From sle-security-updates at lists.suse.com Thu Mar 1 07:08:02 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 15:08:02 +0100 (CET) Subject: SUSE-SU-2018:0568-1: important: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP2) Message-ID: <20180301140802.4DA1EFD81@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0568-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.49-92_11 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-378=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_49-92_11-default-11-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 10:09:02 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 18:09:02 +0100 (CET) Subject: SUSE-SU-2018:0571-1: moderate: Security update for puppet Message-ID: <20180301170902.C2B0EFD33@maintenance.suse.de> SUSE Security Update: Security update for puppet ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0571-1 Rating: moderate References: #1080288 Cross-References: CVE-2017-10689 Affected Products: SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for puppet fixes the following issues: - CVE-2017-10689: Reset permissions when unpacking tar in PMT. When using minitar, files were unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions (bsc#1080288) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Advanced Systems Management 12: zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2018-379=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-379=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-379=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64): puppet-3.8.5-15.9.1 puppet-server-3.8.5-15.9.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): puppet-3.8.5-15.9.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): puppet-3.8.5-15.9.1 References: https://www.suse.com/security/cve/CVE-2017-10689.html https://bugzilla.suse.com/1080288 From sle-security-updates at lists.suse.com Thu Mar 1 13:09:05 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:09:05 +0100 (CET) Subject: SUSE-SU-2018:0572-1: important: Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP2) Message-ID: <20180301200905.75DABFD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0572-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.90-92_45 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-395=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_90-92_45-default-4-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:09:41 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:09:41 +0100 (CET) Subject: SUSE-SU-2018:0573-1: important: Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP2) Message-ID: <20180301200941.DF542FD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0573-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.59-92_17 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-387=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_59-92_17-default-9-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:10:13 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:10:13 +0100 (CET) Subject: SUSE-SU-2018:0574-1: important: Security update for the Linux Kernel (Live Patch 8 for SLE 12 SP2) Message-ID: <20180301201013.02332FD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 8 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0574-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.59-92_20 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-386=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_59-92_20-default-9-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:10:47 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:10:47 +0100 (CET) Subject: SUSE-SU-2018:0575-1: important: Security update for the Linux Kernel (Live Patch 10 for SLE 12 SP2) Message-ID: <20180301201047.1886CFD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 10 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0575-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.74-92_29 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-389=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_74-92_29-default-8-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:11:27 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:11:27 +0100 (CET) Subject: SUSE-SU-2018:0576-1: important: Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP2) Message-ID: <20180301201127.79DABFD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0576-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.49-92_14 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-388=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_49-92_14-default-10-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:11:56 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:11:56 +0100 (CET) Subject: SUSE-SU-2018:0577-1: important: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP2) Message-ID: <20180301201156.4E096FD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0577-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.59-92_24 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-385=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_59-92_24-default-8-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:12:24 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:12:24 +0100 (CET) Subject: SUSE-SU-2018:0578-1: important: Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP2) Message-ID: <20180301201224.D72C2FD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0578-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.103-92_53 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-393=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_103-92_53-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:13:03 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:13:03 +0100 (CET) Subject: SUSE-SU-2018:0579-1: important: Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP2) Message-ID: <20180301201303.29AE7FD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0579-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.74-92_38 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-392=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_74-92_38-default-6-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:14:20 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:14:20 +0100 (CET) Subject: SUSE-SU-2018:0581-1: moderate: Security update for ImageMagick Message-ID: <20180301201420.40BA6FD29@maintenance.suse.de> SUSE Security Update: Security update for ImageMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0581-1 Rating: moderate References: #1042824 #1042911 #1048110 #1048272 #1049374 #1049375 #1050048 #1050119 #1050122 #1050126 #1050132 #1050617 #1052207 #1052248 #1052251 #1052254 #1052472 #1052688 #1052711 #1052747 #1052750 #1052754 #1052761 #1055069 #1055229 #1056768 #1057163 #1058009 #1072898 #1074119 #1074170 #1075821 #1076182 #1078433 Cross-References: CVE-2017-11166 CVE-2017-11170 CVE-2017-11448 CVE-2017-11450 CVE-2017-11528 CVE-2017-11530 CVE-2017-11531 CVE-2017-11533 CVE-2017-11537 CVE-2017-11638 CVE-2017-11642 CVE-2017-12418 CVE-2017-12427 CVE-2017-12429 CVE-2017-12432 CVE-2017-12566 CVE-2017-12654 CVE-2017-12663 CVE-2017-12664 CVE-2017-12665 CVE-2017-12668 CVE-2017-12674 CVE-2017-13058 CVE-2017-13131 CVE-2017-14060 CVE-2017-14139 CVE-2017-14224 CVE-2017-17682 CVE-2017-17885 CVE-2017-17934 CVE-2017-18028 CVE-2017-9405 CVE-2017-9407 CVE-2018-5357 CVE-2018-6405 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 35 vulnerabilities is now available. Description: This update for ImageMagick fixes the following issues: - CVE-2017-9405: A memory leak in the ReadICONImage function was fixed that could lead to DoS via memory exhaustion (bsc#1042911) - CVE-2017-9407: In ImageMagick, the ReadPALMImage function in palm.c allowed attackers to cause a denial of service (memory leak) via a crafted file. (bsc#1042824) - CVE-2017-11166: In ReadXWDImage in coders\xwd.c a memoryleak could have caused memory exhaustion via a crafted length (bsc#1048110) - CVE-2017-11170: ReadTGAImage in coders\tga.c allowed for memory exhaustion via invalid colors data in the header of a TGA or VST file (bsc#1048272) - CVE-2017-11448: The ReadJPEGImage function in coders/jpeg.c in ImageMagick allowed remote attackers to obtain sensitive information from uninitialized memory locations via a crafted file. (bsc#1049375) - CVE-2017-11450: A remote denial of service in coders/jpeg.c was fixed (bsc#1049374) - CVE-2017-11528: ReadDIBImage in coders/dib.c allows remote attackers to cause DoS via memory exhaustion (bsc#1050119) - CVE-2017-11530: ReadEPTImage in coders/ept.c allows remote attackers to cause DoS via memory exhaustion (bsc#1050122) - CVE-2017-11531: When ImageMagick processed a crafted file in convert, it could lead to a Memory Leak in the WriteHISTOGRAMImage() function in coders/histogram.c. (bsc#1050126) - CVE-2017-11533: A information leak by 1 byte due to heap-based buffer over-read in the WriteUILImage() in coders/uil.c was fixed (bsc#1050132) - CVE-2017-11537: When ImageMagick processed a crafted file in convert, it can lead to a Floating Point Exception (FPE) in the WritePALMImage() function in coders/palm.c, related to an incorrect bits-per-pixel calculation. (bsc#1050048) - CVE-2017-11638, CVE-2017-11642: A NULL pointer dereference in theWriteMAPImage() in coders/map.c was fixed which could lead to a crash (bsc#1050617) - CVE-2017-12418: ImageMagick had memory leaks in the parse8BIMW and format8BIM functions in coders/meta.c, related to the WriteImage function in MagickCore/constitute.c. (bsc#1052207) - CVE-2017-12427: ProcessMSLScript coders/msl.c allowed remote attackers to cause a DoS (bsc#1052248) - CVE-2017-12429: A memory exhaustion flaw in ReadMIFFImage in coders/miff.c was fixed, which allowed attackers to cause DoS (bsc#1052251) - CVE-2017-12432: In ImageMagick, a memory exhaustion vulnerability was found in the function ReadPCXImage in coders/pcx.c, which allowed attackers to cause a denial of service. (bsc#1052254) - CVE-2017-12566: A memory leak in ReadMVGImage in coders/mvg.c, could have allowed attackers to cause DoS (bsc#1052472) - CVE-2017-12654: The ReadPICTImage function in coders/pict.c in ImageMagick allowed attackers to cause a denial of service (memory leak) via a crafted file. (bsc#1052761) - CVE-2017-12663: A memory leak in WriteMAPImage in coders/map.c was fixed that could lead to a DoS via memory exhaustion (bsc#1052754) - CVE-2017-12664: ImageMagick had a memory leak vulnerability in WritePALMImage in coders/palm.c. (bsc#1052750) - CVE-2017-12665: ImageMagick had a memory leak vulnerability in WritePICTImage in coders/pict.c. (bsc#1052747) - CVE-2017-12668: ImageMagick had a memory leak vulnerability in WritePCXImage in coders/pcx.c. (bsc#1052688) - CVE-2017-12674: A CPU exhaustion in ReadPDBImage in coders/pdb.c was fixed, which allowed attackers to cause DoS (bsc#1052711) - CVE-2017-13058: In ImageMagick, a memory leak vulnerability was found in the function WritePCXImage in coders/pcx.c, which allowed attackers to cause a denial of service via a crafted file. (bsc#1055069) - CVE-2017-13131: A memory leak vulnerability was found in thefunction ReadMIFFImage in coders/miff.c, which allowed attackers tocause a denial of service (memory consumption in NewL (bsc#1055229) - CVE-2017-14060: A NULL Pointer Dereference issue in the ReadCUTImage function in coders/cut.c was fixed that could have caused a Denial of Service (bsc#1056768) - CVE-2017-14139: A memory leak vulnerability in WriteMSLImage in coders/msl.c was fixed. (bsc#1057163) - CVE-2017-14224: A heap-based buffer overflow in WritePCXImage in coders/pcx.c could lead to denial of service or code execution. (bsc#1058009) - CVE-2017-17682: A large loop vulnerability was fixed in ExtractPostscript in coders/wpg.c, which allowed attackers to cause a denial of service (CPU exhaustion) (bsc#1072898) - CVE-2017-17885: In ImageMagick, a memory leak vulnerability was found in the function ReadPICTImage in coders/pict.c, which allowed attackers to cause a denial of service via a crafted PICT image file. (bsc#1074119) - CVE-2017-17934: A memory leak in the function MSLPopImage and ProcessMSLScript could have lead to a denial of service (bsc#1074170) - CVE-2017-18028: A memory exhaustion in the function ReadTIFFImage in coders/tiff.c was fixed. (bsc#1076182) - CVE-2018-5357: ImageMagick had memory leaks in the ReadDCMImage function in coders/dcm.c. (bsc#1075821) - CVE-2018-6405: In the ReadDCMImage function in coders/dcm.c in ImageMagick, each redmap, greenmap, and bluemap variable can be overwritten by a new pointer. The previous pointer is lost, which leads to a memory leak. This allowed remote attackers to cause a denial of service. (bsc#1078433) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-391=1 - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-391=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-391=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-391=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-391=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-391=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-391=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-391=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-391=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): ImageMagick-6.8.8.1-71.42.1 ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 libMagick++-6_Q16-3-6.8.8.1-71.42.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.42.1 - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): ImageMagick-6.8.8.1-71.42.1 ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 libMagick++-6_Q16-3-6.8.8.1-71.42.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.42.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): ImageMagick-6.8.8.1-71.42.1 ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 ImageMagick-devel-6.8.8.1-71.42.1 libMagick++-6_Q16-3-6.8.8.1-71.42.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.42.1 libMagick++-devel-6.8.8.1-71.42.1 perl-PerlMagick-6.8.8.1-71.42.1 perl-PerlMagick-debuginfo-6.8.8.1-71.42.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): ImageMagick-6.8.8.1-71.42.1 ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 ImageMagick-devel-6.8.8.1-71.42.1 libMagick++-6_Q16-3-6.8.8.1-71.42.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.42.1 libMagick++-devel-6.8.8.1-71.42.1 perl-PerlMagick-6.8.8.1-71.42.1 perl-PerlMagick-debuginfo-6.8.8.1-71.42.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.42.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.42.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.42.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): ImageMagick-6.8.8.1-71.42.1 ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 libMagick++-6_Q16-3-6.8.8.1-71.42.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.42.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): ImageMagick-6.8.8.1-71.42.1 ImageMagick-debuginfo-6.8.8.1-71.42.1 ImageMagick-debugsource-6.8.8.1-71.42.1 libMagick++-6_Q16-3-6.8.8.1-71.42.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.42.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-6.8.8.1-71.42.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.42.1 References: https://www.suse.com/security/cve/CVE-2017-11166.html https://www.suse.com/security/cve/CVE-2017-11170.html https://www.suse.com/security/cve/CVE-2017-11448.html https://www.suse.com/security/cve/CVE-2017-11450.html https://www.suse.com/security/cve/CVE-2017-11528.html https://www.suse.com/security/cve/CVE-2017-11530.html https://www.suse.com/security/cve/CVE-2017-11531.html https://www.suse.com/security/cve/CVE-2017-11533.html https://www.suse.com/security/cve/CVE-2017-11537.html https://www.suse.com/security/cve/CVE-2017-11638.html https://www.suse.com/security/cve/CVE-2017-11642.html https://www.suse.com/security/cve/CVE-2017-12418.html https://www.suse.com/security/cve/CVE-2017-12427.html https://www.suse.com/security/cve/CVE-2017-12429.html https://www.suse.com/security/cve/CVE-2017-12432.html https://www.suse.com/security/cve/CVE-2017-12566.html https://www.suse.com/security/cve/CVE-2017-12654.html https://www.suse.com/security/cve/CVE-2017-12663.html https://www.suse.com/security/cve/CVE-2017-12664.html https://www.suse.com/security/cve/CVE-2017-12665.html https://www.suse.com/security/cve/CVE-2017-12668.html https://www.suse.com/security/cve/CVE-2017-12674.html https://www.suse.com/security/cve/CVE-2017-13058.html https://www.suse.com/security/cve/CVE-2017-13131.html https://www.suse.com/security/cve/CVE-2017-14060.html https://www.suse.com/security/cve/CVE-2017-14139.html https://www.suse.com/security/cve/CVE-2017-14224.html https://www.suse.com/security/cve/CVE-2017-17682.html https://www.suse.com/security/cve/CVE-2017-17885.html https://www.suse.com/security/cve/CVE-2017-17934.html https://www.suse.com/security/cve/CVE-2017-18028.html https://www.suse.com/security/cve/CVE-2017-9405.html https://www.suse.com/security/cve/CVE-2017-9407.html https://www.suse.com/security/cve/CVE-2018-5357.html https://www.suse.com/security/cve/CVE-2018-6405.html https://bugzilla.suse.com/1042824 https://bugzilla.suse.com/1042911 https://bugzilla.suse.com/1048110 https://bugzilla.suse.com/1048272 https://bugzilla.suse.com/1049374 https://bugzilla.suse.com/1049375 https://bugzilla.suse.com/1050048 https://bugzilla.suse.com/1050119 https://bugzilla.suse.com/1050122 https://bugzilla.suse.com/1050126 https://bugzilla.suse.com/1050132 https://bugzilla.suse.com/1050617 https://bugzilla.suse.com/1052207 https://bugzilla.suse.com/1052248 https://bugzilla.suse.com/1052251 https://bugzilla.suse.com/1052254 https://bugzilla.suse.com/1052472 https://bugzilla.suse.com/1052688 https://bugzilla.suse.com/1052711 https://bugzilla.suse.com/1052747 https://bugzilla.suse.com/1052750 https://bugzilla.suse.com/1052754 https://bugzilla.suse.com/1052761 https://bugzilla.suse.com/1055069 https://bugzilla.suse.com/1055229 https://bugzilla.suse.com/1056768 https://bugzilla.suse.com/1057163 https://bugzilla.suse.com/1058009 https://bugzilla.suse.com/1072898 https://bugzilla.suse.com/1074119 https://bugzilla.suse.com/1074170 https://bugzilla.suse.com/1075821 https://bugzilla.suse.com/1076182 https://bugzilla.suse.com/1078433 From sle-security-updates at lists.suse.com Thu Mar 1 13:19:33 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:19:33 +0100 (CET) Subject: SUSE-SU-2018:0582-1: important: Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP2) Message-ID: <20180301201933.1137DFD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0582-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.103-92_56 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-394=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_103-92_56-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Thu Mar 1 13:21:08 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 1 Mar 2018 21:21:08 +0100 (CET) Subject: SUSE-SU-2018:0584-1: important: Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP2) Message-ID: <20180301202108.07853FD29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0584-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.74-92_32 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-390=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_74-92_32-default-7-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 07:08:37 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 2 Mar 2018 15:08:37 +0100 (CET) Subject: SUSE-SU-2018:0585-1: moderate: Security update for openexr Message-ID: <20180302140837.91818FD88@maintenance.suse.de> SUSE Security Update: Security update for openexr ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0585-1 Rating: moderate References: #1040107 #1040114 #1052522 Cross-References: CVE-2017-12596 CVE-2017-9110 CVE-2017-9114 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for openexr fixes the following issues: * CVE-2017-9110: In OpenEXR, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (bsc#1040107) * CVE-2017-9114: In OpenEXR, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. (bsc#1040114) * CVE-2017-12596: In OpenEXR, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it could have resulted in denial of service or possibly unspecified other impact. (bsc#1052522) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-398=1 - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-398=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-398=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-398=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-398=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-398=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-398=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-398=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-398=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): libIlmImf-Imf_2_1-21-32bit-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): libIlmImf-Imf_2_1-21-32bit-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): openexr-debuginfo-2.1.0-6.3.1 openexr-debugsource-2.1.0-6.3.1 openexr-devel-2.1.0-6.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): openexr-debuginfo-2.1.0-6.3.1 openexr-debugsource-2.1.0-6.3.1 openexr-devel-2.1.0-6.3.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libIlmImf-Imf_2_1-21-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.3.1 openexr-2.1.0-6.3.1 openexr-debuginfo-2.1.0-6.3.1 openexr-debugsource-2.1.0-6.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.3.1 openexr-2.1.0-6.3.1 openexr-debuginfo-2.1.0-6.3.1 openexr-debugsource-2.1.0-6.3.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.3.1 openexr-2.1.0-6.3.1 openexr-debuginfo-2.1.0-6.3.1 openexr-debugsource-2.1.0-6.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-32bit-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.3.1 openexr-2.1.0-6.3.1 openexr-debuginfo-2.1.0-6.3.1 openexr-debugsource-2.1.0-6.3.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-32bit-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.3.1 libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.3.1 openexr-2.1.0-6.3.1 openexr-debuginfo-2.1.0-6.3.1 openexr-debugsource-2.1.0-6.3.1 References: https://www.suse.com/security/cve/CVE-2017-12596.html https://www.suse.com/security/cve/CVE-2017-9110.html https://www.suse.com/security/cve/CVE-2017-9114.html https://bugzilla.suse.com/1040107 https://bugzilla.suse.com/1040114 https://bugzilla.suse.com/1052522 From sle-security-updates at lists.suse.com Fri Mar 2 07:09:32 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 2 Mar 2018 15:09:32 +0100 (CET) Subject: SUSE-SU-2018:0586-1: important: Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP2) Message-ID: <20180302140932.A4C75FD86@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0586-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.74-92_35 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-396=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_74-92_35-default-7-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 07:10:16 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 2 Mar 2018 15:10:16 +0100 (CET) Subject: SUSE-SU-2018:0587-1: moderate: Security update for OpenEXR Message-ID: <20180302141016.9CB7FFD82@maintenance.suse.de> SUSE Security Update: Security update for OpenEXR ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0587-1 Rating: moderate References: #1040107 #1040114 #1052522 Cross-References: CVE-2017-12596 CVE-2017-9110 CVE-2017-9114 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for OpenEXR fixes the following issues: * CVE-2017-9110: In OpenEXR, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (bsc#1040107) * CVE-2017-9114: In OpenEXR, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. (bsc#1040114) * CVE-2017-12596: In OpenEXR, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it could have resulted in denial of service or possibly unspecified other impact. (bsc#1052522) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-OpenEXR-13496=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-OpenEXR-13496=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-OpenEXR-13496=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): OpenEXR-devel-1.6.1-83.17.3.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (x86_64): OpenEXR-32bit-1.6.1-83.17.3.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): OpenEXR-1.6.1-83.17.3.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): OpenEXR-32bit-1.6.1-83.17.3.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): OpenEXR-x86-1.6.1-83.17.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): OpenEXR-debuginfo-1.6.1-83.17.3.1 OpenEXR-debugsource-1.6.1-83.17.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64): OpenEXR-debuginfo-32bit-1.6.1-83.17.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64): OpenEXR-debuginfo-x86-1.6.1-83.17.3.1 References: https://www.suse.com/security/cve/CVE-2017-12596.html https://www.suse.com/security/cve/CVE-2017-9110.html https://www.suse.com/security/cve/CVE-2017-9114.html https://bugzilla.suse.com/1040107 https://bugzilla.suse.com/1040114 https://bugzilla.suse.com/1052522 From sle-security-updates at lists.suse.com Fri Mar 2 16:08:39 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:08:39 +0100 (CET) Subject: SUSE-SU-2018:0590-1: important: Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP3) Message-ID: <20180302230839.02C9BFCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0590-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.82-6_9 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-405=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (x86_64): kgraft-patch-4_4_82-6_9-default-5-2.1 kgraft-patch-4_4_82-6_9-default-debuginfo-5-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 16:09:05 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:09:05 +0100 (CET) Subject: SUSE-SU-2018:0591-1: important: Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP2) Message-ID: <20180302230906.01995FCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0591-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.90-92_50 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non-security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-407=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_90-92_50-default-4-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 16:09:41 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:09:41 +0100 (CET) Subject: SUSE-SU-2018:0592-1: important: Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP3) Message-ID: <20180302230941.6E48BFCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0592-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.90-6_12 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-403=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (x86_64): kgraft-patch-4_4_92-6_18-default-4-2.1 kgraft-patch-4_4_92-6_18-default-debuginfo-4-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 16:10:16 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:10:16 +0100 (CET) Subject: SUSE-SU-2018:0593-1: important: Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP3) Message-ID: <20180302231016.F2844FCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0593-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.103-6_38 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-401=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_103-6_38-default-3-2.1 kgraft-patch-4_4_103-6_38-default-debuginfo-3-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 16:10:48 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:10:48 +0100 (CET) Subject: SUSE-SU-2018:0594-1: important: Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP3) Message-ID: <20180302231048.3A134FCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0594-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.103-6_33 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-400=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_103-6_33-default-3-2.1 kgraft-patch-4_4_103-6_33-default-debuginfo-3-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 16:11:21 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:11:21 +0100 (CET) Subject: SUSE-SU-2018:0595-1: important: Security update for the Linux Kernel (Live Patch 1 for SLE 12 SP3) Message-ID: <20180302231121.51F0DFCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 1 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0595-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.82-6_3 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-406=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (x86_64): kgraft-patch-4_4_82-6_3-default-6-2.1 kgraft-patch-4_4_82-6_3-default-debuginfo-6-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 16:11:52 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:11:52 +0100 (CET) Subject: SUSE-SU-2018:0596-1: important: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP3) Message-ID: <20180302231152.4512CFCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0596-1 Rating: important References: #1077268 #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for the Linux Kernel 4.4.92-6_30 fixes several issues. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Non security issue fixed: - btrfs: account for pinned bytes in should_alloc_chunk (bsc#1077268) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-402=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_92-6_30-default-3-2.1 kgraft-patch-4_4_92-6_30-default-debuginfo-3-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077268 https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Fri Mar 2 16:12:29 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 3 Mar 2018 00:12:29 +0100 (CET) Subject: SUSE-SU-2018:0597-1: important: Security update for the Linux Kernel (Live Patch 2 for SLE 12 SP3) Message-ID: <20180302231229.AAF45FCA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 2 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0597-1 Rating: important References: #1077404 Cross-References: CVE-2017-18075 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.82-6_6 fixes one issue. The following security issue was fixed: - CVE-2017-18075: crypto/pcrypt.c in the Linux kernel mishandled freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls (bsc#1077404). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-404=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (x86_64): kgraft-patch-4_4_82-6_6-default-5-2.1 kgraft-patch-4_4_82-6_6-default-debuginfo-5-2.1 References: https://www.suse.com/security/cve/CVE-2017-18075.html https://bugzilla.suse.com/1077404 From sle-security-updates at lists.suse.com Mon Mar 5 07:07:28 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 5 Mar 2018 15:07:28 +0100 (CET) Subject: SUSE-SU-2018:0600-1: moderate: Security update for puppet Message-ID: <20180305140728.8C291FD28@maintenance.suse.de> SUSE Security Update: Security update for puppet ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0600-1 Rating: moderate References: #1040151 #1077767 Cross-References: CVE-2017-2295 Affected Products: SUSE Linux Enterprise Server 11-SP4 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for puppet fixes the following issues: - CVE-2017-2295: Fixed a security vulnerability where an attacker could force YAML deserialization in an unsafe manner, which would lead to remote code execution. In default, this update would break a backwards compatibility with Puppet agents older than 3.2.2 as the SLE11 master doesn't support other fact formats than pson in default anymore. In order to allow users to continue using their SLE11 agents a patch was added that enables sending PSON from agents. For non-SUSE clients older that 3.2.2 a new puppet master boolean option "dangerous_fact_formats" was added. When it's set to true it enables using dangerous fact formats (e.g. YAML). When it's set to false, only PSON fact format is accepted. (bsc#1040151), (bsc#1077767) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-puppet-13498=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): puppet-2.7.26-0.5.3.1 puppet-server-2.7.26-0.5.3.1 References: https://www.suse.com/security/cve/CVE-2017-2295.html https://bugzilla.suse.com/1040151 https://bugzilla.suse.com/1077767 From sle-security-updates at lists.suse.com Mon Mar 5 07:08:08 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 5 Mar 2018 15:08:08 +0100 (CET) Subject: SUSE-SU-2018:0601-1: important: Security update for xen Message-ID: <20180305140808.75789FD28@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0601-1 Rating: important References: #1027519 #1035442 #1061081 #1068032 #1070158 #1070159 #1070160 #1070163 #1074562 #1076116 #1076180 #1080635 #1080662 Cross-References: CVE-2017-15595 CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566 CVE-2017-18030 CVE-2017-5715 CVE-2017-5753 CVE-2017-5754 CVE-2018-5683 Affected Products: SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that solves 10 vulnerabilities and has three fixes is now available. Description: This update for xen fixes several issues. These security issues were fixed: - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks via side effects of speculative execution, aka "Spectre" and "Meltdown" attacks (bsc#1074562, bsc#1068032) - CVE-2018-5683: The vga_draw_text function allowed local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation (bsc#1076116). - CVE-2017-18030: The cirrus_invalidate_region function allowed local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch (bsc#1076180). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081) - CVE-2017-17566: Prevent PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page (bsc#1070158). - CVE-2017-17563: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode (bsc#1070159). - CVE-2017-17564: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode (bsc#1070160). - CVE-2017-17565: Prevent PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P (bsc#1070163). - Added missing intermediate preemption checks for guest requesting removal of memory. This allowed malicious guest administrator to cause denial of service due to the high cost of this operation (bsc#1080635). - Because of XEN not returning the proper error messages when transitioning grant tables from v2 to v1 a malicious guest was able to cause DoS or potentially allowed for privilege escalation as well as information leaks (bsc#1080662). This non-security issue was fixed: - bsc#1035442: Increased the value of LIBXL_DESTROY_TIMEOUT from 10 to 100 seconds. If many domUs shutdown in parallel the backends couldn't keep up - Upstream patches from Jan (bsc#1027519) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-408=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12-LTSS (x86_64): xen-4.4.4_28-22.62.1 xen-debugsource-4.4.4_28-22.62.1 xen-doc-html-4.4.4_28-22.62.1 xen-kmp-default-4.4.4_28_k3.12.61_52.119-22.62.1 xen-kmp-default-debuginfo-4.4.4_28_k3.12.61_52.119-22.62.1 xen-libs-32bit-4.4.4_28-22.62.1 xen-libs-4.4.4_28-22.62.1 xen-libs-debuginfo-32bit-4.4.4_28-22.62.1 xen-libs-debuginfo-4.4.4_28-22.62.1 xen-tools-4.4.4_28-22.62.1 xen-tools-debuginfo-4.4.4_28-22.62.1 xen-tools-domU-4.4.4_28-22.62.1 xen-tools-domU-debuginfo-4.4.4_28-22.62.1 References: https://www.suse.com/security/cve/CVE-2017-15595.html https://www.suse.com/security/cve/CVE-2017-17563.html https://www.suse.com/security/cve/CVE-2017-17564.html https://www.suse.com/security/cve/CVE-2017-17565.html https://www.suse.com/security/cve/CVE-2017-17566.html https://www.suse.com/security/cve/CVE-2017-18030.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2017-5753.html https://www.suse.com/security/cve/CVE-2017-5754.html https://www.suse.com/security/cve/CVE-2018-5683.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1035442 https://bugzilla.suse.com/1061081 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1070158 https://bugzilla.suse.com/1070159 https://bugzilla.suse.com/1070160 https://bugzilla.suse.com/1070163 https://bugzilla.suse.com/1074562 https://bugzilla.suse.com/1076116 https://bugzilla.suse.com/1076180 https://bugzilla.suse.com/1080635 https://bugzilla.suse.com/1080662 From sle-security-updates at lists.suse.com Mon Mar 5 07:11:01 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 5 Mar 2018 15:11:01 +0100 (CET) Subject: SUSE-SU-2018:0602-1: moderate: Security update for rubygem-puppet Message-ID: <20180305141101.8466EFD35@maintenance.suse.de> SUSE Security Update: Security update for rubygem-puppet ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0602-1 Rating: moderate References: #1080288 Cross-References: CVE-2017-10689 Affected Products: SUSE Linux Enterprise Module for Advanced Systems Management 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for rubygem-puppet fixes the following issues: - CVE-2017-10689: Reset permissions when unpacking tar in PMT. When using minitar, files were unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions (bsc#1080288) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Advanced Systems Management 12: zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2018-409=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64): ruby2.1-rubygem-puppet-4.8.1-32.3.1 rubygem-puppet-4.8.1-32.3.1 References: https://www.suse.com/security/cve/CVE-2017-10689.html https://bugzilla.suse.com/1080288 From sle-security-updates at lists.suse.com Mon Mar 5 07:11:51 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 5 Mar 2018 15:11:51 +0100 (CET) Subject: SUSE-SU-2018:0604-1: important: Security update for cups Message-ID: <20180305141151.F1E8CFD28@maintenance.suse.de> SUSE Security Update: Security update for cups ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0604-1 Rating: important References: #1081557 Cross-References: CVE-2017-18190 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for cups fixes the following issues: - CVE-2017-18190: Removed localhost.localdomain from list of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP command execution in conjunction with DNS rebinding. (bsc#1081557) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-410=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-410=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-410=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-410=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-410=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-410=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-410=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-410=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-410=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-410=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-410=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 6 (x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): cups-ddk-1.7.5-20.3.1 cups-ddk-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-devel-1.7.5-20.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): cups-ddk-1.7.5-20.3.1 cups-ddk-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-devel-1.7.5-20.3.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): cups-1.7.5-20.3.1 cups-client-1.7.5-20.3.1 cups-client-debuginfo-1.7.5-20.3.1 cups-debuginfo-1.7.5-20.3.1 cups-debugsource-1.7.5-20.3.1 cups-libs-1.7.5-20.3.1 cups-libs-32bit-1.7.5-20.3.1 cups-libs-debuginfo-1.7.5-20.3.1 cups-libs-debuginfo-32bit-1.7.5-20.3.1 References: https://www.suse.com/security/cve/CVE-2017-18190.html https://bugzilla.suse.com/1081557 From sle-security-updates at lists.suse.com Mon Mar 5 13:07:55 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 5 Mar 2018 21:07:55 +0100 (CET) Subject: SUSE-SU-2018:0607-1: moderate: Security update for wavpack Message-ID: <20180305200755.A8FA9FCA8@maintenance.suse.de> SUSE Security Update: Security update for wavpack ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0607-1 Rating: moderate References: #1021483 Cross-References: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for wavpack fixes the following issues: - CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172: Make sure upper and lower boundaries make sense, to avoid out of bounds memory reads that could lead to crashes or disclosing memory. (bsc#1021483) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-wavpack-13499=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-wavpack-13499=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-wavpack-13499=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): wavpack-4.50.1-1.27.1 wavpack-devel-4.50.1-1.27.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libwavpack1-4.50.1-1.27.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): wavpack-debuginfo-4.50.1-1.27.1 wavpack-debugsource-4.50.1-1.27.1 References: https://www.suse.com/security/cve/CVE-2016-10169.html https://www.suse.com/security/cve/CVE-2016-10170.html https://www.suse.com/security/cve/CVE-2016-10171.html https://www.suse.com/security/cve/CVE-2016-10172.html https://bugzilla.suse.com/1021483 From sle-security-updates at lists.suse.com Mon Mar 5 13:08:26 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 5 Mar 2018 21:08:26 +0100 (CET) Subject: SUSE-SU-2018:0608-1: moderate: Security update for wavpack Message-ID: <20180305200826.2E78EFCA8@maintenance.suse.de> SUSE Security Update: Security update for wavpack ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0608-1 Rating: moderate References: #1021483 Cross-References: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for wavpack fixes the following issues: - CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172: Make sure upper and lower boundaries make sense, to avoid out of bounds memory reads that could lead to crashes or disclosing memory. (bsc#1021483) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-414=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-414=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-414=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-414=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-414=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-414=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-414=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): wavpack-4.60.99-5.3.1 wavpack-debuginfo-4.60.99-5.3.1 wavpack-debugsource-4.60.99-5.3.1 wavpack-devel-4.60.99-5.