.html https://bugzilla.suse.com/969522 https://bugzilla.suse.com/975131 https://bugzilla.suse.com/981566 https://bugzilla.suse.com/986228 https://bugzilla.suse.com/986869 https://bugzilla.suse.com/991564 From sle-security-updates at lists.suse.com Thu Sep 15 06:11:34 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 15 Sep 2016 14:11:34 +0200 (CEST) Subject: SUSE-SU-2016:2312-1: important: Security update for flash-player Message-ID: <20160915121134.91B5DFC47@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:2312-1 Rating: important References: #998589 Cross-References: CVE-2016-4182 CVE-2016-4237 CVE-2016-4238 CVE-2016-4271 CVE-2016-4272 CVE-2016-4274 CVE-2016-4275 CVE-2016-4276 CVE-2016-4277 CVE-2016-4278 CVE-2016-4279 CVE-2016-4280 CVE-2016-4281 CVE-2016-4282 CVE-2016-4283 CVE-2016-4284 CVE-2016-4285 CVE-2016-4287 CVE-2016-6921 CVE-2016-6922 CVE-2016-6923 CVE-2016-6924 CVE-2016-6925 CVE-2016-6926 CVE-2016-6927 CVE-2016-6929 CVE-2016-6930 CVE-2016-6931 CVE-2016-6932 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP1 SUSE Linux Enterprise Desktop 12-SP1 
______________________________________________________________________________

   An update that fixes 29 vulnerabilities is now available.

Description:

   This update for flash-player fixes the following security issues
   (APSB16-29, boo#998589):

   - integer overflow vulnerability that could lead to code execution
     (CVE-2016-4287).
   - use-after-free vulnerabilities that could lead to code execution
     (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925,
     CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931,
     CVE-2016-6932)
   - security bypass vulnerabilities that could lead to information disclosure
     (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278)
   - memory corruption vulnerabilities that could lead to code execution
     (CVE-2016-4182, CVE-2016-4237, CVE-2016-4238, CVE-2016-4274, CVE-2016-4275,
     CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283,
     CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1353=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1353=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      flash-player-11.2.202.635-140.1
      flash-player-gnome-11.2.202.635-140.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      flash-player-11.2.202.635-140.1
      flash-player-gnome-11.2.202.635-140.1

References:

   https://www.suse.com/security/cve/CVE-2016-4182.html
   https://www.suse.com/security/cve/CVE-2016-4237.html
   https://www.suse.com/security/cve/CVE-2016-4238.html
   https://www.suse.com/security/cve/CVE-2016-4271.html
   https://www.suse.com/security/cve/CVE-2016-4272.html
   https://www.suse.com/security/cve/CVE-2016-4274.html
   https://www.suse.com/security/cve/CVE-2016-4275.html
   https://www.suse.com/security/cve/CVE-2016-4276.html
   https://www.suse.com/security/cve/CVE-2016-4277.html
   https://www.suse.com/security/cve/CVE-2016-4278.html
   https://www.suse.com/security/cve/CVE-2016-4279.html
   https://www.suse.com/security/cve/CVE-2016-4280.html
   https://www.suse.com/security/cve/CVE-2016-4281.html
   https://www.suse.com/security/cve/CVE-2016-4282.html
   https://www.suse.com/security/cve/CVE-2016-4283.html
   https://www.suse.com/security/cve/CVE-2016-4284.html
   https://www.suse.com/security/cve/CVE-2016-4285.html
   https://www.suse.com/security/cve/CVE-2016-4287.html
   https://www.suse.com/security/cve/CVE-2016-6921.html
   https://www.suse.com/security/cve/CVE-2016-6922.html
   https://www.suse.com/security/cve/CVE-2016-6923.html
   https://www.suse.com/security/cve/CVE-2016-6924.html
   https://www.suse.com/security/cve/CVE-2016-6925.html
   https://www.suse.com/security/cve/CVE-2016-6926.html
   https://www.suse.com/security/cve/CVE-2016-6927.html
   https://www.suse.com/security/cve/CVE-2016-6929.html
   https://www.suse.com/security/cve/CVE-2016-6930.html
   https://www.suse.com/security/cve/CVE-2016-6931.html
   https://www.suse.com/security/cve/CVE-2016-6932.html
   https://bugzilla.suse.com/998589

From sle-security-updates at lists.suse.com  Fri Sep 16 10:11:01 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Sep 2016 18:11:01 +0200 (CEST)
Subject: SUSE-SU-2016:2325-1: moderate: Security update for openstack-keystone, openstack-nova, and openstack-swift
Message-ID: <20160916161101.04E9FFC45@maintenance.suse.de>

   SUSE Security Update: Security update for openstack-keystone, openstack-nova, and openstack-swift
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2325-1
Rating:             moderate
References:         #929628 #960015 #960601 #967356
Cross-References:   CVE-2015-3646 CVE-2015-7548
Affected Products:
                    SUSE OpenStack Cloud 5
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now available.

Description:

   This update for openstack-keystone, openstack-nova, and openstack-swift
   fixes the following issues:

   - Fix hybrid backend from keystone v3 (bsc#967356)
   - Fix cleanup when block migration fails (bsc#960015)
   - Avoid host data leak (bsc#960601, CVE-2015-7548)
   - Fix init script for openstack-swift-object-expirer
   - Mark backend_argument as secret (bsc#929628, CVE-2015-3646)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-openstack-keystone-12748=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE OpenStack Cloud 5 (noarch):

      openstack-keystone-doc-2014.2.4.juno-17.2
      openstack-nova-doc-2014.2.4.juno-29.1
      openstack-swift-doc-2.1.0-14.1

   - SUSE OpenStack Cloud 5 (x86_64):

      openstack-keystone-2014.2.4.juno-17.1
      openstack-nova-2014.2.4.juno-29.1
      openstack-nova-api-2014.2.4.juno-29.1
      openstack-nova-cells-2014.2.4.juno-29.1
      openstack-nova-cert-2014.2.4.juno-29.1
      openstack-nova-compute-2014.2.4.juno-29.1
      openstack-nova-conductor-2014.2.4.juno-29.1
      openstack-nova-console-2014.2.4.juno-29.1
      openstack-nova-consoleauth-2014.2.4.juno-29.1
      openstack-nova-novncproxy-2014.2.4.juno-29.1
      openstack-nova-objectstore-2014.2.4.juno-29.1
      openstack-nova-scheduler-2014.2.4.juno-29.1
      openstack-nova-serialproxy-2014.2.4.juno-29.1
      openstack-nova-vncproxy-2014.2.4.juno-29.1
      openstack-swift-2.1.0-14.1
      openstack-swift-account-2.1.0-14.1
      openstack-swift-container-2.1.0-14.1
      openstack-swift-object-2.1.0-14.1
      openstack-swift-proxy-2.1.0-14.1
      python-keystone-2014.2.4.juno-17.1
      python-nova-2014.2.4.juno-29.1
      python-swift-2.1.0-14.1

References:

   https://www.suse.com/security/cve/CVE-2015-3646.html
   https://www.suse.com/security/cve/CVE-2015-7548.html
   https://bugzilla.suse.com/929628
   https://bugzilla.suse.com/960015
   https://bugzilla.suse.com/960601
   https://bugzilla.suse.com/967356

From sle-security-updates at lists.suse.com  Fri Sep 16 13:09:08 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Sep 2016 21:09:08 +0200 (CEST)
Subject: SUSE-SU-2016:2328-1: important: Security update for php53
Message-ID: <20160916190908.E6FEDFC44@maintenance.suse.de>

   SUSE Security Update: Security update for php53
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2328-1
Rating:             important
References:         #987530 #991426 #991427 #991428 #991429 #991430 #991433
                    #991437 #997206 #997207 #997208 #997210 #997211 #997220
                    #997225 #997230 #997257
Cross-References:   CVE-2014-3587 CVE-2016-3587 CVE-2016-5399 CVE-2016-6288
                    CVE-2016-6289 CVE-2016-6290 CVE-2016-6291 CVE-2016-6296
                    CVE-2016-6297 CVE-2016-7124 CVE-2016-7125 CVE-2016-7126
                    CVE-2016-7127 CVE-2016-7128 CVE-2016-7129 CVE-2016-7130
                    CVE-2016-7131 CVE-2016-7132
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   This update for php53 fixes the following security issues:

   * CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting
     SLES11 SP3 [bsc#987530]
   * CVE-2016-6297: Stack-based buffer overflow vulnerability in
     php_stream_zip_opener [bsc#991426]
   * CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
     [bsc#991427]
   * CVE-2016-6289: Integer overflow leads to buffer overflow in
     virtual_file_ex [bsc#991428]
   * CVE-2016-6290: Use after free in unserialize() with Unexpected Session
     Deserialization [bsc#991429]
   * CVE-2016-5399: Improper error handling in bzread() [bsc#991430]
   * CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433]
   * CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in
     simplestring.c [bsc#991437]
   * CVE-2016-7124: Create an Unexpected Object and Don't Invoke __wakeup() in
     Deserialization
   * CVE-2016-7125: PHP Session Data Injection Vulnerability
   * CVE-2016-7126: select_colors write out-of-bounds
   * CVE-2016-7127: imagegammacorrect allowed arbitrary write access
   * CVE-2016-7128: Memory Leakage In exif_process_IFD_in_TIFF
   * CVE-2016-7129: wddx_deserialize allows illegal memory access
   * CVE-2016-7130: wddx_deserialize null dereference
   * CVE-2016-7131: wddx_deserialize null dereference with invalid xml
   * CVE-2016-7132: wddx_deserialize null dereference in php_wddx_pop_element

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-php53-12750=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-php53-12750=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      apache2-mod_php53-5.3.17-55.1
      php53-5.3.17-55.1
      php53-bcmath-5.3.17-55.1
      php53-bz2-5.3.17-55.1
      php53-calendar-5.3.17-55.1
      php53-ctype-5.3.17-55.1
      php53-curl-5.3.17-55.1
      php53-dba-5.3.17-55.1
      php53-dom-5.3.17-55.1
      php53-exif-5.3.17-55.1
      php53-fastcgi-5.3.17-55.1
      php53-fileinfo-5.3.17-55.1
      php53-ftp-5.3.17-55.1
      php53-gd-5.3.17-55.1
      php53-gettext-5.3.17-55.1
      php53-gmp-5.3.17-55.1
      php53-iconv-5.3.17-55.1
      php53-intl-5.3.17-55.1
      php53-json-5.3.17-55.1
      php53-ldap-5.3.17-55.1
      php53-mbstring-5.3.17-55.1
      php53-mcrypt-5.3.17-55.1
      php53-mysql-5.3.17-55.1
      php53-odbc-5.3.17-55.1
      php53-openssl-5.3.17-55.1
      php53-pcntl-5.3.17-55.1
      php53-pdo-5.3.17-55.1
      php53-pear-5.3.17-55.1
      php53-pgsql-5.3.17-55.1
      php53-pspell-5.3.17-55.1
      php53-shmop-5.3.17-55.1
      php53-snmp-5.3.17-55.1
      php53-soap-5.3.17-55.1
      php53-suhosin-5.3.17-55.1
      php53-sysvmsg-5.3.17-55.1
      php53-sysvsem-5.3.17-55.1
      php53-sysvshm-5.3.17-55.1
      php53-tokenizer-5.3.17-55.1
      php53-wddx-5.3.17-55.1
      php53-xmlreader-5.3.17-55.1
      php53-xmlrpc-5.3.17-55.1
      php53-xmlwriter-5.3.17-55.1
      php53-xsl-5.3.17-55.1
      php53-zip-5.3.17-55.1
      php53-zlib-5.3.17-55.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      php53-debuginfo-5.3.17-55.1
      php53-debugsource-5.3.17-55.1

References:

   https://www.suse.com/security/cve/CVE-2014-3587.html
   https://www.suse.com/security/cve/CVE-2016-3587.html
   https://www.suse.com/security/cve/CVE-2016-5399.html
   https://www.suse.com/security/cve/CVE-2016-6288.html
   https://www.suse.com/security/cve/CVE-2016-6289.html
   https://www.suse.com/security/cve/CVE-2016-6290.html
   https://www.suse.com/security/cve/CVE-2016-6291.html
   https://www.suse.com/security/cve/CVE-2016-6296.html
   https://www.suse.com/security/cve/CVE-2016-6297.html
   https://www.suse.com/security/cve/CVE-2016-7124.html
   https://www.suse.com/security/cve/CVE-2016-7125.html
   https://www.suse.com/security/cve/CVE-2016-7126.html
   https://www.suse.com/security/cve/CVE-2016-7127.html
   https://www.suse.com/security/cve/CVE-2016-7128.html
   https://www.suse.com/security/cve/CVE-2016-7129.html
   https://www.suse.com/security/cve/CVE-2016-7130.html
   https://www.suse.com/security/cve/CVE-2016-7131.html
   https://www.suse.com/security/cve/CVE-2016-7132.html
   https://bugzilla.suse.com/987530
   https://bugzilla.suse.com/991426
   https://bugzilla.suse.com/991427
   https://bugzilla.suse.com/991428
   https://bugzilla.suse.com/991429
   https://bugzilla.suse.com/991430
   https://bugzilla.suse.com/991433
   https://bugzilla.suse.com/991437
   https://bugzilla.suse.com/997206
   https://bugzilla.suse.com/997207
   https://bugzilla.suse.com/997208
   https://bugzilla.suse.com/997210
   https://bugzilla.suse.com/997211
   https://bugzilla.suse.com/997220
   https://bugzilla.suse.com/997225
   https://bugzilla.suse.com/997230
   https://bugzilla.suse.com/997257

From sle-security-updates at lists.suse.com  Fri Sep 16 13:12:41 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Sep 2016 21:12:41 +0200 (CEST)
Subject: SUSE-SU-2016:2329-1: moderate: Security update for apache2-mod_nss
Message-ID: <20160916191241.8C738FC44@maintenance.suse.de>

   SUSE Security Update: Security update for apache2-mod_nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2329-1
Rating:             moderate
References:         #975394 #979688
Cross-References:   CVE-2013-4566 CVE-2014-3566
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update provides apache2-mod_nss 1.0.14, which brings several fixes and
   enhancements:

   - SHA256 cipher names change spelling from *_sha256 to *_sha_256.
   - Drop mod_nss_migrate.pl and use upstream migrate script instead.
   - Check for Apache user owner/group read permissions of NSS database at
     startup.
   - Update default ciphers to something more modern and secure.
   - Check for host and netstat commands in gencert before trying to use them.
   - Don't ignore NSSProtocol when NSSFIPS is enabled.
   - Use proper shell syntax to avoid creating /0 in gencert.
   - Add server support for DHE ciphers.
   - Extract SAN from server/client certificates into env.
   - Fix memory leaks and other coding issues caught by clang analyzer.
   - Add support for Server Name Indication (SNI).
   - Add support for SNI for reverse proxy connections.
   - Add RenegBufferSize option.
   - Add support for TLS Session Tickets (RFC 5077).
   - Implement a slew more OpenSSL cipher macros.
   - Fix a number of illegal memory accesses and memory leaks.
   - Support for SHA384 ciphers if they are available in the version of NSS
     mod_nss is built against.
   - Add the SECURE_RENEG environment variable.
   - Add some hints when NSS database cannot be initialized.
   - Code cleanup including trailing whitespace and compiler warnings.
   - Modernize autotools configuration slightly, add config.h.
   - Add small test suite for SNI.
   - Add compatibility for mod_ssl-style cipher definitions.
   - Add Camellia ciphers.
   - Remove Fortezza ciphers.
   - Add TLSv1.2-specific ciphers.
   - Initialize cipher list when re-negotiating handshake.
   - Completely remove support for SSLv2.
   - Add support for sqlite NSS databases.
   - Compare subject CN and VS hostname during server start up.
   - Add support for enabling TLS v1.2.
   - Don't enable SSL 3 by default. (CVE-2014-3566)
   - Improve protocol testing.
   - Add nss_pcache man page.
   - Fix argument handling in nss_pcache.
   - Support httpd 2.4+.
   - Allow users to configure a helper to ask for certificate passphrases via
     NSSPassPhraseDialog. (bsc#975394)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-apache2-mod_nss-12751=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-apache2-mod_nss-12751=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-apache2-mod_nss-12751=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-apache2-mod_nss-12751=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-apache2-mod_nss-12751=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-apache2-mod_nss-12751=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-apache2-mod_nss-12751=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-apache2-mod_nss-12751=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-apache2-mod_nss-12751=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-apache2-mod_nss-12751=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      apache2-mod_nss-1.0.14-0.4.25.1

   - SUSE Manager Proxy 2.1 (x86_64):

      apache2-mod_nss-1.0.14-0.4.25.1

   - SUSE Manager 2.1 (s390x x86_64):

      apache2-mod_nss-1.0.14-0.4.25.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      apache2-mod_nss-1.0.14-0.4.25.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      apache2-mod_nss-1.0.14-0.4.25.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      apache2-mod_nss-1.0.14-0.4.25.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      apache2-mod_nss-1.0.14-0.4.25.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      apache2-mod_nss-debuginfo-1.0.14-0.4.25.1
      apache2-mod_nss-debugsource-1.0.14-0.4.25.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      apache2-mod_nss-debuginfo-1.0.14-0.4.25.1
      apache2-mod_nss-debugsource-1.0.14-0.4.25.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      apache2-mod_nss-debuginfo-1.0.14-0.4.25.1
      apache2-mod_nss-debugsource-1.0.14-0.4.25.1

References:

   https://www.suse.com/security/cve/CVE-2013-4566.html
   https://www.suse.com/security/cve/CVE-2014-3566.html
   https://bugzilla.suse.com/975394
   https://bugzilla.suse.com/979688

From sle-security-updates at lists.suse.com  Fri Sep 16 13:13:26 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Sep 2016 21:13:26 +0200 (CEST)
Subject: SUSE-SU-2016:2330-1: moderate: Security update for curl
Message-ID: <20160916191326.83540FC44@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2330-1
Rating:             moderate
References:         #991389 #991390 #991391 #991746 #997420
Cross-References:   CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-7141
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves four vulnerabilities and has one erratum is now
   available.

Description:

   This update for curl fixes the following issues:

   Security issues fixed:

   - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
   - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
   - CVE-2016-5421: Use of connection struct after free (bsc#991391)
   - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS
     (bsc#997420)

   Also the following bug was fixed:

   - Fixed a performance issue (bsc#991746)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1364=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1364=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1364=1

   To bring your system up-to-date, use "zypper patch".
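After running one of the zypper commands above, a practitioner wants to confirm that every package named in an advisory's Package List is actually installed at (or beyond) the fixed version-release. The script below is an added example, not SUSE's own tooling: it parses the advisory's NAME-VERSION-RELEASE strings (the format used throughout these package lists), orders versions with rpm's rpmvercmp rules (numeric segments compare as integers, alpha segments lexically, numeric beats alpha; the '~' and '^' rules of newer rpm are omitted), and reports what still needs updating. The installed-package sample and the `audit` helper are constructed for illustration.

```python
"""
Compare installed RPM versions with the fixed versions from a SUSE advisory.
Added example (not SUSE tooling). Package strings look like "curl-7.37.0-28.1"
or "apache2-mod_php53-5.3.17-55.1": NAME-VERSION-RELEASE, split from the right
because NAME itself may contain hyphens.
"""
import re
from typing import List, Tuple

# rpmvercmp splits a version into alternating numeric / alphabetic segments
# and ignores separators such as '.' or '_'.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' from the right so hyphenated names survive."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    name, version, release = parts
    return name, version, release


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp (without '~'/'^' handling)."""
    if a == b:
        return 0
    seg_a: List[str] = _SEGMENT.findall(a)
    seg_b: List[str] = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # a numeric segment always sorts after an alphabetic one
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)  # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    # all shared segments equal: whichever string has segments left is newer
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def is_fixed(installed_nvr: str, advisory_nvr: str) -> bool:
    """True when the installed package is at or beyond the advisory's version."""
    iname, iver, irel = parse_nvr(installed_nvr)
    aname, aver, arel = parse_nvr(advisory_nvr)
    if iname != aname:
        raise ValueError(f"package names differ: {iname!r} vs {aname!r}")
    c = rpmvercmp(iver, aver)
    if c == 0:  # same upstream version: the SUSE release number decides
        c = rpmvercmp(irel, arel)
    return c >= 0


def audit(installed: List[str], advisory: List[str]) -> List[str]:
    """Return advisory packages that are installed but still below the fix."""
    by_name = {parse_nvr(p)[0]: p for p in installed}
    pending = []
    for fixed in advisory:
        name = parse_nvr(fixed)[0]
        if name in by_name and not is_fixed(by_name[name], fixed):
            pending.append(fixed)
    return pending


if __name__ == "__main__":
    # Constructed "rpm -qa" style sample; these are not readings from a real host.
    INSTALLED = [
        "curl-7.37.0-28.1",          # already at the SUSE-SU-2016:2330-1 level
        "php53-5.3.17-55.1",         # hypothetical older build, below 5.3.17-79.2
        "libgcrypt20-1.6.1-16.9.1",  # 16.9.1 < 16.33.1 numerically, not as strings
        "mysql-5.5.52-0.27.1",
    ]
    ADVISORY = [
        "curl-7.37.0-28.1",
        "php53-5.3.17-79.2",
        "libgcrypt20-1.6.1-16.33.1",
        "mysql-5.5.52-0.27.1",
        "apache2-mod_nss-1.0.14-0.4.25.1",  # not installed here, so not reported
    ]
    for pkg in audit(INSTALLED, ADVISORY):
        print("needs update:", pkg)
```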
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64): curl-debuginfo-7.37.0-28.1 curl-debugsource-7.37.0-28.1 libcurl-devel-7.37.0-28.1 - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64): curl-7.37.0-28.1 curl-debuginfo-7.37.0-28.1 curl-debugsource-7.37.0-28.1 libcurl4-7.37.0-28.1 libcurl4-debuginfo-7.37.0-28.1 - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64): libcurl4-32bit-7.37.0-28.1 libcurl4-debuginfo-32bit-7.37.0-28.1 - SUSE Linux Enterprise Desktop 12-SP1 (x86_64): curl-7.37.0-28.1 curl-debuginfo-7.37.0-28.1 curl-debugsource-7.37.0-28.1 libcurl4-32bit-7.37.0-28.1 libcurl4-7.37.0-28.1 libcurl4-debuginfo-32bit-7.37.0-28.1 libcurl4-debuginfo-7.37.0-28.1 References: https://www.suse.com/security/cve/CVE-2016-5419.html https://www.suse.com/security/cve/CVE-2016-5420.html https://www.suse.com/security/cve/CVE-2016-5421.html https://www.suse.com/security/cve/CVE-2016-7141.html https://bugzilla.suse.com/991389 https://bugzilla.suse.com/991390 https://bugzilla.suse.com/991391 https://bugzilla.suse.com/991746 https://bugzilla.suse.com/997420 From sle-security-updates at lists.suse.com Tue Sep 20 12:09:29 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Sep 2016 20:09:29 +0200 (CEST) Subject: SUSE-SU-2016:2343-1: important: Security update for mysql Message-ID: <20160920180929.753F5FC45@maintenance.suse.de> SUSE Security Update: Security update for mysql ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:2343-1 Rating: important References: #937258 #967374 #989913 #989919 #989922 #989926 #998309 Cross-References: CVE-2016-3477 CVE-2016-3521 CVE-2016-3615 CVE-2016-5440 CVE-2016-6662 Affected Products: SUSE OpenStack Cloud 5 SUSE Manager Proxy 2.1 SUSE Manager 2.1 SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux 
Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has two fixes is now available. Description: This mysql update to verson 5.5.52 fixes the following issues: Security issues fixed: - CVE-2016-3477: Fixed unspecified vulnerability in subcomponent parser (bsc#989913). - CVE-2016-3521: Fixed unspecified vulnerability in subcomponent types (bsc#989919). - CVE-2016-3615: Fixed unspecified vulnerability in subcomponent dml (bsc#989922). - CVE-2016-5440: Fixed unspecified vulnerability in subcomponent rbr (bsc#989926). - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and , under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) More details can be found on: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-50.html Bugs fixed: - bsc#967374: properly restart mysql multi instances during upgrade - bnc#937258: multi script to restart after crash Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 5: zypper in -t patch sleclo50sp3-mysql-12752=1 - SUSE Manager Proxy 2.1: zypper in -t patch slemap21-mysql-12752=1 - SUSE Manager 2.1: zypper in -t patch sleman21-mysql-12752=1 - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-mysql-12752=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-mysql-12752=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-mysql-12752=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-mysql-12752=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-mysql-12752=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-mysql-12752=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 5 (x86_64): libmysql55client18-32bit-5.5.52-0.27.1 libmysql55client18-5.5.52-0.27.1 libmysql55client_r18-5.5.52-0.27.1 mysql-5.5.52-0.27.1 mysql-client-5.5.52-0.27.1 mysql-tools-5.5.52-0.27.1 - SUSE Manager Proxy 2.1 (x86_64): libmysql55client18-32bit-5.5.52-0.27.1 libmysql55client18-5.5.52-0.27.1 libmysql55client_r18-5.5.52-0.27.1 mysql-5.5.52-0.27.1 mysql-client-5.5.52-0.27.1 mysql-tools-5.5.52-0.27.1 - SUSE Manager 2.1 (s390x x86_64): libmysql55client18-32bit-5.5.52-0.27.1 libmysql55client18-5.5.52-0.27.1 libmysql55client_r18-5.5.52-0.27.1 mysql-5.5.52-0.27.1 mysql-client-5.5.52-0.27.1 mysql-tools-5.5.52-0.27.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): libmysql55client_r18-32bit-5.5.52-0.27.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ia64): libmysql55client_r18-x86-5.5.52-0.27.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libmysql55client18-5.5.52-0.27.1 libmysql55client_r18-5.5.52-0.27.1 mysql-5.5.52-0.27.1 mysql-client-5.5.52-0.27.1 mysql-tools-5.5.52-0.27.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): 
libmysql55client18-32bit-5.5.52-0.27.1 libmysql55client_r18-32bit-5.5.52-0.27.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): libmysql55client18-x86-5.5.52-0.27.1 libmysql55client_r18-x86-5.5.52-0.27.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): libmysql55client18-5.5.52-0.27.1 libmysql55client_r18-5.5.52-0.27.1 mysql-5.5.52-0.27.1 mysql-client-5.5.52-0.27.1 mysql-tools-5.5.52-0.27.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64): libmysql55client18-32bit-5.5.52-0.27.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libmysql55client18-5.5.52-0.27.1 libmysql55client_r18-5.5.52-0.27.1 mysql-5.5.52-0.27.1 mysql-client-5.5.52-0.27.1 mysql-tools-5.5.52-0.27.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): mysql-debuginfo-5.5.52-0.27.1 mysql-debugsource-5.5.52-0.27.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): mysql-debuginfo-5.5.52-0.27.1 mysql-debugsource-5.5.52-0.27.1 References: https://www.suse.com/security/cve/CVE-2016-3477.html https://www.suse.com/security/cve/CVE-2016-3521.html https://www.suse.com/security/cve/CVE-2016-3615.html https://www.suse.com/security/cve/CVE-2016-5440.html https://www.suse.com/security/cve/CVE-2016-6662.html https://bugzilla.suse.com/937258 https://bugzilla.suse.com/967374 https://bugzilla.suse.com/989913 https://bugzilla.suse.com/989919 https://bugzilla.suse.com/989922 https://bugzilla.suse.com/989926 https://bugzilla.suse.com/998309 From sle-security-updates at lists.suse.com Wed Sep 21 08:09:43 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Sep 2016 16:09:43 +0200 (CEST) Subject: SUSE-SU-2016:2345-1: moderate: Security update for libgcrypt Message-ID: <20160921140943.F0B54FC45@maintenance.suse.de> SUSE Security Update: Security update for libgcrypt ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:2345-1 Rating: moderate References: #994157 
Cross-References:   CVE-2016-6313
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libgcrypt fixes the following issues:

   - RNG prediction vulnerability (bsc#994157, CVE-2016-6313)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1370=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1370=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1370=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libgcrypt-debugsource-1.6.1-16.33.1
      libgcrypt-devel-1.6.1-16.33.1
      libgcrypt-devel-debuginfo-1.6.1-16.33.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libgcrypt-debugsource-1.6.1-16.33.1
      libgcrypt20-1.6.1-16.33.1
      libgcrypt20-debuginfo-1.6.1-16.33.1
      libgcrypt20-hmac-1.6.1-16.33.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libgcrypt20-32bit-1.6.1-16.33.1
      libgcrypt20-debuginfo-32bit-1.6.1-16.33.1
      libgcrypt20-hmac-32bit-1.6.1-16.33.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libgcrypt-debugsource-1.6.1-16.33.1
      libgcrypt20-1.6.1-16.33.1
      libgcrypt20-32bit-1.6.1-16.33.1
      libgcrypt20-debuginfo-1.6.1-16.33.1
      libgcrypt20-debuginfo-32bit-1.6.1-16.33.1

References:

   https://www.suse.com/security/cve/CVE-2016-6313.html
   https://bugzilla.suse.com/994157

From sle-security-updates at lists.suse.com Wed Sep 21 09:10:40 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Sep 2016 17:10:40 +0200 (CEST)
Subject: SUSE-SU-2016:2346-1: moderate: Security update for libgcrypt
Message-ID: <20160921151040.E96B2FC45@maintenance.suse.de>

   SUSE Security Update: Security update for libgcrypt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2346-1
Rating:             moderate
References:         #994157
Cross-References:   CVE-2016-6313
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libgcrypt fixes the following issues:

   - RNG prediction vulnerability (bsc#994157, CVE-2016-6313)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-libgcrypt-12753=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-libgcrypt-12753=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-libgcrypt-12753=1

   To bring your system up-to-date, use "zypper patch".
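Every advisory in this digest ends with a "Package List" of fixed name-version-release strings, and the practical question on a host is whether what `rpm -qa` reports is still below them. The following is an added example, not SUSE tooling: it re-implements rpm's `rpmvercmp()` segment comparison in Python so the check runs without the rpm bindings, splits name, version and release the way RPM file names are built, and reports the installed packages that the advisory lists and that are still older. The advisory lines are taken from the libgcrypt advisory above; the installed lines, and the package `libgpg-error0-1.13-1.25`, are constructed sample input. Epoch is ignored, which is fine for the packages in these advisories.

```python
"""Compare an installed package list against a SUSE advisory "Package List".

Added example, not SUSE code. Installed lines on a real host would come from
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return 1, 0 or -1 like rpm's rpmvercmp(): compare alternating numeric
    and alphabetic segments; numeric beats alphabetic; '~' sorts lowest."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators (anything that is neither alphanumeric nor '~')
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        # tilde: the side that has it is older (pre-release marker)
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take one segment of the same kind (all digits or all letters) from each side
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si = i
        while i < len(a) and kind(a[i]):
            i += 1
        sj = j
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # mixed kinds: the numeric segment is the newer one
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:  # equal-length numbers, or strcmp for letters
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(pkg: str):
    """'libgcrypt20-hmac-32bit-1.6.1-16.33.1' -> (name, version, release).
    Version and release cannot contain '-', so the last two fields are unambiguous."""
    name, version, release = pkg.strip().rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    """rpm-style ordering of two NVR strings that share a name."""
    _, v1, r1 = split_nvr(installed)
    _, v2, r2 = split_nvr(fixed)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def find_outdated(advisory_packages: str, installed: str):
    """Return sorted [(name, installed_nvr, fixed_nvr)] for installed packages
    that the advisory lists and whose version-release is below the fix."""
    fixed = {}
    for line in advisory_packages.splitlines():
        line = line.strip()
        if not line or line.startswith("-"):  # blank lines and product headers
            continue
        fixed[split_nvr(line)[0]] = line
    outdated = []
    for line in installed.splitlines():
        line = line.strip()
        if not line:
            continue
        name = split_nvr(line)[0]
        if name in fixed and compare_nvr(line, fixed[name]) < 0:
            outdated.append((name, line, fixed[name]))
    return sorted(outdated)


# Package list for SUSE Linux Enterprise Server 12-SP1 from the libgcrypt
# advisory above; the product header line is kept to show it is skipped.
ADVISORY_PACKAGES = """
- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
libgcrypt-debugsource-1.6.1-16.33.1
libgcrypt20-1.6.1-16.33.1
libgcrypt20-debuginfo-1.6.1-16.33.1
libgcrypt20-hmac-1.6.1-16.33.1
"""

# Constructed `rpm -qa` output: one package on an older release, one already
# at the fixed release, one package the advisory does not mention.
INSTALLED = """
libgcrypt20-1.6.1-16.30.1
libgcrypt20-hmac-1.6.1-16.33.1
libgpg-error0-1.13-1.25
"""

if __name__ == "__main__":
    for name, have, want in find_outdated(ADVISORY_PACKAGES, INSTALLED):
        print(f"{name}: installed {have}, fixed in {want}")
```

Feeding the real `rpm -qa` output and the advisory's package section into `find_outdated()` gives the list of packages the `zypper in -t patch` command above still has to replace; an empty list after patching is the expected state.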
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libgcrypt-devel-1.5.0-0.22.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      libgcrypt-devel-32bit-1.5.0-0.22.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libgcrypt11-1.5.0-0.22.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libgcrypt11-32bit-1.5.0-0.22.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libgcrypt11-x86-1.5.0-0.22.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libgcrypt-debuginfo-1.5.0-0.22.1
      libgcrypt-debugsource-1.5.0-0.22.1

References:

   https://www.suse.com/security/cve/CVE-2016-6313.html
   https://bugzilla.suse.com/994157

From sle-security-updates at lists.suse.com Wed Sep 21 12:10:11 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Sep 2016 20:10:11 +0200 (CEST)
Subject: SUSE-SU-2016:2347-1: important: Security update for java-1_7_1-ibm
Message-ID: <20160921181011.2614EFC45@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2347-1
Rating:             important
References:         #992537
Cross-References:   CVE-2016-3485 CVE-2016-3511 CVE-2016-3598
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   IBM Java 7.1 was updated to version 7.1-3.50 to fix the following
   security issues:

   CVE-2016-3485 CVE-2016-3511 CVE-2016-3598

   Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more
   information.

   - Add hwkeytool binary for zSeries.
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1372=1

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1372=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1372=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1372=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      java-1_7_1-ibm-devel-1.7.1_sr3.50-28.2

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      java-1_7_1-ibm-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-alsa-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-devel-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-jdbc-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-plugin-1.7.1_sr3.50-28.2

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-jdbc-1.7.1_sr3.50-28.2

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-plugin-1.7.1_sr3.50-28.2

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-devel-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-jdbc-1.7.1_sr3.50-28.2

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr3.50-28.2
      java-1_7_1-ibm-plugin-1.7.1_sr3.50-28.2

References:

   https://www.suse.com/security/cve/CVE-2016-3485.html
   https://www.suse.com/security/cve/CVE-2016-3511.html
   https://www.suse.com/security/cve/CVE-2016-3598.html
   https://bugzilla.suse.com/992537

From sle-security-updates at lists.suse.com Wed Sep 21 12:10:45 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Sep 2016 20:10:45 +0200 (CEST)
Subject: SUSE-SU-2016:2348-1: important: Security update for java-1_6_0-ibm
Message-ID: <20160921181045.D9C27FC45@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2348-1
Rating:             important
References:         #992537
Cross-References:   CVE-2016-3485
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   IBM Java 6 was updated to version 6.0-16.30. The following security issue
   was fixed:

   CVE-2016-3485

   Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more
   information.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-java-1_6_0-ibm-12754=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-java-1_6_0-ibm-12754=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-java-1_6_0-ibm-12754=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-java-1_6_0-ibm-12754=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-java-1_6_0-ibm-12754=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-java-1_6_0-ibm-12754=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      java-1_6_0-ibm-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-devel-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-plugin-1.6.0_sr16.30-75.1

   - SUSE Manager Proxy 2.1 (x86_64):

      java-1_6_0-ibm-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-devel-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-plugin-1.6.0_sr16.30-75.1

   - SUSE Manager 2.1 (s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-devel-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.30-75.1

   - SUSE Manager 2.1 (x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.30-75.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-devel-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.30-75.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.30-75.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.30-75.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-devel-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.30-75.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.30-75.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.30-75.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      java-1_6_0-ibm-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-alsa-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-devel-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.30-75.1
      java-1_6_0-ibm-plugin-1.6.0_sr16.30-75.1

References:

   https://www.suse.com/security/cve/CVE-2016-3485.html
   https://bugzilla.suse.com/992537

From sle-security-updates at lists.suse.com Fri Sep 23 07:10:30 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Sep 2016 15:10:30 +0200 (CEST)
Subject: SUSE-SU-2016:2353-1: moderate: Security update for yast2-storage
Message-ID: <20160923131030.519C1FC47@maintenance.suse.de>

   SUSE Security Update: Security update for yast2-storage
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2353-1
Rating:             moderate
References:         #937942 #984245 #986971 #996208
Cross-References:   CVE-2016-5746
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now
   available.

Description:

   This update for yast2-storage provides the following fixes:

   Security issues fixed:

   - Use standard IPC, and not temporary files, to pass passwords between
     processes. (bsc#986971, CVE-2016-5746)

   Non security bugs fixed:

   - Fix usage of complete multipath disk as LVM physical volume. (bsc#984245)
   - Load the correct multipath module (dm-multipath). (bsc#937942)
   - Improve message for creating volumes with a filesystem but without a
     mount point. (bsc#996208)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-yast2-storage-12756=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-yast2-storage-12756=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-yast2-storage-12756=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      yast2-storage-devel-2.17.161-5.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      yast2-storage-2.17.161-5.1
      yast2-storage-lib-2.17.161-5.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      yast2-storage-debuginfo-2.17.161-5.1
      yast2-storage-debugsource-2.17.161-5.1

References:

   https://www.suse.com/security/cve/CVE-2016-5746.html
   https://bugzilla.suse.com/937942
   https://bugzilla.suse.com/984245
   https://bugzilla.suse.com/986971
   https://bugzilla.suse.com/996208

From sle-security-updates at lists.suse.com Fri Sep 23 08:10:12 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Sep 2016 16:10:12 +0200 (CEST)
Subject: SUSE-SU-2016:2355-1: moderate: Security update for libstorage
Message-ID: <20160923141012.97C7CFC44@maintenance.suse.de>

   SUSE Security Update: Security update for libstorage
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2355-1
Rating:             moderate
References:         #986971
Cross-References:   CVE-2016-5746
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libstorage fixes the following issues:

   - Use stdin, not tmp files for passwords (bsc#986971, CVE-2016-5746)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1378=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1378=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      libstorage-debugsource-2.25.16.1-3.1
      libstorage-ruby-2.25.16.1-3.1
      libstorage-ruby-debuginfo-2.25.16.1-3.1
      libstorage5-2.25.16.1-3.1
      libstorage5-debuginfo-2.25.16.1-3.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      libstorage-debugsource-2.25.16.1-3.1
      libstorage-ruby-2.25.16.1-3.1
      libstorage-ruby-debuginfo-2.25.16.1-3.1
      libstorage5-2.25.16.1-3.1
      libstorage5-debuginfo-2.25.16.1-3.1

References:

   https://www.suse.com/security/cve/CVE-2016-5746.html
   https://bugzilla.suse.com/986971

From sle-security-updates at lists.suse.com Fri Sep 23 10:10:47 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Sep 2016 18:10:47 +0200 (CEST)
Subject: SUSE-SU-2016:2358-1: moderate: Security update for wget
Message-ID: <20160923161047.D1061FC45@maintenance.suse.de>

   SUSE Security Update: Security update for wget
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2358-1
Rating:             moderate
References:         #958342 #984060 #995964
Cross-References:   CVE-2016-4971 CVE-2016-7098
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SECURITY
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   This update for wget fixes the following issues:

   - CVE-2016-4971: An HTTP to FTP redirection file name confusion
     vulnerability was fixed. (bsc#984060)
   - CVE-2016-7098: A potential race condition was fixed by creating files
     with a .tmp extension and making them accessible to the current user
     only. (bsc#995964)

   Bug fixed:

   - Wget failed with basicauth: Failed writing HTTP request: Bad file
     descriptor (bsc#958342)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-wget-12757=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-wget-12757=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-wget-12757=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-wget-12757=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-wget-12757=1

   - SUSE Linux Enterprise Server 11-SECURITY:

      zypper in -t patch secsp3-wget-12757=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-wget-12757=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-wget-12757=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-wget-12757=1

   To bring your system up-to-date, use "zypper patch".
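The two fixes above, yast2-storage/libstorage (CVE-2016-5746: pass passwords over standard IPC instead of temporary files) and wget (CVE-2016-7098: create downloads as private files so that a race in a shared directory cannot redirect or expose them), share one defensive pattern. The following is an added example and not code from SUSE, yast2-storage, libstorage or wget: a secret is handed to a helper process on a pipe connected to its stdin, so nothing touches the filesystem or the command line, and when a file in a shared directory is unavoidable it is created with `O_CREAT|O_EXCL` and mode 0600 in one step, so a file or symlink already planted at that path makes the open fail rather than being followed. The child command `CHILD_READS_STDIN` is a constructed stand-in for a real helper such as a volume formatter reading its passphrase.

```python
"""Private IPC for secrets and exclusive private file creation.

Added example, not code from any of the advised packages.
"""
import os
import stat
import subprocess
import sys
import tempfile

# Constructed helper process: reads one line from stdin and reports its length.
CHILD_READS_STDIN = [sys.executable, "-c",
                     "import sys; print(len(sys.stdin.readline().rstrip()))"]


def run_with_secret_on_stdin(argv, secret: str) -> str:
    """Hand `secret` to a child over a pipe on its stdin.

    Nothing is written to disk and the secret is not in argv, so it is not
    visible in the process list or in a world-readable temporary directory."""
    proc = subprocess.run(argv, input=secret + "\n", capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


def create_private_file(path: str) -> int:
    """Create `path` with mode 0600, failing if anything already exists there.

    O_EXCL turns a pre-existing file or symlink at `path` into an error instead
    of a target; the mode is applied at creation, so there is no window in which
    the file exists with wider permissions (the umask can only narrow it)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def write_private_file(path: str, data: bytes) -> str:
    """Write `data` via create_private_file() and return the resulting mode."""
    fd = create_private_file(path)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo_private_file() -> dict:
    """Show both properties in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "download.tmp")
        mode = write_private_file(path, b"constructed content\n")
        # Simulate a race loser: something else already placed a symlink at
        # the path. Exclusive creation must refuse it (EEXIST), never follow it.
        os.unlink(path)
        os.symlink(os.path.join(d, "elsewhere"), path)
        try:
            write_private_file(path, b"x")
            refused = False
        except OSError:  # FileExistsError on Linux; any failure is a refusal
            refused = True
    return {"mode": mode, "second_create_refused": refused}


def demo_secret_via_stdin() -> str:
    """The child only ever sees the secret on its stdin pipe."""
    return run_with_secret_on_stdin(CHILD_READS_STDIN, "hunter2")


if __name__ == "__main__":
    print(demo_private_file())
    print("child saw a secret of length", demo_secret_via_stdin())
```

The contrast with the pre-fix behaviour described in the advisories is the order of operations: creating a file and then tightening its permissions, or writing a password to a predictable path for another process to read, leaves a window in which another local user can read or substitute the file; exclusive creation with the final mode, or a pipe that never touches the filesystem, removes that window.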
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      wget-1.11.4-1.32.1

   - SUSE Manager Proxy 2.1 (x86_64):

      wget-1.11.4-1.32.1

   - SUSE Manager 2.1 (s390x x86_64):

      wget-1.11.4-1.32.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      wget-1.11.4-1.32.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      wget-1.11.4-1.32.1

   - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):

      wget-openssl1-1.11.4-1.32.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      wget-1.11.4-1.32.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      wget-debuginfo-1.11.4-1.32.1
      wget-debugsource-1.11.4-1.32.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      wget-debuginfo-1.11.4-1.32.1
      wget-debugsource-1.11.4-1.32.1

References:

   https://www.suse.com/security/cve/CVE-2016-4971.html
   https://www.suse.com/security/cve/CVE-2016-7098.html
   https://bugzilla.suse.com/958342
   https://bugzilla.suse.com/984060
   https://bugzilla.suse.com/995964

From sle-security-updates at lists.suse.com Mon Sep 26 09:10:36 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 26 Sep 2016 17:10:36 +0200 (CEST)
Subject: SUSE-SU-2016:2385-1: moderate: Security update for libtcnative-1-0
Message-ID: <20160926151036.DE2D7FC44@maintenance.suse.de>

   SUSE Security Update: Security update for libtcnative-1-0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2385-1
Rating:             moderate
References:         #938945
Cross-References:   CVE-2015-4000
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

   This update for libtcnative-1-0 fixes the following issues:

   - CVE-2015-4000: Disable 512-bit export-grade cryptography to prevent the
     Logjam vulnerability (bsc#938945)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-libtcnative-1-0-12758=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-libtcnative-1-0-12758=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libtcnative-1-0-1.3.3-12.4.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libtcnative-1-0-debuginfo-1.3.3-12.4.1
      libtcnative-1-0-debugsource-1.3.3-12.4.1

References:

   https://www.suse.com/security/cve/CVE-2015-4000.html
   https://bugzilla.suse.com/938945

From sle-security-updates at lists.suse.com Mon Sep 26 11:10:09 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 26 Sep 2016 19:10:09 +0200 (CEST)
Subject: SUSE-SU-2016:2387-1: important: Security update for openssl
Message-ID: <20160926171009.77661FC45@maintenance.suse.de>

   SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2387-1
Rating:             important
References:         #979475 #982575 #982745 #983249 #988591 #990419 #993819
                    #994749 #994844 #995075 #995324 #995359 #995377 #998190
                    #999665 #999666 #999668
Cross-References:   CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180
                    CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302
                    CVE-2016-6303 CVE-2016-6304 CVE-2016-6306
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 6 fixes is now
   available.

Description:

   This update for openssl fixes the following issues:

   OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)

   Severity: High

   * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
     (bsc#999666)

   Severity: Low

   * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
   * Constant time flag not preserved in DSA signing (CVE-2016-2178)
     (bsc#983249)
   * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
   * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)
   * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
   * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
   * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)
     (bsc#995359)
   * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
   * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
   * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)

   More information can be found on:
   https://www.openssl.org/news/secadv/20160922.txt

   The following bugs were also fixed:

   * update expired S/MIME certs (bsc#979475)
   * improve s390x performance (bsc#982745)
   * allow >= 64GB AESGCM transfers (bsc#988591)
   * fix crash in print_notice (bsc#998190)
   * resume reading from /dev/urandom when interrupted by a signal
     (bsc#995075)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1386=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1386=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      libopenssl1_0_0-1.0.1i-27.21.1
      libopenssl1_0_0-32bit-1.0.1i-27.21.1
      libopenssl1_0_0-debuginfo-1.0.1i-27.21.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.21.1
      libopenssl1_0_0-hmac-1.0.1i-27.21.1
      libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1
      openssl-1.0.1i-27.21.1
      openssl-debuginfo-1.0.1i-27.21.1
      openssl-debugsource-1.0.1i-27.21.1

   - SUSE Linux Enterprise Server for SAP 12 (noarch):

      openssl-doc-1.0.1i-27.21.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      libopenssl1_0_0-1.0.1i-27.21.1
      libopenssl1_0_0-debuginfo-1.0.1i-27.21.1
      libopenssl1_0_0-hmac-1.0.1i-27.21.1
      openssl-1.0.1i-27.21.1
      openssl-debuginfo-1.0.1i-27.21.1
      openssl-debugsource-1.0.1i-27.21.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1i-27.21.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.21.1
      libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      openssl-doc-1.0.1i-27.21.1

References:

   https://www.suse.com/security/cve/CVE-2016-2177.html
   https://www.suse.com/security/cve/CVE-2016-2178.html
   https://www.suse.com/security/cve/CVE-2016-2179.html
   https://www.suse.com/security/cve/CVE-2016-2180.html
   https://www.suse.com/security/cve/CVE-2016-2181.html
   https://www.suse.com/security/cve/CVE-2016-2182.html
   https://www.suse.com/security/cve/CVE-2016-2183.html
   https://www.suse.com/security/cve/CVE-2016-6302.html
   https://www.suse.com/security/cve/CVE-2016-6303.html
   https://www.suse.com/security/cve/CVE-2016-6304.html
   https://www.suse.com/security/cve/CVE-2016-6306.html
   https://bugzilla.suse.com/979475
   https://bugzilla.suse.com/982575
   https://bugzilla.suse.com/982745
   https://bugzilla.suse.com/983249
   https://bugzilla.suse.com/988591
   https://bugzilla.suse.com/990419
   https://bugzilla.suse.com/993819
   https://bugzilla.suse.com/994749
   https://bugzilla.suse.com/994844
   https://bugzilla.suse.com/995075
   https://bugzilla.suse.com/995324
   https://bugzilla.suse.com/995359
   https://bugzilla.suse.com/995377
   https://bugzilla.suse.com/998190
   https://bugzilla.suse.com/999665
   https://bugzilla.suse.com/999666
   https://bugzilla.suse.com/999668

From sle-security-updates at lists.suse.com Mon Sep 26 13:09:33 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 26 Sep 2016 21:09:33 +0200 (CEST)
Subject: SUSE-SU-2016:2388-1: moderate: Security update for openssh
Message-ID: <20160926190933.2E137FC46@maintenance.suse.de>

   SUSE Security Update: Security update for openssh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2388-1
Rating:             moderate
References:         #932483 #948902 #959096 #962313 #962794 #970632 #975865
                    #981654 #989363 #992533
Cross-References:   CVE-2015-8325 CVE-2016-1908 CVE-2016-3115 CVE-2016-6210
                    CVE-2016-6515
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 5 fixes is now available.

Description:

   This update for OpenSSH fixes the following issues:

   - Prevent user enumeration through the timing of password processing.
     (bsc#989363, CVE-2016-6210)
   - Allow lowering the DH groups parameter limit in server as well as when
     GSSAPI key exchange is used. (bsc#948902)
   - Sanitize input for xauth(1). (bsc#970632, CVE-2016-3115)
   - Prevent X11 SECURITY circumvention when forwarding X11 connections.
     (bsc#962313, CVE-2016-1908)
   - Disable DH parameters under 2048 bits by default and allow lowering the
     limit back to the RFC 4419 specified minimum through an option.
     (bsc#932483, bsc#948902)
   - Ignore PAM environment when using login. (bsc#975865, CVE-2015-8325)
   - Limit the accepted password length (prevents a possible denial of
     service). (bsc#992533, CVE-2016-6515)
   - Relax version requires for the openssh-askpass sub-package. (bsc#962794)
   - Avoid complaining about unset DISPLAY variable. (bsc#981654)
   - Initialize message id to prevent connection breakups in some cases.
     (bsc#959096)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-openssh-12759=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-openssh-12759=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-openssh-12759=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-openssh-12759=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-openssh-12759=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-openssh-12759=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      openssh-6.2p2-0.33.2
      openssh-askpass-6.2p2-0.33.2
      openssh-askpass-gnome-6.2p2-0.33.5

   - SUSE Manager Proxy 2.1 (x86_64):

      openssh-6.2p2-0.33.2
      openssh-askpass-6.2p2-0.33.2
      openssh-askpass-gnome-6.2p2-0.33.5

   - SUSE Manager 2.1 (s390x x86_64):

      openssh-6.2p2-0.33.2
      openssh-askpass-6.2p2-0.33.2
      openssh-askpass-gnome-6.2p2-0.33.5

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      openssh-6.2p2-0.33.2
      openssh-askpass-6.2p2-0.33.2
      openssh-askpass-gnome-6.2p2-0.33.5

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      openssh-6.2p2-0.33.2
      openssh-askpass-6.2p2-0.33.2
      openssh-askpass-gnome-6.2p2-0.33.5

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      openssh-askpass-gnome-debuginfo-6.2p2-0.33.5
      openssh-debuginfo-6.2p2-0.33.2
      openssh-debugsource-6.2p2-0.33.2

References:

   https://www.suse.com/security/cve/CVE-2015-8325.html
   https://www.suse.com/security/cve/CVE-2016-1908.html
   https://www.suse.com/security/cve/CVE-2016-3115.html
   https://www.suse.com/security/cve/CVE-2016-6210.html
   https://www.suse.com/security/cve/CVE-2016-6515.html
   https://bugzilla.suse.com/932483
   https://bugzilla.suse.com/948902
   https://bugzilla.suse.com/959096
   https://bugzilla.suse.com/962313
   https://bugzilla.suse.com/962794
   https://bugzilla.suse.com/970632
   https://bugzilla.suse.com/975865
   https://bugzilla.suse.com/981654
   https://bugzilla.suse.com/989363
   https://bugzilla.suse.com/992533

From sle-security-updates at lists.suse.com Tue Sep 27 11:11:33 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 19:11:33 +0200 (CEST)
Subject: SUSE-SU-2016:2394-1: important: Security update for openssl
Message-ID: <20160927171133.8766BFC45@maintenance.suse.de>

   SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2394-1
Rating:             important
References:         #979475 #982575 #982745 #983249 #988591 #990419 #993819
                    #994749 #994844 #995075 #995324 #995359 #995377 #998190
                    #999665 #999666 #999668
Cross-References:   CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180
                    CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302
                    CVE-2016-6303 CVE-2016-6304 CVE-2016-6306
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 6 fixes is now
   available.
Description:

   This update for openssl fixes the following issues:

   OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)

   Severity: High

   * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
     (bsc#999666)

   Severity: Low

   * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
   * Constant time flag not preserved in DSA signing (CVE-2016-2178)
     (bsc#983249)
   * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
   * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)
   * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
   * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
   * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)
     (bsc#995359)
   * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
   * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
   * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)

   More information can be found on:
   https://www.openssl.org/news/secadv/20160922.txt

   The following bugs were also fixed:

   * update expired S/MIME certs (bsc#979475)
   * improve s390x performance (bsc#982745)
   * allow >= 64GB AESGCM transfers (bsc#988591)
   * fix crash in print_notice (bsc#998190)
   * resume reading from /dev/urandom when interrupted by a signal
     (bsc#995075)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1393=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1393=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1393=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libopenssl-devel-1.0.1i-52.1
      openssl-debuginfo-1.0.1i-52.1
      openssl-debugsource-1.0.1i-52.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libopenssl1_0_0-1.0.1i-52.1
      libopenssl1_0_0-debuginfo-1.0.1i-52.1
      libopenssl1_0_0-hmac-1.0.1i-52.1
      openssl-1.0.1i-52.1
      openssl-debuginfo-1.0.1i-52.1
      openssl-debugsource-1.0.1i-52.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1i-52.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-52.1
      libopenssl1_0_0-hmac-32bit-1.0.1i-52.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      openssl-doc-1.0.1i-52.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libopenssl1_0_0-1.0.1i-52.1
      libopenssl1_0_0-32bit-1.0.1i-52.1
      libopenssl1_0_0-debuginfo-1.0.1i-52.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-52.1
      openssl-1.0.1i-52.1
      openssl-debuginfo-1.0.1i-52.1
      openssl-debugsource-1.0.1i-52.1

References:

   https://www.suse.com/security/cve/CVE-2016-2177.html
   https://www.suse.com/security/cve/CVE-2016-2178.html
   https://www.suse.com/security/cve/CVE-2016-2179.html
   https://www.suse.com/security/cve/CVE-2016-2180.html
   https://www.suse.com/security/cve/CVE-2016-2181.html
   https://www.suse.com/security/cve/CVE-2016-2182.html
   https://www.suse.com/security/cve/CVE-2016-2183.html
   https://www.suse.com/security/cve/CVE-2016-6302.html
   https://www.suse.com/security/cve/CVE-2016-6303.html
   https://www.suse.com/security/cve/CVE-2016-6304.html
   https://www.suse.com/security/cve/CVE-2016-6306.html
   https://bugzilla.suse.com/979475
   https://bugzilla.suse.com/982575
   https://bugzilla.suse.com/982745
   https://bugzilla.suse.com/983249
   https://bugzilla.suse.com/988591
   https://bugzilla.suse.com/990419
   https://bugzilla.suse.com/993819
   https://bugzilla.suse.com/994749
   https://bugzilla.suse.com/994844
   https://bugzilla.suse.com/995075
   https://bugzilla.suse.com/995324
   https://bugzilla.suse.com/995359
   https://bugzilla.suse.com/995377
   https://bugzilla.suse.com/998190
   https://bugzilla.suse.com/999665
   https://bugzilla.suse.com/999666
   https://bugzilla.suse.com/999668

From sle-security-updates at lists.suse.com Tue Sep 27 11:14:23 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 19:14:23 +0200 (CEST)
Subject: SUSE-SU-2016:2395-1: important: Security update for mariadb
Message-ID: <20160927171423.BBD12FC45@maintenance.suse.de>

   SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2395-1
Rating:             important
References:         #949520 #998309
Cross-References:   CVE-2016-6662
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   This update for mariadb to 1.0.0.27 fixes the following issues:

   Security issue fixed:

   * CVE-2016-6662: A malicious user with SQL and filesystem access could
     create a my.cnf in the datadir and, under certain circumstances, execute
     arbitrary code as the mysql (or even root) user. (bsc#998309)

   * release notes:
     * https://kb.askmonty.org/en/mariadb-10027-release-notes
   * changelog:
     * https://kb.askmonty.org/en/mariadb-10027-changelog

   Bugs fixed:

   - Make ORDER BY optimization functions take into account multiple
     equalities. (bsc#949520)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1394=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1394=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      libmysqlclient-devel-10.0.27-20.13.1
      libmysqlclient18-10.0.27-20.13.1
      libmysqlclient18-32bit-10.0.27-20.13.1
      libmysqlclient18-debuginfo-10.0.27-20.13.1
      libmysqlclient18-debuginfo-32bit-10.0.27-20.13.1
      libmysqlclient_r18-10.0.27-20.13.1
      libmysqld-devel-10.0.27-20.13.1
      libmysqld18-10.0.27-20.13.1
      libmysqld18-debuginfo-10.0.27-20.13.1
      mariadb-10.0.27-20.13.1
      mariadb-client-10.0.27-20.13.1
      mariadb-client-debuginfo-10.0.27-20.13.1
      mariadb-debuginfo-10.0.27-20.13.1
      mariadb-debugsource-10.0.27-20.13.1
      mariadb-errormessages-10.0.27-20.13.1
      mariadb-tools-10.0.27-20.13.1
      mariadb-tools-debuginfo-10.0.27-20.13.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      libmysqlclient-devel-10.0.27-20.13.1
      libmysqlclient18-10.0.27-20.13.1
      libmysqlclient18-debuginfo-10.0.27-20.13.1
      libmysqlclient_r18-10.0.27-20.13.1
      libmysqld-devel-10.0.27-20.13.1
      libmysqld18-10.0.27-20.13.1
      libmysqld18-debuginfo-10.0.27-20.13.1
      mariadb-10.0.27-20.13.1
      mariadb-client-10.0.27-20.13.1
      mariadb-client-debuginfo-10.0.27-20.13.1
      mariadb-debuginfo-10.0.27-20.13.1
      mariadb-debugsource-10.0.27-20.13.1
      mariadb-errormessages-10.0.27-20.13.1
      mariadb-tools-10.0.27-20.13.1
      mariadb-tools-debuginfo-10.0.27-20.13.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      libmysqlclient18-32bit-10.0.27-20.13.1
      libmysqlclient18-debuginfo-32bit-10.0.27-20.13.1

References:

   https://www.suse.com/security/cve/CVE-2016-6662.html
   https://bugzilla.suse.com/949520
   https://bugzilla.suse.com/998309

From sle-security-updates at lists.suse.com Tue Sep 27 11:15:07 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 19:15:07 +0200 (CEST)
Subject: SUSE-SU-2016:2396-1: moderate: Security update for apache2-mod_nss
Message-ID: <20160927171507.889E8FC45@maintenance.suse.de>

SUSE Security Update: Security update for apache2-mod_nss
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2016:2396-1
   Rating:             moderate
   References:         #972968 #975394 #979688
   Cross-References:   CVE-2013-4566 CVE-2014-3566 CVE-2015-5244 CVE-2016-3099
   Affected Products:
                       SUSE Linux Enterprise Server for SAP 12
                       SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements:

   - Fix OpenSSL ciphers stopped parsing at +. (CVE-2016-3099)
   - Created valgrind suppression files to ease debugging.
   - Implement SSL_PPTYPE_FILTER to call executables to get the key password pins.
   - Improvements to migrate.pl.
   - Update default ciphers to something more modern and secure.
   - Check for host and netstat commands in gencert before trying to use them.
   - Add server support for DHE ciphers.
   - Extract SAN from server/client certificates into env.
   - Fix memory leaks and other coding issues caught by clang analyzer.
   - Add support for Server Name Indication (SNI).
   - Add support for SNI for reverse proxy connections.
   - Add RenegBufferSize option.
   - Add support for TLS Session Tickets (RFC 5077).
   - Fix logical AND support in OpenSSL cipher compatibility.
   - Correctly handle disabled ciphers. (CVE-2015-5244)
   - Implement a slew more OpenSSL cipher macros.
   - Fix a number of illegal memory accesses and memory leaks.
   - Support for SHA384 ciphers if they are available in NSS.
   - Add compatibility for mod_ssl-style cipher definitions.
   - Add TLSv1.2-specific ciphers.
   - Completely remove support for SSLv2.
   - Add support for sqlite NSS databases.
   - Compare subject CN and VS hostname during server start up.
   - Add support for enabling TLS v1.2.
   - Don't enable SSL 3 by default. (CVE-2014-3566)
   - Fix CVE-2013-4566.
   - Move nss_pcache to /usr/libexec.
   - Support httpd 2.4+.
   - SHA256 cipher names change spelling from *_sha256 to *_sha_256.
   - Use apache2-systemd-ask-pass to prompt for a certificate passphrase. (bsc#972968, bsc#975394)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1391=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1391=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      apache2-mod_nss-1.0.14-10.14.3
      apache2-mod_nss-debuginfo-1.0.14-10.14.3
      apache2-mod_nss-debugsource-1.0.14-10.14.3

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      apache2-mod_nss-1.0.14-10.14.3
      apache2-mod_nss-debuginfo-1.0.14-10.14.3
      apache2-mod_nss-debugsource-1.0.14-10.14.3

References:

   https://www.suse.com/security/cve/CVE-2013-4566.html
   https://www.suse.com/security/cve/CVE-2014-3566.html
   https://www.suse.com/security/cve/CVE-2015-5244.html
   https://www.suse.com/security/cve/CVE-2016-3099.html
   https://bugzilla.suse.com/972968
   https://bugzilla.suse.com/975394
   https://bugzilla.suse.com/979688

From sle-security-updates at lists.suse.com Tue Sep 27 11:15:54 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 19:15:54 +0200 (CEST)
Subject: SUSE-SU-2016:2397-1: moderate: Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit
Message-ID: <20160927171554.63BAEFC45@maintenance.suse.de>

SUSE Security Update: Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2016:2397-1
   Rating:             moderate
   References:         #954210 #990856
   Cross-References:   CVE-2015-8079 CVE-2016-6354
   Affected Products:
                       SUSE Linux Enterprise Workstation Extension 12-SP1
                       SUSE Linux Enterprise Software Development Kit 12-SP1
                       SUSE Linux Enterprise Server 12-SP1
                       SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   Various packages included vulnerable parsers generated by "flex". This update provides a fixed "flex" package and also rebuilds of packages that might have security issues caused by the auto generated code.

   Flex itself was updated to fix a buffer overflow in the generated scanner (bsc#990856, CVE-2016-6354).

   Packages that were rebuilt with the fixed flex:

   - at
   - bogofilter
   - cyrus-imapd
   - kdelibs4
   - libQtWebKit4
   - libbonobo
   - mdbtools
   - netpbm
   - openslp
   - sgmltool
   - virtuoso

   Also libqt5-qtwebkit received an additional security fix:

   - CVE-2015-8079: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode (bsc#954210).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1390=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1390=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1390=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1390=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      bogofilter-1.2.4-5.3
      bogofilter-debuginfo-1.2.4-5.3
      bogofilter-debugsource-1.2.4-5.3

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      flex-2.5.37-8.1
      flex-debuginfo-2.5.37-8.1
      flex-debugsource-2.5.37-8.1
      libbonobo-debuginfo-2.32.1-16.1
      libbonobo-debugsource-2.32.1-16.1
      libbonobo-devel-2.32.1-16.1
      libnetpbm-devel-10.66.3-4.1
      mdbtools-0.7-5.1
      mdbtools-debuginfo-0.7-5.1
      mdbtools-debugsource-0.7-5.1
      netpbm-debuginfo-10.66.3-4.1
      netpbm-debugsource-10.66.3-4.1
      openslp-debuginfo-2.0.0-11.1
      openslp-debugsource-2.0.0-11.1
      openslp-devel-2.0.0-11.1
      sgmltool-1.0.9-1075.1
      sgmltool-debuginfo-1.0.9-1075.1
      sgmltool-debugsource-1.0.9-1075.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le x86_64):

      libQtWebKit-devel-4.8.6+2.3.3-3.1
      libQtWebKit4-debuginfo-4.8.6+2.3.3-3.1
      libQtWebKit4-debugsource-4.8.6+2.3.3-3.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      at-3.1.14-7.3
      at-debuginfo-3.1.14-7.3
      at-debugsource-3.1.14-7.3
      cyrus-imapd-debuginfo-2.3.18-40.1
      cyrus-imapd-debugsource-2.3.18-40.1
      flex-2.5.37-8.1
      flex-debuginfo-2.5.37-8.1
      flex-debugsource-2.5.37-8.1
      kdelibs4-debuginfo-4.12.0-7.3
      kdelibs4-debugsource-4.12.0-7.3
      libbonobo-2.32.1-16.1
      libbonobo-debuginfo-2.32.1-16.1
      libbonobo-debugsource-2.32.1-16.1
      libbonobo-doc-2.32.1-16.1
      libbonobo-doc-debuginfo-2.32.1-16.1
      libkde4-4.12.0-7.3
      libkde4-debuginfo-4.12.0-7.3
      libkdecore4-4.12.0-7.3
      libkdecore4-debuginfo-4.12.0-7.3
      libksuseinstall1-4.12.0-7.3
      libksuseinstall1-debuginfo-4.12.0-7.3
      libnetpbm11-10.66.3-4.1
      libnetpbm11-debuginfo-10.66.3-4.1
      netpbm-10.66.3-4.1
      netpbm-debuginfo-10.66.3-4.1
      netpbm-debugsource-10.66.3-4.1
      openslp-2.0.0-11.1
      openslp-debuginfo-2.0.0-11.1
      openslp-debugsource-2.0.0-11.1
      openslp-server-2.0.0-11.1
      openslp-server-debuginfo-2.0.0-11.1
      perl-Cyrus-IMAP-2.3.18-40.1
      perl-Cyrus-IMAP-debuginfo-2.3.18-40.1
      perl-Cyrus-SIEVE-managesieve-2.3.18-40.1
      perl-Cyrus-SIEVE-managesieve-debuginfo-2.3.18-40.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le x86_64):

      libQtWebKit4-4.8.6+2.3.3-3.1
      libQtWebKit4-debuginfo-4.8.6+2.3.3-3.1
      libQtWebKit4-debugsource-4.8.6+2.3.3-3.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      flex-32bit-2.5.37-8.1
      flex-debuginfo-32bit-2.5.37-8.1
      libbonobo-32bit-2.32.1-16.1
      libbonobo-debuginfo-32bit-2.32.1-16.1
      libkde4-32bit-4.12.0-7.3
      libkde4-debuginfo-32bit-4.12.0-7.3
      libkdecore4-32bit-4.12.0-7.3
      libkdecore4-debuginfo-32bit-4.12.0-7.3
      libksuseinstall1-32bit-4.12.0-7.3
      libksuseinstall1-debuginfo-32bit-4.12.0-7.3
      libnetpbm11-32bit-10.66.3-4.1
      libnetpbm11-debuginfo-32bit-10.66.3-4.1
      openslp-32bit-2.0.0-11.1
      openslp-debuginfo-32bit-2.0.0-11.1

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      libQtWebKit4-32bit-4.8.6+2.3.3-3.1
      libQtWebKit4-debuginfo-32bit-4.8.6+2.3.3-3.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      libbonobo-lang-2.32.1-16.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      at-3.1.14-7.3
      at-debuginfo-3.1.14-7.3
      at-debugsource-3.1.14-7.3
      bogofilter-1.2.4-5.3
      bogofilter-debuginfo-1.2.4-5.3
      bogofilter-debugsource-1.2.4-5.3
      kdelibs4-debuginfo-4.12.0-7.3
      kdelibs4-debugsource-4.12.0-7.3
      libQtWebKit4-32bit-4.8.6+2.3.3-3.1
      libQtWebKit4-4.8.6+2.3.3-3.1
      libQtWebKit4-debuginfo-32bit-4.8.6+2.3.3-3.1
      libQtWebKit4-debuginfo-4.8.6+2.3.3-3.1
      libQtWebKit4-debugsource-4.8.6+2.3.3-3.1
      libbonobo-2.32.1-16.1
      libbonobo-32bit-2.32.1-16.1
      libbonobo-debuginfo-2.32.1-16.1
      libbonobo-debuginfo-32bit-2.32.1-16.1
      libbonobo-debugsource-2.32.1-16.1
      libkde4-32bit-4.12.0-7.3
      libkde4-4.12.0-7.3
      libkde4-debuginfo-32bit-4.12.0-7.3
      libkde4-debuginfo-4.12.0-7.3
      libkdecore4-32bit-4.12.0-7.3
      libkdecore4-4.12.0-7.3
      libkdecore4-debuginfo-32bit-4.12.0-7.3
      libkdecore4-debuginfo-4.12.0-7.3
      libksuseinstall1-32bit-4.12.0-7.3
      libksuseinstall1-4.12.0-7.3
      libksuseinstall1-debuginfo-32bit-4.12.0-7.3
      libksuseinstall1-debuginfo-4.12.0-7.3
      libnetpbm11-10.66.3-4.1
      libnetpbm11-32bit-10.66.3-4.1
      libnetpbm11-debuginfo-10.66.3-4.1
      libnetpbm11-debuginfo-32bit-10.66.3-4.1
      netpbm-10.66.3-4.1
      netpbm-debuginfo-10.66.3-4.1
      netpbm-debugsource-10.66.3-4.1
      openslp-2.0.0-11.1
      openslp-32bit-2.0.0-11.1
      openslp-debuginfo-2.0.0-11.1
      openslp-debuginfo-32bit-2.0.0-11.1
      openslp-debugsource-2.0.0-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      libbonobo-lang-2.32.1-16.1

References:

   https://www.suse.com/security/cve/CVE-2015-8079.html
   https://www.suse.com/security/cve/CVE-2016-6354.html
   https://bugzilla.suse.com/954210
   https://bugzilla.suse.com/990856

From sle-security-updates at lists.suse.com Tue Sep 27 13:10:06 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 21:10:06 +0200 (CEST)
Subject: SUSE-SU-2016:2399-1: critical: Security update for bind
Message-ID: <20160927191006.46D92FC45@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2016:2399-1
   Rating:             critical
   References:         #1000362
   Cross-References:   CVE-2016-2776
   Affected Products:
                       SUSE Linux Enterprise Software Development Kit 12-SP1
                       SUSE Linux Enterprise Server 12-SP1
                       SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The nameserver bind was updated to fix a remote denial of service vulnerability, where a crafted packet could cause the nameserver to abort. (CVE-2016-2776, bsc#1000362)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1399=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1399=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1399=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      bind-debuginfo-9.9.9P1-46.1
      bind-debugsource-9.9.9P1-46.1
      bind-devel-9.9.9P1-46.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      bind-9.9.9P1-46.1
      bind-chrootenv-9.9.9P1-46.1
      bind-debuginfo-9.9.9P1-46.1
      bind-debugsource-9.9.9P1-46.1
      bind-libs-9.9.9P1-46.1
      bind-libs-debuginfo-9.9.9P1-46.1
      bind-utils-9.9.9P1-46.1
      bind-utils-debuginfo-9.9.9P1-46.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      bind-libs-32bit-9.9.9P1-46.1
      bind-libs-debuginfo-32bit-9.9.9P1-46.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      bind-doc-9.9.9P1-46.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      bind-debuginfo-9.9.9P1-46.1
      bind-debugsource-9.9.9P1-46.1
      bind-libs-32bit-9.9.9P1-46.1
      bind-libs-9.9.9P1-46.1
      bind-libs-debuginfo-32bit-9.9.9P1-46.1
      bind-libs-debuginfo-9.9.9P1-46.1
      bind-utils-9.9.9P1-46.1
      bind-utils-debuginfo-9.9.9P1-46.1

References:

   https://www.suse.com/security/cve/CVE-2016-2776.html
   https://bugzilla.suse.com/1000362

From sle-security-updates at lists.suse.com Tue Sep 27 13:10:55 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 21:10:55 +0200 (CEST)
Subject: SUSE-SU-2016:2401-1: critical: Security update for bind
Message-ID: <20160927191055.5F44EFC45@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2016:2401-1
   Rating:             critical
   References:         #1000362
   Cross-References:   CVE-2016-2776
   Affected Products:
                       SUSE Linux Enterprise Server for SAP 12
                       SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The nameserver bind was updated to fix a remote denial of service vulnerability, where a crafted packet could cause the nameserver to abort. (CVE-2016-2776, bsc#1000362)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1400=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1400=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 12 (noarch):

      bind-doc-9.9.9P1-28.20.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      bind-9.9.9P1-28.20.1
      bind-chrootenv-9.9.9P1-28.20.1
      bind-debuginfo-9.9.9P1-28.20.1
      bind-debugsource-9.9.9P1-28.20.1
      bind-libs-32bit-9.9.9P1-28.20.1
      bind-libs-9.9.9P1-28.20.1
      bind-libs-debuginfo-32bit-9.9.9P1-28.20.1
      bind-libs-debuginfo-9.9.9P1-28.20.1
      bind-utils-9.9.9P1-28.20.1
      bind-utils-debuginfo-9.9.9P1-28.20.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      bind-9.9.9P1-28.20.1
      bind-chrootenv-9.9.9P1-28.20.1
      bind-debuginfo-9.9.9P1-28.20.1
      bind-debugsource-9.9.9P1-28.20.1
      bind-libs-9.9.9P1-28.20.1
      bind-libs-debuginfo-9.9.9P1-28.20.1
      bind-utils-9.9.9P1-28.20.1
      bind-utils-debuginfo-9.9.9P1-28.20.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      bind-libs-32bit-9.9.9P1-28.20.1
      bind-libs-debuginfo-32bit-9.9.9P1-28.20.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      bind-doc-9.9.9P1-28.20.1

References:

   https://www.suse.com/security/cve/CVE-2016-2776.html
   https://bugzilla.suse.com/1000362

From sle-security-updates at lists.suse.com Tue Sep 27 13:12:05 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 21:12:05 +0200 (CEST)
Subject: SUSE-SU-2016:2404-1: important: Security update for mariadb
Message-ID: <20160927191205.450F1FC46@maintenance.suse.de>

SUSE Security Update: Security update for mariadb
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2016:2404-1
   Rating:             important
   References:         #949520 #998309
   Cross-References:   CVE-2016-6662
   Affected Products:
                       SUSE Linux Enterprise Workstation Extension 12-SP1
                       SUSE Linux Enterprise Software Development Kit 12-SP1
                       SUSE Linux Enterprise Server 12-SP1
                       SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for mariadb to 1.0.0.27 fixes the following issues:

   Security issue fixed:

   * CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309)

   * release notes:
     * https://kb.askmonty.org/en/mariadb-10027-release-notes
   * changelog:
     * https://kb.askmonty.org/en/mariadb-10027-changelog

   Bugs fixed:

   - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1397=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1397=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1397=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1397=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      libmysqlclient_r18-10.0.27-12.1
      libmysqlclient_r18-32bit-10.0.27-12.1
      mariadb-debuginfo-10.0.27-12.1
      mariadb-debugsource-10.0.27-12.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libmysqlclient-devel-10.0.27-12.1
      libmysqlclient_r18-10.0.27-12.1
      libmysqld-devel-10.0.27-12.1
      libmysqld18-10.0.27-12.1
      libmysqld18-debuginfo-10.0.27-12.1
      mariadb-debuginfo-10.0.27-12.1
      mariadb-debugsource-10.0.27-12.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libmysqlclient18-10.0.27-12.1
      libmysqlclient18-debuginfo-10.0.27-12.1
      mariadb-10.0.27-12.1
      mariadb-client-10.0.27-12.1
      mariadb-client-debuginfo-10.0.27-12.1
      mariadb-debuginfo-10.0.27-12.1
      mariadb-debugsource-10.0.27-12.1
      mariadb-errormessages-10.0.27-12.1
      mariadb-tools-10.0.27-12.1
      mariadb-tools-debuginfo-10.0.27-12.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libmysqlclient18-32bit-10.0.27-12.1
      libmysqlclient18-debuginfo-32bit-10.0.27-12.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libmysqlclient18-10.0.27-12.1
      libmysqlclient18-32bit-10.0.27-12.1
      libmysqlclient18-debuginfo-10.0.27-12.1
      libmysqlclient18-debuginfo-32bit-10.0.27-12.1
      libmysqlclient_r18-10.0.27-12.1
      libmysqlclient_r18-32bit-10.0.27-12.1
      mariadb-10.0.27-12.1
      mariadb-client-10.0.27-12.1
      mariadb-client-debuginfo-10.0.27-12.1
      mariadb-debuginfo-10.0.27-12.1
      mariadb-debugsource-10.0.27-12.1
      mariadb-errormessages-10.0.27-12.1

References:

   https://www.suse.com/security/cve/CVE-2016-6662.html
   https://bugzilla.suse.com/949520
   https://bugzilla.suse.com/998309

From sle-security-updates at lists.suse.com Tue Sep 27 14:09:44 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Sep 2016 22:09:44 +0200 (CEST)
Subject: SUSE-SU-2016:2405-1: critical: Security update for bind
Message-ID: <20160927200944.B6A2CFC45@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2016:2405-1
   Rating:             critical
   References:         #1000362
   Cross-References:   CVE-2016-2776
   Affected Products:
                       SUSE OpenStack Cloud 5
                       SUSE Manager Proxy 2.1
                       SUSE Manager 2.1
                       SUSE Linux Enterprise Software Development Kit 11-SP4
                       SUSE Linux Enterprise Server 11-SP4
                       SUSE Linux Enterprise Server 11-SP3-LTSS
                       SUSE Linux Enterprise Server 11-SP2-LTSS
                       SUSE Linux Enterprise Point of Sale 11-SP3
                       SUSE Linux Enterprise Debuginfo 11-SP4
                       SUSE Linux Enterprise Debuginfo 11-SP3
                       SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The nameserver bind was updated to fix a remote denial of service vulnerability, where a crafted packet could cause the nameserver to abort. (CVE-2016-2776, bsc#1000362)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-bind-12763=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-bind-12763=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-bind-12763=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-bind-12763=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-bind-12763=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-bind-12763=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-bind-12763=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-bind-12763=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-bind-12763=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-bind-12763=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-bind-12763=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      bind-9.9.6P1-0.30.1
      bind-chrootenv-9.9.6P1-0.30.1
      bind-doc-9.9.6P1-0.30.1
      bind-libs-32bit-9.9.6P1-0.30.1
      bind-libs-9.9.6P1-0.30.1
      bind-utils-9.9.6P1-0.30.1

   - SUSE Manager Proxy 2.1 (x86_64):

      bind-9.9.6P1-0.30.1
      bind-chrootenv-9.9.6P1-0.30.1
      bind-doc-9.9.6P1-0.30.1
      bind-libs-32bit-9.9.6P1-0.30.1
      bind-libs-9.9.6P1-0.30.1
      bind-utils-9.9.6P1-0.30.1

   - SUSE Manager 2.1 (s390x x86_64):

      bind-9.9.6P1-0.30.1
      bind-chrootenv-9.9.6P1-0.30.1
      bind-doc-9.9.6P1-0.30.1
      bind-libs-32bit-9.9.6P1-0.30.1
      bind-libs-9.9.6P1-0.30.1
      bind-utils-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      bind-devel-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64):

      bind-devel-32bit-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      bind-9.9.6P1-0.30.1
      bind-chrootenv-9.9.6P1-0.30.1
      bind-doc-9.9.6P1-0.30.1
      bind-libs-9.9.6P1-0.30.1
      bind-utils-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      bind-libs-32bit-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      bind-libs-x86-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      bind-9.9.6P1-0.30.1
      bind-chrootenv-9.9.6P1-0.30.1
      bind-doc-9.9.6P1-0.30.1
      bind-libs-9.9.6P1-0.30.1
      bind-utils-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64):

      bind-libs-32bit-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      bind-9.9.6P1-0.30.1
      bind-chrootenv-9.9.6P1-0.30.1
      bind-devel-9.9.6P1-0.30.1
      bind-doc-9.9.6P1-0.30.1
      bind-libs-9.9.6P1-0.30.1
      bind-utils-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):

      bind-libs-32bit-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      bind-9.9.6P1-0.30.1
      bind-chrootenv-9.9.6P1-0.30.1
      bind-doc-9.9.6P1-0.30.1
      bind-libs-9.9.6P1-0.30.1
      bind-utils-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      bind-debuginfo-9.9.6P1-0.30.1
      bind-debugsource-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      bind-debuginfo-9.9.6P1-0.30.1
      bind-debugsource-9.9.6P1-0.30.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      bind-debuginfo-9.9.6P1-0.30.1
      bind-debugsource-9.9.6P1-0.30.1

References:

   https://www.suse.com/security/cve/CVE-2016-2776.html
   https://bugzilla.suse.com/1000362

From sle-security-updates at lists.suse.com Wed Sep 28 07:09:46 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 28 Sep 2016 15:09:46 +0200 (CEST)
Subject: SUSE-SU-2016:2408-1: important: Security update for php5
Message-ID: <20160928130946.BC546FC46@maintenance.suse.de>

SUSE Security Update: Security update for php5
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2016:2408-1
   Rating:             important
   References:         #987530 #987580 #988032 #991422 #991424 #991426 #991427
                       #991428 #991429 #991430 #991433 #991434 #991437 #997206
                       #997207 #997208 #997210 #997211 #997220 #997225 #997230
                       #997248 #997257
   Cross-References:   CVE-2014-3587 CVE-2016-3587 CVE-2016-5399 CVE-2016-6128
                       CVE-2016-6161 CVE-2016-6207 CVE-2016-6288 CVE-2016-6289
                       CVE-2016-6290 CVE-2016-6291 CVE-2016-6292 CVE-2016-6295
                       CVE-2016-6296 CVE-2016-6297 CVE-2016-7124 CVE-2016-7125
                       CVE-2016-7126 CVE-2016-7127 CVE-2016-7128 CVE-2016-7129
                       CVE-2016-7130 CVE-2016-7131 CVE-2016-7132 CVE-2016-7134
   Affected Products:
                       SUSE Linux Enterprise Software Development Kit 12-SP1
                       SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes 24 vulnerabilities is now available.
Description:

   This update for php5 fixes the following security issues:

   * CVE-2016-6128: Invalid color index not properly handled [bsc#987580]
   * CVE-2016-6161: global out of bounds read when encoding gif from malformed input with gd2togif [bsc#988032]
   * CVE-2016-6292: Null pointer dereference in exif_process_user_comment [bsc#991422]
   * CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424]
   * CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426]
   * CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427]
   * CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428]
   * CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429]
   * CVE-2016-5399: Improper error handling in bzread() [bsc#991430]
   * CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437]
   * CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434]
   * CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting SLES11 SP3 [bsc#987530]
   * CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433]
   * CVE-2016-7124: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
   * CVE-2016-7125: PHP Session Data Injection Vulnerability
   * CVE-2016-7126: select_colors write out-of-bounds
   * CVE-2016-7127: imagegammacorrect allowed arbitrary write access
   * CVE-2016-7128: Memory Leakage In exif_process_IFD_in_TIFF
   * CVE-2016-7129: wddx_deserialize allowed illegal memory access
   * CVE-2016-7130: wddx_deserialize null dereference
   * CVE-2016-7131: wddx_deserialize null dereference with invalid xml
   * CVE-2016-7132: wddx_deserialize null dereference in php_wddx_pop_element
   * CVE-2016-7134: Heap overflow in the function curl_escape

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1403=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1403=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      php5-debuginfo-5.5.14-73.1
      php5-debugsource-5.5.14-73.1
      php5-devel-5.5.14-73.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64):

      apache2-mod_php5-5.5.14-73.1
      apache2-mod_php5-debuginfo-5.5.14-73.1
      php5-5.5.14-73.1
      php5-bcmath-5.5.14-73.1
      php5-bcmath-debuginfo-5.5.14-73.1
      php5-bz2-5.5.14-73.1
      php5-bz2-debuginfo-5.5.14-73.1
      php5-calendar-5.5.14-73.1
      php5-calendar-debuginfo-5.5.14-73.1
      php5-ctype-5.5.14-73.1
      php5-ctype-debuginfo-5.5.14-73.1
      php5-curl-5.5.14-73.1
      php5-curl-debuginfo-5.5.14-73.1
      php5-dba-5.5.14-73.1
      php5-dba-debuginfo-5.5.14-73.1
      php5-debuginfo-5.5.14-73.1
      php5-debugsource-5.5.14-73.1
      php5-dom-5.5.14-73.1
      php5-dom-debuginfo-5.5.14-73.1
      php5-enchant-5.5.14-73.1
      php5-enchant-debuginfo-5.5.14-73.1
      php5-exif-5.5.14-73.1
      php5-exif-debuginfo-5.5.14-73.1
      php5-fastcgi-5.5.14-73.1
      php5-fastcgi-debuginfo-5.5.14-73.1
      php5-fileinfo-5.5.14-73.1
      php5-fileinfo-debuginfo-5.5.14-73.1
      php5-fpm-5.5.14-73.1
      php5-fpm-debuginfo-5.5.14-73.1
      php5-ftp-5.5.14-73.1
      php5-ftp-debuginfo-5.5.14-73.1
      php5-gd-5.5.14-73.1
      php5-gd-debuginfo-5.5.14-73.1
      php5-gettext-5.5.14-73.1
      php5-gettext-debuginfo-5.5.14-73.1
      php5-gmp-5.5.14-73.1
      php5-gmp-debuginfo-5.5.14-73.1
      php5-iconv-5.5.14-73.1
      php5-iconv-debuginfo-5.5.14-73.1
      php5-imap-5.5.14-73.1
      php5-imap-debuginfo-5.5.14-73.1
      php5-intl-5.5.14-73.1
      php5-intl-debuginfo-5.5.14-73.1
      php5-json-5.5.14-73.1
      php5-json-debuginfo-5.5.14-73.1
      php5-ldap-5.5.14-73.1
      php5-ldap-debuginfo-5.5.14-73.1
      php5-mbstring-5.5.14-73.1
      php5-mbstring-debuginfo-5.5.14-73.1
      php5-mcrypt-5.5.14-73.1
      php5-mcrypt-debuginfo-5.5.14-73.1
      php5-mysql-5.5.14-73.1
      php5-mysql-debuginfo-5.5.14-73.1
      php5-odbc-5.5.14-73.1
      php5-odbc-debuginfo-5.5.14-73.1
      php5-opcache-5.5.14-73.1
      php5-opcache-debuginfo-5.5.14-73.1
      php5-openssl-5.5.14-73.1
      php5-openssl-debuginfo-5.5.14-73.1
      php5-pcntl-5.5.14-73.1
      php5-pcntl-debuginfo-5.5.14-73.1
      php5-pdo-5.5.14-73.1
      php5-pdo-debuginfo-5.5.14-73.1
      php5-pgsql-5.5.14-73.1
      php5-pgsql-debuginfo-5.5.14-73.1
      php5-phar-5.5.14-73.1
      php5-phar-debuginfo-5.5.14-73.1
      php5-posix-5.5.14-73.1
      php5-posix-debuginfo-5.5.14-73.1
      php5-pspell-5.5.14-73.1
      php5-pspell-debuginfo-5.5.14-73.1
      php5-shmop-5.5.14-73.1
      php5-shmop-debuginfo-5.5.14-73.1
      php5-snmp-5.5.14-73.1
      php5-snmp-debuginfo-5.5.14-73.1
      php5-soap-5.5.14-73.1
      php5-soap-debuginfo-5.5.14-73.1
      php5-sockets-5.5.14-73.1
      php5-sockets-debuginfo-5.5.14-73.1
      php5-sqlite-5.5.14-73.1
      php5-sqlite-debuginfo-5.5.14-73.1
      php5-suhosin-5.5.14-73.1
      php5-suhosin-debuginfo-5.5.14-73.1
      php5-sysvmsg-5.5.14-73.1
      php5-sysvmsg-debuginfo-5.5.14-73.1
      php5-sysvsem-5.5.14-73.1
      php5-sysvsem-debuginfo-5.5.14-73.1
      php5-sysvshm-5.5.14-73.1
      php5-sysvshm-debuginfo-5.5.14-73.1
      php5-tokenizer-5.5.14-73.1
      php5-tokenizer-debuginfo-5.5.14-73.1
      php5-wddx-5.5.14-73.1
      php5-wddx-debuginfo-5.5.14-73.1
      php5-xmlreader-5.5.14-73.1
      php5-xmlreader-debuginfo-5.5.14-73.1
      php5-xmlrpc-5.5.14-73.1
      php5-xmlrpc-debuginfo-5.5.14-73.1
      php5-xmlwriter-5.5.14-73.1
      php5-xmlwriter-debuginfo-5.5.14-73.1
      php5-xsl-5.5.14-73.1
      php5-xsl-debuginfo-5.5.14-73.1
      php5-zip-5.5.14-73.1
      php5-zip-debuginfo-5.5.14-73.1
      php5-zlib-5.5.14-73.1
      php5-zlib-debuginfo-5.5.14-73.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php5-pear-5.5.14-73.1

References:

   https://www.suse.com/security/cve/CVE-2014-3587.html
   https://www.suse.com/security/cve/CVE-2016-3587.html
   https://www.suse.com/security/cve/CVE-2016-5399.html
   https://www.suse.com/security/cve/CVE-2016-6128.html
   https://www.suse.com/security/cve/CVE-2016-6161.html
   https://www.suse.com/security/cve/CVE-2016-6207.html
https://www.suse.com/security/cve/CVE-2016-6288.html https://www.suse.com/security/cve/CVE-2016-6289.html https://www.suse.com/security/cve/CVE-2016-6290.html https://www.suse.com/security/cve/CVE-2016-6291.html https://www.suse.com/security/cve/CVE-2016-6292.html https://www.suse.com/security/cve/CVE-2016-6295.html https://www.suse.com/security/cve/CVE-2016-6296.html https://www.suse.com/security/cve/CVE-2016-6297.html https://www.suse.com/security/cve/CVE-2016-7124.html https://www.suse.com/security/cve/CVE-2016-7125.html https://www.suse.com/security/cve/CVE-2016-7126.html https://www.suse.com/security/cve/CVE-2016-7127.html https://www.suse.com/security/cve/CVE-2016-7128.html https://www.suse.com/security/cve/CVE-2016-7129.html https://www.suse.com/security/cve/CVE-2016-7130.html https://www.suse.com/security/cve/CVE-2016-7131.html https://www.suse.com/security/cve/CVE-2016-7132.html https://www.suse.com/security/cve/CVE-2016-7134.html https://bugzilla.suse.com/987530 https://bugzilla.suse.com/987580 https://bugzilla.suse.com/988032 https://bugzilla.suse.com/991422 https://bugzilla.suse.com/991424 https://bugzilla.suse.com/991426 https://bugzilla.suse.com/991427 https://bugzilla.suse.com/991428 https://bugzilla.suse.com/991429 https://bugzilla.suse.com/991430 https://bugzilla.suse.com/991433 https://bugzilla.suse.com/991434 https://bugzilla.suse.com/991437 https://bugzilla.suse.com/997206 https://bugzilla.suse.com/997207 https://bugzilla.suse.com/997208 https://bugzilla.suse.com/997210 https://bugzilla.suse.com/997211 https://bugzilla.suse.com/997220 https://bugzilla.suse.com/997225 https://bugzilla.suse.com/997230 https://bugzilla.suse.com/997248 https://bugzilla.suse.com/997257 From sle-security-updates at lists.suse.com Thu Sep 29 09:10:44 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Sep 2016 17:10:44 +0200 (CEST) Subject: SUSE-SU-2016:2414-1: important: Security update for postgresql93 Message-ID: 
<20160929151044.D8D5CFC46@maintenance.suse.de>

   SUSE Security Update: Security update for postgresql93
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2414-1
Rating:             important
References:         #973660 #993453 #993454
Cross-References:   CVE-2016-5423 CVE-2016-5424
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has one erratum is now available.

Description:

   This update for postgresql93 to version 9.3.14 fixes several issues.

   These security issues were fixed:

   - CVE-2016-5423: CASE/WHEN with inlining can cause untrusted pointer dereference (bsc#993454).
   - CVE-2016-5424: Fix client programs' handling of special characters in database and role names (bsc#993453).

   This non-security issue was fixed:

   - bsc#973660: Added "Requires: timezone" to Service Pack.

   For additional non-security issues please refer to

   - http://www.postgresql.org/docs/9.3/static/release-9-3-14.html
   - http://www.postgresql.org/docs/9.3/static/release-9-3-13.html
   - http://www.postgresql.org/docs/9.4/static/release-9-3-12.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1407=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1407=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 12 (noarch):

      postgresql93-docs-9.3.14-19.2

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      postgresql93-9.3.14-19.2
      postgresql93-contrib-9.3.14-19.2
      postgresql93-contrib-debuginfo-9.3.14-19.2
      postgresql93-debuginfo-9.3.14-19.2
      postgresql93-debugsource-9.3.14-19.2
      postgresql93-server-9.3.14-19.2
      postgresql93-server-debuginfo-9.3.14-19.2

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      postgresql93-9.3.14-19.2
      postgresql93-contrib-9.3.14-19.2
      postgresql93-contrib-debuginfo-9.3.14-19.2
      postgresql93-debuginfo-9.3.14-19.2
      postgresql93-debugsource-9.3.14-19.2
      postgresql93-server-9.3.14-19.2
      postgresql93-server-debuginfo-9.3.14-19.2

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      postgresql93-docs-9.3.14-19.2

References:

   https://www.suse.com/security/cve/CVE-2016-5423.html
   https://www.suse.com/security/cve/CVE-2016-5424.html
   https://bugzilla.suse.com/973660
   https://bugzilla.suse.com/993453
   https://bugzilla.suse.com/993454

From sle-security-updates at lists.suse.com Thu Sep 29 09:11:32 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Sep 2016 17:11:32 +0200 (CEST)
Subject: SUSE-SU-2016:2415-1: important: Security update for postgresql94
Message-ID: <20160929151132.2A3CFFC45@maintenance.suse.de>

   SUSE Security Update: Security update for postgresql94
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2415-1
Rating:             important
References:         #973660 #993453 #993454
Cross-References:   CVE-2016-5423 CVE-2016-5424
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves two vulnerabilities and has one erratum is now available.

Description:

   This update for postgresql94 to version 9.4.9 fixes several issues.
   These security issues were fixed:

   - CVE-2016-5423: CASE/WHEN with inlining can cause untrusted pointer dereference (bsc#993454).
   - CVE-2016-5424: Fix client programs' handling of special characters in database and role names (bsc#993453).

   This non-security issue was fixed:

   - bsc#973660: Added "Requires: timezone" to Service Pack.

   For additional non-security issues please refer to

   - http://www.postgresql.org/docs/9.4/static/release-9-4-9.html
   - http://www.postgresql.org/docs/9.4/static/release-9-4-8.html
   - http://www.postgresql.org/docs/9.4/static/release-9-4-7.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1409=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1409=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1409=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      postgresql94-devel-9.4.9-14.1
      postgresql94-devel-debuginfo-9.4.9-14.1
      postgresql94-libs-debugsource-9.4.9-14.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libecpg6-9.4.9-14.1
      libecpg6-debuginfo-9.4.9-14.1
      libpq5-9.4.9-14.1
      libpq5-debuginfo-9.4.9-14.1
      postgresql94-9.4.9-14.1
      postgresql94-contrib-9.4.9-14.1
      postgresql94-contrib-debuginfo-9.4.9-14.1
      postgresql94-debuginfo-9.4.9-14.1
      postgresql94-debugsource-9.4.9-14.1
      postgresql94-libs-debugsource-9.4.9-14.1
      postgresql94-server-9.4.9-14.1
      postgresql94-server-debuginfo-9.4.9-14.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libpq5-32bit-9.4.9-14.1
      libpq5-debuginfo-32bit-9.4.9-14.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      postgresql94-docs-9.4.9-14.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libecpg6-9.4.9-14.1
      libecpg6-debuginfo-9.4.9-14.1
      libpq5-32bit-9.4.9-14.1
      libpq5-9.4.9-14.1
      libpq5-debuginfo-32bit-9.4.9-14.1
      libpq5-debuginfo-9.4.9-14.1
      postgresql94-9.4.9-14.1
      postgresql94-debuginfo-9.4.9-14.1
      postgresql94-debugsource-9.4.9-14.1
      postgresql94-libs-debugsource-9.4.9-14.1

References:

   https://www.suse.com/security/cve/CVE-2016-5423.html
   https://www.suse.com/security/cve/CVE-2016-5424.html
   https://bugzilla.suse.com/973660
   https://bugzilla.suse.com/993453
   https://bugzilla.suse.com/993454

From sle-security-updates at lists.suse.com Thu Sep 29 11:10:00 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Sep 2016 19:10:00 +0200 (CEST)
Subject: SUSE-SU-2016:2416-1: important: Security update for pidgin
Message-ID: <20160929171000.64362FC45@maintenance.suse.de>

   SUSE Security Update: Security update for pidgin
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2416-1
Rating:             important
References:         #991691 #991709 #991711 #991712 #991715
Cross-References:   CVE-2016-2367 CVE-2016-2370
                    CVE-2016-2371 CVE-2016-2372 CVE-2016-2373
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for pidgin fixes the following issues:

   Security issues fixed:

   - CVE-2016-2367: Fixed a MXIT Avatar Length Memory Disclosure Vulnerability (bsc#991715).
   - CVE-2016-2370: Fixed a MXIT Custom Resource Denial of Service Vulnerability (bsc#991712).
   - CVE-2016-2371: Fixed a MXIT Extended Profiles Code Execution Vulnerability (bsc#991691).
   - CVE-2016-2372: Fixed a MXIT File Transfer Length Memory Disclosure Vulnerability (bsc#991711).
   - CVE-2016-2373: Fixed a MXIT Contact Mood Denial of Service Vulnerability (bsc#991709).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-pidgin-12767=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-pidgin-12767=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      finch-2.6.6-0.29.1
      finch-devel-2.6.6-0.29.1
      libpurple-2.6.6-0.29.1
      libpurple-devel-2.6.6-0.29.1
      libpurple-lang-2.6.6-0.29.1
      pidgin-2.6.6-0.29.1
      pidgin-devel-2.6.6-0.29.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      pidgin-debuginfo-2.6.6-0.29.1
      pidgin-debugsource-2.6.6-0.29.1

References:

   https://www.suse.com/security/cve/CVE-2016-2367.html
   https://www.suse.com/security/cve/CVE-2016-2370.html
   https://www.suse.com/security/cve/CVE-2016-2371.html
   https://www.suse.com/security/cve/CVE-2016-2372.html
   https://www.suse.com/security/cve/CVE-2016-2373.html
   https://bugzilla.suse.com/991691
   https://bugzilla.suse.com/991709
   https://bugzilla.suse.com/991711
   https://bugzilla.suse.com/991712
   https://bugzilla.suse.com/991715

From sle-security-updates at lists.suse.com Thu Sep 29 11:11:35 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Sep 2016 19:11:35 +0200 (CEST)
Subject: SUSE-SU-2016:2418-1: important: Security update for postgresql94
Message-ID: <20160929171135.17774FC45@maintenance.suse.de>

   SUSE Security Update: Security update for postgresql94
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2418-1
Rating:             important
References:         #993453 #993454
Cross-References:   CVE-2016-5423 CVE-2016-5424
Affected Products:
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for postgresql94 to version 9.4.9 fixes several issues.

   These security issues were fixed:

   - CVE-2016-5423: CASE/WHEN with inlining can cause untrusted pointer dereference (bsc#993454).
   - CVE-2016-5424: Fix client programs' handling of special characters in database and role names (bsc#993453).

   For the non-security issues please refer to

   - http://www.postgresql.org/docs/9.4/static/release-9-4-9.html
   - http://www.postgresql.org/docs/9.4/static/release-9-4-8.html
   - http://www.postgresql.org/docs/9.4/static/release-9-4-7.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-postgresql94-12766=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-postgresql94-12766=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-postgresql94-12766=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-postgresql94-12766=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager 2.1 (s390x x86_64):

      postgresql94-pltcl-9.4.9-0.19.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      postgresql94-devel-9.4.9-0.19.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libecpg6-9.4.9-0.19.1
      libpq5-9.4.9-0.19.1
      postgresql94-9.4.9-0.19.1
      postgresql94-contrib-9.4.9-0.19.1
      postgresql94-docs-9.4.9-0.19.1
      postgresql94-server-9.4.9-0.19.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libpq5-32bit-9.4.9-0.19.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      postgresql94-debuginfo-9.4.9-0.19.1
      postgresql94-debugsource-9.4.9-0.19.1
      postgresql94-libs-debuginfo-9.4.9-0.19.1
      postgresql94-libs-debugsource-9.4.9-0.19.1

References:

   https://www.suse.com/security/cve/CVE-2016-5423.html
   https://www.suse.com/security/cve/CVE-2016-5424.html
   https://bugzilla.suse.com/993453
   https://bugzilla.suse.com/993454