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): wavpack-4.60.99-5.3.1 wavpack-debuginfo-4.60.99-5.3.1 wavpack-debugsource-4.60.99-5.3.1 wavpack-devel-4.60.99-5.3.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libwavpack1-4.60.99-5.3.1 libwavpack1-debuginfo-4.60.99-5.3.1 wavpack-debuginfo-4.60.99-5.3.1 wavpack-debugsource-4.60.99-5.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libwavpack1-4.60.99-5.3.1 libwavpack1-debuginfo-4.60.99-5.3.1 wavpack-debuginfo-4.60.99-5.3.1 wavpack-debugsource-4.60.99-5.3.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libwavpack1-4.60.99-5.3.1 libwavpack1-debuginfo-4.60.99-5.3.1 wavpack-debuginfo-4.60.99-5.3.1 wavpack-debugsource-4.60.99-5.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libwavpack1-4.60.99-5.3.1 libwavpack1-debuginfo-4.60.99-5.3.1 wavpack-debuginfo-4.60.99-5.3.1 wavpack-debugsource-4.60.99-5.3.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libwavpack1-4.60.99-5.3.1 libwavpack1-debuginfo-4.60.99-5.3.1 wavpack-debuginfo-4.60.99-5.3.1 wavpack-debugsource-4.60.99-5.3.1 References: https://www.suse.com/security/cve/CVE-2016-10169.html https://www.suse.com/security/cve/CVE-2016-10170.html https://www.suse.com/security/cve/CVE-2016-10171.html https://www.suse.com/security/cve/CVE-2016-10172.html https://bugzilla.suse.com/1021483 From sle-security-updates at lists.suse.com Mon Mar 5 13:08:54 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 5 Mar 2018 21:08:54 +0100 (CET) Subject: SUSE-SU-2018:0609-1: important: Security update for xen Message-ID: <20180305200854.08C7CFCA8@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0609-1 Rating: important References: #1035442 #1061081 #1068032 #1070158 #1070159 #1070160 #1070163 #1074562 #1076116 #1076180 #1080635 #1080662 Cross-References: CVE-2017-15595 CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566 CVE-2017-18030 CVE-2017-5715 CVE-2017-5753 CVE-2017-5754 CVE-2018-5683 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS ______________________________________________________________________________ An update that solves 10 vulnerabilities and has two fixes is now available. Description: This update for xen fixes several issues. These security issues were fixed: - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks via side effects of speculative execution, aka "Spectre" and "Meltdown" attacks (bsc#1074562, bsc#1068032) - CVE-2018-5683: The vga_draw_text function allowed local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation (bsc#1076116). - CVE-2017-18030: The cirrus_invalidate_region function allowed local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch (bsc#1076180). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081) - CVE-2017-17566: Prevent PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page (bsc#1070158). - CVE-2017-17563: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode (bsc#1070159). - CVE-2017-17564: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode (bsc#1070160). - CVE-2017-17565: Prevent PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P (bsc#1070163). - Added missing intermediate preemption checks for guest requesting removal of memory. This allowed malicious guest administrator to cause denial of service due to the high cost of this operation (bsc#1080635). - Because of XEN not returning the proper error messages when transitioning grant tables from v2 to v1 a malicious guest was able to cause DoS or potentially allowed for privilege escalation as well as information leaks (bsc#1080662). This non-security issue was fixed: - bsc#1035442: Increased the value of LIBXL_DESTROY_TIMEOUT from 10 to 100 seconds. If many domUs shutdown in parallel the backends couldn't keep up Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-415=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-415=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-415=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 6 (x86_64): xen-4.5.5_24-22.43.1 xen-debugsource-4.5.5_24-22.43.1 xen-doc-html-4.5.5_24-22.43.1 xen-kmp-default-4.5.5_24_k3.12.74_60.64.82-22.43.1 xen-kmp-default-debuginfo-4.5.5_24_k3.12.74_60.64.82-22.43.1 xen-libs-32bit-4.5.5_24-22.43.1 xen-libs-4.5.5_24-22.43.1 xen-libs-debuginfo-32bit-4.5.5_24-22.43.1 xen-libs-debuginfo-4.5.5_24-22.43.1 xen-tools-4.5.5_24-22.43.1 xen-tools-debuginfo-4.5.5_24-22.43.1 xen-tools-domU-4.5.5_24-22.43.1 xen-tools-domU-debuginfo-4.5.5_24-22.43.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): xen-4.5.5_24-22.43.1 xen-debugsource-4.5.5_24-22.43.1 xen-doc-html-4.5.5_24-22.43.1 xen-kmp-default-4.5.5_24_k3.12.74_60.64.82-22.43.1 xen-kmp-default-debuginfo-4.5.5_24_k3.12.74_60.64.82-22.43.1 xen-libs-32bit-4.5.5_24-22.43.1 xen-libs-4.5.5_24-22.43.1 xen-libs-debuginfo-32bit-4.5.5_24-22.43.1 xen-libs-debuginfo-4.5.5_24-22.43.1 xen-tools-4.5.5_24-22.43.1 xen-tools-debuginfo-4.5.5_24-22.43.1 xen-tools-domU-4.5.5_24-22.43.1 xen-tools-domU-debuginfo-4.5.5_24-22.43.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): xen-4.5.5_24-22.43.1 xen-debugsource-4.5.5_24-22.43.1 xen-doc-html-4.5.5_24-22.43.1 xen-kmp-default-4.5.5_24_k3.12.74_60.64.82-22.43.1 xen-kmp-default-debuginfo-4.5.5_24_k3.12.74_60.64.82-22.43.1 xen-libs-32bit-4.5.5_24-22.43.1 xen-libs-4.5.5_24-22.43.1 xen-libs-debuginfo-32bit-4.5.5_24-22.43.1 xen-libs-debuginfo-4.5.5_24-22.43.1 xen-tools-4.5.5_24-22.43.1 xen-tools-debuginfo-4.5.5_24-22.43.1 xen-tools-domU-4.5.5_24-22.43.1 xen-tools-domU-debuginfo-4.5.5_24-22.43.1 References: https://www.suse.com/security/cve/CVE-2017-15595.html https://www.suse.com/security/cve/CVE-2017-17563.html https://www.suse.com/security/cve/CVE-2017-17564.html https://www.suse.com/security/cve/CVE-2017-17565.html https://www.suse.com/security/cve/CVE-2017-17566.html https://www.suse.com/security/cve/CVE-2017-18030.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2017-5753.html https://www.suse.com/security/cve/CVE-2017-5754.html https://www.suse.com/security/cve/CVE-2018-5683.html https://bugzilla.suse.com/1035442 https://bugzilla.suse.com/1061081 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1070158 https://bugzilla.suse.com/1070159 https://bugzilla.suse.com/1070160 https://bugzilla.suse.com/1070163 https://bugzilla.suse.com/1074562 https://bugzilla.suse.com/1076116 https://bugzilla.suse.com/1076180 https://bugzilla.suse.com/1080635 https://bugzilla.suse.com/1080662 From sle-security-updates at lists.suse.com Wed Mar 7 07:07:26 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Mar 2018 15:07:26 +0100 (CET) Subject: SUSE-SU-2018:0630-1: important: Security update for java-1_7_1-ibm Message-ID: <20180307140726.6623EFD8A@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_1-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0630-1 Rating: important References: #1057460 #1076390 #1082810 #929900 #966304 Cross-References: CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2657 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: This update for java-1_7_1-ibm provides the following fix: The version was updated to 7.1.4.20 [bsc#1082810] * Security fixes: - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 * Defect fixes: - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl ??? Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl ??? Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl ??? SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-java-1_7_1-ibm-13500=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-java-1_7_1-ibm-13500=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ppc64 s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.20-26.13.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ppc64 s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.20-26.13.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-26.13.1 - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-26.13.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-26.13.1 References: https://www.suse.com/security/cve/CVE-2018-2579.html https://www.suse.com/security/cve/CVE-2018-2582.html https://www.suse.com/security/cve/CVE-2018-2588.html https://www.suse.com/security/cve/CVE-2018-2599.html https://www.suse.com/security/cve/CVE-2018-2602.html https://www.suse.com/security/cve/CVE-2018-2603.html https://www.suse.com/security/cve/CVE-2018-2618.html https://www.suse.com/security/cve/CVE-2018-2633.html https://www.suse.com/security/cve/CVE-2018-2634.html https://www.suse.com/security/cve/CVE-2018-2637.html https://www.suse.com/security/cve/CVE-2018-2641.html https://www.suse.com/security/cve/CVE-2018-2657.html https://www.suse.com/security/cve/CVE-2018-2663.html https://www.suse.com/security/cve/CVE-2018-2677.html https://www.suse.com/security/cve/CVE-2018-2678.html https://bugzilla.suse.com/1057460 https://bugzilla.suse.com/1076390 https://bugzilla.suse.com/1082810 https://bugzilla.suse.com/929900 https://bugzilla.suse.com/966304 From sle-security-updates at lists.suse.com Wed Mar 7 07:08:37 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Mar 2018 15:08:37 +0100 (CET) Subject: SUSE-SU-2018:0631-1: moderate: Security update for yaml-cpp Message-ID: <20180307140837.384D9FD89@maintenance.suse.de> SUSE Security Update: Security update for yaml-cpp ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0631-1 Rating: moderate References: #1032144 Cross-References: CVE-2017-5950 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for yaml-cpp fixes the following issues: - CVE-2017-5950: Stack overflow in SingleDocParser::HandleNode() function (bsc#1032144) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-423=1 - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-423=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-423=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-423=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): libyaml-cpp0_5-0.5.3-3.3.2 libyaml-cpp0_5-debuginfo-0.5.3-3.3.2 yaml-cpp-debugsource-0.5.3-3.3.2 - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): libyaml-cpp0_5-0.5.3-3.3.2 libyaml-cpp0_5-debuginfo-0.5.3-3.3.2 yaml-cpp-debugsource-0.5.3-3.3.2 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libyaml-cpp0_5-0.5.3-3.3.2 libyaml-cpp0_5-debuginfo-0.5.3-3.3.2 yaml-cpp-debugsource-0.5.3-3.3.2 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libyaml-cpp0_5-0.5.3-3.3.2 libyaml-cpp0_5-debuginfo-0.5.3-3.3.2 yaml-cpp-debugsource-0.5.3-3.3.2 References: https://www.suse.com/security/cve/CVE-2017-5950.html https://bugzilla.suse.com/1032144 From sle-security-updates at lists.suse.com Thu Mar 8 10:13:01 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Mar 2018 18:13:01 +0100 (CET) Subject: SUSE-SU-2018:0552-2: moderate: Security update for SUSE Manager Server 3.1 Message-ID: <20180308171301.EA9F6FDF1@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Server 3.1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0552-2 Rating: moderate References: #1015956 #1016377 #1022077 #1022078 #1028285 #1031081 #1036302 #1045289 #1055296 #1061273 #1061574 #1063419 #1063759 #1064258 #1065023 #1065259 #1067608 #1068032 #1069943 #1070161 #1070372 #1070597 #1070782 #1071314 #1071468 #1071526 #1071553 #1072153 #1072157 #1072160 #1072797 #1073474 #1073482 #1073619 #1073713 #1073739 #1074300 #1074430 #1074508 #1074854 #1075044 #1075254 #1075345 #1075408 #1075862 #1076034 #1076201 #1076578 #1077076 #1077730 #1078749 #1079820 #979616 #979633 Cross-References: CVE-2017-5715 CVE-2017-5753 CVE-2017-5754 Affected Products: SUSE Manager Server 3.1 ______________________________________________________________________________ An update that solves three vulnerabilities and has 51 fixes is now available. Description: This update fixes the following issues: nutch: - Fix hadoop log dir. (bsc#1061574) osad, rhnlib: - Fix update mechanism when updating the updateservice (bsc#1073619) pxe-default-image: - Spectre and Meltdown mitigation. (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, bsc#1068032) spacecmd: - Support multiple FQDNs per system. (bsc#1063419) - Added custom JSON encoder in order to parse date fields correctly. (bsc#1070372) spacewalk-backend: - Fix spacewalk-data-fsck restore of broken package database entry. (bsc#1071526) - Support multiple FQDNs per system. (bsc#1063419) - Fix restore hostname and ip*addr in templated documents. (bsc#1075044) - Fix directory name in spacewalk-data-fsck. spacewalk-branding: - Replace custom states with configuration channels. - Fix pre formatted code. (bsc#1067608) - Fix message about package profile sync. (bsc#1073739) - Fix naming of the Tools channel. (bsc#979633) spacewalk-client-tools: - Support multiple FQDNs per system. (bsc#1063419) - Fix update mechanism when updating the updateservice. (bsc#1073619) spacewalk-java: - Fix the file count for deployed files. (bsc#1074300) - Remove previous activation keys when migrating to salt. (bsc#1031081) - Improve webui for comparing files. (bsc#1076201) - Separate Salt calls based on config revisions and server grouping. (bsc#1074854) - For minion, no option to modifiy config file but just view. - Handle gpg_check correctly. (bsc#1076578) - Uniform date formatting in System Details view. (bsc#1045289) - Import content of custom states from filesystem to database on startup, backup old state files. - Change the directory of the (normal) configuration channels from mgr_cfg_org_N to manager_org_N. - Replace custom states with configuration channels. - Hide ownership/permission fields from create/upload config file forms for state channels. (bsc#1072153) - Hide files from state channels from deploy/compare file lists. (bsc#1072160) - Disable and hide deploy files tab for state config channels. (bsc#1072157) - Allow ordering config channels in state revision. - Disallow creating 'normal' config channels when a 'state' channel with the same name and org already exists and vice versa. - UI has been updated to manage state channels. - Support multiple FQDNs per system. (bsc#1063419) - Setting 'Base Channels' as default tab for 'Channels' tab in SSM Overview screen. (bsc#979616) - Log triggers that are in ERROR state. - Refresh pillar data on formular change. (bsc#1028285) - Uniform the notification message when rebooting a system. (bsc#1036302) - Avoid use of the potentially-slow rhnServerNeededPackageCache view. - Speed up scheduling of package updates through the SSM. (bsc#1076034) - Fix encoding/decoding of url_bounce with more parameters. (bsc#1075408) - After dry-run, sync channels back with the server. (bsc#1071468) - Fix message about package profile sync. (bsc#1073739) - On registration, assign server to the organization of the creator when activation key is empty. (bsc#1016377) - Fix logging issues when saving autoyast profiles. (bsc#1073474) - Add VM state as info gathered from VMware. (bsc#1063759) - Improve performance of token checking, when RPMs or metadata are downloaded from minions. (bsc#1061273) - Allow selecting unnamed context in kubeconfig. (bsc#1073482) - Fix action names and date formatting in system event history. (bsc#1073713) - Fix incorrect 'os-release' report after SP migration. (bsc#1071553) - Fix failed package installation when in RES 32 and 64 bit packages are installed together. (bsc#1071314) - Add user preferences in order to change items-per-page. (bsc#1055296) - Order salt formulas alphabetically. (bsc#1022077) - Improved error message. (bsc#1064258) - Display messages about wrong input more end-user friendly. (bsc#1015956) - Add api calls for content staging. - Fix content refresh when product keys change. (bsc#1069943) - Allow 'Package List Refresh' when package arch has changed. (bsc#1065259) - New API call for scheduling highstate application. - Adding initial version of web ui notifications. - Show the time on the event history page in the users preferred timezone. spacewalk-reports, spacewalk-search: - More rhnServerNetwork refactoring (bsc#1063419) spacewalk-utils: - Remove restrictions imposed on regex used in 'removelist' parameter passed to spacewalk-clone-by-date that allowed only exact match. (bsc#1075254) spacewalk-web: - Replace custom states with configuration channels. - Add 'yaml' option for Ace editor. - Add links to salt formula list and adjust behavior. (bsc#1022078) - Allow selecting unnamed context in kubeconfig. (bsc#1073482) - Add user preferences in order to change items-per-page. (bsc#1055296) - Fix main menu column height. - Adding initial version of web ui notifications. susemanager: - Fix custom SERVER_KEY overriding. (bsc#1075862) - Detect subvolumes on /var even with newer btrfs tools. (bsc#1077076) - Notify admin that database backups need reconfiguration after db upgrade. - Add syslinux-x86_64 dependency for ppc64le. (bsc#1065023) - Do not try to force db encoding on db upgrade; use same value as for installation. (bsc#1077730) susemanager-schema: - Make migration idempotent. (bsc#1078749) - Fix schema with proper extension. (bsc#1079820) - Migrate old custom states to state channels, assign systems to these new channels, delete old custom-state-to-system assignments, delete the custom states from the db; Before migrating, rename custom states with same name as existing configuration channel labels. - Update queries for global channels. - Check if channel is already subscribed even before checking if parent channel is subscribed or not. (bsc#1072797) - Support multiple FQDNs per system. (bsc#1063419) - Avoid use of the potentially-slow rhnServerNeededPackageCache view. - Handle duplicate serverpackage entries while fixing duplicate evr ids. (bsc#1075345) - Fix duplicate entries in channel listings. - Handle nevra not found case while fixing duplicate evr ids. (bsc#1074508) - Added a script which will remove existing server locks against minions. (bsc#1064258) - Add column to store the 'test' option for state apply actions. - Adding initial version of web ui notifications. susemanager-sls: - Compare osmajorrelease in jinja always as integer. - Python3 compatibility fixes in modules and states. - Fix cleanup state error when deleting ssh-push minion. (bsc#1070161) - Fix image inspect when entrypoint is used by overwriting it. (bsc#1070782) susemanager-sync-data: - Use TLS for mirroring OES2018 channels. (bsc#1074430) - Add SUSE Manager Server 3.0 and 3.1 channels for mirroring. virtual-host-gatherer: - Add VM state as info gathered from VMware. (bsc#1063759) - Explore the entire tree of nodes from VMware. (bsc#1070597) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-361=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager Server 3.1 (ppc64le s390x): spacewalk-branding-2.7.2.11-2.12.6 susemanager-3.1.12-2.12.3 susemanager-tools-3.1.12-2.12.3 - SUSE Manager Server 3.1 (noarch): nutch-1.0-0.9.6.2 osa-common-5.11.80.5-2.9.2 osa-dispatcher-5.11.80.5-2.9.2 pxe-default-image-3.1-0.13.3.3 pxe-default-image-debugsource-3.1-0.13.3.3 rhnlib-2.7.2.2-3.3.2 spacecmd-2.7.8.9-2.12.2 spacewalk-backend-2.7.73.11-2.12.3 spacewalk-backend-app-2.7.73.11-2.12.3 spacewalk-backend-applet-2.7.73.11-2.12.3 spacewalk-backend-config-files-2.7.73.11-2.12.3 spacewalk-backend-config-files-common-2.7.73.11-2.12.3 spacewalk-backend-config-files-tool-2.7.73.11-2.12.3 spacewalk-backend-iss-2.7.73.11-2.12.3 spacewalk-backend-iss-export-2.7.73.11-2.12.3 spacewalk-backend-libs-2.7.73.11-2.12.3 spacewalk-backend-package-push-server-2.7.73.11-2.12.3 spacewalk-backend-server-2.7.73.11-2.12.3 spacewalk-backend-sql-2.7.73.11-2.12.3 spacewalk-backend-sql-oracle-2.7.73.11-2.12.3 spacewalk-backend-sql-postgresql-2.7.73.11-2.12.3 spacewalk-backend-tools-2.7.73.11-2.12.3 spacewalk-backend-xml-export-libs-2.7.73.11-2.12.3 spacewalk-backend-xmlrpc-2.7.73.11-2.12.3 spacewalk-base-2.7.1.14-2.12.3 spacewalk-base-minimal-2.7.1.14-2.12.3 spacewalk-base-minimal-config-2.7.1.14-2.12.3 spacewalk-client-tools-2.7.6.3-3.3.3 spacewalk-html-2.7.1.14-2.12.3 spacewalk-java-2.7.46.10-2.14.2 spacewalk-java-config-2.7.46.10-2.14.2 spacewalk-java-lib-2.7.46.10-2.14.2 spacewalk-java-oracle-2.7.46.10-2.14.2 spacewalk-java-postgresql-2.7.46.10-2.14.2 spacewalk-reports-2.7.5.4-2.6.3 spacewalk-search-2.7.3.4-2.9.7 spacewalk-taskomatic-2.7.46.10-2.14.2 spacewalk-utils-2.7.10.6-2.6.3 susemanager-schema-3.1.15-2.16.1 susemanager-sls-3.1.15-2.16.2 susemanager-sync-data-3.1.10-2.14.2 virtual-host-gatherer-1.0.16-2.9.3 virtual-host-gatherer-Kubernetes-1.0.16-2.9.3 virtual-host-gatherer-VMware-1.0.16-2.9.3 References: https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2017-5753.html https://www.suse.com/security/cve/CVE-2017-5754.html https://bugzilla.suse.com/1015956 https://bugzilla.suse.com/1016377 https://bugzilla.suse.com/1022077 https://bugzilla.suse.com/1022078 https://bugzilla.suse.com/1028285 https://bugzilla.suse.com/1031081 https://bugzilla.suse.com/1036302 https://bugzilla.suse.com/1045289 https://bugzilla.suse.com/1055296 https://bugzilla.suse.com/1061273 https://bugzilla.suse.com/1061574 https://bugzilla.suse.com/1063419 https://bugzilla.suse.com/1063759 https://bugzilla.suse.com/1064258 https://bugzilla.suse.com/1065023 https://bugzilla.suse.com/1065259 https://bugzilla.suse.com/1067608 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1069943 https://bugzilla.suse.com/1070161 https://bugzilla.suse.com/1070372 https://bugzilla.suse.com/1070597 https://bugzilla.suse.com/1070782 https://bugzilla.suse.com/1071314 https://bugzilla.suse.com/1071468 https://bugzilla.suse.com/1071526 https://bugzilla.suse.com/1071553 https://bugzilla.suse.com/1072153 https://bugzilla.suse.com/1072157 https://bugzilla.suse.com/1072160 https://bugzilla.suse.com/1072797 https://bugzilla.suse.com/1073474 https://bugzilla.suse.com/1073482 https://bugzilla.suse.com/1073619 https://bugzilla.suse.com/1073713 https://bugzilla.suse.com/1073739 https://bugzilla.suse.com/1074300 https://bugzilla.suse.com/1074430 https://bugzilla.suse.com/1074508 https://bugzilla.suse.com/1074854 https://bugzilla.suse.com/1075044 https://bugzilla.suse.com/1075254 https://bugzilla.suse.com/1075345 https://bugzilla.suse.com/1075408 https://bugzilla.suse.com/1075862 https://bugzilla.suse.com/1076034 https://bugzilla.suse.com/1076201 https://bugzilla.suse.com/1076578 https://bugzilla.suse.com/1077076 https://bugzilla.suse.com/1077730 https://bugzilla.suse.com/1078749 https://bugzilla.suse.com/1079820 https://bugzilla.suse.com/979616 https://bugzilla.suse.com/979633 From sle-security-updates at lists.suse.com Thu Mar 8 13:08:36 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Mar 2018 21:08:36 +0100 (CET) Subject: SUSE-SU-2018:0636-1: moderate: Security update for squid Message-ID: <20180308200836.E899DFDF1@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0636-1 Rating: moderate References: #1077003 #1077006 Cross-References: CVE-2018-1000024 CVE-2018-1000027 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for squid fixes the following issues: Security issues fixed: - CVE-2018-1000024: DoS fix caused by incorrect pointer handling when processing ESI responses. This affects the default custom esi_parser (bsc#1077003). - CVE-2018-1000027: DoS fix caused by incorrect pointer handing whien processing ESI responses or downloading intermediate CA certificates (bsc#1077006). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-428=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-428=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-428=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): squid-3.5.21-26.6.1 squid-debuginfo-3.5.21-26.6.1 squid-debugsource-3.5.21-26.6.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): squid-3.5.21-26.6.1 squid-debuginfo-3.5.21-26.6.1 squid-debugsource-3.5.21-26.6.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): squid-3.5.21-26.6.1 squid-debuginfo-3.5.21-26.6.1 squid-debugsource-3.5.21-26.6.1 References: https://www.suse.com/security/cve/CVE-2018-1000024.html https://www.suse.com/security/cve/CVE-2018-1000027.html https://bugzilla.suse.com/1077003 https://bugzilla.suse.com/1077006 From sle-security-updates at lists.suse.com Thu Mar 8 13:09:20 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Mar 2018 21:09:20 +0100 (CET) Subject: SUSE-SU-2018:0637-1: moderate: Security update for shotwell Message-ID: <20180308200920.DFD44FDF1@maintenance.suse.de> SUSE Security Update: Security update for shotwell ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0637-1 Rating: moderate References: #1054311 Cross-References: CVE-2017-1000024 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for shotwell fixes the following issues: Security issue fixed: - CVE-2017-1000024: Use HTTPS encryption all over the publishing plugins (bsc#1054311). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-429=1 - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-429=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-429=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-429=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): shotwell-0.22.0+git.20160103-15.6.1 shotwell-debuginfo-0.22.0+git.20160103-15.6.1 shotwell-debugsource-0.22.0+git.20160103-15.6.1 - SUSE Linux Enterprise Workstation Extension 12-SP3 (noarch): shotwell-lang-0.22.0+git.20160103-15.6.1 - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): shotwell-0.22.0+git.20160103-15.6.1 shotwell-debuginfo-0.22.0+git.20160103-15.6.1 shotwell-debugsource-0.22.0+git.20160103-15.6.1 - SUSE Linux Enterprise Workstation Extension 12-SP2 (noarch): shotwell-lang-0.22.0+git.20160103-15.6.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): shotwell-lang-0.22.0+git.20160103-15.6.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): shotwell-0.22.0+git.20160103-15.6.1 shotwell-debuginfo-0.22.0+git.20160103-15.6.1 shotwell-debugsource-0.22.0+git.20160103-15.6.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): shotwell-lang-0.22.0+git.20160103-15.6.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): shotwell-0.22.0+git.20160103-15.6.1 shotwell-debuginfo-0.22.0+git.20160103-15.6.1 shotwell-debugsource-0.22.0+git.20160103-15.6.1 References: https://www.suse.com/security/cve/CVE-2017-1000024.html https://bugzilla.suse.com/1054311 From sle-security-updates at lists.suse.com Thu Mar 8 13:09:54 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Mar 2018 21:09:54 +0100 (CET) Subject: SUSE-SU-2018:0638-1: important: Security update for xen Message-ID: <20180308200954.B7627FDF1@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0638-1 Rating: important References: #1027519 #1031382 #1035442 #1061081 #1068032 #1070158 #1070159 #1070160 #1070163 #1074562 #1076116 #1076180 #1080635 #1080662 Cross-References: CVE-2017-15595 CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566 CVE-2017-18030 CVE-2017-5715 CVE-2017-5753 CVE-2017-5754 CVE-2018-5683 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that solves 10 vulnerabilities and has four fixes is now available. Description: This update for xen fixes several issues. This new feature was included: - add script and sysv service to watch for vcpu online/offline events in a HVM domU These security issues were fixed: - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks via side effects of speculative execution, aka "Spectre" and "Meltdown" attacks (bsc#1074562, bsc#1068032) - CVE-2018-5683: The vga_draw_text function allowed local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation (bsc#1076116). - CVE-2017-18030: The cirrus_invalidate_region function allowed local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch (bsc#1076180). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081) - CVE-2017-17566: Prevent PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page (bsc#1070158). - CVE-2017-17563: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode (bsc#1070159). - CVE-2017-17564: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode (bsc#1070160). - CVE-2017-17565: Prevent PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P (bsc#1070163). - Added missing intermediate preemption checks for guest requesting removal of memory. This allowed malicious guest administrator to cause denial of service due to the high cost of this operation (bsc#1080635). - Because of XEN not returning the proper error messages when transitioning grant tables from v2 to v1 a malicious guest was able to cause DoS or potentially allowed for privilege escalation as well as information leaks (bsc#1080662). These non-security issues were fixed: - bsc#1035442: Increased the value of LIBXL_DESTROY_TIMEOUT from 10 to 100 seconds. If many domUs shutdown in parallel the backends couldn't keep up - bsc#1031382: Prevent VMs from crashing when migrating between dom0 hosts in case read() returns zero on the receiver side. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-xen-13501=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-xen-13501=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-xen-13501=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64): xen-devel-4.4.4_28-61.23.2 - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64): xen-kmp-default-4.4.4_28_3.0.101_108.35-61.23.2 xen-libs-4.4.4_28-61.23.2 xen-tools-domU-4.4.4_28-61.23.2 - SUSE Linux Enterprise Server 11-SP4 (x86_64): xen-4.4.4_28-61.23.2 xen-doc-html-4.4.4_28-61.23.2 xen-libs-32bit-4.4.4_28-61.23.2 xen-tools-4.4.4_28-61.23.2 - SUSE Linux Enterprise Server 11-SP4 (i586): xen-kmp-pae-4.4.4_28_3.0.101_108.35-61.23.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64): xen-debuginfo-4.4.4_28-61.23.2 xen-debugsource-4.4.4_28-61.23.2 References: https://www.suse.com/security/cve/CVE-2017-15595.html https://www.suse.com/security/cve/CVE-2017-17563.html https://www.suse.com/security/cve/CVE-2017-17564.html https://www.suse.com/security/cve/CVE-2017-17565.html https://www.suse.com/security/cve/CVE-2017-17566.html https://www.suse.com/security/cve/CVE-2017-18030.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2017-5753.html https://www.suse.com/security/cve/CVE-2017-5754.html https://www.suse.com/security/cve/CVE-2018-5683.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1031382 https://bugzilla.suse.com/1035442 https://bugzilla.suse.com/1061081 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1070158 https://bugzilla.suse.com/1070159 https://bugzilla.suse.com/1070160 https://bugzilla.suse.com/1070163 https://bugzilla.suse.com/1074562 https://bugzilla.suse.com/1076116 https://bugzilla.suse.com/1076180 https://bugzilla.suse.com/1080635 https://bugzilla.suse.com/1080662 From sle-security-updates at lists.suse.com Thu Mar 8 13:12:52 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Mar 2018 21:12:52 +0100 (CET) Subject: SUSE-SU-2018:0639-1: moderate: Security update for evince Message-ID: <20180308201252.4E86BFDF1@maintenance.suse.de> SUSE Security Update: Security update for evince ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0639-1 Rating: moderate References: #1070046 Cross-References: CVE-2017-1000159 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for evince provides the following fix: - CVE-2017-1000159: Prevent command line injections via filenames when printing to a file. (bsc#1070046) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-evince-13502=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-evince-13502=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-evince-13502=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): evince-devel-2.28.2-0.7.3.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): evince-2.28.2-0.7.3.1 evince-doc-2.28.2-0.7.3.1 evince-lang-2.28.2-0.7.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): evince-debuginfo-2.28.2-0.7.3.1 evince-debugsource-2.28.2-0.7.3.1 References: https://www.suse.com/security/cve/CVE-2017-1000159.html https://bugzilla.suse.com/1070046 From sle-security-updates at lists.suse.com Fri Mar 9 04:09:56 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Mar 2018 12:09:56 +0100 (CET) Subject: SUSE-SU-2018:0645-1: important: Security update for java-1_7_0-ibm Message-ID: <20180309110956.B0204FDF2@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0645-1 Rating: important References: #1057460 #1076390 #1082810 #929900 #966304 Cross-References: CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2657 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 Affected Products: SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: This update for java-1_7_0-ibm provides the following fixes: The version was updated to 7.0.10.20 [bsc#1082810]: * Following security issues were fixed: - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 * Defect fixes: - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl ??? Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl ??? Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl ??? SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ02284 JIT Compiler: Division by zero in JIT compiler - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-java-1_7_0-ibm-13503=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-java-1_7_0-ibm-13503=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): java-1_7_0-ibm-1.7.0_sr10.20-65.13.1 java-1_7_0-ibm-devel-1.7.0_sr10.20-65.13.1 java-1_7_0-ibm-jdbc-1.7.0_sr10.20-65.13.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64): java-1_7_0-ibm-alsa-1.7.0_sr10.20-65.13.1 java-1_7_0-ibm-plugin-1.7.0_sr10.20-65.13.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): java-1_7_0-ibm-1.7.0_sr10.20-65.13.1 java-1_7_0-ibm-alsa-1.7.0_sr10.20-65.13.1 java-1_7_0-ibm-devel-1.7.0_sr10.20-65.13.1 java-1_7_0-ibm-jdbc-1.7.0_sr10.20-65.13.1 java-1_7_0-ibm-plugin-1.7.0_sr10.20-65.13.1 References: https://www.suse.com/security/cve/CVE-2018-2579.html https://www.suse.com/security/cve/CVE-2018-2582.html https://www.suse.com/security/cve/CVE-2018-2588.html https://www.suse.com/security/cve/CVE-2018-2599.html https://www.suse.com/security/cve/CVE-2018-2602.html https://www.suse.com/security/cve/CVE-2018-2603.html https://www.suse.com/security/cve/CVE-2018-2618.html https://www.suse.com/security/cve/CVE-2018-2633.html https://www.suse.com/security/cve/CVE-2018-2634.html https://www.suse.com/security/cve/CVE-2018-2637.html https://www.suse.com/security/cve/CVE-2018-2641.html https://www.suse.com/security/cve/CVE-2018-2657.html https://www.suse.com/security/cve/CVE-2018-2663.html https://www.suse.com/security/cve/CVE-2018-2677.html https://www.suse.com/security/cve/CVE-2018-2678.html https://bugzilla.suse.com/1057460 https://bugzilla.suse.com/1076390 https://bugzilla.suse.com/1082810 https://bugzilla.suse.com/929900 https://bugzilla.suse.com/966304 From sle-security-updates at lists.suse.com Fri Mar 9 04:11:20 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Mar 2018 12:11:20 +0100 (CET) Subject: SUSE-SU-2018:0646-1: moderate: Security update for php7 Message-ID: <20180309111120.2D281FDF1@maintenance.suse.de> SUSE Security Update: Security update for php7 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0646-1 Rating: moderate References: #1076970 #1083639 Cross-References: CVE-2018-7584 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for php7 provides the following fix: Security issues fixed: - CVE-2018-7584: Fixed stack-based buffer under-read while parsing an HTTPresponse in the php_stream_url_wrap_http_ex (bsc#1083639). Bug fixes: - Fix a memory leak in the pg_escape_bytea function of the pgsql extension. (bsc#1076970) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-434=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-434=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-434=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.0.7-50.32.1 php7-debugsource-7.0.7-50.32.1 php7-devel-7.0.7-50.32.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.0.7-50.32.1 php7-debugsource-7.0.7-50.32.1 php7-devel-7.0.7-50.32.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.0.7-50.32.1 apache2-mod_php7-debuginfo-7.0.7-50.32.1 php7-7.0.7-50.32.1 php7-bcmath-7.0.7-50.32.1 php7-bcmath-debuginfo-7.0.7-50.32.1 php7-bz2-7.0.7-50.32.1 php7-bz2-debuginfo-7.0.7-50.32.1 php7-calendar-7.0.7-50.32.1 php7-calendar-debuginfo-7.0.7-50.32.1 php7-ctype-7.0.7-50.32.1 php7-ctype-debuginfo-7.0.7-50.32.1 php7-curl-7.0.7-50.32.1 php7-curl-debuginfo-7.0.7-50.32.1 php7-dba-7.0.7-50.32.1 php7-dba-debuginfo-7.0.7-50.32.1 php7-debuginfo-7.0.7-50.32.1 php7-debugsource-7.0.7-50.32.1 php7-dom-7.0.7-50.32.1 php7-dom-debuginfo-7.0.7-50.32.1 php7-enchant-7.0.7-50.32.1 php7-enchant-debuginfo-7.0.7-50.32.1 php7-exif-7.0.7-50.32.1 php7-exif-debuginfo-7.0.7-50.32.1 php7-fastcgi-7.0.7-50.32.1 php7-fastcgi-debuginfo-7.0.7-50.32.1 php7-fileinfo-7.0.7-50.32.1 php7-fileinfo-debuginfo-7.0.7-50.32.1 php7-fpm-7.0.7-50.32.1 php7-fpm-debuginfo-7.0.7-50.32.1 php7-ftp-7.0.7-50.32.1 php7-ftp-debuginfo-7.0.7-50.32.1 php7-gd-7.0.7-50.32.1 php7-gd-debuginfo-7.0.7-50.32.1 php7-gettext-7.0.7-50.32.1 php7-gettext-debuginfo-7.0.7-50.32.1 php7-gmp-7.0.7-50.32.1 php7-gmp-debuginfo-7.0.7-50.32.1 php7-iconv-7.0.7-50.32.1 php7-iconv-debuginfo-7.0.7-50.32.1 php7-imap-7.0.7-50.32.1 php7-imap-debuginfo-7.0.7-50.32.1 php7-intl-7.0.7-50.32.1 php7-intl-debuginfo-7.0.7-50.32.1 php7-json-7.0.7-50.32.1 php7-json-debuginfo-7.0.7-50.32.1 php7-ldap-7.0.7-50.32.1 php7-ldap-debuginfo-7.0.7-50.32.1 php7-mbstring-7.0.7-50.32.1 php7-mbstring-debuginfo-7.0.7-50.32.1 php7-mcrypt-7.0.7-50.32.1 php7-mcrypt-debuginfo-7.0.7-50.32.1 php7-mysql-7.0.7-50.32.1 php7-mysql-debuginfo-7.0.7-50.32.1 php7-odbc-7.0.7-50.32.1 php7-odbc-debuginfo-7.0.7-50.32.1 php7-opcache-7.0.7-50.32.1 php7-opcache-debuginfo-7.0.7-50.32.1 php7-openssl-7.0.7-50.32.1 php7-openssl-debuginfo-7.0.7-50.32.1 php7-pcntl-7.0.7-50.32.1 php7-pcntl-debuginfo-7.0.7-50.32.1 php7-pdo-7.0.7-50.32.1 php7-pdo-debuginfo-7.0.7-50.32.1 php7-pgsql-7.0.7-50.32.1 php7-pgsql-debuginfo-7.0.7-50.32.1 php7-phar-7.0.7-50.32.1 php7-phar-debuginfo-7.0.7-50.32.1 php7-posix-7.0.7-50.32.1 php7-posix-debuginfo-7.0.7-50.32.1 php7-pspell-7.0.7-50.32.1 php7-pspell-debuginfo-7.0.7-50.32.1 php7-shmop-7.0.7-50.32.1 php7-shmop-debuginfo-7.0.7-50.32.1 php7-snmp-7.0.7-50.32.1 php7-snmp-debuginfo-7.0.7-50.32.1 php7-soap-7.0.7-50.32.1 php7-soap-debuginfo-7.0.7-50.32.1 php7-sockets-7.0.7-50.32.1 php7-sockets-debuginfo-7.0.7-50.32.1 php7-sqlite-7.0.7-50.32.1 php7-sqlite-debuginfo-7.0.7-50.32.1 php7-sysvmsg-7.0.7-50.32.1 php7-sysvmsg-debuginfo-7.0.7-50.32.1 php7-sysvsem-7.0.7-50.32.1 php7-sysvsem-debuginfo-7.0.7-50.32.1 php7-sysvshm-7.0.7-50.32.1 php7-sysvshm-debuginfo-7.0.7-50.32.1 php7-tokenizer-7.0.7-50.32.1 php7-tokenizer-debuginfo-7.0.7-50.32.1 php7-wddx-7.0.7-50.32.1 php7-wddx-debuginfo-7.0.7-50.32.1 php7-xmlreader-7.0.7-50.32.1 php7-xmlreader-debuginfo-7.0.7-50.32.1 php7-xmlrpc-7.0.7-50.32.1 php7-xmlrpc-debuginfo-7.0.7-50.32.1 php7-xmlwriter-7.0.7-50.32.1 php7-xmlwriter-debuginfo-7.0.7-50.32.1 php7-xsl-7.0.7-50.32.1 php7-xsl-debuginfo-7.0.7-50.32.1 php7-zip-7.0.7-50.32.1 php7-zip-debuginfo-7.0.7-50.32.1 php7-zlib-7.0.7-50.32.1 php7-zlib-debuginfo-7.0.7-50.32.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php7-pear-7.0.7-50.32.1 php7-pear-Archive_Tar-7.0.7-50.32.1 References: https://www.suse.com/security/cve/CVE-2018-7584.html https://bugzilla.suse.com/1076970 https://bugzilla.suse.com/1083639 From sle-security-updates at lists.suse.com Fri Mar 9 10:07:59 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Mar 2018 18:07:59 +0100 (CET) Subject: SUSE-SU-2018:0650-1: Security update for augeas Message-ID: <20180309170759.8E912F7BA@maintenance.suse.de> SUSE Security Update: Security update for augeas ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0650-1 Rating: low References: #1054171 Cross-References: CVE-2017-7555 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for augeas fixes the following issues: Security issue fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-439=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-439=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-439=1 - SUSE CaaS Platform ALL: zypper in -t patch SUSE-CAASP-ALL-2018-439=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): augeas-debuginfo-1.2.0-17.3.1 augeas-debugsource-1.2.0-17.3.1 augeas-devel-1.2.0-17.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): augeas-1.2.0-17.3.1 augeas-debuginfo-1.2.0-17.3.1 augeas-debugsource-1.2.0-17.3.1 augeas-lenses-1.2.0-17.3.1 libaugeas0-1.2.0-17.3.1 libaugeas0-debuginfo-1.2.0-17.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): augeas-1.2.0-17.3.1 augeas-debuginfo-1.2.0-17.3.1 augeas-debugsource-1.2.0-17.3.1 augeas-lenses-1.2.0-17.3.1 libaugeas0-1.2.0-17.3.1 libaugeas0-debuginfo-1.2.0-17.3.1 - SUSE CaaS Platform ALL (x86_64): augeas-debuginfo-1.2.0-17.3.1 augeas-debugsource-1.2.0-17.3.1 libaugeas0-1.2.0-17.3.1 libaugeas0-debuginfo-1.2.0-17.3.1 References: https://www.suse.com/security/cve/CVE-2017-7555.html https://bugzilla.suse.com/1054171 From sle-security-updates at lists.suse.com Fri Mar 9 10:08:42 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Mar 2018 18:08:42 +0100 (CET) Subject: SUSE-SU-2018:0652-1: Security update for augeas Message-ID: <20180309170842.6EEDFF7BA@maintenance.suse.de> SUSE Security Update: Security update for augeas ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0652-1 Rating: low References: #1054171 Cross-References: CVE-2017-7555 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP2 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for augeas fixes the following issues: Security issue fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-440=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-440=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-440=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-440=1 - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-440=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): augeas-debuginfo-1.2.0-12.3.1 augeas-debugsource-1.2.0-12.3.1 augeas-devel-1.2.0-12.3.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): augeas-1.2.0-12.3.1 augeas-debuginfo-1.2.0-12.3.1 augeas-debugsource-1.2.0-12.3.1 augeas-lenses-1.2.0-12.3.1 libaugeas0-1.2.0-12.3.1 libaugeas0-debuginfo-1.2.0-12.3.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): augeas-1.2.0-12.3.1 augeas-debuginfo-1.2.0-12.3.1 augeas-debugsource-1.2.0-12.3.1 augeas-lenses-1.2.0-12.3.1 libaugeas0-1.2.0-12.3.1 libaugeas0-debuginfo-1.2.0-12.3.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): augeas-1.2.0-12.3.1 augeas-debuginfo-1.2.0-12.3.1 augeas-debugsource-1.2.0-12.3.1 augeas-lenses-1.2.0-12.3.1 libaugeas0-1.2.0-12.3.1 libaugeas0-debuginfo-1.2.0-12.3.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): augeas-debuginfo-1.2.0-12.3.1 augeas-debugsource-1.2.0-12.3.1 libaugeas0-1.2.0-12.3.1 libaugeas0-debuginfo-1.2.0-12.3.1 References: https://www.suse.com/security/cve/CVE-2017-7555.html https://bugzilla.suse.com/1054171 From sle-security-updates at lists.suse.com Fri Mar 9 10:09:13 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Mar 2018 18:09:13 +0100 (CET) Subject: SUSE-SU-2018:0653-1: moderate: Security update for augeas Message-ID: <20180309170913.1371FF7BA@maintenance.suse.de> SUSE Security Update: Security update for augeas ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0653-1 Rating: moderate References: #1054171 #925225 Cross-References: CVE-2014-8119 CVE-2017-7555 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for augeas fixes the following issues: Security issues fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). - CVE-2014-8119: Fix improper handling of escaped strings leading to memory corruption (bsc#925225). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-augeas-13504=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-augeas-13504=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-augeas-13504=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): augeas-devel-0.9.0-3.21.3.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): augeas-0.9.0-3.21.3.1 augeas-lenses-0.9.0-3.21.3.1 libaugeas0-0.9.0-3.21.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): augeas-debuginfo-0.9.0-3.21.3.1 augeas-debugsource-0.9.0-3.21.3.1 References: https://www.suse.com/security/cve/CVE-2014-8119.html https://www.suse.com/security/cve/CVE-2017-7555.html https://bugzilla.suse.com/1054171 https://bugzilla.suse.com/925225 From sle-security-updates at lists.suse.com Fri Mar 9 13:08:47 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Mar 2018 21:08:47 +0100 (CET) Subject: SUSE-SU-2018:0655-1: moderate: Security update for glibc Message-ID: <20180309200847.F04F8F7BA@maintenance.suse.de> SUSE Security Update: Security update for glibc ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0655-1 Rating: moderate References: #1081556 Cross-References: CVE-2017-12133 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 SUSE CaaS Platform ALL OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for glibc fixes the following issues: - CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-443=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-443=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-443=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-443=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-443=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-443=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-443=1 - SUSE CaaS Platform ALL: zypper in -t patch SUSE-CAASP-ALL-2018-443=1 - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-443=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): glibc-debuginfo-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-devel-static-2.22-62.10.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch): glibc-info-2.22-62.10.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): glibc-debuginfo-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-devel-static-2.22-62.10.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (noarch): glibc-info-2.22-62.10.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): glibc-2.22-62.10.1 glibc-debuginfo-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-devel-2.22-62.10.1 glibc-devel-debuginfo-2.22-62.10.1 glibc-locale-2.22-62.10.1 glibc-locale-debuginfo-2.22-62.10.1 glibc-profile-2.22-62.10.1 nscd-2.22-62.10.1 nscd-debuginfo-2.22-62.10.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): glibc-html-2.22-62.10.1 glibc-i18ndata-2.22-62.10.1 glibc-info-2.22-62.10.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): glibc-2.22-62.10.1 glibc-debuginfo-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-devel-2.22-62.10.1 glibc-devel-debuginfo-2.22-62.10.1 glibc-locale-2.22-62.10.1 glibc-locale-debuginfo-2.22-62.10.1 glibc-profile-2.22-62.10.1 nscd-2.22-62.10.1 nscd-debuginfo-2.22-62.10.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): glibc-32bit-2.22-62.10.1 glibc-debuginfo-32bit-2.22-62.10.1 glibc-devel-32bit-2.22-62.10.1 glibc-devel-debuginfo-32bit-2.22-62.10.1 glibc-locale-32bit-2.22-62.10.1 glibc-locale-debuginfo-32bit-2.22-62.10.1 glibc-profile-32bit-2.22-62.10.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): glibc-html-2.22-62.10.1 glibc-i18ndata-2.22-62.10.1 glibc-info-2.22-62.10.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): glibc-2.22-62.10.1 glibc-debuginfo-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-devel-2.22-62.10.1 glibc-devel-debuginfo-2.22-62.10.1 glibc-locale-2.22-62.10.1 glibc-locale-debuginfo-2.22-62.10.1 glibc-profile-2.22-62.10.1 nscd-2.22-62.10.1 nscd-debuginfo-2.22-62.10.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): glibc-32bit-2.22-62.10.1 glibc-debuginfo-32bit-2.22-62.10.1 glibc-devel-32bit-2.22-62.10.1 glibc-devel-debuginfo-32bit-2.22-62.10.1 glibc-locale-32bit-2.22-62.10.1 glibc-locale-debuginfo-32bit-2.22-62.10.1 glibc-profile-32bit-2.22-62.10.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): glibc-html-2.22-62.10.1 glibc-i18ndata-2.22-62.10.1 glibc-info-2.22-62.10.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): glibc-2.22-62.10.1 glibc-32bit-2.22-62.10.1 glibc-debuginfo-2.22-62.10.1 glibc-debuginfo-32bit-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-devel-2.22-62.10.1 glibc-devel-32bit-2.22-62.10.1 glibc-devel-debuginfo-2.22-62.10.1 glibc-devel-debuginfo-32bit-2.22-62.10.1 glibc-locale-2.22-62.10.1 glibc-locale-32bit-2.22-62.10.1 glibc-locale-debuginfo-2.22-62.10.1 glibc-locale-debuginfo-32bit-2.22-62.10.1 nscd-2.22-62.10.1 nscd-debuginfo-2.22-62.10.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): glibc-i18ndata-2.22-62.10.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): glibc-i18ndata-2.22-62.10.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): glibc-2.22-62.10.1 glibc-32bit-2.22-62.10.1 glibc-debuginfo-2.22-62.10.1 glibc-debuginfo-32bit-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-devel-2.22-62.10.1 glibc-devel-32bit-2.22-62.10.1 glibc-devel-debuginfo-2.22-62.10.1 glibc-devel-debuginfo-32bit-2.22-62.10.1 glibc-locale-2.22-62.10.1 glibc-locale-32bit-2.22-62.10.1 glibc-locale-debuginfo-2.22-62.10.1 glibc-locale-debuginfo-32bit-2.22-62.10.1 nscd-2.22-62.10.1 nscd-debuginfo-2.22-62.10.1 - SUSE CaaS Platform ALL (x86_64): glibc-2.22-62.10.1 glibc-debuginfo-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-locale-2.22-62.10.1 glibc-locale-debuginfo-2.22-62.10.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): glibc-2.22-62.10.1 glibc-debuginfo-2.22-62.10.1 glibc-debugsource-2.22-62.10.1 glibc-locale-2.22-62.10.1 glibc-locale-debuginfo-2.22-62.10.1 References: https://www.suse.com/security/cve/CVE-2017-12133.html https://bugzilla.suse.com/1081556 From sle-security-updates at lists.suse.com Mon Mar 12 05:08:21 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Mar 2018 12:08:21 +0100 (CET) Subject: SUSE-SU-2018:0660-1: important: Security update for the Linux Kernel Message-ID: <20180312110821.4DEAEF7BA@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0660-1 Rating: important References: #1012382 #1054305 #1060279 #1068032 #1068984 #1070781 #1073311 #1074488 #1074621 #1075091 #1075410 #1075617 #1075621 #1075908 #1075994 #1076017 #1076154 #1076278 #1076849 #1077406 #1077560 #1077922 Cross-References: CVE-2017-13215 CVE-2017-17741 CVE-2017-18017 CVE-2017-18079 CVE-2017-5715 CVE-2018-1000004 CVE-2018-5332 CVE-2018-5333 Affected Products: SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Server 11-EXTRA SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves 8 vulnerabilities and has 14 fixes is now available. Description: The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka "retpolines". - CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621). - CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617). - CVE-2017-18017: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488). - CVE-2017-18079: drivers/input/serio/i8042.c in the Linux kernel allowed attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated (bnc#1077922). - CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (bnc#1073311). - CVE-2017-13215: A elevation of privilege vulnerability in the Upstream kernel skcipher. (bnc#1075908). - CVE-2018-1000004: In the Linux kernel a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition (bnc#1076017). The following non-security bugs were fixed: - cdc-acm: apply quirk for card reader (bsc#1060279). - Enable CPU vulnerabilities reporting via sysfs - fork: clear thread stack upon allocation (bsc#1077560). - kaiser: Set _PAGE_NX only if supported (bnc#1012382, bnc#1076278). - kbuild: modversions for EXPORT_SYMBOL() for asm (bsc#1074621 bsc#1068032). - Move kABI fixup for retpolines to proper place. - powerpc/vdso64: Use double word compare on pointers (bsc#1070781). - s390: add ppa to the idle loop (bnc#1077406, LTC#163910). - s390/cpuinfo: show facilities as reported by stfle (bnc#1076849, LTC#163741). - storvsc: do not assume SG list is continuous when doing bounce buffers (bsc#1075410). - sysfs/cpu: Add vulnerability folder (bnc#1012382). - sysfs/cpu: Fix typos in vulnerability documentation (bnc#1012382). - sysfs: spectre_v2, handle spec_ctrl (bsc#1075994 bsc#1075091). - x86/acpi: Handle SCI interrupts above legacy space gracefully (bsc#1068984). - x86/acpi: Reduce code duplication in mp_override_legacy_irq() (bsc#1068984). - x86/boot: Fix early command-line parsing when matching at end (bsc#1068032). - x86/cpu: Factor out application of forced CPU caps (bsc#1075994 bsc#1075091). - x86/cpu: Implement CPU vulnerabilites sysfs functions (bnc#1012382). - x86/CPU: Sync CPU feature flags late (bsc#1075994 bsc#1075091). - x86/kaiser: Populate shadow PGD with NX bit only if supported by platform (bsc#1076154 bsc#1076278). - x86/kaiser: use trampoline stack for kernel entry. - x86/microcode/intel: Disable late loading on model 79 (bsc#1054305). - x86/microcode/intel: Extend BDW late-loading further with LLC size check (bsc#1054305). - x86/microcode/intel: Extend BDW late-loading with a revision check (bsc#1054305). - x86/microcode: Rescan feature flags upon late loading (bsc#1075994 bsc#1075091). - x86/retpolines/spec_ctrl: disable IBRS on !SKL if retpolines are active (bsc#1068032). - x86/spec_ctrl: handle late setting of X86_FEATURE_SPEC_CTRL properly (bsc#1075994 bsc#1075091). - x86/spectre_v2: fix ordering in IBRS initialization (bsc#1075994 bsc#1075091). - x86/spectre_v2: nospectre_v2 means nospec too (bsc#1075994 bsc#1075091). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-kernel-20180212-13505=1 - SUSE Linux Enterprise Server 11-EXTRA: zypper in -t patch slexsp3-kernel-20180212-13505=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-kernel-20180212-13505=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-kernel-20180212-13505=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): kernel-default-3.0.101-0.47.106.19.1 kernel-default-base-3.0.101-0.47.106.19.1 kernel-default-devel-3.0.101-0.47.106.19.1 kernel-source-3.0.101-0.47.106.19.1 kernel-syms-3.0.101-0.47.106.19.1 kernel-trace-3.0.101-0.47.106.19.1 kernel-trace-base-3.0.101-0.47.106.19.1 kernel-trace-devel-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64): kernel-ec2-3.0.101-0.47.106.19.1 kernel-ec2-base-3.0.101-0.47.106.19.1 kernel-ec2-devel-3.0.101-0.47.106.19.1 kernel-xen-3.0.101-0.47.106.19.1 kernel-xen-base-3.0.101-0.47.106.19.1 kernel-xen-devel-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64): kernel-bigsmp-3.0.101-0.47.106.19.1 kernel-bigsmp-base-3.0.101-0.47.106.19.1 kernel-bigsmp-devel-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x): kernel-default-man-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586): kernel-pae-3.0.101-0.47.106.19.1 kernel-pae-base-3.0.101-0.47.106.19.1 kernel-pae-devel-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64): kernel-default-extra-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64): kernel-xen-extra-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-EXTRA (x86_64): kernel-bigsmp-extra-3.0.101-0.47.106.19.1 kernel-trace-extra-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-EXTRA (ppc64): kernel-ppc64-extra-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Server 11-EXTRA (i586): kernel-pae-extra-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): kernel-default-3.0.101-0.47.106.19.1 kernel-default-base-3.0.101-0.47.106.19.1 kernel-default-devel-3.0.101-0.47.106.19.1 kernel-ec2-3.0.101-0.47.106.19.1 kernel-ec2-base-3.0.101-0.47.106.19.1 kernel-ec2-devel-3.0.101-0.47.106.19.1 kernel-pae-3.0.101-0.47.106.19.1 kernel-pae-base-3.0.101-0.47.106.19.1 kernel-pae-devel-3.0.101-0.47.106.19.1 kernel-source-3.0.101-0.47.106.19.1 kernel-syms-3.0.101-0.47.106.19.1 kernel-trace-3.0.101-0.47.106.19.1 kernel-trace-base-3.0.101-0.47.106.19.1 kernel-trace-devel-3.0.101-0.47.106.19.1 kernel-xen-3.0.101-0.47.106.19.1 kernel-xen-base-3.0.101-0.47.106.19.1 kernel-xen-devel-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): kernel-default-debuginfo-3.0.101-0.47.106.19.1 kernel-default-debugsource-3.0.101-0.47.106.19.1 kernel-trace-debuginfo-3.0.101-0.47.106.19.1 kernel-trace-debugsource-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64): kernel-ec2-debuginfo-3.0.101-0.47.106.19.1 kernel-ec2-debugsource-3.0.101-0.47.106.19.1 kernel-xen-debuginfo-3.0.101-0.47.106.19.1 kernel-xen-debugsource-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64): kernel-bigsmp-debuginfo-3.0.101-0.47.106.19.1 kernel-bigsmp-debugsource-3.0.101-0.47.106.19.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586): kernel-pae-debuginfo-3.0.101-0.47.106.19.1 kernel-pae-debugsource-3.0.101-0.47.106.19.1 References: https://www.suse.com/security/cve/CVE-2017-13215.html https://www.suse.com/security/cve/CVE-2017-17741.html https://www.suse.com/security/cve/CVE-2017-18017.html https://www.suse.com/security/cve/CVE-2017-18079.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2018-1000004.html https://www.suse.com/security/cve/CVE-2018-5332.html https://www.suse.com/security/cve/CVE-2018-5333.html https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1054305 https://bugzilla.suse.com/1060279 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068984 https://bugzilla.suse.com/1070781 https://bugzilla.suse.com/1073311 https://bugzilla.suse.com/1074488 https://bugzilla.suse.com/1074621 https://bugzilla.suse.com/1075091 https://bugzilla.suse.com/1075410 https://bugzilla.suse.com/1075617 https://bugzilla.suse.com/1075621 https://bugzilla.suse.com/1075908 https://bugzilla.suse.com/1075994 https://bugzilla.suse.com/1076017 https://bugzilla.suse.com/1076154 https://bugzilla.suse.com/1076278 https://bugzilla.suse.com/1076849 https://bugzilla.suse.com/1077406 https://bugzilla.suse.com/1077560 https://bugzilla.suse.com/1077922 From sle-security-updates at lists.suse.com Mon Mar 12 11:08:01 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Mar 2018 18:08:01 +0100 (CET) Subject: SUSE-SU-2018:0661-1: important: Security update for java-1_7_0-openjdk Message-ID: <20180312170801.F1D97F7BA@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0661-1 Rating: important References: #1076366 Cross-References: CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 14 vulnerabilities is now available. Description: This update for java-1_7_0-openjdk fixes the following issues: Security issues fixed in OpenJDK 7u171 (January 2018 CPU)(bsc#1076366): - CVE-2018-2579: Improve key keying case - CVE-2018-2588: Improve LDAP logins - CVE-2018-2599: Improve reliability of DNS lookups - CVE-2018-2602: Improve usage messages - CVE-2018-2603: Improve PKCS usage - CVE-2018-2618: Stricter key generation - CVE-2018-2629: Improve GSS handling - CVE-2018-2633: Improve LDAP lookup robustness - CVE-2018-2634: Improve property negotiations - CVE-2018-2637: Improve JMX supportive features - CVE-2018-2641: Improve GTK initialization - CVE-2018-2663: More refactoring for deserialization cases - CVE-2018-2677: More refactoring for client deserialization cases - CVE-2018-2678: More refactoring for naming Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-448=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-448=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-448=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-448=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-448=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): java-1_7_0-openjdk-1.7.0.171-43.12.1 java-1_7_0-openjdk-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-debugsource-1.7.0.171-43.12.1 java-1_7_0-openjdk-demo-1.7.0.171-43.12.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-devel-1.7.0.171-43.12.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.171-43.12.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.171-43.12.1 java-1_7_0-openjdk-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-debugsource-1.7.0.171-43.12.1 java-1_7_0-openjdk-demo-1.7.0.171-43.12.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-devel-1.7.0.171-43.12.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.171-43.12.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.171-43.12.1 java-1_7_0-openjdk-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-debugsource-1.7.0.171-43.12.1 java-1_7_0-openjdk-demo-1.7.0.171-43.12.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-devel-1.7.0.171-43.12.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.171-43.12.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): java-1_7_0-openjdk-1.7.0.171-43.12.1 java-1_7_0-openjdk-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-debugsource-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.171-43.12.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): java-1_7_0-openjdk-1.7.0.171-43.12.1 java-1_7_0-openjdk-debuginfo-1.7.0.171-43.12.1 java-1_7_0-openjdk-debugsource-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-1.7.0.171-43.12.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.171-43.12.1 References: https://www.suse.com/security/cve/CVE-2018-2579.html https://www.suse.com/security/cve/CVE-2018-2588.html https://www.suse.com/security/cve/CVE-2018-2599.html https://www.suse.com/security/cve/CVE-2018-2602.html https://www.suse.com/security/cve/CVE-2018-2603.html https://www.suse.com/security/cve/CVE-2018-2618.html https://www.suse.com/security/cve/CVE-2018-2629.html https://www.suse.com/security/cve/CVE-2018-2633.html https://www.suse.com/security/cve/CVE-2018-2634.html https://www.suse.com/security/cve/CVE-2018-2637.html https://www.suse.com/security/cve/CVE-2018-2641.html https://www.suse.com/security/cve/CVE-2018-2663.html https://www.suse.com/security/cve/CVE-2018-2677.html https://www.suse.com/security/cve/CVE-2018-2678.html https://bugzilla.suse.com/1076366 From sle-security-updates at lists.suse.com Mon Mar 12 11:08:31 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Mar 2018 18:08:31 +0100 (CET) Subject: SUSE-SU-2018:0662-1: moderate: Security update for shadow Message-ID: <20180312170831.98867F7BD@maintenance.suse.de> SUSE Security Update: Security update for shadow ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0662-1 Rating: moderate References: #1081294 Cross-References: CVE-2018-7169 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 SUSE CaaS Platform ALL OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for shadow fixes the following issues: - CVE-2018-7169: Fixed an privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-446=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-446=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-446=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-446=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-446=1 - SUSE CaaS Platform ALL: zypper in -t patch SUSE-CAASP-ALL-2018-446=1 - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-446=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): shadow-4.2.1-27.6.1 shadow-debuginfo-4.2.1-27.6.1 shadow-debugsource-4.2.1-27.6.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): shadow-4.2.1-27.6.1 shadow-debuginfo-4.2.1-27.6.1 shadow-debugsource-4.2.1-27.6.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): shadow-4.2.1-27.6.1 shadow-debuginfo-4.2.1-27.6.1 shadow-debugsource-4.2.1-27.6.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): shadow-4.2.1-27.6.1 shadow-debuginfo-4.2.1-27.6.1 shadow-debugsource-4.2.1-27.6.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): shadow-4.2.1-27.6.1 shadow-debuginfo-4.2.1-27.6.1 shadow-debugsource-4.2.1-27.6.1 - SUSE CaaS Platform ALL (x86_64): shadow-4.2.1-27.6.1 shadow-debuginfo-4.2.1-27.6.1 shadow-debugsource-4.2.1-27.6.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): shadow-4.2.1-27.6.1 shadow-debuginfo-4.2.1-27.6.1 shadow-debugsource-4.2.1-27.6.1 References: https://www.suse.com/security/cve/CVE-2018-7169.html https://bugzilla.suse.com/1081294 From sle-security-updates at lists.suse.com Mon Mar 12 11:09:09 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Mar 2018 18:09:09 +0100 (CET) Subject: SUSE-SU-2018:0663-1: important: Security update for java-1_8_0-openjdk Message-ID: <20180312170909.A5542F7BA@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0663-1 Rating: important References: #1076366 Cross-References: CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: This update for java-1_8_0-openjdk fixes the following issues: Security issues fix in jdk8u161 (icedtea 3.7.0)(bsc#1076366): - CVE-2018-2579: Improve key keying case - CVE-2018-2582: Better interface invocations - CVE-2018-2588: Improve LDAP logins - CVE-2018-2599: Improve reliability of DNS lookups - CVE-2018-2602: Improve usage messages - CVE-2018-2603: Improve PKCS usage - CVE-2018-2618: Stricter key generation - CVE-2018-2629: Improve GSS handling - CVE-2018-2633: Improve LDAP lookup robustness - CVE-2018-2634: Improve property negotiations - CVE-2018-2637: Improve JMX supportive features - CVE-2018-2641: Improve GTK initialization - CVE-2018-2663: More refactoring for deserialization cases - CVE-2018-2677: More refactoring for client deserialization cases - CVE-2018-2678: More refactoring for naming deserialization cases Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-449=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-449=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-449=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-449=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-449=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-449=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-449=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-449=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 6 (x86_64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-1.8.0.161-27.13.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-devel-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): java-1_8_0-openjdk-1.8.0.161-27.13.1 java-1_8_0-openjdk-debuginfo-1.8.0.161-27.13.1 java-1_8_0-openjdk-debugsource-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-1.8.0.161-27.13.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.161-27.13.1 References: https://www.suse.com/security/cve/CVE-2018-2579.html https://www.suse.com/security/cve/CVE-2018-2582.html https://www.suse.com/security/cve/CVE-2018-2588.html https://www.suse.com/security/cve/CVE-2018-2599.html https://www.suse.com/security/cve/CVE-2018-2602.html https://www.suse.com/security/cve/CVE-2018-2603.html https://www.suse.com/security/cve/CVE-2018-2618.html https://www.suse.com/security/cve/CVE-2018-2629.html https://www.suse.com/security/cve/CVE-2018-2633.html https://www.suse.com/security/cve/CVE-2018-2634.html https://www.suse.com/security/cve/CVE-2018-2637.html https://www.suse.com/security/cve/CVE-2018-2641.html https://www.suse.com/security/cve/CVE-2018-2663.html https://www.suse.com/security/cve/CVE-2018-2677.html https://www.suse.com/security/cve/CVE-2018-2678.html https://bugzilla.suse.com/1076366 From sle-security-updates at lists.suse.com Mon Mar 12 11:09:52 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Mar 2018 18:09:52 +0100 (CET) Subject: SUSE-SU-2018:0664-1: important: Security update for the Linux Kernel (Live Patch 32 for SLE 12) Message-ID: <20180312170952.3E337F7BA@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 32 for SLE 12) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0664-1 Rating: important References: #1064392 Cross-References: CVE-2017-15649 Affected Products: SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 3.12.61-52_122 fixes several issues. The following security issue was fixed: - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-450=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12-LTSS (x86_64): kgraft-patch-3_12_61-52_122-default-2-2.1 kgraft-patch-3_12_61-52_122-xen-2-2.1 References: https://www.suse.com/security/cve/CVE-2017-15649.html https://bugzilla.suse.com/1064392 From sle-security-updates at lists.suse.com Mon Mar 12 11:10:24 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Mar 2018 18:10:24 +0100 (CET) Subject: SUSE-SU-2018:0665-1: important: Security update for java-1_8_0-ibm Message-ID: <20180312171024.842AAF7BA@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0665-1 Rating: important References: #1076390 #1082810 #929900 #955131 Cross-References: CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2638 CVE-2018-2639 CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1-LTSS ______________________________________________________________________________ An update that fixes 16 vulnerabilities is now available. Description: This update for java-1_8_0-ibm fixes the following issues: - Removed java-1_8_0-ibm-alsa and java-1_8_0-ibm-plugin entries in baselibs.conf due to errors in osc source_validator Version update to 8.0.5.10 [bsc#1082810] * Security fixes: CVE-2018-2639 CVE-2018-2638 CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 * Defect fixes: - IJ02608 Class Libraries: Change of namespace definitions with handlers that implement javax.xml.ws.handler.soap.soaphandler - IJ04280 Class Libraries: Deploy Upgrade to Oracle level 8u161-b12 - IJ03390 Class Libraries: JCL Upgrade to Oracle level 8u161-b12 - IJ04001 Class Libraries: Performance improvement with child process on AIX - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03440 Java Virtual Machine: Assertion failure during class creation - IJ03717 Java Virtual Machine: Assertion for gencon with concurrent scavenger on ZOS64 - IJ03513 Java Virtual Machine: Assertion in concurrent scavenger if initial heap memory size -Xms is set too low - IJ03994 Java Virtual Machine: Class.getmethods() does not return all methods - IJ03413 Java Virtual Machine: Hang creating thread after redefining classes - IJ03852 Java Virtual Machine: ICH408I message when groupaccess is specified with -xshareclasses - IJ03716 Java Virtual Machine: java/lang/linkageerror from sun/misc/unsafe.definean onymousclass() - IJ03116 Java Virtual Machine: java.fullversion string contains an extra space - IJ03347 Java Virtual Machine: java.lang.IllegalStateException in related class MemoryMXBean - IJ03878 Java Virtual Machine: java.lang.StackOverflowError is thrown when custom security manager in place - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ04248 JIT Compiler: ArrayIndexOutOfBoundsException is thrown when converting BigDecimal to String - IJ04250 JIT Compiler: Assertion failure with concurrentScavenge on Z14 - IJ03606 JIT Compiler: Java crashes with -version - IJ04251 JIT Compiler: JIT compiled method that takes advantage of AutoSIMD produces an incorrect result on x86 - IJ03854 JIT Compiler: JVM info message appears in stdout - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ03715 Security: Add additional support for the IBMJCEPlus provider, add support for new IBMJCEPlusFIPS provider - IJ03800 Security: A fix in CMS provider for KDB integrity - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl ??? Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl ??? Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl ??? SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - PI93233 z/OS Extentions: Cipher.doFinal() fails when using AES/GCM/nopadding with AAD data of 13 bytes and a block size of 4081 to 4096 * Fixes in 8.0.5.7: - IJ02605 Class Libraries: Update IBM-1371 charset with new specification support - IJ02541 Java Virtual Machine: Assertions in GC when jvmti runs with Concurrent Scavenger - IJ02443 Java Virtual Machine: Committed eden region size is bigger than maximum eden region size - IJ02378 Java Virtual Machine: Existing signal action for SIG_IGN/SIG_DFL is not detected properly - IJ02758 JIT Compiler: Crash in JIT module during method compilation - IJ02733 JIT Compiler: Crash in jit module when compiling in non-default configuration * Fixes in 8.0.5.6: - IJ02283 Java Virtual Machine: IllegalAccessException due to a missing access check for the same class in MethodHandle apis - IJ02082 Java Virtual Machine: The default value for class unloading kick off threshold is not set - IJ02018 JIT Compiler: Crash or assertion while attempting to acquire VM access - IJ02284 JIT Compiler: Division by zero in JIT compiler - IV88941 JIT Compiler: JIT compiler takes far too long to compile a method - IJ02285 JIT Compiler: Performance degradation during class unloading in Java 8 SR5 - Support Java jnlp files run from Firefox. [bsc#1076390] Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-447=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-447=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-447=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-447=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-447=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-447=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-447=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 6 (x86_64): java-1_8_0-ibm-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-alsa-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-devel-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-plugin-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64): java-1_8_0-ibm-devel-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64): java-1_8_0-ibm-devel-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): java-1_8_0-ibm-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-devel-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-plugin-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-plugin-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server 12-SP2 (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server 12-SP2 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-plugin-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-devel-1.8.0_sr5.10-30.16.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.10-30.16.1 java-1_8_0-ibm-plugin-1.8.0_sr5.10-30.16.1 References: https://www.suse.com/security/cve/CVE-2018-2579.html https://www.suse.com/security/cve/CVE-2018-2582.html https://www.suse.com/security/cve/CVE-2018-2588.html https://www.suse.com/security/cve/CVE-2018-2599.html https://www.suse.com/security/cve/CVE-2018-2602.html https://www.suse.com/security/cve/CVE-2018-2603.html https://www.suse.com/security/cve/CVE-2018-2618.html https://www.suse.com/security/cve/CVE-2018-2633.html https://www.suse.com/security/cve/CVE-2018-2634.html https://www.suse.com/security/cve/CVE-2018-2637.html https://www.suse.com/security/cve/CVE-2018-2638.html https://www.suse.com/security/cve/CVE-2018-2639.html https://www.suse.com/security/cve/CVE-2018-2641.html https://www.suse.com/security/cve/CVE-2018-2663.html https://www.suse.com/security/cve/CVE-2018-2677.html https://www.suse.com/security/cve/CVE-2018-2678.html https://bugzilla.suse.com/1076390 https://bugzilla.suse.com/1082810 https://bugzilla.suse.com/929900 https://bugzilla.suse.com/955131 From sle-security-updates at lists.suse.com Wed Mar 14 14:07:48 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Mar 2018 21:07:48 +0100 (CET) Subject: SUSE-SU-2018:0671-1: moderate: Security update for kernel-firmware Message-ID: <20180314200748.CDB26F7BA@maintenance.suse.de> SUSE Security Update: Security update for kernel-firmware ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0671-1 Rating: moderate References: #1077355 Cross-References: CVE-2015-1142857 Affected Products: SUSE Linux Enterprise Server 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for kernel-firmware fixes the following issues: - CVE-2015-1142857: Add 7.13.1.0 bnx2x firmware files for ethernet flow control vulnerability in SRIOV devices (bsc#1077355) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-kernel-firmware-13508=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP4 (noarch): kernel-firmware-20110923-0.59.3.1 References: https://www.suse.com/security/cve/CVE-2015-1142857.html https://bugzilla.suse.com/1077355 From sle-security-updates at lists.suse.com Wed Mar 14 14:08:16 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Mar 2018 21:08:16 +0100 (CET) Subject: SUSE-SU-2018:0672-1: moderate: Security update for GraphicsMagick Message-ID: <20180314200816.1F938F7BA@maintenance.suse.de> SUSE Security Update: Security update for GraphicsMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0672-1 Rating: moderate References: #1042911 #1050119 #1050132 #1052754 #1072898 #1077737 Cross-References: CVE-2017-11528 CVE-2017-11533 CVE-2017-12663 CVE-2017-17500 CVE-2017-17682 CVE-2017-9405 Affected Products: SUSE Studio Onsite 1.3 SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for GraphicsMagick fixes the following issues: Security issues fixed: - CVE-2017-9405: A memory leak in the ReadICONImage function was fixed that could lead to DoS via memory exhaustion (bsc#1042911) - CVE-2017-11528: ReadDIBImage in coders/dib.c allows remote attackers to cause DoS via memory exhaustion (bsc#1050119) - CVE-2017-11533: A information leak by 1 byte due to heap-based buffer over-read in the WriteUILImage() in coders/uil.c was fixed (bsc#1050132) - CVE-2017-12663: A memory leak in WriteMAPImage in coders/map.c was fixed that could lead to a DoS via memory exhaustion (bsc#1052754) - CVE-2017-17682: A large loop vulnerability was fixed in ExtractPostscript in coders/wpg.c, which allowed attackers to cause a denial of service (CPU exhaustion) (bsc#1072898) - CVE-2017-17500: A heap-based buffer overflow (read) in the ImportRGBQuantumType was fixed. (bsc#1077737) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-GraphicsMagick-13509=1 - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-GraphicsMagick-13509=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-GraphicsMagick-13509=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Studio Onsite 1.3 (x86_64): GraphicsMagick-1.2.5-4.78.41.1 libGraphicsMagick2-1.2.5-4.78.41.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): GraphicsMagick-1.2.5-4.78.41.1 libGraphicsMagick2-1.2.5-4.78.41.1 perl-GraphicsMagick-1.2.5-4.78.41.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): GraphicsMagick-debuginfo-1.2.5-4.78.41.1 GraphicsMagick-debugsource-1.2.5-4.78.41.1 References: https://www.suse.com/security/cve/CVE-2017-11528.html https://www.suse.com/security/cve/CVE-2017-11533.html https://www.suse.com/security/cve/CVE-2017-12663.html https://www.suse.com/security/cve/CVE-2017-17500.html https://www.suse.com/security/cve/CVE-2017-17682.html https://www.suse.com/security/cve/CVE-2017-9405.html https://bugzilla.suse.com/1042911 https://bugzilla.suse.com/1050119 https://bugzilla.suse.com/1050132 https://bugzilla.suse.com/1052754 https://bugzilla.suse.com/1072898 https://bugzilla.suse.com/1077737 From sle-security-updates at lists.suse.com Wed Mar 14 14:09:32 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Mar 2018 21:09:32 +0100 (CET) Subject: SUSE-SU-2018:0673-1: moderate: Security update for libcdio Message-ID: <20180314200932.CB988F7BA@maintenance.suse.de> SUSE Security Update: Security update for libcdio ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0673-1 Rating: moderate References: #1082877 Cross-References: CVE-2017-18201 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libcdio fixes the following issues: - CVE-2017-18201: Fixed a double free vulnerability (bsc#1082877). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-459=1 - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-459=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-459=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-459=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-459=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-459=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-459=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-459=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-459=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): libcdio-debugsource-0.90-6.3.1 libiso9660-8-0.90-6.3.1 libiso9660-8-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): libcdio-debugsource-0.90-6.3.1 libiso9660-8-0.90-6.3.1 libiso9660-8-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libcdio++0-0.90-6.3.1 libcdio++0-debuginfo-0.90-6.3.1 libcdio-debugsource-0.90-6.3.1 libcdio-devel-0.90-6.3.1 libiso9660-8-0.90-6.3.1 libiso9660-8-debuginfo-0.90-6.3.1 libudf0-0.90-6.3.1 libudf0-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): libcdio++0-0.90-6.3.1 libcdio++0-debuginfo-0.90-6.3.1 libcdio-debugsource-0.90-6.3.1 libcdio-devel-0.90-6.3.1 libiso9660-8-0.90-6.3.1 libiso9660-8-debuginfo-0.90-6.3.1 libudf0-0.90-6.3.1 libudf0-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libcdio-debugsource-0.90-6.3.1 libcdio14-0.90-6.3.1 libcdio14-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libcdio-debugsource-0.90-6.3.1 libcdio14-0.90-6.3.1 libcdio14-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libcdio14-32bit-0.90-6.3.1 libcdio14-debuginfo-32bit-0.90-6.3.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libcdio-debugsource-0.90-6.3.1 libcdio14-0.90-6.3.1 libcdio14-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): libcdio14-32bit-0.90-6.3.1 libcdio14-debuginfo-32bit-0.90-6.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libcdio-debugsource-0.90-6.3.1 libcdio14-0.90-6.3.1 libcdio14-32bit-0.90-6.3.1 libcdio14-debuginfo-0.90-6.3.1 libcdio14-debuginfo-32bit-0.90-6.3.1 libiso9660-8-0.90-6.3.1 libiso9660-8-debuginfo-0.90-6.3.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libcdio-debugsource-0.90-6.3.1 libcdio14-0.90-6.3.1 libcdio14-32bit-0.90-6.3.1 libcdio14-debuginfo-0.90-6.3.1 libcdio14-debuginfo-32bit-0.90-6.3.1 libiso9660-8-0.90-6.3.1 libiso9660-8-debuginfo-0.90-6.3.1 References: https://www.suse.com/security/cve/CVE-2017-18201.html https://bugzilla.suse.com/1082877 From sle-security-updates at lists.suse.com Wed Mar 14 14:10:02 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Mar 2018 21:10:02 +0100 (CET) Subject: SUSE-SU-2018:0674-1: moderate: Security update for kernel-firmware Message-ID: <20180314201002.46FB6F7BA@maintenance.suse.de> SUSE Security Update: Security update for kernel-firmware ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0674-1 Rating: moderate References: #1077355 Cross-References: CVE-2015-1142857 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 SUSE CaaS Platform ALL ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for kernel-firmware fixes the following issues: - CVE-2015-1142857: Add 7.13.1.0 bnx2x firmware files to fix a ethernet flow control vulnerability in SRIOV devices (bsc#1077355) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-457=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-457=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-457=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-457=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-457=1 - SUSE CaaS Platform ALL: zypper in -t patch SUSE-CAASP-ALL-2018-457=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): kernel-firmware-20170530-21.19.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): kernel-firmware-20170530-21.19.1 ucode-amd-20170530-21.19.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): kernel-firmware-20170530-21.19.1 ucode-amd-20170530-21.19.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): kernel-firmware-20170530-21.19.1 ucode-amd-20170530-21.19.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): kernel-firmware-20170530-21.19.1 ucode-amd-20170530-21.19.1 - SUSE CaaS Platform ALL (noarch): kernel-firmware-20170530-21.19.1 References: https://www.suse.com/security/cve/CVE-2015-1142857.html https://bugzilla.suse.com/1077355 From sle-security-updates at lists.suse.com Wed Mar 14 14:10:31 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Mar 2018 21:10:31 +0100 (CET) Subject: SUSE-SU-2018:0675-1: moderate: Security update for postgresql94 Message-ID: <20180314201031.E034BF7BA@maintenance.suse.de> SUSE Security Update: Security update for postgresql94 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0675-1 Rating: moderate References: #1077983 Cross-References: CVE-2018-1053 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for postgresql94 fixes the following issues: PostgreSQL was updated to version 9.4.15, the full release notes are here: https://www.postgresql.org/docs/9.4/static/release-9-4-15.html - CVE-2018-1053: Ensure that all temporary files made by pg_upgrade are non-world-readable. (bsc#1077983) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-455=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-455=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-455=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-455=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): postgresql94-devel-9.4.16-21.16.1 postgresql94-devel-debuginfo-9.4.16-21.16.1 postgresql94-libs-debugsource-9.4.16-21.16.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): postgresql94-9.4.16-21.16.1 postgresql94-contrib-9.4.16-21.16.1 postgresql94-contrib-debuginfo-9.4.16-21.16.1 postgresql94-debuginfo-9.4.16-21.16.1 postgresql94-debugsource-9.4.16-21.16.1 postgresql94-server-9.4.16-21.16.1 postgresql94-server-debuginfo-9.4.16-21.16.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): postgresql94-docs-9.4.16-21.16.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): postgresql94-9.4.16-21.16.1 postgresql94-contrib-9.4.16-21.16.1 postgresql94-contrib-debuginfo-9.4.16-21.16.1 postgresql94-debuginfo-9.4.16-21.16.1 postgresql94-debugsource-9.4.16-21.16.1 postgresql94-server-9.4.16-21.16.1 postgresql94-server-debuginfo-9.4.16-21.16.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): postgresql94-docs-9.4.16-21.16.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): postgresql94-9.4.16-21.16.1 postgresql94-debuginfo-9.4.16-21.16.1 postgresql94-debugsource-9.4.16-21.16.1 References: https://www.suse.com/security/cve/CVE-2018-1053.html https://bugzilla.suse.com/1077983 From sle-security-updates at lists.suse.com Wed Mar 14 17:08:50 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 15 Mar 2018 00:08:50 +0100 (CET) Subject: SUSE-SU-2018:0678-1: important: Security update for xen Message-ID: <20180314230850.77CBCF7BA@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0678-1 Rating: important References: #1024307 #1030144 #1061081 #1068032 #1070158 #1070159 #1070160 #1070163 #1074562 #1076116 #1076180 #1080635 #1080662 Cross-References: CVE-2017-11334 CVE-2017-15595 CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566 CVE-2017-18030 CVE-2017-5715 CVE-2017-5753 CVE-2017-5754 CVE-2017-5898 CVE-2018-5683 CVE-2018-7540 CVE-2018-7541 Affected Products: SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes 14 vulnerabilities is now available. Description: This update for xen fixes several issues. These security issues were fixed: - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks via side effects of speculative execution, aka "Spectre" and "Meltdown" attacks (bsc#1074562, bsc#1068032) - CVE-2018-5683: The vga_draw_text function allowed local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation (bsc#1076116). - CVE-2017-18030: The cirrus_invalidate_region function allowed local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch (bsc#1076180). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081) - CVE-2017-17566: Prevent PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page (bsc#1070158). - CVE-2017-17563: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode (bsc#1070159). - CVE-2017-17564: Prevent guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode (bsc#1070160). - CVE-2017-17565: Prevent PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P (bsc#1070163). - Added missing intermediate preemption checks for guest requesting removal of memory. This allowed malicious guest administrator to cause denial of service due to the high cost of this operation (bsc#1080635). - Because of XEN not returning the proper error messages when transitioning grant tables from v2 to v1 a malicious guest was able to cause DoS or potentially allowed for privilege escalation as well as information leaks (bsc#1080662). - CVE-2017-5898: The CCID Card device emulator support was vulnerable to an integer overflow flaw allowing a privileged user to crash the Qemu process on the host resulting in DoS (bsc#1024307) - Unprivileged domains could have issued well-timed writes to xenstore which conflict with transactions to stall progress of the control domain or driver domain, possibly leading to DoS (bsc#1030144, XSA-206). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-xen-13511=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-xen-13511=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-xen-13511=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64): xen-kmp-default-4.2.5_21_3.0.101_0.47.106.14-45.19.1 xen-libs-4.2.5_21-45.19.1 xen-tools-domU-4.2.5_21-45.19.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64): xen-4.2.5_21-45.19.1 xen-doc-html-4.2.5_21-45.19.1 xen-doc-pdf-4.2.5_21-45.19.1 xen-libs-32bit-4.2.5_21-45.19.1 xen-tools-4.2.5_21-45.19.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586): xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.14-45.19.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): xen-kmp-default-4.2.5_21_3.0.101_0.47.106.14-45.19.1 xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.14-45.19.1 xen-libs-4.2.5_21-45.19.1 xen-tools-domU-4.2.5_21-45.19.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64): xen-debuginfo-4.2.5_21-45.19.1 xen-debugsource-4.2.5_21-45.19.1 References: https://www.suse.com/security/cve/CVE-2017-11334.html https://www.suse.com/security/cve/CVE-2017-15595.html https://www.suse.com/security/cve/CVE-2017-17563.html https://www.suse.com/security/cve/CVE-2017-17564.html https://www.suse.com/security/cve/CVE-2017-17565.html https://www.suse.com/security/cve/CVE-2017-17566.html https://www.suse.com/security/cve/CVE-2017-18030.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2017-5753.html https://www.suse.com/security/cve/CVE-2017-5754.html https://www.suse.com/security/cve/CVE-2017-5898.html https://www.suse.com/security/cve/CVE-2018-5683.html https://www.suse.com/security/cve/CVE-2018-7540.html https://www.suse.com/security/cve/CVE-2018-7541.html https://bugzilla.suse.com/1024307 https://bugzilla.suse.com/1030144 https://bugzilla.suse.com/1061081 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1070158 https://bugzilla.suse.com/1070159 https://bugzilla.suse.com/1070160 https://bugzilla.suse.com/1070163 https://bugzilla.suse.com/1074562 https://bugzilla.suse.com/1076116 https://bugzilla.suse.com/1076180 https://bugzilla.suse.com/1080635 https://bugzilla.suse.com/1080662 From sle-security-updates at lists.suse.com Thu Mar 15 11:07:53 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 15 Mar 2018 18:07:53 +0100 (CET) Subject: SUSE-SU-2018:0694-1: important: Security update for java-1_7_1-ibm Message-ID: <20180315170753.20A07F7BD@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_1-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0694-1 Rating: important References: #1057460 #1076390 #1082810 #1085018 #929900 #955131 #966304 Cross-References: CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2657 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: This update for java-1_7_1-ibm fixes the following issues: The version was updated to 7.1.4.20 [bsc#1082810] * Security fixes: - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 * Defect fixes: - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler * SUSE fixes: - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) - Fixed symlinks to policy files on update [bsc#1085018] - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390] - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900] - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs SR 110991601735. [bsc#966304] Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-475=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-475=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-475=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-475=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.20-38.12.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.20-38.12.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.12.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.12.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.12.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.12.1 - SUSE Linux Enterprise Server 12-SP2 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.12.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.12.1 - SUSE Linux Enterprise Server 12-SP2 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.12.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.12.1 References: https://www.suse.com/security/cve/CVE-2018-2579.html https://www.suse.com/security/cve/CVE-2018-2582.html https://www.suse.com/security/cve/CVE-2018-2588.html https://www.suse.com/security/cve/CVE-2018-2599.html https://www.suse.com/security/cve/CVE-2018-2602.html https://www.suse.com/security/cve/CVE-2018-2603.html https://www.suse.com/security/cve/CVE-2018-2618.html https://www.suse.com/security/cve/CVE-2018-2633.html https://www.suse.com/security/cve/CVE-2018-2634.html https://www.suse.com/security/cve/CVE-2018-2637.html https://www.suse.com/security/cve/CVE-2018-2641.html https://www.suse.com/security/cve/CVE-2018-2657.html https://www.suse.com/security/cve/CVE-2018-2663.html https://www.suse.com/security/cve/CVE-2018-2677.html https://www.suse.com/security/cve/CVE-2018-2678.html https://bugzilla.suse.com/1057460 https://bugzilla.suse.com/1076390 https://bugzilla.suse.com/1082810 https://bugzilla.suse.com/1085018 https://bugzilla.suse.com/929900 https://bugzilla.suse.com/955131 https://bugzilla.suse.com/966304 From sle-security-updates at lists.suse.com Thu Mar 15 14:07:15 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 15 Mar 2018 21:07:15 +0100 (CET) Subject: SUSE-SU-2018:0697-1: important: Security update for mariadb Message-ID: <20180315200715.6D6C9F7BA@maintenance.suse.de> SUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0697-1 Rating: important References: #1078431 Cross-References: CVE-2018-2562 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for mariadb fixes the following issues: MariaDB was updated to 10.0.34 (bsc#1078431) The following security vulnerabilities are fixed: - CVE-2018-2562: Vulnerability in the MySQL Server subcomponent: Server : Partition. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. - CVE-2018-2622: Vulnerability in the MySQL Server subcomponent: Server: DDL. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2640: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2665: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2668: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2612: Vulnerability in the MySQL Server subcomponent: InnoDB. Easily exploitable vulnerability allowed high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. The MariaDB external release notes and changelog for this release: * https://kb.askmonty.org/en/mariadb-10034-release-notes * https://kb.askmonty.org/en/mariadb-10034-changelog Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-478=1 - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-478=1 - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-478=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-478=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-478=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-478=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-478=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-478=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-478=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-478=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-478=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-478=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 6 (x86_64): libmysqlclient-devel-10.0.34-29.16.1 libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-32bit-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 libmysqlclient18-debuginfo-32bit-10.0.34-29.16.1 libmysqlclient_r18-10.0.34-29.16.1 libmysqld-devel-10.0.34-29.16.1 libmysqld18-10.0.34-29.16.1 libmysqld18-debuginfo-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 mariadb-tools-10.0.34-29.16.1 mariadb-tools-debuginfo-10.0.34-29.16.1 - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): libmysqlclient_r18-10.0.34-29.16.1 libmysqlclient_r18-32bit-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): libmysqlclient_r18-10.0.34-29.16.1 libmysqlclient_r18-32bit-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libmysqlclient-devel-10.0.34-29.16.1 libmysqlclient_r18-10.0.34-29.16.1 libmysqld-devel-10.0.34-29.16.1 libmysqld18-10.0.34-29.16.1 libmysqld18-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): libmysqlclient-devel-10.0.34-29.16.1 libmysqlclient_r18-10.0.34-29.16.1 libmysqld-devel-10.0.34-29.16.1 libmysqld18-10.0.34-29.16.1 libmysqld18-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): libmysqlclient-devel-10.0.34-29.16.1 libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 libmysqlclient_r18-10.0.34-29.16.1 libmysqld-devel-10.0.34-29.16.1 libmysqld18-10.0.34-29.16.1 libmysqld18-debuginfo-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 mariadb-tools-10.0.34-29.16.1 mariadb-tools-debuginfo-10.0.34-29.16.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libmysqlclient18-32bit-10.0.34-29.16.1 libmysqlclient18-debuginfo-32bit-10.0.34-29.16.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 mariadb-tools-10.0.34-29.16.1 mariadb-tools-debuginfo-10.0.34-29.16.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 mariadb-tools-10.0.34-29.16.1 mariadb-tools-debuginfo-10.0.34-29.16.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libmysqlclient18-32bit-10.0.34-29.16.1 libmysqlclient18-debuginfo-32bit-10.0.34-29.16.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 mariadb-tools-10.0.34-29.16.1 mariadb-tools-debuginfo-10.0.34-29.16.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): libmysqlclient18-32bit-10.0.34-29.16.1 libmysqlclient18-debuginfo-32bit-10.0.34-29.16.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libmysqlclient-devel-10.0.34-29.16.1 libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 libmysqlclient_r18-10.0.34-29.16.1 libmysqld-devel-10.0.34-29.16.1 libmysqld18-10.0.34-29.16.1 libmysqld18-debuginfo-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 mariadb-tools-10.0.34-29.16.1 mariadb-tools-debuginfo-10.0.34-29.16.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libmysqlclient18-32bit-10.0.34-29.16.1 libmysqlclient18-debuginfo-32bit-10.0.34-29.16.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-32bit-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 libmysqlclient18-debuginfo-32bit-10.0.34-29.16.1 libmysqlclient_r18-10.0.34-29.16.1 libmysqlclient_r18-32bit-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libmysqlclient18-10.0.34-29.16.1 libmysqlclient18-32bit-10.0.34-29.16.1 libmysqlclient18-debuginfo-10.0.34-29.16.1 libmysqlclient18-debuginfo-32bit-10.0.34-29.16.1 libmysqlclient_r18-10.0.34-29.16.1 libmysqlclient_r18-32bit-10.0.34-29.16.1 mariadb-10.0.34-29.16.1 mariadb-client-10.0.34-29.16.1 mariadb-client-debuginfo-10.0.34-29.16.1 mariadb-debuginfo-10.0.34-29.16.1 mariadb-debugsource-10.0.34-29.16.1 mariadb-errormessages-10.0.34-29.16.1 References: https://www.suse.com/security/cve/CVE-2018-2562.html https://www.suse.com/security/cve/CVE-2018-2612.html https://www.suse.com/security/cve/CVE-2018-2622.html https://www.suse.com/security/cve/CVE-2018-2640.html https://www.suse.com/security/cve/CVE-2018-2665.html https://www.suse.com/security/cve/CVE-2018-2668.html https://bugzilla.suse.com/1078431 From sle-security-updates at lists.suse.com Thu Mar 15 14:07:43 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 15 Mar 2018 21:07:43 +0100 (CET) Subject: SUSE-SU-2018:0698-1: important: Security update for mariadb Message-ID: <20180315200743.DA85AF7BA@maintenance.suse.de> SUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0698-1 Rating: important References: #1064101 #1064115 #1072665 #1078431 Cross-References: CVE-2017-10268 CVE-2017-10378 CVE-2018-2562 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668 Affected Products: SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for mariadb to 10.0.34 fixes several issues. These security issues were fixed: - CVE-2017-10378: Vulnerability in subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) (bsc#1064115). - CVE-2017-10268: Vulnerability in subcomponent: Server: Replication. Difficult to exploit vulnerability allowed high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data (bsc#1064101). - CVE-2018-2562: Vulnerability in the MySQL Server subcomponent: Server : Partition. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. - CVE-2018-2622: Vulnerability in the MySQL Server subcomponent: Server: DDL. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2640: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2665: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2668: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. - CVE-2018-2612: Vulnerability in the MySQL Server subcomponent: InnoDB. Easily exploitable vulnerability allowed high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. These non-security issues were fixed: - Relax the required version of mariadb-errormessages to fix the update to MariaDB 10.2. (bsc#1072665) - CHECK TABLE no longer returns an error when run on a CONNECT table - 'Undo log record is too big.' error occurring in very narrow range of string lengths - Race condition between INFORMATION_SCHEMA.INNODB_SYS_TABLESTATS and ALTER/DROP/TRUNCATE TABLE - Wrong result after altering a partitioned table fixed bugs in InnoDB FULLTEXT INDEX - InnoDB FTS duplicate key error * MDEV-13051: InnoDB crash after failed ADD INDEX and table_definition_cache eviction - fts_create_doc_id() unnecessarily allocates 8 bytes for every inserted row - IMPORT TABLESPACE may corrupt ROW_FORMAT=REDUNDANT tables For additional changes please see https://kb.askmonty.org/en/mariadb-10033-changelog and https://kb.askmonty.org/en/mariadb-10034-changelog . Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-477=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): libmysqlclient-devel-10.0.34-20.43.1 libmysqlclient18-10.0.34-20.43.1 libmysqlclient18-debuginfo-10.0.34-20.43.1 libmysqlclient_r18-10.0.34-20.43.1 libmysqld-devel-10.0.34-20.43.1 libmysqld18-10.0.34-20.43.1 libmysqld18-debuginfo-10.0.34-20.43.1 mariadb-10.0.34-20.43.1 mariadb-client-10.0.34-20.43.1 mariadb-client-debuginfo-10.0.34-20.43.1 mariadb-debuginfo-10.0.34-20.43.1 mariadb-debugsource-10.0.34-20.43.1 mariadb-errormessages-10.0.34-20.43.1 mariadb-tools-10.0.34-20.43.1 mariadb-tools-debuginfo-10.0.34-20.43.1 - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64): libmysqlclient18-32bit-10.0.34-20.43.1 libmysqlclient18-debuginfo-32bit-10.0.34-20.43.1 References: https://www.suse.com/security/cve/CVE-2017-10268.html https://www.suse.com/security/cve/CVE-2017-10378.html https://www.suse.com/security/cve/CVE-2018-2562.html https://www.suse.com/security/cve/CVE-2018-2612.html https://www.suse.com/security/cve/CVE-2018-2622.html https://www.suse.com/security/cve/CVE-2018-2640.html https://www.suse.com/security/cve/CVE-2018-2665.html https://www.suse.com/security/cve/CVE-2018-2668.html https://bugzilla.suse.com/1064101 https://bugzilla.suse.com/1064115 https://bugzilla.suse.com/1072665 https://bugzilla.suse.com/1078431 From sle-security-updates at lists.suse.com Fri Mar 16 11:07:29 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Mar 2018 18:07:29 +0100 (CET) Subject: SUSE-SU-2018:0705-1: important: Security update for microcode_ctl Message-ID: <20180316170729.D8218F7BA@maintenance.suse.de> SUSE Security Update: Security update for microcode_ctl ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0705-1 Rating: important References: #1085207 Cross-References: CVE-2017-5715 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ucode-intel fixes the following issues: The Intel CPU microcode version was updated to version 20180312. This update enables the IBPB+IBRS based mitigations of the Spectre v2 flaws (boo#1085207 CVE-2017-5715) - New Platforms - BDX-DE EGW A0 6-56-5:10 e000009 - SKX B1 6-55-3:97 1000140 - Updates - SNB D2 6-2a-7:12 29->2d - JKT C1 6-2d-6:6d 619->61c - JKT C2 6-2d-7:6d 710->713 - IVB E2 6-3a-9:12 1c->1f - IVT C0 6-3e-4:ed 428->42c - IVT D1 6-3e-7:ed 70d->713 - HSW Cx/Dx 6-3c-3:32 22->24 - HSW-ULT Cx/Dx 6-45-1:72 20->23 - CRW Cx 6-46-1:32 17->19 - HSX C0 6-3f-2:6f 3a->3c - HSX-EX E0 6-3f-4:80 0f->11 - BDW-U/Y E/F 6-3d-4:c0 25->2a - BDW-H E/G 6-47-1:22 17->1d - BDX-DE V0/V1 6-56-2:10 0f->15 - BDW-DE V2 6-56-3:10 700000d->7000012 - BDW-DE Y0 6-56-4:10 f00000a->f000011 - SKL-U/Y D0 6-4e-3:c0 ba->c2 - SKL R0 6-5e-3:36 ba->c2 - KBL-U/Y H0 6-8e-9:c0 62->84 - KBL B0 6-9e-9:2a 5e->84 - CFL D0 6-8e-a:c0 70->84 - CFL U0 6-9e-a:22 70->84 - CFL B0 6-9e-b:02 72->84 - SKX H0 6-55-4:b7 2000035->2000043 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-microcode_ctl-13514=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-microcode_ctl-13514=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-microcode_ctl-13514=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64): microcode_ctl-1.17-102.83.15.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64): microcode_ctl-1.17-102.83.15.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): microcode_ctl-1.17-102.83.15.1 References: https://www.suse.com/security/cve/CVE-2017-5715.html https://bugzilla.suse.com/1085207 From sle-security-updates at lists.suse.com Fri Mar 16 11:09:02 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Mar 2018 18:09:02 +0100 (CET) Subject: SUSE-SU-2018:0708-1: important: Security update for ucode-intel Message-ID: <20180316170902.D1765F7BD@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0708-1 Rating: important References: #1085207 Cross-References: CVE-2017-5715 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ucode-intel fixes the following issues: The Intel CPU microcode version was updated to version 20180312. This update enables the IBPB+IBRS based mitigations of the Spectre v2 flaws (boo#1085207 CVE-2017-5715) - New Platforms - BDX-DE EGW A0 6-56-5:10 e000009 - SKX B1 6-55-3:97 1000140 - Updates - SNB D2 6-2a-7:12 29->2d - JKT C1 6-2d-6:6d 619->61c - JKT C2 6-2d-7:6d 710->713 - IVB E2 6-3a-9:12 1c->1f - IVT C0 6-3e-4:ed 428->42c - IVT D1 6-3e-7:ed 70d->713 - HSW Cx/Dx 6-3c-3:32 22->24 - HSW-ULT Cx/Dx 6-45-1:72 20->23 - CRW Cx 6-46-1:32 17->19 - HSX C0 6-3f-2:6f 3a->3c - HSX-EX E0 6-3f-4:80 0f->11 - BDW-U/Y E/F 6-3d-4:c0 25->2a - BDW-H E/G 6-47-1:22 17->1d - BDX-DE V0/V1 6-56-2:10 0f->15 - BDW-DE V2 6-56-3:10 700000d->7000012 - BDW-DE Y0 6-56-4:10 f00000a->f000011 - SKL-U/Y D0 6-4e-3:c0 ba->c2 - SKL R0 6-5e-3:36 ba->c2 - KBL-U/Y H0 6-8e-9:c0 62->84 - KBL B0 6-9e-9:2a 5e->84 - CFL D0 6-8e-a:c0 70->84 - CFL U0 6-9e-a:22 70->84 - CFL B0 6-9e-b:02 72->84 - SKX H0 6-55-4:b7 2000035->2000043 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-479=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-479=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-479=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-479=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-479=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-479=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-479=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-479=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 6 (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 - SUSE Linux Enterprise Server 12-SP2 (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): ucode-intel-20180312-13.17.1 ucode-intel-debuginfo-20180312-13.17.1 ucode-intel-debugsource-20180312-13.17.1 References: https://www.suse.com/security/cve/CVE-2017-5715.html https://bugzilla.suse.com/1085207 From sle-security-updates at lists.suse.com Fri Mar 16 14:08:44 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Mar 2018 21:08:44 +0100 (CET) Subject: SUSE-SU-2018:0715-1: moderate: Security update for libid3tag Message-ID: <20180316200844.37A4AF7BA@maintenance.suse.de> SUSE Security Update: Security update for libid3tag ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0715-1 Rating: moderate References: #1081959 #1081961 #1081962 #387731 Cross-References: CVE-2004-2779 CVE-2008-2109 CVE-2017-11550 CVE-2017-11551 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for libid3tag fixes the following issues: - CVE-2004-2779 CVE-2017-11551: Fixed id3_utf16_deserialize() in utf16.c, which previously misparsed ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until OOM leading to DoS. (bsc#1081959 bsc#1081961) - CVE-2017-11550 CVE-2008-2109: Fixed the handling of unknown encodings when parsing ID3 tags. (bsc#1081962 bsc#387731) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-libid3tag-13517=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-libid3tag-13517=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): libid3tag-0.15.1b-132.3.1 libid3tag-devel-0.15.1b-132.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): libid3tag-debuginfo-0.15.1b-132.3.1 libid3tag-debugsource-0.15.1b-132.3.1 References: https://www.suse.com/security/cve/CVE-2004-2779.html https://www.suse.com/security/cve/CVE-2008-2109.html https://www.suse.com/security/cve/CVE-2017-11550.html https://www.suse.com/security/cve/CVE-2017-11551.html https://bugzilla.suse.com/1081959 https://bugzilla.suse.com/1081961 https://bugzilla.suse.com/1081962 https://bugzilla.suse.com/387731 From sle-security-updates at lists.suse.com Fri Mar 16 14:10:04 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Mar 2018 21:10:04 +0100 (CET) Subject: SUSE-SU-2018:0717-1: moderate: Security update for php5 Message-ID: <20180316201004.71E45F7BA@maintenance.suse.de> SUSE Security Update: Security update for php5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0717-1 Rating: moderate References: #1083639 Cross-References: CVE-2018-7584 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for php5 fixes the following issues: Security issues fixed: - CVE-2018-7584: Fixed stack-based buffer under-read while parsing an HTTPresponse in the php_stream_url_wrap_http_ex (bsc#1083639). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-487=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-487=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-487=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): php5-debuginfo-5.5.14-109.24.1 php5-debugsource-5.5.14-109.24.1 php5-devel-5.5.14-109.24.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): php5-debuginfo-5.5.14-109.24.1 php5-debugsource-5.5.14-109.24.1 php5-devel-5.5.14-109.24.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php5-5.5.14-109.24.1 apache2-mod_php5-debuginfo-5.5.14-109.24.1 php5-5.5.14-109.24.1 php5-bcmath-5.5.14-109.24.1 php5-bcmath-debuginfo-5.5.14-109.24.1 php5-bz2-5.5.14-109.24.1 php5-bz2-debuginfo-5.5.14-109.24.1 php5-calendar-5.5.14-109.24.1 php5-calendar-debuginfo-5.5.14-109.24.1 php5-ctype-5.5.14-109.24.1 php5-ctype-debuginfo-5.5.14-109.24.1 php5-curl-5.5.14-109.24.1 php5-curl-debuginfo-5.5.14-109.24.1 php5-dba-5.5.14-109.24.1 php5-dba-debuginfo-5.5.14-109.24.1 php5-debuginfo-5.5.14-109.24.1 php5-debugsource-5.5.14-109.24.1 php5-dom-5.5.14-109.24.1 php5-dom-debuginfo-5.5.14-109.24.1 php5-enchant-5.5.14-109.24.1 php5-enchant-debuginfo-5.5.14-109.24.1 php5-exif-5.5.14-109.24.1 php5-exif-debuginfo-5.5.14-109.24.1 php5-fastcgi-5.5.14-109.24.1 php5-fastcgi-debuginfo-5.5.14-109.24.1 php5-fileinfo-5.5.14-109.24.1 php5-fileinfo-debuginfo-5.5.14-109.24.1 php5-fpm-5.5.14-109.24.1 php5-fpm-debuginfo-5.5.14-109.24.1 php5-ftp-5.5.14-109.24.1 php5-ftp-debuginfo-5.5.14-109.24.1 php5-gd-5.5.14-109.24.1 php5-gd-debuginfo-5.5.14-109.24.1 php5-gettext-5.5.14-109.24.1 php5-gettext-debuginfo-5.5.14-109.24.1 php5-gmp-5.5.14-109.24.1 php5-gmp-debuginfo-5.5.14-109.24.1 php5-iconv-5.5.14-109.24.1 php5-iconv-debuginfo-5.5.14-109.24.1 php5-imap-5.5.14-109.24.1 php5-imap-debuginfo-5.5.14-109.24.1 php5-intl-5.5.14-109.24.1 php5-intl-debuginfo-5.5.14-109.24.1 php5-json-5.5.14-109.24.1 php5-json-debuginfo-5.5.14-109.24.1 php5-ldap-5.5.14-109.24.1 php5-ldap-debuginfo-5.5.14-109.24.1 php5-mbstring-5.5.14-109.24.1 php5-mbstring-debuginfo-5.5.14-109.24.1 php5-mcrypt-5.5.14-109.24.1 php5-mcrypt-debuginfo-5.5.14-109.24.1 php5-mysql-5.5.14-109.24.1 php5-mysql-debuginfo-5.5.14-109.24.1 php5-odbc-5.5.14-109.24.1 php5-odbc-debuginfo-5.5.14-109.24.1 php5-opcache-5.5.14-109.24.1 php5-opcache-debuginfo-5.5.14-109.24.1 php5-openssl-5.5.14-109.24.1 php5-openssl-debuginfo-5.5.14-109.24.1 php5-pcntl-5.5.14-109.24.1 php5-pcntl-debuginfo-5.5.14-109.24.1 php5-pdo-5.5.14-109.24.1 php5-pdo-debuginfo-5.5.14-109.24.1 php5-pgsql-5.5.14-109.24.1 php5-pgsql-debuginfo-5.5.14-109.24.1 php5-phar-5.5.14-109.24.1 php5-phar-debuginfo-5.5.14-109.24.1 php5-posix-5.5.14-109.24.1 php5-posix-debuginfo-5.5.14-109.24.1 php5-pspell-5.5.14-109.24.1 php5-pspell-debuginfo-5.5.14-109.24.1 php5-shmop-5.5.14-109.24.1 php5-shmop-debuginfo-5.5.14-109.24.1 php5-snmp-5.5.14-109.24.1 php5-snmp-debuginfo-5.5.14-109.24.1 php5-soap-5.5.14-109.24.1 php5-soap-debuginfo-5.5.14-109.24.1 php5-sockets-5.5.14-109.24.1 php5-sockets-debuginfo-5.5.14-109.24.1 php5-sqlite-5.5.14-109.24.1 php5-sqlite-debuginfo-5.5.14-109.24.1 php5-suhosin-5.5.14-109.24.1 php5-suhosin-debuginfo-5.5.14-109.24.1 php5-sysvmsg-5.5.14-109.24.1 php5-sysvmsg-debuginfo-5.5.14-109.24.1 php5-sysvsem-5.5.14-109.24.1 php5-sysvsem-debuginfo-5.5.14-109.24.1 php5-sysvshm-5.5.14-109.24.1 php5-sysvshm-debuginfo-5.5.14-109.24.1 php5-tokenizer-5.5.14-109.24.1 php5-tokenizer-debuginfo-5.5.14-109.24.1 php5-wddx-5.5.14-109.24.1 php5-wddx-debuginfo-5.5.14-109.24.1 php5-xmlreader-5.5.14-109.24.1 php5-xmlreader-debuginfo-5.5.14-109.24.1 php5-xmlrpc-5.5.14-109.24.1 php5-xmlrpc-debuginfo-5.5.14-109.24.1 php5-xmlwriter-5.5.14-109.24.1 php5-xmlwriter-debuginfo-5.5.14-109.24.1 php5-xsl-5.5.14-109.24.1 php5-xsl-debuginfo-5.5.14-109.24.1 php5-zip-5.5.14-109.24.1 php5-zip-debuginfo-5.5.14-109.24.1 php5-zlib-5.5.14-109.24.1 php5-zlib-debuginfo-5.5.14-109.24.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php5-pear-5.5.14-109.24.1 References: https://www.suse.com/security/cve/CVE-2018-7584.html https://bugzilla.suse.com/1083639 From sle-security-updates at lists.suse.com Fri Mar 16 14:11:38 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Mar 2018 21:11:38 +0100 (CET) Subject: SUSE-SU-2018:0720-1: moderate: Security update for xmltooling Message-ID: <20180316201138.55EF0F7BA@maintenance.suse.de> SUSE Security Update: Security update for xmltooling ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0720-1 Rating: moderate References: #1083247 Cross-References: CVE-2018-0486 CVE-2018-0489 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for xmltooling fixes the following issues: - CVE-2018-0489: Fixed a security bug when xmltooling mishandled digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486. (bsc#1083247) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-488=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-488=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-488=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-488=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-488=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libxmltooling-devel-1.5.6-3.6.1 xmltooling-debugsource-1.5.6-3.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): libxmltooling-devel-1.5.6-3.6.1 xmltooling-debugsource-1.5.6-3.6.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libxmltooling6-1.5.6-3.6.1 libxmltooling6-debuginfo-1.5.6-3.6.1 xmltooling-debugsource-1.5.6-3.6.1 xmltooling-schemas-1.5.6-3.6.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libxmltooling6-1.5.6-3.6.1 libxmltooling6-debuginfo-1.5.6-3.6.1 xmltooling-debugsource-1.5.6-3.6.1 xmltooling-schemas-1.5.6-3.6.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libxmltooling6-1.5.6-3.6.1 libxmltooling6-debuginfo-1.5.6-3.6.1 xmltooling-debugsource-1.5.6-3.6.1 xmltooling-schemas-1.5.6-3.6.1 References: https://www.suse.com/security/cve/CVE-2018-0486.html https://www.suse.com/security/cve/CVE-2018-0489.html https://bugzilla.suse.com/1083247 From sle-security-updates at lists.suse.com Fri Mar 16 14:15:09 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Mar 2018 21:15:09 +0100 (CET) Subject: SUSE-SU-2018:0722-1: moderate: Security update for libid3tag Message-ID: <20180316201509.03EDAF7BD@maintenance.suse.de> SUSE Security Update: Security update for libid3tag ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0722-1 Rating: moderate References: #1081959 #1081961 #1081962 #387731 Cross-References: CVE-2004-2779 CVE-2008-2109 CVE-2017-11550 CVE-2017-11551 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for libid3tag fixes the following issues: - CVE-2004-2779 CVE-2017-11551: Fixed id3_utf16_deserialize() in utf16.c, which previously misparsed ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until OOM leading to DoS. (bsc#1081959 bsc#1081961) - CVE-2017-11550 CVE-2008-2109: Fixed the handling of unknown encodings when parsing ID3 tags. (bsc#1081962 bsc#387731) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-490=1 - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-490=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-490=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-490=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-490=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-490=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): libid3tag-debugsource-0.15.1b-184.3.1 libid3tag0-0.15.1b-184.3.1 libid3tag0-debuginfo-0.15.1b-184.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): libid3tag-debugsource-0.15.1b-184.3.1 libid3tag0-0.15.1b-184.3.1 libid3tag0-debuginfo-0.15.1b-184.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libid3tag-debugsource-0.15.1b-184.3.1 libid3tag-devel-0.15.1b-184.3.1 libid3tag0-0.15.1b-184.3.1 libid3tag0-debuginfo-0.15.1b-184.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): libid3tag-debugsource-0.15.1b-184.3.1 libid3tag-devel-0.15.1b-184.3.1 libid3tag0-0.15.1b-184.3.1 libid3tag0-debuginfo-0.15.1b-184.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libid3tag-debugsource-0.15.1b-184.3.1 libid3tag0-0.15.1b-184.3.1 libid3tag0-debuginfo-0.15.1b-184.3.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libid3tag-debugsource-0.15.1b-184.3.1 libid3tag0-0.15.1b-184.3.1 libid3tag0-debuginfo-0.15.1b-184.3.1 References: https://www.suse.com/security/cve/CVE-2004-2779.html https://www.suse.com/security/cve/CVE-2008-2109.html https://www.suse.com/security/cve/CVE-2017-11550.html https://www.suse.com/security/cve/CVE-2017-11551.html https://bugzilla.suse.com/1081959 https://bugzilla.suse.com/1081961 https://bugzilla.suse.com/1081962 https://bugzilla.suse.com/387731 From sle-security-updates at lists.suse.com Mon Mar 19 11:08:55 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 19 Mar 2018 18:08:55 +0100 (CET) Subject: SUSE-SU-2018:0743-1: important: Security update for java-1_7_1-ibm Message-ID: <20180319170855.E76D9F7BA@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_1-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0743-1 Rating: important References: #1057460 #1076390 #1082810 #1085018 #929900 #955131 #966304 Cross-References: CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2657 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: This update for java-1_7_1-ibm fixes the following issue: The version was updated to 7.1.4.20 [bsc#1082810] * Security fixes: - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 * Defect fixes: - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler * SUSE fixes: - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390] - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900] - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs SR 110991601735. [bsc#966304] - Ensure that all Java policy files are symlinked into the proper file system locations. Without those symlinks, several OES iManager plugins did not function properly. [bsc#1085018] Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-498=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-498=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-498=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-498=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-498=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-498=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-498=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-498=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud 6 (x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-devel-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-devel-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-SP2 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-SP2 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-devel-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-devel-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.20-38.16.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.20-38.16.1 java-1_7_1-ibm-plugin-1.7.1_sr4.20-38.16.1 References: https://www.suse.com/security/cve/CVE-2018-2579.html https://www.suse.com/security/cve/CVE-2018-2582.html https://www.suse.com/security/cve/CVE-2018-2588.html https://www.suse.com/security/cve/CVE-2018-2599.html https://www.suse.com/security/cve/CVE-2018-2602.html https://www.suse.com/security/cve/CVE-2018-2603.html https://www.suse.com/security/cve/CVE-2018-2618.html https://www.suse.com/security/cve/CVE-2018-2633.html https://www.suse.com/security/cve/CVE-2018-2634.html https://www.suse.com/security/cve/CVE-2018-2637.html https://www.suse.com/security/cve/CVE-2018-2641.html https://www.suse.com/security/cve/CVE-2018-2657.html https://www.suse.com/security/cve/CVE-2018-2663.html https://www.suse.com/security/cve/CVE-2018-2677.html https://www.suse.com/security/cve/CVE-2018-2678.html https://bugzilla.suse.com/1057460 https://bugzilla.suse.com/1076390 https://bugzilla.suse.com/1082810 https://bugzilla.suse.com/1085018 https://bugzilla.suse.com/929900 https://bugzilla.suse.com/955131 https://bugzilla.suse.com/966304 From sle-security-updates at lists.suse.com Tue Mar 20 14:07:07 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Mar 2018 21:07:07 +0100 (CET) Subject: SUSE-SU-2018:0748-1: moderate: Security update for kubernetes Message-ID: <20180320200707.1DB91F7BA@maintenance.suse.de> SUSE Security Update: Security update for kubernetes ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0748-1 Rating: moderate References: #1085007 Cross-References: CVE-2017-1002101 Affected Products: SUSE CaaS Platform ALL ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for kubernetes fixes the following issues: Security issue fixed: - CVE-2017-1002101: Fixed volume security that could be sidestepped with innocent emptyDir and subpath (bsc#1085007). Bug fixes: - Update to version 1.8.9+3fb1aafdafa3d33bc698930095db1e56c0f76452. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE CaaS Platform ALL: zypper in -t patch SUSE-CAASP-ALL-2018-505=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE CaaS Platform ALL (x86_64): kubernetes-client-1.8.9-11.6.1 kubernetes-common-1.8.9-11.6.1 kubernetes-kubelet-1.8.9-11.6.1 kubernetes-master-1.8.9-11.6.1 kubernetes-node-1.8.9-11.6.1 References: https://www.suse.com/security/cve/CVE-2017-1002101.html https://bugzilla.suse.com/1085007 From sle-security-updates at lists.suse.com Wed Mar 21 08:07:46 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Mar 2018 15:07:46 +0100 (CET) Subject: SUSE-SU-2018:0752-1: moderate: Security update for squid3 Message-ID: <20180321140746.8EBE3F7BA@maintenance.suse.de> SUSE Security Update: Security update for squid3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0752-1 Rating: moderate References: #1077003 #1077006 Cross-References: CVE-2018-1000024 CVE-2018-1000027 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for squid3 fixes the following issues: Security issues fixed: - CVE-2018-1000024: DoS fix caused by incorrect pointer handling when processing ESI responses. This affects the default custom esi_parser (bsc#1077003). - CVE-2018-1000027: DoS fix caused by incorrect pointer handing whien processing ESI responses or downloading intermediate CA certificates (bsc#1077006). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-squid3-13521=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-squid3-13521=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): squid3-3.1.23-8.16.37.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): squid3-debuginfo-3.1.23-8.16.37.3.1 squid3-debugsource-3.1.23-8.16.37.3.1 References: https://www.suse.com/security/cve/CVE-2018-1000024.html https://www.suse.com/security/cve/CVE-2018-1000027.html https://bugzilla.suse.com/1077003 https://bugzilla.suse.com/1077006 From sle-security-updates at lists.suse.com Wed Mar 21 08:08:50 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Mar 2018 15:08:50 +0100 (CET) Subject: SUSE-SU-2018:0754-1: moderate: Security update for samba, talloc, tevent Message-ID: <20180321140850.01629F7BA@maintenance.suse.de> SUSE Security Update: Security update for samba, talloc, tevent ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0754-1 Rating: moderate References: #1069666 #1081741 #1084191 Cross-References: CVE-2018-1050 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise High Availability 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: Samba was updated to version 4.6.13 to fix several bugs. (bsc#1084191) Security issue fixed: - CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally (bsc#1081741). The library talloc was updated to version 2.1.10: - build, documentation and python3 improvements The library tevent was updated to version 0.9.34 (bsc#1069666); - Remove unused select backend - Fix a race condition in tevent_threaded_schedule_immediate(); (bso#13130); - make tevent_req_print() more robust against crashes - Fix mutex locking in tevent_threaded_context_destructor(). - Re-init threading in tevent_re_initialise(). - Include the finish location in tevent_req_default_print(). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-507=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-507=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-507=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-507=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-507=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libsmbclient-devel-4.6.13+git.72.2a684235f41-3.21.3 libtalloc-devel-2.1.10-3.3.2 libtevent-devel-0.9.34-3.3.2 libwbclient-devel-4.6.13+git.72.2a684235f41-3.21.3 python-talloc-devel-2.1.10-3.3.2 python-tevent-0.9.34-3.3.2 python-tevent-debuginfo-0.9.34-3.3.2 samba-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debugsource-4.6.13+git.72.2a684235f41-3.21.3 talloc-debugsource-2.1.10-3.3.2 tevent-debugsource-0.9.34-3.3.2 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libdcerpc-binding0-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc-binding0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr0-4.6.13+git.72.2a684235f41-3.21.3 libndr0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libtalloc2-2.1.10-3.3.2 libtalloc2-debuginfo-2.1.10-3.3.2 libtevent-util0-4.6.13+git.72.2a684235f41-3.21.3 libtevent-util0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libtevent0-0.9.34-3.3.2 libtevent0-debuginfo-0.9.34-3.3.2 libwbclient0-4.6.13+git.72.2a684235f41-3.21.3 libwbclient0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 python-talloc-2.1.10-3.3.2 python-talloc-debuginfo-2.1.10-3.3.2 samba-4.6.13+git.72.2a684235f41-3.21.3 samba-client-4.6.13+git.72.2a684235f41-3.21.3 samba-client-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debugsource-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 talloc-debugsource-2.1.10-3.3.2 tevent-debugsource-0.9.34-3.3.2 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libdcerpc-binding0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc-binding0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libtalloc2-32bit-2.1.10-3.3.2 libtalloc2-debuginfo-32bit-2.1.10-3.3.2 libtevent-util0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libtevent-util0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libtevent0-32bit-0.9.34-3.3.2 libtevent0-debuginfo-32bit-0.9.34-3.3.2 libwbclient0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libwbclient0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 python-talloc-32bit-2.1.10-3.3.2 python-talloc-debuginfo-32bit-2.1.10-3.3.2 samba-client-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-client-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 - SUSE Linux Enterprise Server 12-SP3 (noarch): samba-doc-4.6.13+git.72.2a684235f41-3.21.3 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): ctdb-4.6.13+git.72.2a684235f41-3.21.3 ctdb-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debugsource-4.6.13+git.72.2a684235f41-3.21.3 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): samba-doc-4.6.13+git.72.2a684235f41-3.21.3 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libdcerpc-binding0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc-binding0-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc-binding0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc-binding0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libdcerpc0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-krb5pac0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-nbt0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr-standard0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libndr0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr0-4.6.13+git.72.2a684235f41-3.21.3 libndr0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libndr0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libnetapi0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-credentials0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-errors0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-hostconfig0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-passdb0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamba-util0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsamdb0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbclient0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbconf0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libsmbldap0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libtalloc2-2.1.10-3.3.2 libtalloc2-32bit-2.1.10-3.3.2 libtalloc2-debuginfo-2.1.10-3.3.2 libtalloc2-debuginfo-32bit-2.1.10-3.3.2 libtevent-util0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libtevent-util0-4.6.13+git.72.2a684235f41-3.21.3 libtevent-util0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libtevent-util0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 libtevent0-0.9.34-3.3.2 libtevent0-32bit-0.9.34-3.3.2 libtevent0-debuginfo-0.9.34-3.3.2 libtevent0-debuginfo-32bit-0.9.34-3.3.2 libwbclient0-32bit-4.6.13+git.72.2a684235f41-3.21.3 libwbclient0-4.6.13+git.72.2a684235f41-3.21.3 libwbclient0-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 libwbclient0-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 python-talloc-2.1.10-3.3.2 python-talloc-32bit-2.1.10-3.3.2 python-talloc-debuginfo-2.1.10-3.3.2 python-talloc-debuginfo-32bit-2.1.10-3.3.2 samba-4.6.13+git.72.2a684235f41-3.21.3 samba-client-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-client-4.6.13+git.72.2a684235f41-3.21.3 samba-client-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-client-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debugsource-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-libs-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-debuginfo-32bit-4.6.13+git.72.2a684235f41-3.21.3 samba-winbind-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 talloc-debugsource-2.1.10-3.3.2 tevent-debugsource-0.9.34-3.3.2 - SUSE Enterprise Storage 5 (aarch64 x86_64): ctdb-4.6.13+git.72.2a684235f41-3.21.3 ctdb-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-ceph-4.6.13+git.72.2a684235f41-3.21.3 samba-ceph-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debuginfo-4.6.13+git.72.2a684235f41-3.21.3 samba-debugsource-4.6.13+git.72.2a684235f41-3.21.3 References: https://www.suse.com/security/cve/CVE-2018-1050.html https://bugzilla.suse.com/1069666 https://bugzilla.suse.com/1081741 https://bugzilla.suse.com/1084191 From sle-security-updates at lists.suse.com Wed Mar 21 08:09:37 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Mar 2018 15:09:37 +0100 (CET) Subject: SUSE-SU-2018:0755-1: moderate: Security update for postgresql94 Message-ID: <20180321140937.AAB03F7BA@maintenance.suse.de> SUSE Security Update: Security update for postgresql94 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0755-1 Rating: moderate References: #1081925 Cross-References: CVE-2018-1058 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for postgresql94 fixes the following issues: Security issues fixed: - CVE-2018-1058: Fixed uncontrolled search path element in pg_dump and other client applications (bsc#1081925). Bug fixes: - See release notes for details: * https://www.postgresql.org/docs/9.4/static/release-9-4-17.html * https://www.postgresql.org/docs/9.4/static/release-9-4-16.html Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-postgresql94-13522=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-postgresql94-13522=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-postgresql94-13522=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): postgresql94-devel-9.4.17-0.23.16.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libecpg6-9.4.17-0.23.16.1 libpq5-9.4.17-0.23.16.1 postgresql94-9.4.17-0.23.16.1 postgresql94-contrib-9.4.17-0.23.16.1 postgresql94-docs-9.4.17-0.23.16.1 postgresql94-server-9.4.17-0.23.16.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libpq5-32bit-9.4.17-0.23.16.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): postgresql94-debuginfo-9.4.17-0.23.16.1 postgresql94-debugsource-9.4.17-0.23.16.1 postgresql94-libs-debuginfo-9.4.17-0.23.16.1 postgresql94-libs-debugsource-9.4.17-0.23.16.1 References: https://www.suse.com/security/cve/CVE-2018-1058.html https://bugzilla.suse.com/1081925 From sle-security-updates at lists.suse.com Wed Mar 21 08:10:14 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Mar 2018 15:10:14 +0100 (CET) Subject: SUSE-SU-2018:0756-1: moderate: Security update for postgresql96 Message-ID: <20180321141014.1A9D3F7BA@maintenance.suse.de> SUSE Security Update: Security update for postgresql96 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0756-1 Rating: moderate References: #1081925 Cross-References: CVE-2018-1058 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for postgresql96 fixes the following issues: Security issues fixed: - CVE-2018-1058: Fixed uncontrolled search path element in pg_dump and other client applications (bsc#1081925). Bug fixes: - See release notes for details: * https://www.postgresql.org/docs/9.6/static/release-9-6-8.html Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-510=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-510=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-510=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-510=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-510=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-510=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-510=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): postgresql96-devel-9.6.8-3.16.1 postgresql96-devel-debuginfo-9.6.8-3.16.1 postgresql96-libs-debugsource-9.6.8-3.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): postgresql96-devel-9.6.8-3.16.1 postgresql96-devel-debuginfo-9.6.8-3.16.1 postgresql96-libs-debugsource-9.6.8-3.16.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libecpg6-9.6.8-3.16.1 libecpg6-debuginfo-9.6.8-3.16.1 libpq5-9.6.8-3.16.1 libpq5-debuginfo-9.6.8-3.16.1 postgresql96-9.6.8-3.16.1 postgresql96-contrib-9.6.8-3.16.1 postgresql96-contrib-debuginfo-9.6.8-3.16.1 postgresql96-debuginfo-9.6.8-3.16.1 postgresql96-debugsource-9.6.8-3.16.1 postgresql96-libs-debugsource-9.6.8-3.16.1 postgresql96-server-9.6.8-3.16.1 postgresql96-server-debuginfo-9.6.8-3.16.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): postgresql96-docs-9.6.8-3.16.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libecpg6-9.6.8-3.16.1 libecpg6-debuginfo-9.6.8-3.16.1 libpq5-9.6.8-3.16.1 libpq5-debuginfo-9.6.8-3.16.1 postgresql96-9.6.8-3.16.1 postgresql96-contrib-9.6.8-3.16.1 postgresql96-contrib-debuginfo-9.6.8-3.16.1 postgresql96-debuginfo-9.6.8-3.16.1 postgresql96-debugsource-9.6.8-3.16.1 postgresql96-libs-debugsource-9.6.8-3.16.1 postgresql96-server-9.6.8-3.16.1 postgresql96-server-debuginfo-9.6.8-3.16.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libpq5-32bit-9.6.8-3.16.1 libpq5-debuginfo-32bit-9.6.8-3.16.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): postgresql96-docs-9.6.8-3.16.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libecpg6-9.6.8-3.16.1 libecpg6-debuginfo-9.6.8-3.16.1 libpq5-9.6.8-3.16.1 libpq5-debuginfo-9.6.8-3.16.1 postgresql96-9.6.8-3.16.1 postgresql96-contrib-9.6.8-3.16.1 postgresql96-contrib-debuginfo-9.6.8-3.16.1 postgresql96-debuginfo-9.6.8-3.16.1 postgresql96-debugsource-9.6.8-3.16.1 postgresql96-libs-debugsource-9.6.8-3.16.1 postgresql96-server-9.6.8-3.16.1 postgresql96-server-debuginfo-9.6.8-3.16.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): libpq5-32bit-9.6.8-3.16.1 libpq5-debuginfo-32bit-9.6.8-3.16.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): postgresql96-docs-9.6.8-3.16.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libecpg6-9.6.8-3.16.1 libecpg6-debuginfo-9.6.8-3.16.1 libpq5-32bit-9.6.8-3.16.1 libpq5-9.6.8-3.16.1 libpq5-debuginfo-32bit-9.6.8-3.16.1 libpq5-debuginfo-9.6.8-3.16.1 postgresql96-9.6.8-3.16.1 postgresql96-debuginfo-9.6.8-3.16.1 postgresql96-debugsource-9.6.8-3.16.1 postgresql96-libs-debugsource-9.6.8-3.16.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libecpg6-9.6.8-3.16.1 libecpg6-debuginfo-9.6.8-3.16.1 libpq5-32bit-9.6.8-3.16.1 libpq5-9.6.8-3.16.1 libpq5-debuginfo-32bit-9.6.8-3.16.1 libpq5-debuginfo-9.6.8-3.16.1 postgresql96-9.6.8-3.16.1 postgresql96-debuginfo-9.6.8-3.16.1 postgresql96-debugsource-9.6.8-3.16.1 postgresql96-libs-debugsource-9.6.8-3.16.1 References: https://www.suse.com/security/cve/CVE-2018-1058.html https://bugzilla.suse.com/1081925 From sle-security-updates at lists.suse.com Wed Mar 21 08:10:44 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Mar 2018 15:10:44 +0100 (CET) Subject: SUSE-SU-2018:0757-1: moderate: Security update for crash Message-ID: <20180321141044.98BEFF7BD@maintenance.suse.de> SUSE Security Update: Security update for crash ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0757-1 Rating: moderate References: #1013843 #1068032 Cross-References: CVE-2017-5715 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Real Time Extension 12-SP2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for crash fixes the following issues: - Exclude openSUSE from RT KMP build (bsc#1013843) This update also rebuilds the crash kernel module packages with retpoline support to mitigate Spectre Variant 2. (bsc#1068032 CVE-2017-5715) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-508=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-508=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-508=1 - SUSE Linux Enterprise Real Time Extension 12-SP2: zypper in -t patch SUSE-SLE-RT-12-SP2-2018-508=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): crash-debuginfo-7.1.5-15.3.45 crash-debugsource-7.1.5-15.3.45 crash-devel-7.1.5-15.3.45 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): crash-7.1.5-15.3.45 crash-debuginfo-7.1.5-15.3.45 crash-debugsource-7.1.5-15.3.45 crash-kmp-default-7.1.5_k4.4.114_92.67-15.3.45 crash-kmp-default-debuginfo-7.1.5_k4.4.114_92.67-15.3.45 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): crash-7.1.5-15.3.45 crash-debuginfo-7.1.5-15.3.45 crash-debugsource-7.1.5-15.3.45 crash-kmp-default-7.1.5_k4.4.114_92.67-15.3.45 crash-kmp-default-debuginfo-7.1.5_k4.4.114_92.67-15.3.45 - SUSE Linux Enterprise Real Time Extension 12-SP2 (x86_64): crash-kmp-rt-7.1.5_k4.4.21_6-15.3.45 crash-kmp-rt-debuginfo-7.1.5_k4.4.21_6-15.3.45 References: https://www.suse.com/security/cve/CVE-2017-5715.html https://bugzilla.suse.com/1013843 https://bugzilla.suse.com/1068032 From sle-security-updates at lists.suse.com Wed Mar 21 14:07:12 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Mar 2018 21:07:12 +0100 (CET) Subject: SUSE-SU-2018:0762-1: important: Security update for qemu Message-ID: <20180321200712.ECD2BF7C0@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0762-1 Rating: important References: #1040202 #1068032 #1068613 #1070144 #1071228 #1073489 #1074572 #1076114 #1076775 #1076813 #1082276 #1083291 Cross-References: CVE-2017-15119 CVE-2017-15124 CVE-2017-16845 CVE-2017-17381 CVE-2017-18043 CVE-2017-5715 CVE-2018-5683 CVE-2018-7550 Affected Products: SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL ______________________________________________________________________________ An update that solves 8 vulnerabilities and has four fixes is now available. Description: This update for qemu fixes the following issues: This update has the next round of Spectre v2 related patches, which now integrate with corresponding changes in libvirt. (CVE-2017-5715 bsc#1068032) The January 2018 release of qemu initially addressed the Spectre v2 vulnerability for KVM guests by exposing the spec-ctrl feature for all x86 vcpu types, which was the quick and dirty approach, but not the proper solution. We replaced our initial patch by the patches from upstream. This update defines spec_ctrl and ibpb cpu feature flags as well as new cpu models which are clones of existing models with either -IBRS or -IBPB added to the end of the model name. These new vcpu models explicitly include the new feature(s), whereas the feature flags can be added to the cpu parameter as with other features. In short, for continued Spectre v2 protection, ensure that either the appropriate cpu feature flag is added to the QEMU command-line, or one of the new cpu models is used. Although migration from older versions is supported, the new cpu features won't be properly exposed to the guest until it is restarted with the cpu features explicitly added. A reboot is insufficient. A warning patch is added which attempts to detect a migration from a qemu version which had the quick and dirty fix (it only detects certain cases, but hopefully is helpful.) For additional information on Spectre v2 as it relates to QEMU, see: https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/ A patch is added to continue to detect Spectre v2 mitigation features (as shown by cpuid), and if found provide that feature to guests, even if running on older KVM (kernel) versions which do not yet expose that feature to QEMU. (bsc#1082276) These two patches will be removed when we can reasonably assume everyone is running with the appropriate updates. Spectre fixes for IBM Z Series were included by providing more hw features to guests (bsc#1076813) Also security fixes for the following CVE issues are included: - CVE-2017-17381: The Virtio Vring implementation in QEMU allowed local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings. (bsc#1071228) - CVE-2017-16845: The PS2 driver in Qemu did not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. (bsc#1068613) - CVE-2017-15119: The Network Block Device (NBD) server in Quick Emulator (QEMU), was vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. (bsc#1070144) - CVE-2017-18043: Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allowed a user to cause a denial of service (Qemu process crash). (bsc#1076775) - CVE-2018-5683: The VGA driver in Qemu allowed local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. (bsc#1076114) - CVE-2018-7550: The multiboot functionality in Quick Emulator (aka QEMU) allowed local guest OS users to execute arbitrary code on the QEMU host via an out-of-bounds read or write memory access. (bsc#1083291) - CVE-2017-15124: VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. (bsc#1073489) Additional bugs fixed: - Fix pcihp for 1.6 and older machine types (bsc#1074572) - Fix packaging dependencies (coreutils) for qemu-ksm package (bsc#1040202) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-516=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-516=1 - SUSE CaaS Platform ALL: zypper in -t patch SUSE-CAASP-ALL-2018-516=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): qemu-2.9.1-6.12.1 qemu-block-curl-2.9.1-6.12.1 qemu-block-curl-debuginfo-2.9.1-6.12.1 qemu-block-iscsi-2.9.1-6.12.1 qemu-block-iscsi-debuginfo-2.9.1-6.12.1 qemu-block-ssh-2.9.1-6.12.1 qemu-block-ssh-debuginfo-2.9.1-6.12.1 qemu-debugsource-2.9.1-6.12.1 qemu-guest-agent-2.9.1-6.12.1 qemu-guest-agent-debuginfo-2.9.1-6.12.1 qemu-lang-2.9.1-6.12.1 qemu-tools-2.9.1-6.12.1 qemu-tools-debuginfo-2.9.1-6.12.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 x86_64): qemu-block-rbd-2.9.1-6.12.1 qemu-block-rbd-debuginfo-2.9.1-6.12.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): qemu-kvm-2.9.1-6.12.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64): qemu-arm-2.9.1-6.12.1 qemu-arm-debuginfo-2.9.1-6.12.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le): qemu-ppc-2.9.1-6.12.1 qemu-ppc-debuginfo-2.9.1-6.12.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): qemu-ipxe-1.0.0-6.12.1 qemu-seabios-1.10.2-6.12.1 qemu-sgabios-8-6.12.1 qemu-vgabios-1.10.2-6.12.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): qemu-x86-2.9.1-6.12.1 qemu-x86-debuginfo-2.9.1-6.12.1 - SUSE Linux Enterprise Server 12-SP3 (s390x): qemu-s390-2.9.1-6.12.1 qemu-s390-debuginfo-2.9.1-6.12.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): qemu-2.9.1-6.12.1 qemu-block-curl-2.9.1-6.12.1 qemu-block-curl-debuginfo-2.9.1-6.12.1 qemu-debugsource-2.9.1-6.12.1 qemu-kvm-2.9.1-6.12.1 qemu-tools-2.9.1-6.12.1 qemu-tools-debuginfo-2.9.1-6.12.1 qemu-x86-2.9.1-6.12.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): qemu-ipxe-1.0.0-6.12.1 qemu-seabios-1.10.2-6.12.1 qemu-sgabios-8-6.12.1 qemu-vgabios-1.10.2-6.12.1 - SUSE CaaS Platform ALL (x86_64): qemu-debugsource-2.9.1-6.12.1 qemu-guest-agent-2.9.1-6.12.1 qemu-guest-agent-debuginfo-2.9.1-6.12.1 References: https://www.suse.com/security/cve/CVE-2017-15119.html https://www.suse.com/security/cve/CVE-2017-15124.html https://www.suse.com/security/cve/CVE-2017-16845.html https://www.suse.com/security/cve/CVE-2017-17381.html https://www.suse.com/security/cve/CVE-2017-18043.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2018-5683.html https://www.suse.com/security/cve/CVE-2018-7550.html https://bugzilla.suse.com/1040202 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068613 https://bugzilla.suse.com/1070144 https://bugzilla.suse.com/1071228 https://bugzilla.suse.com/1073489 https://bugzilla.suse.com/1074572 https://bugzilla.suse.com/1076114 https://bugzilla.suse.com/1076775 https://bugzilla.suse.com/1076813 https://bugzilla.suse.com/1082276 https://bugzilla.suse.com/1083291 From sle-security-updates at lists.suse.com Thu Mar 22 10:27:53 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 22 Mar 2018 17:27:53 +0100 (CET) Subject: SUSE-SU-2018:0778-1: important: Security update for memcached Message-ID: <20180322162753.6B082F7C0@maintenance.suse.de> SUSE Security Update: Security update for memcached ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0778-1 Rating: important References: #1007869 #1007870 #1007871 #1056865 #798458 #817781 #857188 #858676 #858677 Cross-References: CVE-2011-4971 CVE-2013-0179 CVE-2013-7239 CVE-2013-7290 CVE-2013-7291 CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 CVE-2017-9951 Affected Products: SUSE OpenStack Cloud 7 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for memcached fixes the following issues: Security issues fixed: - CVE-2011-4971: remote DoS (bsc#817781). - CVE-2013-0179: DoS when printing out keys to be deleted in verbose mode (bsc#798458). - CVE-2013-7239: SASL authentication allows wrong credentials to access memcache (bsc#857188). - CVE-2013-7290: remote DoS (segmentation fault) via a request to delete a key (bsc#858677). - CVE-2013-7291: remote DoS (crash) via a request that triggers "unbounded key print" (bsc#858676). - CVE-2016-8704: Server append/prepend remote code execution (bsc#1007871). - CVE-2016-8705: Server update remote code execution (bsc#1007870). - CVE-2016-8706: Server ASL authentication remote code execution (bsc#1007869). - CVE-2017-9951: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705) (bsc#1056865). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-529=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-529=1 Package List: - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): memcached-1.4.39-3.3.2 memcached-debuginfo-1.4.39-3.3.2 memcached-debugsource-1.4.39-3.3.2 - SUSE Enterprise Storage 4 (aarch64 x86_64): memcached-1.4.39-3.3.2 memcached-debuginfo-1.4.39-3.3.2 memcached-debugsource-1.4.39-3.3.2 References: https://www.suse.com/security/cve/CVE-2011-4971.html https://www.suse.com/security/cve/CVE-2013-0179.html https://www.suse.com/security/cve/CVE-2013-7239.html https://www.suse.com/security/cve/CVE-2013-7290.html https://www.suse.com/security/cve/CVE-2013-7291.html https://www.suse.com/security/cve/CVE-2016-8704.html https://www.suse.com/security/cve/CVE-2016-8705.html https://www.suse.com/security/cve/CVE-2016-8706.html https://www.suse.com/security/cve/CVE-2017-9951.html https://bugzilla.suse.com/1007869 https://bugzilla.suse.com/1007870 https://bugzilla.suse.com/1007871 https://bugzilla.suse.com/1056865 https://bugzilla.suse.com/798458 https://bugzilla.suse.com/817781 https://bugzilla.suse.com/857188 https://bugzilla.suse.com/858676 https://bugzilla.suse.com/858677 From sle-security-updates at lists.suse.com Fri Mar 23 08:07:52 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 23 Mar 2018 15:07:52 +0100 (CET) Subject: SUSE-SU-2018:0783-1: moderate: Security update for libvorbis Message-ID: <20180323140752.D0ED1FC98@maintenance.suse.de> SUSE Security Update: Security update for libvorbis ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0783-1 Rating: moderate References: #1085687 Cross-References: CVE-2018-5146 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libvorbis fixes the following issues: - CVE-2018-5146: Fixed out of bounds memory write while processing Vorbis audio data (bsc#1085687). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-libvorbis-13529=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-libvorbis-13529=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-libvorbis-13529=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): libvorbis-devel-1.2.0-79.20.6.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libvorbis-1.2.0-79.20.6.1 libvorbis-doc-1.2.0-79.20.6.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libvorbis-32bit-1.2.0-79.20.6.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): libvorbis-x86-1.2.0-79.20.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): libvorbis-debuginfo-1.2.0-79.20.6.1 libvorbis-debugsource-1.2.0-79.20.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64): libvorbis-debuginfo-32bit-1.2.0-79.20.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64): libvorbis-debuginfo-x86-1.2.0-79.20.6.1 References: https://www.suse.com/security/cve/CVE-2018-5146.html https://bugzilla.suse.com/1085687 From sle-security-updates at lists.suse.com Fri Mar 23 08:08:27 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 23 Mar 2018 15:08:27 +0100 (CET) Subject: SUSE-SU-2018:0784-1: moderate: Security update for libvorbis Message-ID: <20180323140827.9E821FC98@maintenance.suse.de> SUSE Security Update: Security update for libvorbis ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0784-1 Rating: moderate References: #1085687 Cross-References: CVE-2018-5146 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libvorbis fixes the following issues: - CVE-2018-5146: Fixed out of bounds memory write while processing Vorbis audio data (bsc#1085687). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-531=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-531=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-531=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-531=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-531=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-531=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-531=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libvorbis-debugsource-1.3.3-10.6.1 libvorbis-devel-1.3.3-10.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): libvorbis-debugsource-1.3.3-10.6.1 libvorbis-devel-1.3.3-10.6.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libvorbis-debugsource-1.3.3-10.6.1 libvorbis0-1.3.3-10.6.1 libvorbis0-debuginfo-1.3.3-10.6.1 libvorbisenc2-1.3.3-10.6.1 libvorbisenc2-debuginfo-1.3.3-10.6.1 libvorbisfile3-1.3.3-10.6.1 libvorbisfile3-debuginfo-1.3.3-10.6.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): libvorbis-doc-1.3.3-10.6.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libvorbis-debugsource-1.3.3-10.6.1 libvorbis0-1.3.3-10.6.1 libvorbis0-debuginfo-1.3.3-10.6.1 libvorbisenc2-1.3.3-10.6.1 libvorbisenc2-debuginfo-1.3.3-10.6.1 libvorbisfile3-1.3.3-10.6.1 libvorbisfile3-debuginfo-1.3.3-10.6.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libvorbis0-32bit-1.3.3-10.6.1 libvorbis0-debuginfo-32bit-1.3.3-10.6.1 libvorbisenc2-32bit-1.3.3-10.6.1 libvorbisenc2-debuginfo-32bit-1.3.3-10.6.1 libvorbisfile3-32bit-1.3.3-10.6.1 libvorbisfile3-debuginfo-32bit-1.3.3-10.6.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): libvorbis-doc-1.3.3-10.6.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libvorbis-debugsource-1.3.3-10.6.1 libvorbis0-1.3.3-10.6.1 libvorbis0-debuginfo-1.3.3-10.6.1 libvorbisenc2-1.3.3-10.6.1 libvorbisenc2-debuginfo-1.3.3-10.6.1 libvorbisfile3-1.3.3-10.6.1 libvorbisfile3-debuginfo-1.3.3-10.6.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): libvorbis0-32bit-1.3.3-10.6.1 libvorbis0-debuginfo-32bit-1.3.3-10.6.1 libvorbisenc2-32bit-1.3.3-10.6.1 libvorbisenc2-debuginfo-32bit-1.3.3-10.6.1 libvorbisfile3-32bit-1.3.3-10.6.1 libvorbisfile3-debuginfo-32bit-1.3.3-10.6.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): libvorbis-doc-1.3.3-10.6.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libvorbis-debugsource-1.3.3-10.6.1 libvorbis0-1.3.3-10.6.1 libvorbis0-32bit-1.3.3-10.6.1 libvorbis0-debuginfo-1.3.3-10.6.1 libvorbis0-debuginfo-32bit-1.3.3-10.6.1 libvorbisenc2-1.3.3-10.6.1 libvorbisenc2-32bit-1.3.3-10.6.1 libvorbisenc2-debuginfo-1.3.3-10.6.1 libvorbisenc2-debuginfo-32bit-1.3.3-10.6.1 libvorbisfile3-1.3.3-10.6.1 libvorbisfile3-32bit-1.3.3-10.6.1 libvorbisfile3-debuginfo-1.3.3-10.6.1 libvorbisfile3-debuginfo-32bit-1.3.3-10.6.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libvorbis-debugsource-1.3.3-10.6.1 libvorbis0-1.3.3-10.6.1 libvorbis0-32bit-1.3.3-10.6.1 libvorbis0-debuginfo-1.3.3-10.6.1 libvorbis0-debuginfo-32bit-1.3.3-10.6.1 libvorbisenc2-1.3.3-10.6.1 libvorbisenc2-32bit-1.3.3-10.6.1 libvorbisenc2-debuginfo-1.3.3-10.6.1 libvorbisenc2-debuginfo-32bit-1.3.3-10.6.1 libvorbisfile3-1.3.3-10.6.1 libvorbisfile3-32bit-1.3.3-10.6.1 libvorbisfile3-debuginfo-1.3.3-10.6.1 libvorbisfile3-debuginfo-32bit-1.3.3-10.6.1 References: https://www.suse.com/security/cve/CVE-2018-5146.html https://bugzilla.suse.com/1085687 From sle-security-updates at lists.suse.com Fri Mar 23 11:08:51 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 23 Mar 2018 18:08:51 +0100 (CET) Subject: SUSE-SU-2018:0785-1: important: Security update for the Linux Kernel Message-ID: <20180323170851.0C36BFC98@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0785-1 Rating: important References: #1005776 #1006867 #1012382 #1012829 #1027054 #1031717 #1034503 #1035432 #1042286 #1043441 #1045330 #1062840 #1065600 #1065615 #1066223 #1067118 #1068032 #1068569 #1069135 #1071306 #1071892 #1072363 #1072689 #1072739 #1072865 #1073401 #1074198 #1074426 #1075087 #1076282 #1077285 #1077513 #1077560 #1077779 #1078583 #1078609 #1078672 #1078673 #1078787 #1079029 #1079038 #1079384 #1079989 #1080014 #1080263 #1080344 #1080360 #1080364 #1080384 #1080464 #1080774 #1080809 #1080813 #1080851 #1081134 #1081431 #1081491 #1081498 #1081500 #1081512 #1081671 #1082223 #1082299 #1082478 #1082795 #1082864 #1082897 #1082979 #1082993 #1083494 #1083548 #1084610 #1085053 #1085107 #1085224 #1085239 #863764 #966328 #975772 #983145 Cross-References: CVE-2017-13166 CVE-2017-15951 CVE-2017-16644 CVE-2017-16912 CVE-2017-16913 CVE-2017-17975 CVE-2017-18208 CVE-2018-1000026 CVE-2018-1068 CVE-2018-8087 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Live Patching 12 SUSE Linux Enterprise High Availability 12-SP2 SUSE Linux Enterprise Desktop 12-SP2 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that solves 10 vulnerabilities and has 70 fixes is now available. Description: The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.120 to receive various security and bugfixes. The following security bugs were fixed: - CVE-2017-13166: An elevation of privilege vulnerability in the v4l2 video driver was fixed. (bnc#1072865). - CVE-2017-15951: The KEYS subsystem did not correctly synchronize the actions of updating versus finding a key in the "negative" state to avoid a race condition, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls (bnc#1062840 bnc#1065615). - CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673). - CVE-2017-16913: The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672). - CVE-2017-17975: Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c allowed attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure (bnc#1074426). - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-8087: Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c allowed local users to cause a denial of service (memory consumption) by triggering an out-of-array error case (bnc#1085053). - CVE-2018-1000026: A insufficient input validation vulnerability in the bnx2x network card driver could result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM. (bnc#1079384). - CVE-2018-1068: Insufficient user provided offset checking in the ebtables compat code allowed local attackers to overwrite kernel memory and potentially execute code. (bsc#1085107) The following non-security bugs were fixed: - acpi / bus: Leave modalias empty for devices which are not present (bnc#1012382). - acpi: sbshc: remove raw pointer from printk() message (bnc#1012382). - Add delay-init quirk for Corsair K70 RGB keyboards (bnc#1012382). - add ip6_make_flowinfo helper (bsc#1042286). - ahci: Add Intel Cannon Lake PCH-H PCI ID (bnc#1012382). - ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI (bnc#1012382). - ahci: Annotate PCI ids for mobile Intel chipsets as such (bnc#1012382). - alpha: fix crash if pthread_create races with signal delivery (bnc#1012382). - alpha: fix reboot on Avanti platform (bnc#1012382). - alsa: hda/ca0132 - fix possible NULL pointer use (bnc#1012382). - alsa: hda - Fix headset mic detection problem for two Dell machines (bnc#1012382). - alsa: hda/realtek - Add headset mode support for Dell laptop (bsc#1031717). - alsa: hda/realtek: PCI quirk for Fujitsu U7x7 (bnc#1012382). - alsa: hda - Reduce the suspend time consumption for ALC256 (bsc#1031717). - alsa: hda - Use IS_REACHABLE() for dependency on input (bsc#1031717). - alsa: seq: Fix racy pool initializations (bnc#1012382). - alsa: seq: Fix regression by incorrect ioctl_mutex usages (bnc#1012382). - alsa: usb-audio: add implicit fb quirk for Behringer UFX1204 (bnc#1012382). - alsa: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute (bnc#1012382). - amd-xgbe: Fix unused suspend handlers build warning (bnc#1012382). - arm64: define BUG() instruction without CONFIG_BUG (bnc#1012382). - arm64: Disable unhandled signal log messages by default (bnc#1012382). - arm64: dts: add #cooling-cells to CPU nodes (bnc#1012382). - arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set (bnc#1012382). - arm: 8731/1: Fix csum_partial_copy_from_user() stack mismatch (bnc#1012382). - arm: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function (bnc#1012382). - arm: dts: am4372: Correct the interrupts_properties of McASP (bnc#1012382). - arm: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen (bnc#1012382). - arm: dts: ls1021a: fix incorrect clock references (bnc#1012382). - arm: dts: s5pv210: add interrupt-parent for ohci (bnc#1012382). - arm: dts: STi: Add gpio polarity for "hdmi,hpd-gpio" property (bnc#1012382). - arm: kvm: Fix SMCCC handling of unimplemented SMC/HVC calls (bnc#1012382). - arm: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context (bnc#1012382). - arm: omap2: hide omap3_save_secure_ram on non-OMAP3 builds (git-fixes). - arm: pxa/tosa-bt: add MODULE_LICENSE tag (bnc#1012382). - arm: spear13xx: Fix dmas cells (bnc#1012382). - arm: spear13xx: Fix spics gpio controller's warning (bnc#1012382). - arm: spear600: Add missing interrupt-parent of rtc (bnc#1012382). - arm: tegra: select USB_ULPI from EHCI rather than platform (bnc#1012382). - asoc: au1x: Fix timeout tests in au1xac97c_ac97_read() (bsc#1031717). - asoc: Intel: Kconfig: fix build when acpi is not enabled (bnc#1012382). - asoc: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' (bsc#1031717). - asoc: mediatek: add i2c dependency (bnc#1012382). - asoc: nuc900: Fix a loop timeout test (bsc#1031717). - asoc: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - asoc: rockchip: disable clock on error (bnc#1012382). - asoc: rockchip: use __maybe_unused to hide st_irq_syscfg_resume (bnc#1012382). - asoc: rsnd: avoid duplicate free_irq() (bnc#1012382). - asoc: rsnd: do not call free_irq() on Parent SSI (bnc#1012382). - asoc: simple-card: Fix misleading error message (bnc#1012382). - asoc: ux500: add MODULE_LICENSE tag (bnc#1012382). - ata: ahci_xgene: free structure returned by acpi_get_object_info() (bsc#1082979). - b2c2: flexcop: avoid unused function warnings (bnc#1012382). - binder: add missing binder_unlock() (bnc#1012382). - binder: check for binder_thread allocation failure in binder_poll() (bnc#1012382). - binfmt_elf: compat: avoid unused function warning (bnc#1012382). - blacklist.conf: commit fd5f7cde1b85d4c8e09 ("printk: Never set console_may_schedule in console_trylock()") - blktrace: fix unlocked registration of tracepoints (bnc#1012382). - bluetooth: btsdio: Do not bind to non-removable BCM43341 (bnc#1012382). - bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version (bnc#1012382). - bnx2x: Improve reliability in case of nested PCI errors (bnc#1012382). - bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine (bnc#1012382). - bpf: arsh is not supported in 32 bit alu thus reject it (bnc#1012382). - bpf: avoid false sharing of map refcount with max_entries (bnc#1012382). - bpf: fix 32-bit divide by zero (bnc#1012382). - bpf: fix bpf_tail_call() x64 JIT (bnc#1012382). - bpf: fix divides by zero (bnc#1012382). - bpf: introduce BPF_JIT_ALWAYS_ON config (bnc#1012382). - bpf: reject stores into ctx via st and xadd (bnc#1012382). - bridge: implement missing ndo_uninit() (bsc#1042286). - bridge: move bridge multicast cleanup to ndo_uninit (bsc#1042286). - btrfs: copy fsid to super_block s_uuid (bsc#1080774). - btrfs: fix crash due to not cleaning up tree log block's dirty bits (bnc#1012382). - btrfs: fix deadlock in run_delalloc_nocow (bnc#1012382). - btrfs: fix deadlock when writing out space cache (bnc#1012382). - btrfs: fix kernel oops while reading compressed data (bsc#1081671). - btrfs: Fix possible off-by-one in btrfs_search_path_in_tree (bnc#1012382). - btrfs: Fix quota reservation leak on preallocated files (bsc#1079989). - btrfs: fix unexpected -EEXIST when creating new inode (bnc#1012382). - btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker (bnc#1012382). - can: flex_can: Correct the checking for frame length in flexcan_start_xmit() (bnc#1012382). - cdrom: turn off autoclose by default (bsc#1080813). - cfg80211: check dev_set_name() return value (bnc#1012382). - cfg80211: fix cfg80211_beacon_dup (bnc#1012382). - cifs: dump IPC tcon in debug proc file (bsc#1071306). - cifs: Fix autonegotiate security settings mismatch (bnc#1012382). - cifs: Fix missing put_xid in cifs_file_strict_mmap (bnc#1012382). - cifs: make IPC a regular tcon (bsc#1071306). - cifs: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl (bsc#1071306). - cifs: zero sensitive data when freeing (bnc#1012382). - clk: fix a panic error caused by accessing NULL pointer (bnc#1012382). - console/dummy: leave .con_font_get set to NULL (bnc#1012382). - cpufreq: Add Loongson machine dependencies (bnc#1012382). - crypto: aesni - handle zero length dst buffer (bnc#1012382). - crypto: af_alg - whitelist mask and type (bnc#1012382). - crypto: caam - fix endless loop when DECO acquire fails (bnc#1012382). - crypto: cryptd - pass through absence of ->setkey() (bnc#1012382). - crypto: hash - introduce crypto_hash_alg_has_setkey() (bnc#1012382). - crypto: poly1305 - remove ->setkey() method (bnc#1012382). - crypto: s5p-sss - Fix kernel Oops in AES-ECB mode (bnc#1012382). - crypto: tcrypt - fix S/G table for test_aead_speed() (bnc#1012382). - crypto: x86/twofish-3way - Fix %rbp usage (bnc#1012382). - cw1200: fix bogus maybe-uninitialized warning (bnc#1012382). - dccp: limit sk_filter trim to payload (bsc#1042286). - dell-wmi, dell-laptop: depends DMI (bnc#1012382). - dlm: fix double list_del() (bsc#1082795). - dlm: fix NULL pointer dereference in send_to_sock() (bsc#1082795). - dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved (bnc#1012382). - dmaengine: dmatest: fix container_of member in dmatest_callback (bnc#1012382). - dmaengine: ioat: Fix error handling path (bnc#1012382). - dmaengine: jz4740: disable/unprepare clk if probe fails (bnc#1012382). - dmaengine: zx: fix build warning (bnc#1012382). - dm: correctly handle chained bios in dec_pending() (bnc#1012382). - dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock (bnc#1012382). - do not put symlink bodies in pagecache into highmem (bnc#1012382). - dpt_i2o: fix build warning (bnc#1012382). - driver-core: use 'dev' argument in dev_dbg_ratelimited stub (bnc#1012382). - drivers/net: fix eisa_driver probe section mismatch (bnc#1012382). - drm/amdgpu: Avoid leaking PM domain on driver unbind (v2) (bnc#1012382). - drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode (bnc#1012382). - drm/amdkfd: Fix SDMA oversubsription handling (bnc#1012382). - drm/amdkfd: Fix SDMA ring buffer size calculation (bnc#1012382). - drm/armada: fix leak of crtc structure (bnc#1012382). - drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA (bnc#1012382). - drm/gma500: remove helper function (bnc#1012382). - drm/gma500: Sanity-check pipe index (bnc#1012382). - drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized (bnc#1012382). - drm/nouveau/pci: do a msi rearm on init (bnc#1012382). - drm/radeon: adjust tested variable (bnc#1012382). - drm: rcar-du: Fix race condition when disabling planes at CRTC stop (bnc#1012382). - drm: rcar-du: Use the VBK interrupt for vblank events (bnc#1012382). - drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all (bnc#1012382). - drm/ttm: check the return value of kzalloc (bnc#1012382). - drm/vmwgfx: use *_32_bits() macros (bnc#1012382). - e1000: fix disabling already-disabled warning (bnc#1012382). - edac, octeon: Fix an uninitialized variable warning (bnc#1012382). - em28xx: only use mt9v011 if camera support is enabled (bnc#1012382). - enable DST_CACHE in non-vanilla configs except s390x/zfcpdump - ext4: correct documentation for grpid mount option (bnc#1012382). - ext4: do not unnecessarily allocate buffer in recently_deleted() (bsc#1080344). - ext4: Fix data exposure after failed AIO DIO (bsc#1069135 bsc#1082864). - ext4: save error to disk in __ext4_grp_locked_error() (bnc#1012382). - f2fs: fix a bug caused by NULL extent tree (bsc#1082478). While this fs is not supported by SLE it affects opensuse users so let's add it to our kernel for opensuse merging. - fbdev: auo_k190x: avoid unused function warnings (bnc#1012382). - fbdev: s6e8ax0: avoid unused function warnings (bnc#1012382). - fbdev: sis: enforce selection of at least one backend (bnc#1012382). - fbdev: sm712fb: avoid unused function warnings (bnc#1012382). - flow_dissector: Check skb for VLAN only if skb specified (bsc#1042286). - flow_dissector: fix vlan tag handling (bsc#1042286). - flow_dissector: For stripped vlan, get vlan info from skb->vlan_tci (bsc#1042286). - ftrace: Remove incorrect setting of glob search field (bnc#1012382). - geneve: fix populating tclass in geneve_get_v6_dst (bsc#1042286). - genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg (bnc#1012382). - genksyms: Fix segfault with invalid declarations (bnc#1012382). - gianfar: fix a flooded alignment reports because of padding issue (bnc#1012382). - go7007: add MEDIA_CAMERA_SUPPORT dependency (bnc#1012382). - gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE (bnc#1012382). - gpio: intel-mid: Fix build warning when !CONFIG_PM (bnc#1012382). - gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - gpio: xgene: mark PM functions as __maybe_unused (bnc#1012382). - grace: replace BUG_ON by WARN_ONCE in exit_net hook (bnc#1012382). - gre: build header correctly for collect metadata tunnels (bsc#1042286). - gre: do not assign header_ops in collect metadata mode (bsc#1042286). - gre: do not keep the GRE header around in collect medata mode (bsc#1042286). - gre: reject GUE and FOU in collect metadata mode (bsc#1042286). - hdpvr: hide unused variable (bnc#1012382). - hid: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working (bnc#1012382). - hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close (bnc#1012382). - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) (bnc#1012382). - hwmon: (pmbus) Use 64bit math for DIRECT format values (bnc#1012382). - hwrng: exynos - use __maybe_unused to hide pm functions (bnc#1012382). - i2c: remove __init from i2c_register_board_info() (bnc#1012382). - ib/ipoib: Fix race condition in neigh creation (bnc#1012382). - ib/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports (bnc#1012382). - ib/mlx4: Fix mlx4_ib_alloc_mr error flow (bnc#1012382). - ibmvnic: Account for VLAN header length in TX buffers (bsc#1085239). - ibmvnic: Account for VLAN tag in L2 Header descriptor (bsc#1085239). - ibmvnic: Allocate max queues stats buffers (bsc#1081498). - ibmvnic: Allocate statistics buffers during probe (bsc#1082993). - ibmvnic: Check for NULL skb's in NAPI poll routine (bsc#1081134, git-fixes). - ibmvnic: Clean RX pool buffers during device close (bsc#1081134). - ibmvnic: Clean up device close (bsc#1084610). - ibmvnic: Correct goto target for tx irq initialization failure (bsc#1082223). - ibmvnic: Do not attempt to login if RX or TX queues are not allocated (bsc#1082993). - ibmvnic: Do not disable device during failover or partition migration (bsc#1084610). - ibmvnic: Ensure that buffers are NULL after free (bsc#1080014). - ibmvnic: Fix early release of login buffer (bsc#1081134, git-fixes). - ibmvnic: fix empty firmware version and errors cleanup (bsc#1079038). - ibmvnic: fix firmware version when no firmware level has been provided by the VIOS server (bsc#1079038). - ibmvnic: Fix login buffer memory leaks (bsc#1081134). - ibmvnic: Fix NAPI structures memory leak (bsc#1081134). - ibmvnic: Fix recent errata commit (bsc#1085239). - ibmvnic: Fix rx queue cleanup for non-fatal resets (bsc#1080014). - ibmvnic: Fix TX descriptor tracking again (bsc#1082993). - ibmvnic: Fix TX descriptor tracking (bsc#1081491). - ibmvnic: Free and re-allocate scrqs when tx/rx scrqs change (bsc#1081498). - ibmvnic: Free RX socket buffer in case of adapter error (bsc#1081134). - ibmvnic: Generalize TX pool structure (bsc#1085224). - ibmvnic: Handle TSO backing device errata (bsc#1085239). - ibmvnic: Harden TX/RX pool cleaning (bsc#1082993). - ibmvnic: Improve TX buffer accounting (bsc#1085224). - ibmvnic: Keep track of supplementary TX descriptors (bsc#1081491). - ibmvnic: Make napi usage dynamic (bsc#1081498). - ibmvnic: Move active sub-crq count settings (bsc#1081498). - ibmvnic: Pad small packets to minimum MTU size (bsc#1085239). - ibmvnic: queue reset when CRQ gets closed during reset (bsc#1080263). - ibmvnic: Remove skb->protocol checks in ibmvnic_xmit (bsc#1080384). - ibmvnic: Rename active queue count variables (bsc#1081498). - ibmvnic: Reorganize device close (bsc#1084610). - ibmvnic: Report queue stops and restarts as debug output (bsc#1082993). - ibmvnic: Reset long term map ID counter (bsc#1080364). - ibmvnic: Split counters for scrq/pools/napi (bsc#1082223). - ibmvnic: Update and clean up reset TX pool routine (bsc#1085224). - ibmvnic: Update release RX pool routine (bsc#1085224). - ibmvnic: Update TX and TX completion routines (bsc#1085224). - ibmvnic: Update TX pool initialization routine (bsc#1085224). - ibmvnic: Wait until reset is complete to set carrier on (bsc#1081134). - idle: i7300: add PCI dependency (bnc#1012382). - igb: Free IRQs when device is hotplugged (bnc#1012382). - iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels (bnc#1012382). - iio: adis_lib: Initialize trigger before requesting interrupt (bnc#1012382). - iio: buffer: check if a buffer has been set up when poll is called (bnc#1012382). - input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning (bnc#1012382). - input: tca8418_keypad - remove double read of key event register (git-fixes). - iommu/amd: Add align parameter to alloc_irq_index() (bsc#975772). - iommu/amd: Enforce alignment for MSI IRQs (bsc#975772). - iommu/amd: Fix alloc_irq_index() increment (bsc#975772). - iommu/vt-d: Use domain instead of cache fetching (bsc#975772). - ip6mr: fix stale iterator (bnc#1012382). - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689). - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689). - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689). - ip_tunnel: fix preempt warning in ip tunnel creation/updating (bnc#1012382). - ip_tunnel: replace dst_cache with generic implementation (bnc#1012382). - ipv4: allow local fragmentation in ip_finish_output_gso() (bsc#1042286). - ipv4: fix checksum annotation in udp4_csum_init (bsc#1042286). - ipv4: ipconfig: avoid unused ic_proto_used symbol (bnc#1012382). - ipv4: update comment to document GSO fragmentation cases (bsc#1042286). - ipv6: datagram: Refactor dst lookup and update codes to a new function (bsc#1042286). - ipv6: datagram: Refactor flowi6 init codes to a new function (bsc#1042286). - ipv6: datagram: Update dst cache of a connected datagram sk during pmtu update (bsc#1042286). - ipv6: fix checksum annotation in udp6_csum_init (bsc#1042286). - ipv6: icmp6: Allow icmp messages to be looped back (bnc#1012382). - ipv6/ila: fix nlsize calculation for lwtunnel (bsc#1042286). - ipv6: remove unused in6_addr struct (bsc#1042286). - ipv6: tcp: fix endianness annotation in tcp_v6_send_response (bsc#1042286). - ipv6: udp: Do a route lookup and update during release_cb (bsc#1042286). - ipvlan: Add the skb->mark as flow4's member to lookup route (bnc#1012382). - ipvlan: fix multicast processing (bsc#1042286). - ipvlan: fix various issues in ipvlan_process_multicast() (bsc#1042286). - irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() (bnc#1012382). - isdn: eicon: reduce stack size of sig_ind function (bnc#1012382). - isdn: icn: remove a #warning (bnc#1012382). - isdn: sc: work around type mismatch warning (bnc#1012382). - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (git-fixes). - kABI: protect struct cpuinfo_x86 (kabi). - kABI: protect struct ip_tunnel and reintroduce ip_tunnel_dst_reset_all (kabi). - kABI: reintroduce crypto_poly1305_setkey (kabi). - kabi: restore kabi after "net: replace dst_cache ip6_tunnel implementation with the generic one" (bsc#1082897). - kabi: restore nft_set_elem_destroy() signature (bsc#1042286). - kabi: restore rhashtable_insert_slow() signature (bsc#1042286). - kabi/severities: add __x86_indirect_thunk_rsp - kabi/severities: as per bsc#1068569 we can ignore XFS kabi The gods have spoken, let there be light. - kabi: uninline sk_receive_skb() (bsc#1042286). - kaiser: fix compile error without vsyscall (bnc#1012382). - kaiser: fix intel_bts perf crashes (bnc#1012382). - kasan: rework Kconfig settings (bnc#1012382). - kernel/async.c: revert "async: simplify lowest_in_progress()" (bnc#1012382). - kernel: fix rwlock implementation (bnc#1080360, LTC#164371). - kernfs: fix regression in kernfs_fop_write caused by wrong type (bnc#1012382). - keys: encrypted: fix buffer overread in valid_master_desc() (bnc#1012382). - kmemleak: add scheduling point to kmemleak_scan() (bnc#1012382). - kvm: add X86_LOCAL_APIC dependency (bnc#1012382). - kvm: arm/arm64: Check pagesize when allocating a hugepage at Stage 2 (bsc#1079029). - kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types (bnc#1012382). - kvm: nVMX: Fix races when sending nested PI while dest enters/leaves L2 (bnc#1012382). - kvm: nVMX: invvpid handling improvements (bnc#1012382). - kvm: nVMX: kmap() can't fail (bnc#1012382). - kvm: nVMX: vmx_complete_nested_posted_interrupt() can't fail (bnc#1012382). - kvm: PPC: Book3S PR: Fix svcpu copying with preemption enabled (bsc#1066223). - kvm: VMX: clean up declaration of VPID/EPT invalidation types (bnc#1012382). - kvm: VMX: Fix rflags cache during vCPU reset (bnc#1012382). - kvm: VMX: Make indirect call speculation safe (bnc#1012382). - kvm: x86: Do not re-execute instruction when not passing CR2 value (bnc#1012382). - kvm: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure (bnc#1012382). - kvm: x86: fix escape of guest dr6 to the host (bnc#1012382). - kvm: X86: Fix operand/address-size during instruction decoding (bnc#1012382). - kvm: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered (bnc#1012382). - kvm: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race (bnc#1012382). - kvm: x86: ioapic: Preserve read-only values in the redirection table (bnc#1012382). - kvm: x86: Make indirect calls in emulator speculation safe (bnc#1012382). - kvm/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods (bnc#1012382). - l2tp: fix use-after-free during module unload (bsc#1042286). - led: core: Fix brightness setting when setting delay_off=0 (bnc#1012382). - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464). - lib/mpi: Fix umul_ppmm() for MIPS64r6 (bnc#1012382). - livepatch: introduce shadow variable API (bsc#1082299 fate#313296). Shadow variables support. - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c (bsc#1082299 fate#313296). Shadow variables support. - lockd: fix "list_add double add" caused by legacy signal interface (bnc#1012382). - loop: fix concurrent lo_open/lo_release (bnc#1012382). - mac80211: fix the update of path metric for RANN frame (bnc#1012382). - mac80211: mesh: drop frames appearing to be from us (bnc#1012382). - Make DST_CACHE a silent config option (bnc#1012382). - mdio-sun4i: Fix a memory leak (bnc#1012382). - md/raid1: Use a new variable to count flighting sync requests(bsc#1078609) - media: cxusb, dib0700: ignore XC2028_I2C_FLUSH (bnc#1012382). - media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (bnc#1012382). - media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (bnc#1012382). - media: r820t: fix r820t_write_reg for KASAN (bnc#1012382). - media: s5k6aa: describe some function parameters (bnc#1012382). - media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - media: ts2020: avoid integer overflows on 32 bit machines (bnc#1012382). - media: usbtv: add a new usbid (bnc#1012382). - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382). - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382). - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382). - media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer (bnc#1012382). - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382). - media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs (bnc#1012382). - media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382). - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382). - media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic (bnc#1012382). - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382). - mips: Implement __multi3 for GCC7 MIPS64r6 builds (bnc#1012382). - mmc: bcm2835: Do not overwrite max frequency unconditionally (bsc#983145, git-fixes). - mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep (bnc#1012382). - mm: hide a #warning for COMPILE_TEST (bnc#1012382). - mm/kmemleak.c: make cond_resched() rate-limiting more efficient (git-fixes). - mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1081500). - mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed (bnc#1012382). - mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy (bnc#1012382). - modsign: hide openssl output in silent builds (bnc#1012382). - module/retpoline: Warn about missing retpoline in module (bnc#1012382). - mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bsc#1078583). - mptfusion: hide unused seq_mpt_print_ioc_summary function (bnc#1012382). - mtd: cfi: convert inline functions to macros (bnc#1012382). - mtd: cfi: enforce valid geometry configuration (bnc#1012382). - mtd: ichxrom: maybe-uninitialized with gcc-4.9 (bnc#1012382). - mtd: maps: add __init attribute (bnc#1012382). - mtd: nand: brcmnand: Disable prefetch by default (bnc#1012382). - mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - mtd: nand: Fix nand_do_read_oob() return value (bnc#1012382). - mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM (bnc#1012382). - mtd: nand: sunxi: Fix ECC strength choice (bnc#1012382). - mtd: sh_flctl: pass FIFO as physical address (bnc#1012382). - mvpp2: fix multicast address filter (bnc#1012382). - ncpfs: fix unused variable warning (bnc#1012382). - ncr5380: shut up gcc indentation warning (bnc#1012382). - net: add dst_cache support (bnc#1012382). - net: arc_emac: fix arc_emac_rx() error paths (bnc#1012382). - net: avoid skb_warn_bad_offload on IS_ERR (bnc#1012382). - net: cdc_ncm: initialize drvflags before usage (bnc#1012382). - net: dst_cache_per_cpu_dst_set() can be static (bnc#1012382). - net: ena: add detection and recovery mechanism for handling missed/misrouted MSI-X (bsc#1083548). - net: ena: add new admin define for future support of IPv6 RSS (bsc#1083548). - net: ena: add power management ops to the ENA driver (bsc#1083548). - net: ena: add statistics for missed tx packets (bsc#1083548). - net: ena: fix error handling in ena_down() sequence (bsc#1083548). - net: ena: fix race condition between device reset and link up setup (bsc#1083548). - net: ena: fix rare kernel crash when bar memory remap fails (bsc#1083548). - net: ena: fix wrong max Tx/Rx queues on ethtool (bsc#1083548). - net: ena: improve ENA driver boot time (bsc#1083548). - net: ena: increase ena driver version to 1.3.0 (bsc#1083548). - net: ena: increase ena driver version to 1.5.0 (bsc#1083548). - net: ena: reduce the severity of some printouts (bsc#1083548). - net: ena: remove legacy suspend suspend/resume support (bsc#1083548). - net: ena: Remove redundant unlikely() (bsc#1083548). - net: ena: unmask MSI-X only after device initialization is completed (bsc#1083548). - net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit (bnc#1012382). - netfilter: drop outermost socket lock in getsockopt() (bnc#1012382). - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107). - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107). - netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() (bnc#1012382). - netfilter: ipvs: avoid unused variable warnings (bnc#1012382). - netfilter: nf_queue: Make the queue_handler pernet (bnc#1012382). - netfilter: nf_tables: fix a wrong check to skip the inactive rules (bsc#1042286). - netfilter: nf_tables: fix inconsistent element expiration calculation (bsc#1042286). - netfilter: nf_tables: fix *leak* when expr clone fail (bsc#1042286). - netfilter: nf_tables: fix race when create new element in dynset (bsc#1042286). - netfilter: on sockopt() acquire sock lock only in the required scope (bnc#1012382). - netfilter: tee: select NF_DUP_IPV6 unconditionally (bsc#1042286). - netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} (bnc#1012382). - netfilter: x_tables: fix int overflow in xt_alloc_table_info() (bnc#1012382). - netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert (bnc#1012382). - netfilter: xt_socket: fix transparent match for IPv6 request sockets (bsc#1042286). - net: gianfar_ptp: move set_fipers() to spinlock protecting area (bnc#1012382). - net: hp100: remove unnecessary #ifdefs (bnc#1012382). - net: igmp: add a missing rcu locking section (bnc#1012382). - net/ipv4: Introduce IPSKB_FRAG_SEGS bit to inet_skb_parm.flags (bsc#1042286). - netlink: fix nla_put_{u8,u16,u32} for KASAN (bnc#1012382). - net: replace dst_cache ip6_tunnel implementation with the generic one (bnc#1012382). - net_sched: red: Avoid devision by zero (bnc#1012382). - net_sched: red: Avoid illegal values (bnc#1012382). - net: vxlan: lwt: Fix vxlan local traffic (bsc#1042286). - net: vxlan: lwt: Use source ip address during route lookup (bsc#1042286). - nfs: Add a cond_resched() to nfs_commit_release_pages() (bsc#1077779). - nfs: commit direct writes even if they fail partially (bnc#1012382). - nfsd: check for use of the closed special stateid (bnc#1012382). - nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) (bnc#1012382). - nfsd: Ensure we check stateid validity in the seqid operation checks (bnc#1012382). - nfs: Do not convert nfs_idmap_cache_timeout to jiffies (git-fixes). - nfs: fix a deadlock in nfs client initialization (bsc#1074198). - nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds (bnc#1012382). - nfs: reject request for id_legacy key without auxdata (bnc#1012382). - nfs: Trunking detection should handle ERESTARTSYS/EINTR (bsc#1074198). - nvme: Fix managing degraded controllers (bnc#1012382). - ocfs2: return error when we attempt to access a dirty bh in jbd2 (bsc#1012829). - openvswitch: fix the incorrect flow action alloc size (bnc#1012382). - ovl: fix failure to fsync lower dir (bnc#1012382). - ovs/geneve: fix rtnl notifications on iface deletion (bsc#1042286). - ovs/gre: fix rtnl notifications on iface deletion (bsc#1042286). - ovs/gre,geneve: fix error path when creating an iface (bsc#1042286). - ovs/vxlan: fix rtnl notifications on iface deletion (bsc#1042286). - pci/ASPM: Do not retrain link if ASPM not possible (bnc#1071892). - pci: keystone: Fix interrupt-controller-node lookup (bnc#1012382). - perf bench numa: Fixup discontiguous/sparse numa nodes (bnc#1012382). - perf top: Fix window dimensions change handling (bnc#1012382). - perf/x86: Shut up false-positive -Wmaybe-uninitialized warning (bnc#1012382). - pinctrl: sunxi: Fix A80 interrupt pin bank (bnc#1012382). - pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330). - pktcdvd: Fix pkt_setup_dev() error path (bnc#1012382). - platform/x86: intel_mid_thermal: Fix suspend handlers unused warning (bnc#1012382). - PM / devfreq: Propagate error from devfreq_add_device() (bnc#1012382). - PM / wakeirq: Fix unbalanced IRQ enable for wakeirq (bsc#1031717). - posix-timer: Properly check sigevent->sigev_notify (bnc#1012382). - power: bq27xxx_battery: mark some symbols __maybe_unused (bnc#1012382). - powerpc/64: Fix flush_(d|i)cache_range() called from modules (FATE#315275 LTC#103998 bnc#1012382 bnc#863764). - powerpc/64s: Fix RFI flush dependency on HARDLOCKUP_DETECTOR (bnc#1012382). - powerpc/64s: Improve RFI L1-D cache flush fallback (bsc#1068032, bsc#1075087). - powerpc: Do not preempt_disable() in show_cpuinfo() (bsc#1066223). - powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove (bsc#1081512). - powerpc/perf: Fix oops when grouping different pmu events (bnc#1012382). - powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers (bsc#1066223). - powerpc/powernv: Move IDLE_STATE_ENTER_SEQ macro to cpuidle.h (bsc#1066223). - powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087). - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087). - powerpc: Simplify module TOC handling (bnc#1012382). - power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - profile: hide unused functions when !CONFIG_PROC_FS (bnc#1012382). - Provide a function to create a NUL-terminated string from unterminated data (bnc#1012382). - pwc: hide unused label (bnc#1012382). - qla2xxx: asynchronous pci probing (bsc#1034503). - qlcnic: fix deadlock bug (bnc#1012382). - r8169: fix RTL8168EP take too long to complete driver initialization (bnc#1012382). - RDMA/cma: Make sure that PSN is not over max allowed (bnc#1012382). - reiserfs: avoid a -Wmaybe-uninitialized warning (bnc#1012382). - Revert "Bluetooth: btusb: fix QCA Rome suspend/resume" (bnc#1012382). - Revert "bpf: avoid false sharing of map refcount with max_entries" (kabi). - Revert "netfilter: nf_queue: Make the queue_handler pernet" (kabi). - Revert "net: replace dst_cache ip6_tunnel implementation with the generic one" (kabi bnc#1082897). - Revert "power: bq27xxx_battery: Remove unneeded dependency in Kconfig" (bnc#1012382). - Revert "powerpc: Simplify module TOC handling" (kabi). - Revert "x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0" This reverts commit 89ef3e2aec59362edf7b1cd1c48acc81cd74e319. - Revert "x86/entry/64: Use a per-CPU trampoline stack for IDT entries" This reverts commit 5812bed1a96b27804bfd1eadbe3e263cb58aafdf. - rfi-flush: Move the logic to avoid a redo into the debugfs code (bsc#1068032, bsc#1075087). - rfi-flush: Switch to new linear fallback flush (bsc#1068032, bsc#1075087). - rhashtable: add rhashtable_lookup_get_insert_key() (bsc#1042286). - rtc-opal: Fix handling of firmware error codes, prevent busy loops (bnc#1012382). - rtlwifi: fix gcc-6 indentation warning (bnc#1012382). - rtlwifi: rtl8821ae: Fix connection lost problem correctly (bnc#1012382). - s390/dasd: fix handling of internal requests (bsc#1080809). - s390/dasd: fix wrongly assigned configuration data (bnc#1012382). - s390/dasd: prevent prefix I/O error (bnc#1012382). - s390: fix handling of -1 in set{,fs}[gu]id16 syscalls (bnc#1012382). - sched/rt: Up the root domain ref count when passing it around via IPIs (bnc#1012382). - sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() (bnc#1012382). - scripts/kernel-doc: Do not fail with status != 0 if error encountered with -none (bnc#1012382). - scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path (bnc#1012382). - scsi: advansys: fix build warning for PCI=n (bnc#1012382). - scsi: advansys: fix uninitialized data access (bnc#1012382). - scsi: csiostor: fix use after free in csio_hw_use_fwconfig() (bsc#1005776). - scsi: fdomain: drop fdomain_pci_tbl when built-in (bnc#1012382). - scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info (bnc#1012382). - SCSI: initio: remove duplicate module device table (bnc#1012382). - scsi: mvumi: use __maybe_unused to hide pm functions (bnc#1012382). - scsi: qla2xxx: Fix abort command deadlock due to spinlock (FATE#320146, bsc#966328). - scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout (FATE#320146, bsc#966328). - scsi: return correct blkprep status code in case scsi_init_io() fails (bsc#1082979). - scsi: sim710: fix build warning (bnc#1012382). - scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813). - scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error (bnc#1012382). - scsi: sun_esp: fix device reference leaks (bsc#1082979). - scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg (bnc#1012382). - sctp: make use of pre-calculated len (bnc#1012382). - selinux: ensure the context is NUL terminated in security_context_to_sid_core() (bnc#1012382). - selinux: general protection fault in sock_has_perm (bnc#1012382). - selinux: skip bounded transition processing if the policy isn't loaded (bnc#1012382). - serial: 8250_mid: fix broken DMA dependency (bnc#1012382). - serial: 8250_uniphier: fix error return code in uniphier_uart_probe() (bsc#1031717). - serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS (bnc#1012382). - sget(): handle failures of register_shrinker() (bnc#1012382). - signal/openrisc: Fix do_unaligned_access to send the proper signal (bnc#1012382). - signal/sh: Ensure si_signo is initialized in do_divide_error (bnc#1012382). - SolutionEngine771x: fix Ether platform data (bnc#1012382). - spi: atmel: fixed spin_lock usage inside atmel_spi_remove (bnc#1012382). - spi: imx: do not access registers while clocks disabled (bnc#1012382). - spi: sun4i: disable clocks in the remove function (bnc#1012382). - ssb: mark ssb_bus_register as __maybe_unused (bnc#1012382). - staging: android: ashmem: Fix a race condition in pin ioctls (bnc#1012382). - staging: iio: adc: ad7192: fix external frequency setting (bnc#1012382). - staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID (bnc#1012382). - staging: ste_rmi4: avoid unused function warnings (bnc#1012382). - staging: unisys: visorinput depends on INPUT (bnc#1012382). - staging: wilc1000: fix kbuild test robot error (bnc#1012382). - SUNRPC: Allow connect to return EHOSTUNREACH (bnc#1012382). - tc1100-wmi: fix build warning when CONFIG_PM not enabled (bnc#1012382). - tc358743: fix register i2c_rd/wr function fix (git-fixes). - tc358743: fix register i2c_rd/wr functions (bnc#1012382). - tcp: do not set rtt_min to 1 (bsc#1042286). - tcp: release sk_frag.page in tcp_disconnect (bnc#1012382). - test_bpf: fix the dummy skb after dissector changes (bsc#1042286). - tg3: Add workaround to restrict 5762 MRRS to 2048 (bnc#1012382). - tg3: Enable PHY reset in MTU change path for 5720 (bnc#1012382). - thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies (bnc#1012382). - thermal: spear: use __maybe_unused for PM functions (bnc#1012382). - tlan: avoid unused label with PCI=n (bnc#1012382). - tools build: Add tools tree support for 'make -s' (bnc#1012382). - tty: cyclades: cyz_interrupt is only used for PCI (bnc#1012382). - tty: hvc_xen: hide xen_console_remove when unused (bnc#1012382). - tty: mxser: Remove ASYNC_CLOSING (bnc#1072363). - ubi: block: Fix locking for idr_alloc/idr_remove (bnc#1012382). - udp: restore UDPlite many-cast delivery (bsc#1042286). - usb: build drivers/usb/common/ when USB_SUPPORT is set (bnc#1012382). - USB: cdc-acm: Do not log urb submission errors on disconnect (bnc#1012382). - USB: cdc_subset: only build when one driver is enabled (bnc#1012382). - usb: dwc3: gadget: Set maxpacket size for ep0 IN (bnc#1012382). - usb: f_fs: Prevent gadget unbind if it is already unbound (bnc#1012382). - usb: gadget: do not dereference g until after it has been null checked (bnc#1012382). - usb: gadget: f_fs: Process all descriptors during bind (bnc#1012382). - usb: gadget: uvc: Missing files for configfs interface (bnc#1012382). - usbip: fix 3eee23c3ec14 tcp_socket address still in the status file (bnc#1012382). - usbip: keep usbip_device sockfd state in sync with tcp_socket (bnc#1012382). - usbip: list: do not list devices attached to vhci_hcd (bnc#1012382). - usbip: prevent bind loops on devices attached to vhci_hcd (bnc#1012382). - usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit (bnc#1012382). - usb: ldusb: add PIDs for new CASSY devices supported by this driver (bnc#1012382). - usb: musb/ux500: remove duplicate check for dma_is_compatible (bnc#1012382). - usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() (bnc#1012382). - usb: option: Add support for FS040U modem (bnc#1012382). - usb: phy: msm add regulator dependency (bnc#1012382). - usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path (bnc#1012382). - USB: serial: io_edgeport: fix possible sleep-in-atomic (bnc#1012382). - USB: serial: pl2303: new device id for Chilitag (bnc#1012382). - USB: serial: simple: add Motorola Tetra driver (bnc#1012382). - usb: uas: unconditionally bring back host after reset (bnc#1012382). - v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER (bnc#1012382). - vb2: V4L2_BUF_FLAG_DONE is set after DQBUF (bnc#1012382). - vfs: do not do RCU lookup of empty pathnames (bnc#1012382). - vhost_net: stop device during reset owner (bnc#1012382). - video: fbdev: atmel_lcdfb: fix display-timings lookup (bnc#1012382). - video: fbdev/mmp: add MODULE_LICENSE (bnc#1012382). - video: fbdev: sis: remove unused variable (bnc#1012382). - video: fbdev: via: remove possibly unused variables (bnc#1012382). - video: Use bool instead int pointer for get_opt_bool() argument (bnc#1012382). - virtio_balloon: prevent uninitialized variable use (bnc#1012382). - vlan: Check for vlan ethernet types for 8021.q or 802.1ad (bsc#1042286). - vmxnet3: prevent building with 64K pages (bnc#1012382). - vxlan: consolidate csum flag handling (bsc#1042286). - vxlan: consolidate output route calculation (bsc#1042286). - vxlan: consolidate vxlan_xmit_skb and vxlan6_xmit_skb (bsc#1042286). - vxlan: do not allow overwrite of config src addr (bsc#1042286). - watchdog: imx2_wdt: restore previous timeout after suspend+resume (bnc#1012382). - wireless: cw1200: use __maybe_unused to hide pm functions_ (bnc#1012382). - x86: add MULTIUSER dependency for KVM (bnc#1012382). - x86/asm: Fix inline asm call constraints for GCC 4.4 (bnc#1012382). - x86/boot: Avoid warning for zero-filling .bss (bnc#1012382). - x86: bpf_jit: small optimization in emit_bpf_tail_call() (bnc#1012382). - x86/bugs: Drop one "mitigation" from dmesg (bnc#1012382). - x86/build: Silence the build with "make -s" (bnc#1012382). - x86/cpu/bugs: Make retpoline module warning conditional (bnc#1012382). - x86/cpu: Change type of x86_cache_size variable to unsigned int (bnc#1012382). - x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0 (bsc#1077560). - x86/entry/64: Use a per-CPU trampoline stack for IDT entries (bsc#1077560). - x86: fix build warnign with 32-bit PAE (bnc#1012382). - x86/fpu/math-emu: Fix possible uninitialized variable use (bnc#1012382). - x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER (bnc#1012382). - x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested (bsc#1081431). - x86/mce: Pin the timer when modifying (bsc#1080851,1076282). - x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug (bnc#1012382). - x86/microcode/AMD: Do not load when running on a hypervisor (bnc#1012382). - x86/microcode: Do the family check first (bnc#1012382). - x86/mm/kmmio: Fix mmiotrace for page unaligned addresses (bnc#1012382). - x86/nospec: Fix header guards names (bnc#1012382). - x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() (bnc#1012382). - x86/paravirt: Remove 'noreplace-paravirt' cmdline option (bnc#1012382). - x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG (bnc#1012382). - x86/platform/olpc: Fix resume handler build warning (bnc#1012382). - x86/pti: Make unpoison of pgd for trusted boot work for real (bnc#1012382). - x86/ras/inject: Make it depend on X86_LOCAL_APIC=y (bnc#1012382). - x86/retpoline: Avoid retpolines for built-in __init functions (bnc#1012382). - x86/retpoline: Remove the esp/rsp thunk (bnc#1012382). - x86/spectre: Check CONFIG_RETPOLINE in command line parser (bnc#1012382). - x86/spectre: Fix an error message (git-fixes). - x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" (bnc#1012382). - x86/spectre: Remove the out-of-tree RSB stuffing - x86/spectre: Simplify spectre_v2 command line parsing (bnc#1012382). - x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL (bnc#1012382). - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend (bnc#1065600). - xen/gntdev: Fix off-by-one error when unmapping with holes (bnc#1012382). - xen/gntdev: Fix partial gntdev_mmap() cleanup (bnc#1012382). - xen-netfront: enable device after manual module load (bnc#1012382). - xen-netfront: remove warning when unloading module (bnc#1012382). - xen: XEN_acpi_PROCESSOR is Dom0-only (bnc#1012382). - xfrm: check id proto in validate_tmpl() (bnc#1012382). - xfrm: Fix stack-out-of-bounds read on socket policy lookup (bnc#1012382). - xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies (bnc#1012382). - xfrm_user: propagate sec ctx allocation errors (bsc#1042286). - xfs: do not chain ioends during writepage submission (bsc#1077285 bsc#1043441). - xfs: factor mapping out of xfs_do_writepage (bsc#1077285 bsc#1043441). - xfs: Introduce writeback context for writepages (bsc#1077285 bsc#1043441). - xfs: ioends require logically contiguous file offsets (bsc#1077285 bsc#1043441). - xfs: quota: check result of register_shrinker() (bnc#1012382). - xfs: quota: fix missed destroy of qi_tree_lock (bnc#1012382). - xfs: reinit btree pointer on attr tree inactivation walk (bsc#1078787). - xfs: remove nonblocking mode from xfs_vm_writepage (bsc#1077285 bsc#1043441). - xfs: remove racy hasattr check from attr ops (bsc#1035432). - xfs: remove xfs_cancel_ioend (bsc#1077285 bsc#1043441). - xfs: stop searching for free slots in an inode chunk when there are none (bsc#1072739). - xfs: toggle readonly state around xfs_log_mount_finish (bsc#1073401). - xfs: ubsan fixes (bnc#1012382). - xfs: validate sb_logsunit is a multiple of the fs blocksize (bsc#1077513). - xfs: write unmount record for ro mounts (bsc#1073401). - xfs: xfs_cluster_write is redundant (bsc#1077285 bsc#1043441). - xtensa: fix futex_atomic_cmpxchg_inatomic (bnc#1012382). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2018-535=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-535=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-535=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-535=1 - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-535=1 - SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2018-535=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-535=1 - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-535=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): kernel-default-debuginfo-4.4.120-92.70.1 kernel-default-debugsource-4.4.120-92.70.1 kernel-default-extra-4.4.120-92.70.1 kernel-default-extra-debuginfo-4.4.120-92.70.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.4.120-92.70.1 kernel-obs-build-debugsource-4.4.120-92.70.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (noarch): kernel-docs-4.4.120-92.70.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): kernel-default-4.4.120-92.70.1 kernel-default-base-4.4.120-92.70.1 kernel-default-base-debuginfo-4.4.120-92.70.1 kernel-default-debuginfo-4.4.120-92.70.1 kernel-default-debugsource-4.4.120-92.70.1 kernel-default-devel-4.4.120-92.70.1 kernel-syms-4.4.120-92.70.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): kernel-devel-4.4.120-92.70.1 kernel-macros-4.4.120-92.70.1 kernel-source-4.4.120-92.70.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): kernel-default-4.4.120-92.70.1 kernel-default-base-4.4.120-92.70.1 kernel-default-base-debuginfo-4.4.120-92.70.1 kernel-default-debuginfo-4.4.120-92.70.1 kernel-default-debugsource-4.4.120-92.70.1 kernel-default-devel-4.4.120-92.70.1 kernel-syms-4.4.120-92.70.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): kernel-devel-4.4.120-92.70.1 kernel-macros-4.4.120-92.70.1 kernel-source-4.4.120-92.70.1 - SUSE Linux Enterprise Server 12-SP2 (s390x): kernel-default-man-4.4.120-92.70.1 - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_120-92_70-default-1-3.3.1 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.120-92.70.1 cluster-md-kmp-default-debuginfo-4.4.120-92.70.1 cluster-network-kmp-default-4.4.120-92.70.1 cluster-network-kmp-default-debuginfo-4.4.120-92.70.1 dlm-kmp-default-4.4.120-92.70.1 dlm-kmp-default-debuginfo-4.4.120-92.70.1 gfs2-kmp-default-4.4.120-92.70.1 gfs2-kmp-default-debuginfo-4.4.120-92.70.1 kernel-default-debuginfo-4.4.120-92.70.1 kernel-default-debugsource-4.4.120-92.70.1 ocfs2-kmp-default-4.4.120-92.70.1 ocfs2-kmp-default-debuginfo-4.4.120-92.70.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): kernel-devel-4.4.120-92.70.1 kernel-macros-4.4.120-92.70.1 kernel-source-4.4.120-92.70.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): kernel-default-4.4.120-92.70.1 kernel-default-debuginfo-4.4.120-92.70.1 kernel-default-debugsource-4.4.120-92.70.1 kernel-default-devel-4.4.120-92.70.1 kernel-default-extra-4.4.120-92.70.1 kernel-default-extra-debuginfo-4.4.120-92.70.1 kernel-syms-4.4.120-92.70.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): kernel-default-4.4.120-92.70.1 kernel-default-debuginfo-4.4.120-92.70.1 kernel-default-debugsource-4.4.120-92.70.1 References: https://www.suse.com/security/cve/CVE-2017-13166.html https://www.suse.com/security/cve/CVE-2017-15951.html https://www.suse.com/security/cve/CVE-2017-16644.html https://www.suse.com/security/cve/CVE-2017-16912.html https://www.suse.com/security/cve/CVE-2017-16913.html https://www.suse.com/security/cve/CVE-2017-17975.html https://www.suse.com/security/cve/CVE-2017-18208.html https://www.suse.com/security/cve/CVE-2018-1000026.html https://www.suse.com/security/cve/CVE-2018-1068.html https://www.suse.com/security/cve/CVE-2018-8087.html https://bugzilla.suse.com/1005776 https://bugzilla.suse.com/1006867 https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1012829 https://bugzilla.suse.com/1027054 https://bugzilla.suse.com/1031717 https://bugzilla.suse.com/1034503 https://bugzilla.suse.com/1035432 https://bugzilla.suse.com/1042286 https://bugzilla.suse.com/1043441 https://bugzilla.suse.com/1045330 https://bugzilla.suse.com/1062840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065615 https://bugzilla.suse.com/1066223 https://bugzilla.suse.com/1067118 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068569 https://bugzilla.suse.com/1069135 https://bugzilla.suse.com/1071306 https://bugzilla.suse.com/1071892 https://bugzilla.suse.com/1072363 https://bugzilla.suse.com/1072689 https://bugzilla.suse.com/1072739 https://bugzilla.suse.com/1072865 https://bugzilla.suse.com/1073401 https://bugzilla.suse.com/1074198 https://bugzilla.suse.com/1074426 https://bugzilla.suse.com/1075087 https://bugzilla.suse.com/1076282 https://bugzilla.suse.com/1077285 https://bugzilla.suse.com/1077513 https://bugzilla.suse.com/1077560 https://bugzilla.suse.com/1077779 https://bugzilla.suse.com/1078583 https://bugzilla.suse.com/1078609 https://bugzilla.suse.com/1078672 https://bugzilla.suse.com/1078673 https://bugzilla.suse.com/1078787 https://bugzilla.suse.com/1079029 https://bugzilla.suse.com/1079038 https://bugzilla.suse.com/1079384 https://bugzilla.suse.com/1079989 https://bugzilla.suse.com/1080014 https://bugzilla.suse.com/1080263 https://bugzilla.suse.com/1080344 https://bugzilla.suse.com/1080360 https://bugzilla.suse.com/1080364 https://bugzilla.suse.com/1080384 https://bugzilla.suse.com/1080464 https://bugzilla.suse.com/1080774 https://bugzilla.suse.com/1080809 https://bugzilla.suse.com/1080813 https://bugzilla.suse.com/1080851 https://bugzilla.suse.com/1081134 https://bugzilla.suse.com/1081431 https://bugzilla.suse.com/1081491 https://bugzilla.suse.com/1081498 https://bugzilla.suse.com/1081500 https://bugzilla.suse.com/1081512 https://bugzilla.suse.com/1081671 https://bugzilla.suse.com/1082223 https://bugzilla.suse.com/1082299 https://bugzilla.suse.com/1082478 https://bugzilla.suse.com/1082795 https://bugzilla.suse.com/1082864 https://bugzilla.suse.com/1082897 https://bugzilla.suse.com/1082979 https://bugzilla.suse.com/1082993 https://bugzilla.suse.com/1083494 https://bugzilla.suse.com/1083548 https://bugzilla.suse.com/1084610 https://bugzilla.suse.com/1085053 https://bugzilla.suse.com/1085107 https://bugzilla.suse.com/1085224 https://bugzilla.suse.com/1085239 https://bugzilla.suse.com/863764 https://bugzilla.suse.com/966328 https://bugzilla.suse.com/975772 https://bugzilla.suse.com/983145 From sle-security-updates at lists.suse.com Fri Mar 23 11:23:29 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 23 Mar 2018 18:23:29 +0100 (CET) Subject: SUSE-SU-2018:0786-1: important: Security update for the Linux Kernel Message-ID: <20180323172329.34FAEFC98@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0786-1 Rating: important References: #1006867 #1012382 #1015342 #1015343 #1020645 #1022607 #1024376 #1027054 #1031717 #1033587 #1034503 #1042286 #1043441 #1043725 #1043726 #1062840 #1065600 #1065615 #1066223 #1067118 #1068032 #1068569 #1069135 #1070404 #1071306 #1071892 #1072363 #1072689 #1072739 #1072865 #1073401 #1073407 #1074198 #1074426 #1075087 #1076282 #1076693 #1076760 #1076982 #1077241 #1077285 #1077513 #1077560 #1077779 #1078583 #1078672 #1078673 #1078787 #1079029 #1079038 #1079195 #1079313 #1079384 #1079609 #1079886 #1079989 #1080014 #1080263 #1080321 #1080344 #1080364 #1080384 #1080464 #1080533 #1080656 #1080774 #1080813 #1080851 #1081134 #1081431 #1081436 #1081437 #1081491 #1081498 #1081500 #1081512 #1081514 #1081681 #1081735 #1082089 #1082223 #1082299 #1082373 #1082478 #1082632 #1082795 #1082864 #1082897 #1082979 #1082993 #1083048 #1083086 #1083223 #1083387 #1083409 #1083494 #1083548 #1083750 #1083770 #1084041 #1084397 #1084427 #1084610 #1084772 #1084888 #1084926 #1084928 #1084967 #1085011 #1085015 #1085045 #1085047 #1085050 #1085053 #1085054 #1085056 #1085107 #1085224 #1085239 #863764 #966170 #966172 #966328 #969476 #969477 #975772 #983145 Cross-References: CVE-2017-13166 CVE-2017-15951 CVE-2017-16644 CVE-2017-16912 CVE-2017-16913 CVE-2017-17975 CVE-2017-18174 CVE-2017-18208 CVE-2018-1000026 CVE-2018-1068 CVE-2018-8087 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Live Patching 12-SP3 SUSE Linux Enterprise High Availability 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL ______________________________________________________________________________ An update that solves 11 vulnerabilities and has 116 fixes is now available. Description: The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.120 to receive various security and bugfixes. The following security bugs were fixed: - CVE-2017-13166: An elevation of privilege vulnerability in the v4l2 video driver. (bnc#1072865). - CVE-2017-15951: The KEYS subsystem did not correctly synchronize the actions of updating versus finding a key in the "negative" state to avoid a race condition, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls (bnc#1062840 bnc#1065615). - CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673). - CVE-2017-16913: The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672). - CVE-2017-17975: Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c allowed attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure (bnc#1074426). - CVE-2017-18174: The amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free (bnc#1080533). - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-1000026: A insufficient input validation vulnerability in bnx2x network card driver could result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM. (bnc#1079384). - CVE-2018-8087: Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c allowed local users to cause a denial of service (memory consumption) by triggering an out-of-array error case (bnc#1085053). - CVE-2018-1068: Insufficient user provided offset checking in the ebtables compat code allowed local attackers to overwrite kernel memory and potentially execute code. (bsc#1085107) The following non-security bugs were fixed: - acpi / bus: Leave modalias empty for devices which are not present (bnc#1012382). - acpi, nfit: fix health event notification (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393). - acpi, nfit: fix register dimm error handling (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393). - acpi: sbshc: remove raw pointer from printk() message (bnc#1012382). - Add delay-init quirk for Corsair K70 RGB keyboards (bnc#1012382). - add ip6_make_flowinfo helper (bsc#1042286). - ahci: Add Intel Cannon Lake PCH-H PCI ID (bnc#1012382). - ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI (bnc#1012382). - ahci: Annotate PCI ids for mobile Intel chipsets as such (bnc#1012382). - alpha: fix crash if pthread_create races with signal delivery (bnc#1012382). - alpha: fix reboot on Avanti platform (bnc#1012382). - alsa: hda/ca0132 - fix possible NULL pointer use (bnc#1012382). - alsa: hda - Fix headset mic detection problem for two Dell machines (bnc#1012382). - alsa: hda/realtek - Add headset mode support for Dell laptop (bsc#1031717). - alsa: hda/realtek: PCI quirk for Fujitsu U7x7 (bnc#1012382). - alsa: hda - Reduce the suspend time consumption for ALC256 (bsc#1031717). - alsa: hda - Use IS_REACHABLE() for dependency on input (bsc#1031717). - alsa: seq: Fix racy pool initializations (bnc#1012382). - alsa: seq: Fix regression by incorrect ioctl_mutex usages (bnc#1012382). - alsa: usb-audio: add implicit fb quirk for Behringer UFX1204 (bnc#1012382). - alsa: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute (bnc#1012382). - amd-xgbe: Fix unused suspend handlers build warning (bnc#1012382). - arm64: add PTE_ADDR_MASK (bsc#1068032). - arm64: barrier: Add CSDB macros to control data-value prediction (bsc#1068032). - arm64: define BUG() instruction without CONFIG_BUG (bnc#1012382). - arm64: Disable unhandled signal log messages by default (bnc#1012382). - arm64: dts: add #cooling-cells to CPU nodes (bnc#1012382). - arm64: entry: Apply BP hardening for high-priority synchronous exceptions (bsc#1068032). - arm64: entry: Apply BP hardening for suspicious interrupts from EL0 (bsc#1068032). - arm64: entry: Ensure branch through syscall table is bounded under speculation (bsc#1068032). - arm64: entry: Reword comment about post_ttbr_update_workaround (bsc#1068032). - arm64: Force KPTI to be disabled on Cavium ThunderX (bsc#1068032). - arm64: futex: Mask __user pointers prior to dereference (bsc#1068032). - arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives (bsc#1068032). - arm64: Implement array_index_mask_nospec() (bsc#1068032). - arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set (bnc#1012382). - arm64: kpti: Add ->enable callback to remap swapper using nG mappings (bsc#1068032). - arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() (bsc#1068032). - arm64: Make USER_DS an inclusive limit (bsc#1068032). - arm64: mm: Permit transitioning from Global to Non-Global without BBM (bsc#1068032). - arm64: move TASK_* definitions to <asm/processor.h> (bsc#1068032). - arm64: Run enable method for errata work arounds on late CPUs (bsc#1085045). - arm64: uaccess: Do not bother eliding access_ok checks in __{get, put}_user (bsc#1068032). - arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user (bsc#1068032). - arm64: uaccess: Prevent speculative use of the current addr_limit (bsc#1068032). - arm64: Use pointer masking to limit uaccess speculation (bsc#1068032). - arm: 8731/1: Fix csum_partial_copy_from_user() stack mismatch (bnc#1012382). - arm: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function (bnc#1012382). - arm: dts: am4372: Correct the interrupts_properties of McASP (bnc#1012382). - arm: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen (bnc#1012382). - arm: dts: ls1021a: fix incorrect clock references (bnc#1012382). - arm: dts: s5pv210: add interrupt-parent for ohci (bnc#1012382). - arm: dts: STi: Add gpio polarity for "hdmi,hpd-gpio" property (bnc#1012382). - arm: kvm: Fix SMCCC handling of unimplemented SMC/HVC calls (bnc#1012382). - arm: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context (bnc#1012382). - arm: omap2: hide omap3_save_secure_ram on non-OMAP3 builds (git-fixes). - arm: pxa/tosa-bt: add MODULE_LICENSE tag (bnc#1012382). - arm: spear13xx: Fix dmas cells (bnc#1012382). - arm: spear13xx: Fix spics gpio controller's warning (bnc#1012382). - arm: spear600: Add missing interrupt-parent of rtc (bnc#1012382). - arm: tegra: select USB_ULPI from EHCI rather than platform (bnc#1012382). - asoc: au1x: Fix timeout tests in au1xac97c_ac97_read() (bsc#1031717). - asoc: Intel: Kconfig: fix build when ACPI is not enabled (bnc#1012382). - asoc: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' (bsc#1031717). - asoc: mediatek: add i2c dependency (bnc#1012382). - asoc: nuc900: Fix a loop timeout test (bsc#1031717). - asoc: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - asoc: rockchip: disable clock on error (bnc#1012382). - asoc: rsnd: avoid duplicate free_irq() (bnc#1012382). - asoc: rsnd: do not call free_irq() on Parent SSI (bnc#1012382). - asoc: simple-card: Fix misleading error message (bnc#1012382). - asoc: ux500: add MODULE_LICENSE tag (bnc#1012382). - ata: ahci_xgene: free structure returned by acpi_get_object_info() (bsc#1082979). - ata: pata_artop: remove redundant initialization of pio (bsc#1082979). - ata: sata_dwc_460ex: remove incorrect locking (bsc#1082979). - b2c2: flexcop: avoid unused function warnings (bnc#1012382). - binder: add missing binder_unlock() (bnc#1012382). - binder: check for binder_thread allocation failure in binder_poll() (bnc#1012382). - binfmt_elf: compat: avoid unused function warning (bnc#1012382). - blk-mq: add warning to __blk_mq_run_hw_queue() for ints disabled (bsc#1084772). - blk-mq: stop 'delayed_run_work' in blk_mq_stop_hw_queue() (bsc#1084967). - blk-mq: turn WARN_ON in __blk_mq_run_hw_queue into printk (bsc#1084772). - blktrace: fix unlocked registration of tracepoints (bnc#1012382). - block: fix an error code in add_partition() (bsc#1082979). - block: Fix __bio_integrity_endio() documentation (bsc#1082979). - bluetooth: btsdio: Do not bind to non-removable BCM43341 (bnc#1012382). - bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version (bnc#1012382). - bnx2x: Improve reliability in case of nested PCI errors (bnc#1012382). - bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine (bnc#1012382). - bpf: arsh is not supported in 32 bit alu thus reject it (bnc#1012382). - bpf: avoid false sharing of map refcount with max_entries (bnc#1012382). - bpf: fix 32-bit divide by zero (bnc#1012382). - bpf: fix bpf_tail_call() x64 JIT (bnc#1012382). - bpf: fix divides by zero (bnc#1012382). - bpf: introduce BPF_JIT_ALWAYS_ON config (bnc#1012382). - bpf: reject stores into ctx via st and xadd (bnc#1012382). - bridge: implement missing ndo_uninit() (bsc#1042286). - bridge: move bridge multicast cleanup to ndo_uninit (bsc#1042286). - btrfs: copy fsid to super_block s_uuid (bsc#1080774). - btrfs: fix crash due to not cleaning up tree log block's dirty bits (bnc#1012382). - btrfs: fix deadlock in run_delalloc_nocow (bnc#1012382). - btrfs: fix deadlock when writing out space cache (bnc#1012382). - btrfs: Fix possible off-by-one in btrfs_search_path_in_tree (bnc#1012382). - btrfs: Fix quota reservation leak on preallocated files (bsc#1079989). - btrfs: fix unexpected -EEXIST when creating new inode (bnc#1012382). - btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker (bnc#1012382). - can: flex_can: Correct the checking for frame length in flexcan_start_xmit() (bnc#1012382). - cdrom: turn off autoclose by default (bsc#1080813). - ceph: fix incorrect snaprealm when adding caps (bsc#1081735). - ceph: fix un-balanced fsc->writeback_count update (bsc#1081735). - cfg80211: check dev_set_name() return value (bnc#1012382). - cfg80211: fix cfg80211_beacon_dup (bnc#1012382). - cifs: dump IPC tcon in debug proc file (bsc#1071306). - cifs: Fix autonegotiate security settings mismatch (bnc#1012382). - cifs: Fix missing put_xid in cifs_file_strict_mmap (bnc#1012382). - cifs: make IPC a regular tcon (bsc#1071306). - cifs: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl (bsc#1071306). - cifs: zero sensitive data when freeing (bnc#1012382). - clk: fix a panic error caused by accessing NULL pointer (bnc#1012382). - console/dummy: leave .con_font_get set to NULL (bnc#1012382). - cpufreq: Add Loongson machine dependencies (bnc#1012382). - crypto: aesni - handle zero length dst buffer (bnc#1012382). - crypto: af_alg - whitelist mask and type (bnc#1012382). - crypto: caam - fix endless loop when DECO acquire fails (bnc#1012382). - crypto: cryptd - pass through absence of ->setkey() (bnc#1012382). - crypto: hash - introduce crypto_hash_alg_has_setkey() (bnc#1012382). - crypto: poly1305 - remove ->setkey() method (bnc#1012382). - crypto: s5p-sss - Fix kernel Oops in AES-ECB mode (bnc#1012382). - crypto: tcrypt - fix S/G table for test_aead_speed() (bnc#1012382). (bnc#1012382). - crypto: x86/twofish-3way - Fix %rbp usage (bnc#1012382). - cw1200: fix bogus maybe-uninitialized warning (bnc#1012382). - dccp: limit sk_filter trim to payload (bsc#1042286). - dell-wmi, dell-laptop: depends DMI (bnc#1012382). - direct-io: Fix sleep in atomic due to sync AIO (bsc#1084888). - dlm: fix double list_del() (bsc#1082795). - dlm: fix NULL pointer dereference in send_to_sock() (bsc#1082795). - dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved (bnc#1012382). - dmaengine: dmatest: fix container_of member in dmatest_callback (bnc#1012382). - dmaengine: ioat: Fix error handling path (bnc#1012382). - dmaengine: jz4740: disable/unprepare clk if probe fails (bnc#1012382). - dmaengine: zx: fix build warning (bnc#1012382). - dm: correctly handle chained bios in dec_pending() (bnc#1012382). - dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock (bnc#1012382). - do not put symlink bodies in pagecache into highmem (bnc#1012382). - dpt_i2o: fix build warning (bnc#1012382). - driver-core: use 'dev' argument in dev_dbg_ratelimited stub (bnc#1012382). - drivers: hv: balloon: Correctly update onlined page count (fate#315887, bsc#1082632). - drivers: hv: balloon: Initialize last_post_time on startup (fate#315887, bsc#1082632). - drivers: hv: balloon: Show the max dynamic memory assigned (fate#315887, bsc#1082632). - drivers: hv: kvp: Use MAX_ADAPTER_ID_SIZE for translating adapter id (fate#315887, bsc#1082632). - drivers: hv: Turn off write permission on the hypercall page (fate#315887, bsc#1082632). - drivers: hv: vmbus: Fix rescind handling (fate#315887, bsc#1082632). - drivers: hv: vmbus: Fix rescind handling issues (fate#315887, bsc#1082632). - drivers/net: fix eisa_driver probe section mismatch (bnc#1012382). - drm/amdgpu: Avoid leaking PM domain on driver unbind (v2) (bnc#1012382). - drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode (bnc#1012382). - drm/amdkfd: Fix SDMA oversubsription handling (bnc#1012382). - drm/amdkfd: Fix SDMA ring buffer size calculation (bnc#1012382). - drm/armada: fix leak of crtc structure (bnc#1012382). - drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA (bnc#1012382). - drm/gma500: remove helper function (bnc#1012382). - drm/gma500: Sanity-check pipe index (bnc#1012382). - drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized (bnc#1012382). - drm/nouveau/pci: do a msi rearm on init (bnc#1012382). - drm/radeon: adjust tested variable (bnc#1012382). - drm: rcar-du: Fix race condition when disabling planes at CRTC stop (bnc#1012382). - drm: rcar-du: Use the VBK interrupt for vblank events (bnc#1012382). - drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all (bnc#1012382). - drm/ttm: check the return value of kzalloc (bnc#1012382). - drm/vmwgfx: use *_32_bits() macros (bnc#1012382). - Drop SUSE-specific qla2xxx patches (bsc#1043726) - e1000: fix disabling already-disabled warning (bnc#1012382). - edac, octeon: Fix an uninitialized variable warning (bnc#1012382). - em28xx: only use mt9v011 if camera support is enabled (bnc#1012382). - enable DST_CACHE in non-vanilla configs except s390x/zfcpdump - ext4: correct documentation for grpid mount option (bnc#1012382). - ext4: do not unnecessarily allocate buffer in recently_deleted() (bsc#1080344). - ext4: Fix data exposure after failed AIO DIO (bsc#1069135 bsc#1082864). - ext4: save error to disk in __ext4_grp_locked_error() (bnc#1012382). - f2fs: fix a bug caused by NULL extent tree (bsc#1082478). Does not affect SLE release but should be merged into leap updates - fbdev: auo_k190x: avoid unused function warnings (bnc#1012382). - fbdev: s6e8ax0: avoid unused function warnings (bnc#1012382). - fbdev: sis: enforce selection of at least one backend (bnc#1012382). - fbdev: sm712fb: avoid unused function warnings (bnc#1012382). - fs: Avoid invalidation in interrupt context in dio_complete() (bsc#1073407 bsc#1069135). - fs: Fix page cache inconsistency when mixing buffered and AIO DIO (bsc#1073407 bsc#1069135). - fs: invalidate page cache after end_io() in dio completion (bsc#1073407 bsc#1069135). - ftrace: Remove incorrect setting of glob search field (bnc#1012382). - geneve: fix populating tclass in geneve_get_v6_dst (bsc#1042286). - genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg (bnc#1012382). - genirq/msi: Fix populating multiple interrupts (bsc#1085047). - genirq: Restore trigger settings in irq_modify_status() (bsc#1085056). - genksyms: Fix segfault with invalid declarations (bnc#1012382). - gianfar: fix a flooded alignment reports because of padding issue (bnc#1012382). - go7007: add MEDIA_CAMERA_SUPPORT dependency (bnc#1012382). - gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE (bnc#1012382). - gpio: intel-mid: Fix build warning when !CONFIG_PM (bnc#1012382). - gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - gpio: xgene: mark PM functions as __maybe_unused (bnc#1012382). - grace: replace BUG_ON by WARN_ONCE in exit_net hook (bnc#1012382). - gre: build header correctly for collect metadata tunnels (bsc#1042286). - gre: do not assign header_ops in collect metadata mode (bsc#1042286). - gre: do not keep the GRE header around in collect medata mode (bsc#1042286). - gre: reject GUE and FOU in collect metadata mode (bsc#1042286). - hdpvr: hide unused variable (bnc#1012382). - hid: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working (bnc#1012382). - hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close (bnc#1012382). - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) (bnc#1012382). - hv_netvsc: Add ethtool handler to set and get TCP hash levels (fate#315887, bsc#1082632). - hv_netvsc: Add ethtool handler to set and get UDP hash levels (fate#315887, bsc#1082632). - hv_netvsc: Add initialization of tx_table in netvsc_device_add() (fate#315887, bsc#1082632). - hv_netvsc: Change the hash level variable to bit flags (fate#315887, bsc#1082632). - hv_netvsc: Clean up an unused parameter in rndis_filter_set_rss_param() (fate#315887, bsc#1082632). - hv_netvsc: Clean up unused parameter from netvsc_get_hash() (fate#315887, bsc#1082632). - hv_netvsc: Clean up unused parameter from netvsc_get_rss_hash_opts() (fate#315887, bsc#1082632). - hv_netvsc: copy_to_send buf can be void (fate#315887, bsc#1082632). - hv_netvsc: do not need local xmit_more (fate#315887, bsc#1082632). - hv_netvsc: drop unused macros (fate#315887, bsc#1082632). - hv_netvsc: empty current transmit aggregation if flow blocked (fate#315887, bsc#1082632). - hv_netvsc: Fix rndis_filter_close error during netvsc_remove (fate#315887, bsc#1082632). - hv_netvsc: fix send buffer failure on MTU change (fate#315887, bsc#1082632). - hv_netvsc: Fix the channel limit in netvsc_set_rxfh() (fate#315887, bsc#1082632). - hv_netvsc: Fix the real number of queues of non-vRSS cases (fate#315887, bsc#1082632). - hv_netvsc: Fix the receive buffer size limit (fate#315887, bsc#1082632). - hv_netvsc: Fix the TX/RX buffer default sizes (fate#315887, bsc#1082632). - hv_netvsc: hide warnings about uninitialized/missing rndis device (fate#315887, bsc#1082632). - hv_netvsc: make const array ver_list static, reduces object code size (fate#315887, bsc#1082632). - hv_netvsc: optimize initialization of RNDIS header (fate#315887, bsc#1082632). - hv_netvsc: pass netvsc_device to receive callback (fate#315887, bsc#1082632). - hv_netvsc: remove open_cnt reference count (fate#315887, bsc#1082632). - hv_netvsc: Rename ind_table to rx_table (fate#315887, bsc#1082632). - hv_netvsc: Rename tx_send_table to tx_table (fate#315887, bsc#1082632). - hv_netvsc: replace divide with mask when computing padding (fate#315887, bsc#1082632). - hv_netvsc: report stop_queue and wake_queue (fate#315887, bsc#1082632). - hv_netvsc: simplify function args in receive status path (fate#315887, bsc#1082632). - hv_netvsc: Simplify the limit check in netvsc_set_channels() (fate#315887, bsc#1082632). - hv_netvsc: track memory allocation failures in ethtool stats (fate#315887, bsc#1082632). - hv: preserve kabi by keeping hv_do_hypercall (bnc#1082632). - hwmon: (pmbus) Use 64bit math for DIRECT format values (bnc#1012382). - hwrng: exynos - use __maybe_unused to hide pm functions (bnc#1012382). - hyper-v: trace vmbus_ongpadl_created() (fate#315887, bsc#1082632). - hyper-v: trace vmbus_ongpadl_torndown() (fate#315887, bsc#1082632). - hyper-v: trace vmbus_on_message() (fate#315887, bsc#1082632). - hyper-v: trace vmbus_on_msg_dpc() (fate#315887, bsc#1082632). - hyper-v: trace vmbus_onoffer() (fate#315887, bsc#1082632). - hyper-v: trace vmbus_onoffer_rescind() (fate#315887, bsc#1082632). - hyper-v: trace vmbus_onopen_result() (fate#315887, bsc#1082632). - hyper-v: trace vmbus_onversion_response() (fate#315887, bsc#1082632). - hyper-v: Use fast hypercall for HVCALL_SIGNAL_EVENT (fate#315887, bsc#1082632). - i2c: remove __init from i2c_register_board_info() (bnc#1012382). - i40iw: Correct Q1/XF object count equation (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - i40iw: Fix sequence number for the first partial FPDU (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - i40iw: Fix the connection ORD value for loopback (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - i40iw: Remove limit on re-posting AEQ entries to HW (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - i40iw: Selectively teardown QPs on IP addr change event (bsc#1024376 FATE#321249). - i40iw: Validate correct IRD/ORD connection parameters (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - ib/hfi1: Fix for potential refcount leak in hfi1_open_file() (FATE#321231 FATE#321473). - ib/iser: Handle lack of memory management extentions correctly (bsc#1082979). - ib/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports (bnc#1012382). - ib/mlx4: Fix mlx4_ib_alloc_mr error flow (bnc#1012382). - ibmvnic: Account for VLAN header length in TX buffers (bsc#1085239). - ibmvnic: Account for VLAN tag in L2 Header descriptor (bsc#1085239). - ibmvnic: Allocate max queues stats buffers (bsc#1081498). - ibmvnic: Allocate statistics buffers during probe (bsc#1082993). - ibmvnic: Check for NULL skb's in NAPI poll routine (bsc#1081134, git-fixes). - ibmvnic: Clean RX pool buffers during device close (bsc#1081134). - ibmvnic: Clean up device close (bsc#1084610). - ibmvnic: Correct goto target for tx irq initialization failure (bsc#1082223). - ibmvnic: Do not attempt to login if RX or TX queues are not allocated (bsc#1082993). - ibmvnic: Do not disable device during failover or partition migration (bsc#1084610). - ibmvnic: Ensure that buffers are NULL after free (bsc#1080014). - ibmvnic: Fix early release of login buffer (bsc#1081134, git-fixes). - ibmvnic: fix empty firmware version and errors cleanup (bsc#1079038). - ibmvnic: fix firmware version when no firmware level has been provided by the VIOS server (bsc#1079038). - ibmvnic: Fix login buffer memory leaks (bsc#1081134). - ibmvnic: Fix NAPI structures memory leak (bsc#1081134). - ibmvnic: Fix recent errata commit (bsc#1085239). - ibmvnic: Fix rx queue cleanup for non-fatal resets (bsc#1080014). - ibmvnic: Fix TX descriptor tracking again (bsc#1082993). - ibmvnic: Fix TX descriptor tracking (bsc#1081491). - ibmvnic: Free and re-allocate scrqs when tx/rx scrqs change (bsc#1081498). - ibmvnic: Free RX socket buffer in case of adapter error (bsc#1081134). - ibmvnic: Generalize TX pool structure (bsc#1085224). - ibmvnic: Handle TSO backing device errata (bsc#1085239). - ibmvnic: Harden TX/RX pool cleaning (bsc#1082993). - ibmvnic: Improve TX buffer accounting (bsc#1085224). - ibmvnic: Keep track of supplementary TX descriptors (bsc#1081491). - ibmvnic: Make napi usage dynamic (bsc#1081498). - ibmvnic: Move active sub-crq count settings (bsc#1081498). - ibmvnic: Pad small packets to minimum MTU size (bsc#1085239). - ibmvnic: queue reset when CRQ gets closed during reset (bsc#1080263). - ibmvnic: Remove skb->protocol checks in ibmvnic_xmit (bsc#1080384). - ibmvnic: Rename active queue count variables (bsc#1081498). - ibmvnic: Reorganize device close (bsc#1084610). - ibmvnic: Report queue stops and restarts as debug output (bsc#1082993). - ibmvnic: Reset long term map ID counter (bsc#1080364). - ibmvnic: Split counters for scrq/pools/napi (bsc#1082223). - ibmvnic: Update and clean up reset TX pool routine (bsc#1085224). - ibmvnic: Update release RX pool routine (bsc#1085224). - ibmvnic: Update TX and TX completion routines (bsc#1085224). - ibmvnic: Update TX pool initialization routine (bsc#1085224). - ibmvnic: Wait until reset is complete to set carrier on (bsc#1081134). - ib/qib: Fix comparison error with qperf compare/swap test (FATE#321231 FATE#321473). - ib/srpt: Remove an unused structure member (bsc#1082979). - idle: i7300: add PCI dependency (bnc#1012382). - igb: Free IRQs when device is hotplugged (bnc#1012382). - iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels (bnc#1012382). - iio: adis_lib: Initialize trigger before requesting interrupt (bnc#1012382). - iio: buffer: check if a buffer has been set up when poll is called (bnc#1012382). - input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning (bnc#1012382). - input: tca8418_keypad - remove double read of key event register (git-fixes). - iommu/amd: Add align parameter to alloc_irq_index() (bsc#975772). - iommu/amd: Enforce alignment for MSI IRQs (bsc#975772). - iommu/amd: Fix alloc_irq_index() increment (bsc#975772). - iommu/amd: Limit the IOVA page range to the specified addresses (fate#321026). - iommu/arm-smmu-v3: Cope with duplicated Stream IDs (bsc#1084926). - iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range (bsc#1084928). - iommu/vt-d: Use domain instead of cache fetching (bsc#975772). - ip6mr: fix stale iterator (bnc#1012382). - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689). - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689). - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689). - ip_tunnel: fix preempt warning in ip tunnel creation/updating (bnc#1012382). - ip_tunnel: replace dst_cache with generic implementation (bnc#1012382). - ipv4: allow local fragmentation in ip_finish_output_gso() (bsc#1042286). - ipv4: fix checksum annotation in udp4_csum_init (bsc#1042286). - ipv4: ipconfig: avoid unused ic_proto_used symbol (bnc#1012382). - ipv4: update comment to document GSO fragmentation cases (bsc#1042286). - ipv6: datagram: Refactor dst lookup and update codes to a new function (bsc#1042286). - ipv6: datagram: Refactor flowi6 init codes to a new function (bsc#1042286). - ipv6: datagram: Update dst cache of a connected datagram sk during pmtu update (bsc#1042286). - ipv6: fix checksum annotation in udp6_csum_init (bsc#1042286). - ipv6: icmp6: Allow icmp messages to be looped back (bnc#1012382). - ipv6/ila: fix nlsize calculation for lwtunnel (bsc#1042286). - ipv6: remove unused in6_addr struct (bsc#1042286). - ipv6: tcp: fix endianness annotation in tcp_v6_send_response (bsc#1042286). - ipv6: udp: Do a route lookup and update during release_cb (bsc#1042286). - ipvlan: Add the skb->mark as flow4's member to lookup route (bnc#1012382). - ipvlan: fix multicast processing (bsc#1042286). - ipvlan: fix various issues in ipvlan_process_multicast() (bsc#1042286). - irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() (bnc#1012382). - isdn: eicon: reduce stack size of sig_ind function (bnc#1012382). - isdn: icn: remove a #warning (bnc#1012382). - isdn: sc: work around type mismatch warning (bnc#1012382). - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (git-fixes). - kABI: protect struct cpuinfo_x86 (kabi). - kABI: protect struct ethtool_link_settings (bsc#1085050). - kABI: protect struct ip_tunnel and reintroduce ip_tunnel_dst_reset_all (kabi). - kABI: reintroduce crypto_poly1305_setkey (kabi). - kabi: restore kabi after "net: replace dst_cache ip6_tunnel implementation with the generic one" (bsc#1082897). - kabi: restore nft_set_elem_destroy() signature (bsc#1042286). - kabi: restore rhashtable_insert_slow() signature (bsc#1042286). - kabi/severities: add sclp to KABI ignore list - kabi/severities: add __x86_indirect_thunk_rsp - kabi/severities: as per bsc#1068569 we can ignore XFS kabi The gods have spoken, let there be light. - kabi/severities: Ignore kvm for KABI severities - kabi: uninline sk_receive_skb() (bsc#1042286). - kaiser: fix compile error without vsyscall (bnc#1012382). - kaiser: fix intel_bts perf crashes (bnc#1012382). - kasan: rework Kconfig settings (bnc#1012382). - kernel/async.c: revert "async: simplify lowest_in_progress()" (bnc#1012382). - kernel: fix rwlock implementation (bnc#1079886, LTC#164371). - kernfs: fix regression in kernfs_fop_write caused by wrong type (bnc#1012382). - keys: encrypted: fix buffer overread in valid_master_desc() (bnc#1012382). - kmemleak: add scheduling point to kmemleak_scan() (bnc#1012382). - kvm: add X86_LOCAL_APIC dependency (bnc#1012382). - kvm: ARM64: fix phy counter access failure in guest (bsc#1085015). - kvm: arm/arm64: Check pagesize when allocating a hugepage at Stage 2 (bsc#1079029). - kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types (bnc#1012382). - kvm: nVMX: Fix races when sending nested PI while dest enters/leaves L2 (bnc#1012382). - kvm: nVMX: invvpid handling improvements (bnc#1012382). - kvm: nVMX: kmap() can't fail (bnc#1012382). - kvm: nVMX: vmx_complete_nested_posted_interrupt() can't fail (bnc#1012382). - kvm: PPC: Book3S PR: Fix svcpu copying with preemption enabled (bsc#1066223). - kvm: s390: Add operation exception interception handler (FATE#324070, LTC#158959). - kvm: s390: Add sthyi emulation (FATE#324070, LTC#158959). - kvm: s390: Enable all facility bits that are known good for passthrough (FATE#324071, LTC#158956). - kvm: s390: Extend diag 204 fields (FATE#324070, LTC#158959). - kvm: s390: Fix STHYI buffer alignment for diag224 (FATE#324070, LTC#158959). - kvm: s390: instruction-execution-protection support (LTC#162428). - kvm: s390: Introduce BCD Vector Instructions to the guest (FATE#324072, LTC#158953). - kvm: s390: Introduce Vector Enhancements facility 1 to the guest (FATE#324072, LTC#158953). - kvm: s390: Limit sthyi execution (FATE#324070, LTC#158959). - kvm: s390: Populate mask of non-hypervisor managed facility bits (FATE#324071, LTC#158956). - kvm: VMX: clean up declaration of VPID/EPT invalidation types (bnc#1012382). - kvm: VMX: Fix rflags cache during vCPU reset (bnc#1012382). - kvm: VMX: Make indirect call speculation safe (bnc#1012382). - kvm: x86: Do not re-execute instruction when not passing CR2 value (bnc#1012382). - kvm: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure (bnc#1012382). - kvm: x86: fix escape of guest dr6 to the host (bnc#1012382). - kvm: X86: Fix operand/address-size during instruction decoding (bnc#1012382). - kvm: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered (bnc#1012382). - kvm: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race (bnc#1012382). - kvm: x86: ioapic: Preserve read-only values in the redirection table (bnc#1012382). - kvm: x86: Make indirect calls in emulator speculation safe (bnc#1012382). - kvm/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods (bnc#1012382). - l2tp: fix use-after-free during module unload (bsc#1042286). - led: core: Fix brightness setting when setting delay_off=0 (bnc#1012382). - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464). - libceph: check kstrndup() return value (bsc#1081735). - lib/mpi: Fix umul_ppmm() for MIPS64r6 (bnc#1012382). - lib/uuid.c: introduce a few more generic helpers (fate#315887, bsc#1082632). - lib/uuid.c: use correct offset in uuid parser (fate#315887, bsc#1082632). - livepatch: introduce shadow variable API (bsc#1082299 fate#313296). Shadow variables support. - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c (bsc#1082299 fate#313296). Shadow variables support. - lockd: fix "list_add double add" caused by legacy signal interface (bnc#1012382). - loop: fix concurrent lo_open/lo_release (bnc#1012382). - mac80211: fix the update of path metric for RANN frame (bnc#1012382). - mac80211: mesh: drop frames appearing to be from us (bnc#1012382). - Make DST_CACHE a silent config option (bnc#1012382). - mdio-sun4i: Fix a memory leak (bnc#1012382). - md/raid1: Use a new variable to count flighting sync requests(bsc#1083048) - media: cxusb, dib0700: ignore XC2028_I2C_FLUSH (bnc#1012382). - media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (bnc#1012382). - media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (bnc#1012382). - media: r820t: fix r820t_write_reg for KASAN (bnc#1012382). - media: s5k6aa: describe some function parameters (bnc#1012382). - media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - media: ts2020: avoid integer overflows on 32 bit machines (bnc#1012382). - media: usbtv: add a new usbid (bnc#1012382). - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382). - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382). - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382). - media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer (bnc#1012382). - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382). - media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs (bnc#1012382). - media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382). - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382). - media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic (bnc#1012382). - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382). - mmc: bcm2835: Do not overwrite max frequency unconditionally (bsc#983145, git-fixes). - mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep (bnc#1012382). - mm: hide a #warning for COMPILE_TEST (bnc#1012382). - mm/kmemleak.c: make cond_resched() rate-limiting more efficient (git-fixes). - mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1081500). - mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed (bnc#1012382). - mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy (bnc#1012382). - modsign: hide openssl output in silent builds (bnc#1012382). - module/retpoline: Warn about missing retpoline in module (bnc#1012382). - mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bsc#1078583). - mptfusion: hide unused seq_mpt_print_ioc_summary function (bnc#1012382). - mtd: cfi: convert inline functions to macros (bnc#1012382). - mtd: cfi: enforce valid geometry configuration (bnc#1012382). - mtd: ichxrom: maybe-uninitialized with gcc-4.9 (bnc#1012382). - mtd: maps: add __init attribute (bnc#1012382). - mtd: nand: brcmnand: Disable prefetch by default (bnc#1012382). - mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - mtd: nand: Fix nand_do_read_oob() return value (bnc#1012382). - mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM (bnc#1012382). - mtd: nand: sunxi: Fix ECC strength choice (bnc#1012382). - mtd: sh_flctl: pass FIFO as physical address (bnc#1012382). - mvpp2: fix multicast address filter (bnc#1012382). - ncpfs: fix unused variable warning (bnc#1012382). - ncr5380: shut up gcc indentation warning (bnc#1012382). - net: add dst_cache support (bnc#1012382). - net: arc_emac: fix arc_emac_rx() error paths (bnc#1012382). - net: avoid skb_warn_bad_offload on IS_ERR (bnc#1012382). - net: cdc_ncm: initialize drvflags before usage (bnc#1012382). - net: dst_cache_per_cpu_dst_set() can be static (bnc#1012382). - net: ena: add detection and recovery mechanism for handling missed/misrouted MSI-X (bsc#1083548). - net: ena: add new admin define for future support of IPv6 RSS (bsc#1083548). - net: ena: add power management ops to the ENA driver (bsc#1083548). - net: ena: add statistics for missed tx packets (bsc#1083548). - net: ena: fix error handling in ena_down() sequence (bsc#1083548). - net: ena: fix race condition between device reset and link up setup (bsc#1083548). - net: ena: fix rare kernel crash when bar memory remap fails (bsc#1083548). - net: ena: fix wrong max Tx/Rx queues on ethtool (bsc#1083548). - net: ena: improve ENA driver boot time (bsc#1083548). - net: ena: increase ena driver version to 1.3.0 (bsc#1083548). - net: ena: increase ena driver version to 1.5.0 (bsc#1083548). - net: ena: reduce the severity of some printouts (bsc#1083548). - net: ena: remove legacy suspend suspend/resume support (bsc#1083548). - net: ena: Remove redundant unlikely() (bsc#1083548). - net: ena: unmask MSI-X only after device initialization is completed (bsc#1083548). - net: ethernet: cavium: Correct Cavium Thunderx NIC driver names accordingly to module name (bsc#1085011). - net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit (bnc#1012382). - net: ethtool: Add back transceiver type (bsc#1085050). - net: ethtool: remove error check for legacy setting transceiver type (bsc#1085050). - netfilter: drop outermost socket lock in getsockopt() (bnc#1012382). - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107). - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107). - netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() (bnc#1012382). - netfilter: ipvs: avoid unused variable warnings (bnc#1012382). - netfilter: nf_queue: Make the queue_handler pernet (bnc#1012382). - netfilter: nf_tables: fix a wrong check to skip the inactive rules (bsc#1042286). - netfilter: nf_tables: fix inconsistent element expiration calculation (bsc#1042286). - netfilter: nf_tables: fix *leak* when expr clone fail (bsc#1042286). - netfilter: nf_tables: fix race when create new element in dynset (bsc#1042286). - netfilter: on sockopt() acquire sock lock only in the required scope (bnc#1012382). - netfilter: tee: select NF_DUP_IPV6 unconditionally (bsc#1042286). - netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} (bnc#1012382). - netfilter: x_tables: fix int overflow in xt_alloc_table_info() (bnc#1012382). - netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert (bnc#1012382). - netfilter: xt_socket: fix transparent match for IPv6 request sockets (bsc#1042286). - net: gianfar_ptp: move set_fipers() to spinlock protecting area (bnc#1012382). - net: hns: add ACPI mode support for ethtool -p (bsc#1084041). - net: hp100: remove unnecessary #ifdefs (bnc#1012382). - net: igmp: add a missing rcu locking section (bnc#1012382). - net/ipv4: Introduce IPSKB_FRAG_SEGS bit to inet_skb_parm.flags (bsc#1042286). - netlink: fix nla_put_{u8,u16,u32} for KASAN (bnc#1012382). - net/mlx5e: Fix loopback self test when GRO is off (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Fix wrong delay calculation for overflow check scheduling (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - net/mlx5e: Verify inline header size do not exceed SKB linear size (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5: Use 128B cacheline size for 128B or larger cachelines (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net: phy: Keep reporting transceiver type (bsc#1085050). - net: replace dst_cache ip6_tunnel implementation with the generic one (bnc#1012382). - net_sched: red: Avoid devision by zero (bnc#1012382). - net_sched: red: Avoid illegal values (bnc#1012382). - net/smc: fix NULL pointer dereference on sock_create_kern() error path (bsc#1082979). - netvsc: allow controlling send/recv buffer size (fate#315887, bsc#1082632). - netvsc: allow driver to be removed even if VF is present (fate#315887, bsc#1082632). - netvsc: check error return when restoring channels and mtu (fate#315887, bsc#1082632). - netvsc: cleanup datapath switch (fate#315887, bsc#1082632). - netvsc: do not signal host twice if empty (fate#315887, bsc#1082632). - netvsc: fix deadlock betwen link status and removal (fate#315887, bsc#1082632). - netvsc: increase default receive buffer size (fate#315887, bsc#1082632). - netvsc: keep track of some non-fatal overload conditions (fate#315887, bsc#1082632). - netvsc: no need to allocate send/receive on numa node (fate#315887, bsc#1082632). - netvsc: propagate MAC address change to VF slave (fate#315887, bsc#1082632). - netvsc: remove unnecessary cast of void pointer (fate#315887, bsc#1082632). - netvsc: remove unnecessary check for NULL hdr (fate#315887, bsc#1082632). - netvsc: whitespace cleanup (fate#315887, bsc#1082632). - net: vxlan: lwt: Fix vxlan local traffic (bsc#1042286). - net: vxlan: lwt: Use source ip address during route lookup (bsc#1042286). - nfs: Add a cond_resched() to nfs_commit_release_pages() (bsc#1077779). - nfs: commit direct writes even if they fail partially (bnc#1012382). - nfsd: check for use of the closed special stateid (bnc#1012382). - nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) (bnc#1012382). - nfsd: Ensure we check stateid validity in the seqid operation checks (bnc#1012382). - nfs: Do not convert nfs_idmap_cache_timeout to jiffies (git-fixes). - nfs: fix a deadlock in nfs client initialization (bsc#1074198). - nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds (bnc#1012382). - nfs: reject request for id_legacy key without auxdata (bnc#1012382). - nfs: Trunking detection should handle ERESTARTSYS/EINTR (bsc#1074198). - nvme_fc: cleanup io completion (bsc#1079609). - nvme_fc: correct abort race condition on resets (bsc#1079609). - nvme_fc: fix abort race on teardown with lld reject (bsc#1083750). - nvme_fc: fix ctrl create failures racing with workq items (bsc#1076982). - nvme_fc: io timeout should defer abort to ctrl reset (bsc#1085054). - nvme-fc: kick admin requeue list on disconnect (bsc#1077241). - nvme-fc: merge error on sles12sp3 for reset_work (bsc#1079195). - nvme_fc: minor fixes on sqsize (bsc#1076760). - nvme_fc: on remoteport reuse, set new nport_id and role (bsc#1076760). - nvme_fc: rework sqsize handling (bsc#1076760). - nvme: Fix managing degraded controllers (bnc#1012382). - nvme: Fix setting logical block format when revalidating (bsc#1079313). - nvme: only start KATO if the controller is live (bsc#1083387). - nvme-pci: clean up CMB initialization (bsc#1082979). - nvme-pci: clean up SMBSZ bit definitions (bsc#1082979). - nvme-pci: consistencly use ctrl->device for logging (bsc#1082979). - nvme-pci: fix typos in comments (bsc#1082979). - nvme-pci: Remap CMB SQ entries on every controller reset (bsc#1082979). - nvme-pci: Use PCI bus address for data/queues in CMB (bsc#1082979). - nvme: Quirks for PM1725 controllers (bsc#1082979). - nvme_rdma: clear NVME_RDMA_Q_LIVE bit if reconnect fails (bsc#1083770). - nvme-rdma: fix concurrent reset and reconnect (bsc#1082979). - nvme: remove nvme_revalidate_ns (bsc#1079313). - ocfs2: return error when we attempt to access a dirty bh in jbd2 (bsc#1070404). - openvswitch: fix the incorrect flow action alloc size (bnc#1012382). - ovl: fix failure to fsync lower dir (bnc#1012382). - ovs/geneve: fix rtnl notifications on iface deletion (bsc#1042286). - ovs/gre: fix rtnl notifications on iface deletion (bsc#1042286). - ovs/gre,geneve: fix error path when creating an iface (bsc#1042286). - ovs/vxlan: fix rtnl notifications on iface deletion (bsc#1042286). - pci/ASPM: Do not retrain link if ASPM not possible (bnc#1071892). - pci: hv: Do not sleep in compose_msi_msg() (fate#315887, bsc#1082632). - pci: keystone: Fix interrupt-controller-node lookup (bnc#1012382). - pci/MSI: Fix msi_desc->affinity memory leak when freeing MSI IRQs (bsc#1082979). - perf bench numa: Fixup discontiguous/sparse numa nodes (bnc#1012382). - perf top: Fix window dimensions change handling (bnc#1012382). - perf/x86: Shut up false-positive -Wmaybe-uninitialized warning (bnc#1012382). - pinctrl: sunxi: Fix A80 interrupt pin bank (bnc#1012382). - pktcdvd: Fix pkt_setup_dev() error path (bnc#1012382). - platform/x86: intel_mid_thermal: Fix suspend handlers unused warning (bnc#1012382). - pm / devfreq: Propagate error from devfreq_add_device() (bnc#1012382). - pm / wakeirq: Fix unbalanced IRQ enable for wakeirq (bsc#1031717). - posix-timer: Properly check sigevent->sigev_notify (bnc#1012382). - power: bq27xxx_battery: mark some symbols __maybe_unused (bnc#1012382). - powerpc/64: Fix flush_(d|i)cache_range() called from modules (FATE#315275 LTC#103998 bnc#1012382 bnc#863764). - powerpc/64s: Fix RFI flush dependency on HARDLOCKUP_DETECTOR (bnc#1012382). - powerpc/64s: Improve RFI L1-D cache flush fallback (bsc#1068032, bsc#1075087). - powerpc: Do not preempt_disable() in show_cpuinfo() (bsc#1066223). - powerpc/numa: Ensure nodes initialized for hotplug (FATE#322022, bsc#1081514). - powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove (bsc#1081512). - powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes (FATE#322022, bsc#1081514). - powerpc/perf: Fix oops when grouping different pmu events (bnc#1012382). - powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers (bsc#1066223). - powerpc/powernv: Move IDLE_STATE_ENTER_SEQ macro to cpuidle.h (bsc#1066223). - powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087). - powerpc/pseries: Fix cpu hotplug crash with memoryless nodes (FATE#322022, bsc#1081514). - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087). - powerpc: Simplify module TOC handling (bnc#1012382). - power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382). - profile: hide unused functions when !CONFIG_PROC_FS (bnc#1012382). - Provide a function to create a NUL-terminated string from unterminated data (bnc#1012382). - pwc: hide unused label (bnc#1012382). - qla2xxx: Add changes for devloss timeout in driver (bsc#1084427). - qla2xxx: Add FC-NVMe abort processing (bsc#1084427). - qla2xxx: asynchronous pci probing (bsc#1034503). - qla2xxx: Cleanup code to improve FC-NVMe error handling (bsc#1084427). - qla2xxx: Convert QLA_TGT_ABTS to TARGET_SCF_LOOKUP_LUN_FROM_TAG (bsc#1043726,FATE#324770). - qla2xxx: do not check login_state if no loop id is assigned (bsc#1081681). - qla2xxx: ensure async flags are reset correctly (bsc#1081681). - qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan (bsc#1084427). - qla2xxx: Fix FC-NVMe IO abort during driver reset (bsc#1084427). - qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2) (bsc#1043726,FATE#324770). - qla2xxx: Fix n2n_ae flag to prevent dev_loss on PDB change (bsc#1084427). - qla2xxx: Fix NVMe entry_type for iocb packet on BE system (bsc#1043726,FATE#324770). - qla2xxx: Fix retry for PRLI RJT with reason of BUSY (bsc#1084427). - qla2xxx: Fixup locking for session deletion (bsc#1081681). - qla2xxx: Remove nvme_done_list (bsc#1084427). - qla2xxx: Remove unneeded message and minor cleanup for FC-NVMe (bsc#1084427). - qla2xxx: remove use of FC-specific error codes (bsc#1043726,FATE#324770). - qla2xxx: Restore ZIO threshold setting (bsc#1084427). - qla2xxx: Return busy if rport going away (bsc#1084427). - qla2xxx: Set IIDMA and fcport state before qla_nvme_register_remote() (bsc#1084427). - qla2xxx: Update driver version to 10.00.00.06-k (bsc#1084427). - qlcnic: fix deadlock bug (bnc#1012382). - r8169: fix RTL8168EP take too long to complete driver initialization (bnc#1012382). - rdma/cma: Make sure that PSN is not over max allowed (bnc#1012382). - rdma/uverbs: Protect from command mask overflow (bsc#1082979). - reiserfs: avoid a -Wmaybe-uninitialized warning (bnc#1012382). - Revert "Bluetooth: btusb: fix QCA Rome suspend/resume" (bnc#1012382). - Revert "bpf: avoid false sharing of map refcount with max_entries" (kabi). - Revert "netfilter: nf_queue: Make the queue_handler pernet" (kabi). - Revert "net: replace dst_cache ip6_tunnel implementation with the generic one" (kabi bnc#1082897). - Revert "power: bq27xxx_battery: Remove unneeded dependency in Kconfig" (bnc#1012382). - Revert "powerpc: Simplify module TOC handling" (kabi). - Revert SUSE-specific qla2xxx patch 'Add module parameter for interrupt mode' (bsc#1043726) - Revert "x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0" - Revert "x86/entry/64: Use a per-CPU trampoline stack for IDT entries" - rfi-flush: Move the logic to avoid a redo into the debugfs code (bsc#1068032, bsc#1075087). - rfi-flush: Switch to new linear fallback flush (bsc#1068032, bsc#1075087). - rhashtable: add rhashtable_lookup_get_insert_key() (bsc#1042286). - rtc-opal: Fix handling of firmware error codes, prevent busy loops (bnc#1012382). - rtlwifi: fix gcc-6 indentation warning (bnc#1012382). - rtlwifi: rtl8821ae: Fix connection lost problem correctly (bnc#1012382). - s390: add no-execute support (FATE#324087, LTC#158827). - s390/dasd: fix handling of internal requests (bsc#1080321). - s390/dasd: fix wrongly assigned configuration data (bnc#1012382). - s390/dasd: prevent prefix I/O error (bnc#1012382). - s390: fix handling of -1 in set{,fs}[gu]id16 syscalls (bnc#1012382). - s390: hypfs: Move diag implementation and data definitions (FATE#324070, LTC#158959). - s390: kvm: Cpu model support for msa6, msa7 and msa8 (FATE#324069, LTC#159031). - s390: Make cpc_name accessible (FATE#324070, LTC#158959). - s390: Make diag224 public (FATE#324070, LTC#158959). - s390/mem_detect: use unsigned longs (FATE#324071, LTC#158956). - s390/mm: align swapper_pg_dir to 16k (FATE#324087, LTC#158827). - s390/mm: always use PAGE_KERNEL when mapping pages (FATE#324087, LTC#158827). - s390/noexec: execute kexec datamover without DAT (FATE#324087, LTC#158827). - s390/oprofile: fix address range for asynchronous stack (bsc#1082979). - s390/pageattr: allow kernel page table splitting (FATE#324087, LTC#158827). - s390/pageattr: avoid unnecessary page table splitting (FATE#324087, LTC#158827). - s390/pageattr: handle numpages parameter correctly (FATE#324087, LTC#158827). - s390/pci_dma: improve lazy flush for unmap (bnc#1079886, LTC#163393). - s390/pci_dma: improve map_sg (bnc#1079886, LTC#163393). - s390/pci_dma: make lazy flush independent from the tlb_refresh bit (bnc#1079886, LTC#163393). - s390/pci_dma: remove dma address range check (bnc#1079886, LTC#163393). - s390/pci_dma: simplify dma address calculation (bnc#1079886, LTC#163393). - s390/pci_dma: split dma_update_trans (bnc#1079886, LTC#163393). - s390/pci: fix dma address calculation in map_sg (bnc#1079886, LTC#163393). - s390/pci: handle insufficient resources during dma tlb flush (bnc#1079886, LTC#163393). - s390/pgtable: introduce and use generic csp inline asm (FATE#324087, LTC#158827). - s390/pgtable: make pmd and pud helper functions available (FATE#324087, LTC#158827). - s390/qeth: fix underestimated count of buffer elements (bnc#1082089, LTC#164529). - s390: report new vector facilities (FATE#324088, LTC#158828). - s390/sclp: Add hmfai field (FATE#324071, LTC#158956). - s390/vmem: align segment and region tables to 16k (FATE#324087, LTC#158827). - s390/vmem: introduce and use SEGMENT_KERNEL and REGION3_KERNEL (FATE#324087, LTC#158827). - s390/vmem: simplify vmem code for read-only mappings (FATE#324087, LTC#158827). - sched/rt: Up the root domain ref count when passing it around via IPIs (bnc#1012382). - sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() (bnc#1012382). - scripts/kernel-doc: Do not fail with status != 0 if error encountered with -none (bnc#1012382). - scsi: aacraid: Fix hang in kdump (bsc#1022607, FATE#321673). - scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path (bnc#1012382). - scsi: advansys: fix build warning for PCI=n (bnc#1012382). - scsi: advansys: fix uninitialized data access (bnc#1012382). - scsi: do not look for NULL devices handlers by name (bsc#1082373). - scsi: fas216: fix sense buffer initialization (bsc#1082979). - scsi: fdomain: drop fdomain_pci_tbl when built-in (bnc#1012382). - scsi: hisi_sas: directly attached disk LED feature for v2 hw (bsc#1083409). - scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info (bnc#1012382). - scsi: initio: remove duplicate module device table (bnc#1012382 bsc#1082979). - scsi: initio: remove duplicate module device table (bsc#1082979). - scsi: libsas: fix error when getting phy events (bsc#1082979). - scsi: libsas: fix memory leak in sas_smp_get_phy_events() (bsc#1082979). - scsi: lpfc: Add WQ Full Logic for NVME Target (bsc#1080656). - scsi: lpfc: Allow set of maximum outstanding SCSI cmd limit for a target (bsc#1080656). - scsi: lpfc: Beef up stat counters for debug (bsc#1076693). - scsi: lpfc: correct debug counters for abort (bsc#1080656). - scsi: lpfc: do not dereference localport before it has been null checked (bsc#1076693). - scsi: lpfc: Do not return internal MBXERR_ERROR code from probe function (bsc#1082979). - scsi: lpfc: fix a couple of minor indentation issues (bsc#1076693). - scsi: lpfc: Fix -EOVERFLOW behavior for NVMET and defer_rcv (bsc#1076693). - scsi: lpfc: Fix header inclusion in lpfc_nvmet (bsc#1080656). - scsi: lpfc: Fix infinite wait when driver unregisters a remote NVME port (bsc#1076693). - scsi: lpfc: Fix IO failure during hba reset testing with nvme io (bsc#1080656). - scsi: lpfc: Fix issue_lip if link is disabled (bsc#1080656). - scsi: lpfc: Fix issues connecting with nvme initiator (bsc#1076693). - scsi: lpfc: Fix nonrecovery of NVME controller after cable swap (bsc#1080656). - scsi: lpfc: Fix PRLI handling when topology type changes (bsc#1080656). - scsi: lpfc: Fix receive PRLI handling (bsc#1076693). - scsi: lpfc: Fix RQ empty firmware trap (bsc#1080656). - scsi: lpfc: Fix SCSI io host reset causing kernel crash (bsc#1080656). - scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled (bsc#1076693). - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing (bsc#1080656). - scsi: lpfc: Increase CQ and WQ sizes for SCSI (bsc#1080656). - scsi: lpfc: Increase SCSI CQ and WQ sizes (bsc#1076693). - scsi: lpfc: Indicate CONF support in NVMe PRLI (bsc#1080656). - scsi: lpfc: move placement of target destroy on driver detach (bsc#1080656). - scsi: lpfc: Treat SCSI Write operation Underruns as an error (bsc#1080656). - scsi: lpfc: Update 11.4.0.7 modified files for 2018 Copyright (bsc#1080656). - scsi: lpfc: update driver version to 11.4.0.6 (bsc#1076693). - scsi: lpfc: update driver version to 11.4.0.7 (bsc#1080656). - scsi: lpfc: Validate adapter support for SRIU option (bsc#1080656). - scsi: mvumi: use __maybe_unused to hide pm functions (bnc#1012382). - scsi: qla2xxx: Ability to process multiple SGEs in Command SGL for CT passthrough commands (bsc#1043726,FATE#324770). - scsi: qla2xxx: Accelerate SCSI BUSY status generation in target mode (bsc#1043725,FATE#324770). - scsi: qla2xxx: Add ability to autodetect SFP type (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add ability to send PRLO (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add ability to use GPNFT/GNNFT for RSCN handling (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add ATIO-Q processing for INTx mode (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add boundary checks for exchanges to be offloaded (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add command completion for error path (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add debug knob for user control workload (bsc#1043725,FATE#324770). - scsi: qla2xxx: Add debug logging routine for qpair (bsc#1043725,FATE#324770). - scsi: qla2xxx: Added change to enable ZIO for FC-NVMe devices (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add FC-NVMe command handling (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add FC-NVMe F/W initialization and transport registration (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add FC-NVMe port discovery and PRLI handling (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add function call to qpair for door bell (bsc#1043725,FATE#324770). - scsi: qla2xxx: Add fw_started flags to qpair (bsc#1043725,FATE#324770). - scsi: qla2xxx: Add lock protection around host lookup (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add LR distance support from nvram bit (bsc#1043726,FATE#324770). - scsi: qla2xxx: add missing includes for qla_isr (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add option for use reserve exch for ELS (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add ql2xiniexchg parameter (bsc#1043725,FATE#324770). - scsi: qla2xxx: Add retry limit for fabric scan logic (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add support for minimum link speed (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add switch command to simplify fabric discovery (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add timeout ability to wait_for_sess_deletion() (bsc#1043726,FATE#324770). - scsi: qla2xxx: Add XCB counters to debugfs (bsc#1043726,FATE#324770). - scsi: qla2xxx: Allow ABTS, PURX, RIDA on ATIOQ for ISP83XX/27XX (bsc#1043725,FATE#324770). - scsi: qla2xxx: Allow MBC_GET_PORT_DATABASE to query and save the port states (bsc#1043726,FATE#324770). - scsi: qla2xxx: Allow relogin and session creation after reset (bsc#1043726,FATE#324770). - scsi: qla2xxx: Allow SNS fabric login to be retried (bsc#1043726,FATE#324770). - scsi: qla2xxx: Allow target mode to accept PRLI in dual mode (bsc#1043726,FATE#324770). - scsi: qla2xxx: avoid unused-function warning (bsc#1043726,FATE#324770). - scsi: qla2xxx: Change ha->wq max_active value to default (bsc#1043726,FATE#324770). - scsi: qla2xxx: Changes to support N2N logins (bsc#1043726,FATE#324770). - scsi: qla2xxx: Chip reset uses wrong lock during IO flush (bsc#1043726,FATE#324770). - scsi: qla2xxx: Cleanup FC-NVMe code (bsc#1043726,FATE#324770). - scsi: qla2xxx: Cleanup NPIV host in target mode during config teardown (bsc#1043726,FATE#324770). - scsi: qla2xxx: Clear fc4f_nvme flag (bsc#1043726,FATE#324770). - scsi: qla2xxx: Clear loop id after delete (bsc#1043726,FATE#324770). - scsi: qla2xxx: Combine Active command arrays (bsc#1043725,FATE#324770). - scsi: qla2xxx: Convert 32-bit LUN usage to 64-bit (bsc#1043725,FATE#324770). - scsi: qla2xxx: Defer processing of GS IOCB calls (bsc#1043726,FATE#324770). - scsi: qla2xxx: Delay loop id allocation at login (bsc#1043726,FATE#324770). - scsi: qla2xxx: Do not call abort handler function during chip reset (bsc#1043726,FATE#324770). - scsi: qla2xxx: Do not call dma_free_coherent with IRQ disabled (bsc#1043726,FATE#324770). - scsi: qla2xxx: do not include (bsc#1043725,FATE#324770). - scsi: qla2xxx: Enable Async TMF processing (bsc#1043726,FATE#324770). - scsi: qla2xxx: Enable ATIO interrupt handshake for ISP27XX (bsc#1043726,FATE#324770). - scsi: qla2xxx: Enable Target Multi Queue (bsc#1043725,FATE#324770). - scsi: qla2xxx: Fix abort command deadlock due to spinlock (FATE#320146, bsc#966328). - scsi: qla2xxx: fix a bunch of typos and spelling mistakes (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix a locking imbalance in qlt_24xx_handle_els() (bsc#1082979). - scsi: qla2xxx: Fix compile warning (bsc#1043725,FATE#324770). - scsi: qla2xxx: Fix FC-NVMe LUN discovery (bsc#1083223). - scsi: qla2xxx: Fix Firmware dump size for Extended login and Exchange Offload (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix GPNFT/GNNFT error handling (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix gpnid error processing (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix incorrect handle for abort IOCB (bsc#1082979). - scsi: qla2xxx: Fix login state machine freeze (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix login state machine stuck at GPDB (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix logo flag for qlt_free_session_done() (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix mailbox failure while deleting Queue pairs (bsc#1043725,FATE#324770). - scsi: qla2xxx: Fix memory leak in dual/target mode (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix NPIV host cleanup in target mode (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix NPIV host enable after chip reset (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix NULL pointer access for fcport structure (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS (bsc#1082979). - scsi: qla2xxx: Fix NULL pointer crash due to probe failure (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix oops in qla2x00_probe_one error path (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix PRLI state check (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix queue ID for async abort with Multiqueue (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix recursion while sending terminate exchange (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix Relogin being triggered too fast (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix re-login for Nport Handle in use (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix remoteport disconnect for FC-NVMe (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix scan state field for fcport (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix session cleanup for N2N (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix slow mem alloc behind lock (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que (bsc#1043726,FATE#324770). - scsi: qla2xxx: fix spelling mistake of variable sfp_additonal_info (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix system crash for Notify ack timeout handling (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix system crash while triggering FW dump (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix system panic due to pointer access problem (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix target multiqueue configuration (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix task mgmt handling for NPIV (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix warning during port_name debug print (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix warning for code intentation in __qla24xx_handle_gpdb_event() (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix warning in qla2x00_async_iocb_timeout() (bsc#1043726,FATE#324770). - scsi: qla2xxx: Fix WWPN/WWNN in debug message (bsc#1043726,FATE#324770). - scsi: qla2xxx: Handle PCIe error for driver (bsc#1043726,FATE#324770). - scsi: qla2xxx: Include Exchange offload/Extended Login into FW dump (bsc#1043725,FATE#324770). - scsi: qla2xxx: Increase ql2xmaxqdepth to 64 (bsc#1043726,FATE#324770). - scsi: qla2xxx: Increase verbosity of debug messages logged (bsc#1043726,FATE#324770). - scsi: qla2xxx: Migrate switch registration commands away from mailbox interface (bsc#1043726,FATE#324770). - scsi: qla2xxx: move fields from qla_hw_data to qla_qpair (bsc#1043725,FATE#324770). - scsi: qla2xxx: Move function prototype to correct header (bsc#1043726,FATE#324770). - scsi: qla2xxx: Move logging default mask to execute once only (bsc#1043726,FATE#324770). - scsi: qla2xxx: Move session delete to driver work queue (bsc#1043726,FATE#324770). - scsi: qla2xxx: Move target stat counters from vha to qpair (bsc#1043725,FATE#324770). - scsi: qla2xxx: Move work element processing out of DPC thread (bsc#1043726,FATE#324770). - scsi: qla2xxx: Off by one in qlt_ctio_to_cmd() (bsc#1043726,FATE#324770). - scsi: qla2xxx: Preparation for Target MQ (bsc#1043725,FATE#324770). - scsi: qla2xxx: Prevent multiple active discovery commands per session (bsc#1043726,FATE#324770). - scsi: qla2xxx: Prevent relogin trigger from sending too many commands (bsc#1043726,FATE#324770). - scsi: qla2xxx: Prevent sp->free null/uninitialized pointer dereference (bsc#1043726,FATE#324770). - scsi: qla2xxx: Print correct mailbox registers in failed summary (bsc#1043726,FATE#324770). - scsi: qla2xxx: Properly extract ADISC error codes (bsc#1043726,FATE#324770). - scsi: qla2xxx: Protect access to qpair members with qpair->qp_lock (bsc#1043726,FATE#324770). - scsi: qla2xxx: Query FC4 type during RSCN processing (bsc#1043726,FATE#324770). - scsi: qla2xxx: Recheck session state after RSCN (bsc#1043726,FATE#324770) - scsi: qla2xxx: Reduce the use of terminate exchange (bsc#1043726,FATE#324770). - scsi: qla2xxx: Reduce trace noise for Async Events (bsc#1043726,FATE#324770). - scsi: qla2xxx: Reinstate module parameter ql2xenablemsix (bsc#1043726,FATE#324770). - scsi: qla2xxx: Relogin to target port on a cable swap (bsc#1043726,FATE#324770). - scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout (FATE#320146, bsc#966328). - scsi: qla2xxx: Remove an unused structure member (bsc#1043725,FATE#324770). - scsi: qla2xxx: Remove datasegs_per_cmd and datasegs_per_cont field (bsc#1043725,FATE#324770). - scsi: qla2xxx: Remove extra register read (bsc#1043725,FATE#324770). - scsi: qla2xxx: Remove extra register read (bsc#1043726,FATE#324770). - scsi: qla2xxx: Remove FC_NO_LOOP_ID for FCP and FC-NVMe Discovery (bsc#1084397). - scsi: qla2xxx: Remove potential macro parameter side-effect in ql_dump_regs() (bsc#1043726,FATE#324770). - scsi: qla2xxx: remove redundant assignment of d (bsc#1043726,FATE#324770). - scsi: qla2xxx: remove redundant null check on tgt (bsc#1043725,FATE#324770). - scsi: qla2xxx: Remove redundant wait when target is stopped (bsc#1043725,FATE#324770). - scsi: qla2xxx: Remove session creation redundant code (bsc#1043726,FATE#324770). - scsi: qla2xxx: Remove unused argument from qlt_schedule_sess_for_deletion() (bsc#1043726,FATE#324770). - scsi: qla2xxx: Remove unused irq_cmd_count field (bsc#1043725,FATE#324770). - scsi: qla2xxx: Remove unused tgt_enable_64bit_addr flag (bsc#1043725,FATE#324770). - scsi: qla2xxx: remove writeq/readq function definitions (bsc#1043725,FATE#324770). - scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport (bsc#1043726,FATE#324770). - scsi: qla2xxx: Replace GPDB with async ADISC command (bsc#1043726,FATE#324770). - scsi: qla2xxx: Reset the logo flag, after target re-login (bsc#1043726,FATE#324770). - scsi: qla2xxx: Retry switch command on time out (bsc#1043726,FATE#324770). - scsi: qla2xxx: Send FC4 type NVMe to the management server (bsc#1043726,FATE#324770). - scsi: qla2xxx: Serialize GPNID for multiple RSCN (bsc#1043726,FATE#324770). - scsi: qla2xxx: Serialize session deletion by using work_lock (bsc#1043726,FATE#324770). - scsi: qla2xxx: Serialize session free in qlt_free_session_done (bsc#1043726,FATE#324770). - scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports (bsc#1043726,FATE#324770). - scsi: qla2xxx: Skip IRQ affinity for Target QPairs (bsc#1043726,FATE#324770). - scsi: qla2xxx: Skip zero queue count entry during FW dump capture (bsc#1043726,FATE#324770). - scsi: qla2xxx: Suppress a kernel complaint in qla_init_base_qpair() (bsc#1043726,FATE#324770). - scsi: qla2xxx: Tweak resource count dump (bsc#1043726,FATE#324770). - scsi: qla2xxx: Update Driver version to 10.00.00.00-k (bsc#1043726,FATE#324770). - scsi: qla2xxx: Update driver version to 10.00.00.01-k (bsc#1043726,FATE#324770). - scsi: qla2xxx: Update driver version to 10.00.00.02-k (bsc#1043726,FATE#324770). - scsi: qla2xxx: Update driver version to 10.00.00.03-k (bsc#1043726,FATE#324770). - scsi: qla2xxx: Update driver version to 10.00.00.04-k (bsc#1043726,FATE#324770). - scsi: qla2xxx: Update driver version to 10.00.00.05-k (bsc#1081681). - scsi: qla2xxx: Update driver version to 9.01.00.00-k (bsc#1043725,FATE#324770). - scsi: qla2xxx: Update fw_started flags at qpair creation (bsc#1043726,FATE#324770). - scsi: qla2xxx: Use BIT_6 to acquire FAWWPN from switch (bsc#1043726,FATE#324770) - scsi: qla2xxx: Use chip reset to bring down laser on unload (bsc#1043726,FATE#324770). - scsi: qla2xxx: use dma_mapping_error to check map errors (bsc#1043726,FATE#324770). - scsi: qla2xxx: Use FC-NVMe FC4 type for FDMI registration (bsc#1043726,FATE#324770). - scsi: qla2xxx: Use IOCB path to submit Control VP MBX command (bsc#1043726,FATE#324770). - scsi: qla2xxx: Use known NPort ID for Management Server login (bsc#1043726,FATE#324770). - scsi: qla2xxx: Use ql2xnvmeenable to enable Q-Pair for FC-NVMe (bsc#1043726,FATE#324770). - scsi: qla2xxx: use shadow register for ISP27XX (bsc#1043725,FATE#324770). - scsi: qla2xxx: Use shadow register for ISP27XX (bsc#1043726,FATE#324770). - scsi: qla2xxx: Use sp->free instead of hard coded call (bsc#1043726,FATE#324770). - scsi: ses: do not get power status of SES device slot on probe (bsc#1082979). - scsi: sim710: fix build warning (bnc#1012382). - scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813). - scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error (bnc#1012382). - scsi: storvsc: remove unnecessary channel inbound lock (fate#315887, bsc#1082632). - scsi: sun_esp: fix device reference leaks (bsc#1082979). - scsi: tcm_qla2xxx: Do not allow aborted cmd to advance (bsc#1043725,FATE#324770). - scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg (bnc#1012382). - sctp: make use of pre-calculated len (bnc#1012382). - selinux: ensure the context is NUL terminated in security_context_to_sid_core() (bnc#1012382). - selinux: general protection fault in sock_has_perm (bnc#1012382). - selinux: skip bounded transition processing if the policy isn't loaded (bnc#1012382). - serial: 8250_mid: fix broken DMA dependency (bnc#1012382). - serial: 8250_uniphier: fix error return code in uniphier_uart_probe() (bsc#1031717). - serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS (bnc#1012382). - series.conf: disable qla2xxx patches (bsc#1043725) - sget(): handle failures of register_shrinker() (bnc#1012382). - signal/openrisc: Fix do_unaligned_access to send the proper signal (bnc#1012382). - signal/sh: Ensure si_signo is initialized in do_divide_error (bnc#1012382). - SolutionEngine771x: fix Ether platform data (bnc#1012382). - spi: atmel: fixed spin_lock usage inside atmel_spi_remove (bnc#1012382). - spi: imx: do not access registers while clocks disabled (bnc#1012382). - spi: sun4i: disable clocks in the remove function (bnc#1012382). - ssb: mark ssb_bus_register as __maybe_unused (bnc#1012382). - staging: android: ashmem: Fix a race condition in pin ioctls (bnc#1012382). - staging: iio: adc: ad7192: fix external frequency setting (bnc#1012382). - staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID (bnc#1012382). - staging: ste_rmi4: avoid unused function warnings (bnc#1012382). - staging: unisys: visorinput depends on INPUT (bnc#1012382). - staging: wilc1000: fix kbuild test robot error (bnc#1012382). - sunrpc: Allow connect to return EHOSTUNREACH (bnc#1012382). - target: Add support for TMR percpu reference counting (bsc#1043726,FATE#324770). - target: Add TARGET_SCF_LOOKUP_LUN_FROM_TAG support for ABORT_TASK (bsc#1043726,FATE#324770). - tc1100-wmi: fix build warning when CONFIG_PM not enabled (bnc#1012382). - tc358743: fix register i2c_rd/wr function fix (git-fixes). - tc358743: fix register i2c_rd/wr functions (bnc#1012382). - tcp: do not set rtt_min to 1 (bsc#1042286). - tcp: release sk_frag.page in tcp_disconnect (bnc#1012382). - test_bpf: fix the dummy skb after dissector changes (bsc#1042286). - tg3: Add workaround to restrict 5762 MRRS to 2048 (bnc#1012382). - tg3: Enable PHY reset in MTU change path for 5720 (bnc#1012382). - thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies (bnc#1012382). - thermal: spear: use __maybe_unused for PM functions (bnc#1012382). - tlan: avoid unused label with PCI=n (bnc#1012382). - tools build: Add tools tree support for 'make -s' (bnc#1012382). - tpm-dev-common: Reject too short writes (bsc#1020645, git-fixes). - tpm: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes). - tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes). - tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes). - tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes). - tpm_tis: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes). - tty: cyclades: cyz_interrupt is only used for PCI (bnc#1012382). - tty: hvc_xen: hide xen_console_remove when unused (bnc#1012382). - tty: mxser: Remove ASYNC_CLOSING (bnc#1072363). - ubi: block: Fix locking for idr_alloc/idr_remove (bnc#1012382). - udp: restore UDPlite many-cast delivery (bsc#1042286). - usb: build drivers/usb/common/ when USB_SUPPORT is set (bnc#1012382). - usb: cdc-acm: Do not log urb submission errors on disconnect (bnc#1012382). - usb: cdc_subset: only build when one driver is enabled (bnc#1012382). - usb: dwc3: gadget: Set maxpacket size for ep0 IN (bnc#1012382). - usb: f_fs: Prevent gadget unbind if it is already unbound (bnc#1012382). - usb: gadget: do not dereference g until after it has been null checked (bnc#1012382). - usb: gadget: f_fs: Process all descriptors during bind (bnc#1012382). - usb: gadget: uvc: Missing files for configfs interface (bnc#1012382). - usbip: fix 3eee23c3ec14 tcp_socket address still in the status file (bnc#1012382). - usbip: keep usbip_device sockfd state in sync with tcp_socket (bnc#1012382). - usbip: list: do not list devices attached to vhci_hcd (bnc#1012382). - usbip: prevent bind loops on devices attached to vhci_hcd (bnc#1012382). - usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit (bnc#1012382). - usb: ldusb: add PIDs for new CASSY devices supported by this driver (bnc#1012382). - usb: musb/ux500: remove duplicate check for dma_is_compatible (bnc#1012382). - usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() (bnc#1012382). - usb: option: Add support for FS040U modem (bnc#1012382). - usb: phy: msm add regulator dependency (bnc#1012382). - usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path (bnc#1012382). - usb: serial: io_edgeport: fix possible sleep-in-atomic (bnc#1012382). - usb: serial: pl2303: new device id for Chilitag (bnc#1012382). - usb: serial: simple: add Motorola Tetra driver (bnc#1012382). - usb: uas: unconditionally bring back host after reset (bnc#1012382). - v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER (bnc#1012382). - vb2: V4L2_BUF_FLAG_DONE is set after DQBUF (bnc#1012382). - vfs: do not do RCU lookup of empty pathnames (bnc#1012382). - vhost_net: stop device during reset owner (bnc#1012382). - video: fbdev: atmel_lcdfb: fix display-timings lookup (bnc#1012382). - video: fbdev/mmp: add MODULE_LICENSE (bnc#1012382). - video: fbdev: sis: remove unused variable (bnc#1012382). - video: fbdev: via: remove possibly unused variables (bnc#1012382). - video: Use bool instead int pointer for get_opt_bool() argument (bnc#1012382). - virtio_balloon: prevent uninitialized variable use (bnc#1012382). - vmbus: add per-channel sysfs info (fate#315887, bsc#1082632). - vmbus: add prefetch to ring buffer iterator (fate#315887, bsc#1082632). - vmbus: do not acquire the mutex in vmbus_hvsock_device_unregister() (fate#315887, bsc#1082632). - vmbus: drop unused ring_buffer_info elements (fate#315887, bsc#1082632). - vmbus: eliminate duplicate cached index (fate#315887, bsc#1082632). - vmbus: hvsock: add proper sync for vmbus_hvsock_device_unregister() (fate#315887, bsc#1082632). - vmbus: initialize reserved fields in messages (fate#315887, bsc#1082632). - vmbus: make channel_message table constant (fate#315887, bsc#1082632). - vmbus: more host signalling avoidance (fate#315887, bsc#1082632). - vmbus: refactor hv_signal_on_read (fate#315887, bsc#1082632). - vmbus: remove unused vmbus_sendpacket_ctl (fate#315887, bsc#1082632). - vmbus: remove unused vmbus_sendpacket_multipagebuffer (fate#315887, bsc#1082632). - vmbus: remove unused vmubs_sendpacket_pagebuffer_ctl (fate#315887, bsc#1082632). - vmbus: Reuse uuid_le_to_bin() helper (fate#315887, bsc#1082632). - vmbus: simplify hv_ringbuffer_read (fate#315887, bsc#1082632). - vmbus: unregister device_obj->channels_kset (fate#315887, bsc#1082632). - vmxnet3: prevent building with 64K pages (bnc#1012382). - vxlan: consolidate csum flag handling (bsc#1042286). - vxlan: consolidate output route calculation (bsc#1042286). - vxlan: consolidate vxlan_xmit_skb and vxlan6_xmit_skb (bsc#1042286). - vxlan: do not allow overwrite of config src addr (bsc#1042286). - watchdog: imx2_wdt: restore previous timeout after suspend+resume (bnc#1012382). - wireless: cw1200: use __maybe_unused to hide pm functions_ (bnc#1012382). - x86: add MULTIUSER dependency for KVM (bnc#1012382). - x86/asm: Fix inline asm call constraints for GCC 4.4 (bnc#1012382). - x86/boot: Avoid warning for zero-filling .bss (bnc#1012382). - x86: bpf_jit: small optimization in emit_bpf_tail_call() (bnc#1012382). - x86/bugs: Drop one "mitigation" from dmesg (bnc#1012382). - x86/build: Silence the build with "make -s" (bnc#1012382). - x86/cpu/bugs: Make retpoline module warning conditional (bnc#1012382). - x86/cpu: Change type of x86_cache_size variable to unsigned int (bnc#1012382). - x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0 (bsc#1077560). - x86/entry/64: Use a per-CPU trampoline stack for IDT entries (bsc#1077560). - x86: fix build warnign with 32-bit PAE (bnc#1012382). - x86/fpu/math-emu: Fix possible uninitialized variable use (bnc#1012382). - x86/hyperv: Implement hv_get_tsc_page() (fate#315887, bsc#1082632). - x86/hyper-v: include hyperv/ only when CONFIG_HYPERV is set (fate#315887, bsc#1082632). - x86/hyper-v: Introduce fast hypercall implementation (fate#315887, bsc#1082632). - x86/hyper-v: Make hv_do_hypercall() inline (fate#315887, bsc#1082632). - x86/hyperv: Move TSC reading method to asm/mshyperv.h (fate#315887, bsc#1082632). - x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER (bnc#1012382). - x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested (bsc#1081431). - x86/mce: Pin the timer when modifying (bsc#1080851,1076282). - x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug (bnc#1012382). - x86/microcode/AMD: Do not load when running on a hypervisor (bsc#1081436 bsc#1081437). - x86/microcode: Do the family check first (bnc#1012382). - x86/microcode: Do the family check first (bsc#1081436 bsc#1081437). - x86/mm/kmmio: Fix mmiotrace for page unaligned addresses (bnc#1012382). - x86/mm/pkeys: Fix fill_sig_info_pkey (fate#321300). - x86/nospec: Fix header guards names (bnc#1012382). - x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() (bnc#1012382). - x86/paravirt: Remove 'noreplace-paravirt' cmdline option (bnc#1012382). - x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG (bnc#1012382). - x86/platform/olpc: Fix resume handler build warning (bnc#1012382). - x86/pti: Make unpoison of pgd for trusted boot work for real (bnc#1012382). - x86/ras/inject: Make it depend on X86_LOCAL_APIC=y (bnc#1012382). - x86/retpoline: Avoid retpolines for built-in __init functions (bnc#1012382). - x86/retpoline/hyperv: Convert assembler indirect jumps (fate#315887, bsc#1082632). - x86/retpoline: Remove the esp/rsp thunk (bnc#1012382). - x86/spectre: Check CONFIG_RETPOLINE in command line parser (bnc#1012382). - x86/spectre: Fix an error message (git-fixes). - x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" (bnc#1012382). - x86/spectre: Remove the out-of-tree RSB stuffing - x86/spectre: Simplify spectre_v2 command line parsing (bnc#1012382). - x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL (bnc#1012382). - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend (bnc#1065600). - xen/gntdev: Fix off-by-one error when unmapping with holes (bnc#1012382). - xen/gntdev: Fix partial gntdev_mmap() cleanup (bnc#1012382). - xen-netfront: enable device after manual module load (bnc#1012382). - xen-netfront: remove warning when unloading module (bnc#1012382). - xen: XEN_ACPI_PROCESSOR is Dom0-only (bnc#1012382). - xfrm: check id proto in validate_tmpl() (bnc#1012382). - xfrm: Fix stack-out-of-bounds read on socket policy lookup (bnc#1012382). - xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies (bnc#1012382). - xfrm_user: propagate sec ctx allocation errors (bsc#1042286). - xfs: do not chain ioends during writepage submission (bsc#1077285 bsc#1043441). - xfs: factor mapping out of xfs_do_writepage (bsc#1077285 bsc#1043441). - xfs: Introduce writeback context for writepages (bsc#1077285 bsc#1043441). - xfs: ioends require logically contiguous file offsets (bsc#1077285 bsc#1043441). - xfs: quota: check result of register_shrinker() (bnc#1012382). - xfs: quota: fix missed destroy of qi_tree_lock (bnc#1012382). - xfs: reinit btree pointer on attr tree inactivation walk (bsc#1078787). - xfs: remove nonblocking mode from xfs_vm_writepage (bsc#1077285 bsc#1043441). - xfs: remove xfs_cancel_ioend (bsc#1077285 bsc#1043441). - xfs: stop searching for free slots in an inode chunk when there are none (bsc#1072739). - xfs: toggle readonly state around xfs_log_mount_finish (bsc#1073401). - xfs: ubsan fixes (bnc#1012382). - xfs: validate sb_logsunit is a multiple of the fs blocksize (bsc#1077513). - xfs: write unmount record for ro mounts (bsc#1073401). - xfs: xfs_cluster_write is redundant (bsc#1077285 bsc#1043441). - xtensa: fix futex_atomic_cmpxchg_inatomic (bnc#1012382). - zram: fix operator precedence to get offset (bsc#1082979). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-534=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-534=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-534=1 - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-534=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-534=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-534=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): kernel-default-debuginfo-4.4.120-94.17.1 kernel-default-debugsource-4.4.120-94.17.1 kernel-default-extra-4.4.120-94.17.1 kernel-default-extra-debuginfo-4.4.120-94.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.4.120-94.17.1 kernel-obs-build-debugsource-4.4.120-94.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch): kernel-docs-4.4.120-94.17.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): kernel-default-4.4.120-94.17.1 kernel-default-base-4.4.120-94.17.1 kernel-default-base-debuginfo-4.4.120-94.17.1 kernel-default-debuginfo-4.4.120-94.17.1 kernel-default-debugsource-4.4.120-94.17.1 kernel-default-devel-4.4.120-94.17.1 kernel-syms-4.4.120-94.17.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): kernel-devel-4.4.120-94.17.1 kernel-macros-4.4.120-94.17.1 kernel-source-4.4.120-94.17.1 - SUSE Linux Enterprise Server 12-SP3 (s390x): kernel-default-man-4.4.120-94.17.1 - SUSE Linux Enterprise Live Patching 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_120-94_17-default-1-4.3.1 kgraft-patch-4_4_120-94_17-default-debuginfo-1-4.3.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.120-94.17.1 cluster-md-kmp-default-debuginfo-4.4.120-94.17.1 dlm-kmp-default-4.4.120-94.17.1 dlm-kmp-default-debuginfo-4.4.120-94.17.1 gfs2-kmp-default-4.4.120-94.17.1 gfs2-kmp-default-debuginfo-4.4.120-94.17.1 kernel-default-debuginfo-4.4.120-94.17.1 kernel-default-debugsource-4.4.120-94.17.1 ocfs2-kmp-default-4.4.120-94.17.1 ocfs2-kmp-default-debuginfo-4.4.120-94.17.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): kernel-default-4.4.120-94.17.1 kernel-default-debuginfo-4.4.120-94.17.1 kernel-default-debugsource-4.4.120-94.17.1 kernel-default-devel-4.4.120-94.17.1 kernel-default-extra-4.4.120-94.17.1 kernel-default-extra-debuginfo-4.4.120-94.17.1 kernel-syms-4.4.120-94.17.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): kernel-devel-4.4.120-94.17.1 kernel-macros-4.4.120-94.17.1 kernel-source-4.4.120-94.17.1 - SUSE CaaS Platform ALL (x86_64): kernel-default-4.4.120-94.17.1 kernel-default-debuginfo-4.4.120-94.17.1 kernel-default-debugsource-4.4.120-94.17.1 References: https://www.suse.com/security/cve/CVE-2017-13166.html https://www.suse.com/security/cve/CVE-2017-15951.html https://www.suse.com/security/cve/CVE-2017-16644.html https://www.suse.com/security/cve/CVE-2017-16912.html https://www.suse.com/security/cve/CVE-2017-16913.html https://www.suse.com/security/cve/CVE-2017-17975.html https://www.suse.com/security/cve/CVE-2017-18174.html https://www.suse.com/security/cve/CVE-2017-18208.html https://www.suse.com/security/cve/CVE-2018-1000026.html https://www.suse.com/security/cve/CVE-2018-1068.html https://www.suse.com/security/cve/CVE-2018-8087.html https://bugzilla.suse.com/1006867 https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1015342 https://bugzilla.suse.com/1015343 https://bugzilla.suse.com/1020645 https://bugzilla.suse.com/1022607 https://bugzilla.suse.com/1024376 https://bugzilla.suse.com/1027054 https://bugzilla.suse.com/1031717 https://bugzilla.suse.com/1033587 https://bugzilla.suse.com/1034503 https://bugzilla.suse.com/1042286 https://bugzilla.suse.com/1043441 https://bugzilla.suse.com/1043725 https://bugzilla.suse.com/1043726 https://bugzilla.suse.com/1062840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065615 https://bugzilla.suse.com/1066223 https://bugzilla.suse.com/1067118 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068569 https://bugzilla.suse.com/1069135 https://bugzilla.suse.com/1070404 https://bugzilla.suse.com/1071306 https://bugzilla.suse.com/1071892 https://bugzilla.suse.com/1072363 https://bugzilla.suse.com/1072689 https://bugzilla.suse.com/1072739 https://bugzilla.suse.com/1072865 https://bugzilla.suse.com/1073401 https://bugzilla.suse.com/1073407 https://bugzilla.suse.com/1074198 https://bugzilla.suse.com/1074426 https://bugzilla.suse.com/1075087 https://bugzilla.suse.com/1076282 https://bugzilla.suse.com/1076693 https://bugzilla.suse.com/1076760 https://bugzilla.suse.com/1076982 https://bugzilla.suse.com/1077241 https://bugzilla.suse.com/1077285 https://bugzilla.suse.com/1077513 https://bugzilla.suse.com/1077560 https://bugzilla.suse.com/1077779 https://bugzilla.suse.com/1078583 https://bugzilla.suse.com/1078672 https://bugzilla.suse.com/1078673 https://bugzilla.suse.com/1078787 https://bugzilla.suse.com/1079029 https://bugzilla.suse.com/1079038 https://bugzilla.suse.com/1079195 https://bugzilla.suse.com/1079313 https://bugzilla.suse.com/1079384 https://bugzilla.suse.com/1079609 https://bugzilla.suse.com/1079886 https://bugzilla.suse.com/1079989 https://bugzilla.suse.com/1080014 https://bugzilla.suse.com/1080263 https://bugzilla.suse.com/1080321 https://bugzilla.suse.com/1080344 https://bugzilla.suse.com/1080364 https://bugzilla.suse.com/1080384 https://bugzilla.suse.com/1080464 https://bugzilla.suse.com/1080533 https://bugzilla.suse.com/1080656 https://bugzilla.suse.com/1080774 https://bugzilla.suse.com/1080813 https://bugzilla.suse.com/1080851 https://bugzilla.suse.com/1081134 https://bugzilla.suse.com/1081431 https://bugzilla.suse.com/1081436 https://bugzilla.suse.com/1081437 https://bugzilla.suse.com/1081491 https://bugzilla.suse.com/1081498 https://bugzilla.suse.com/1081500 https://bugzilla.suse.com/1081512 https://bugzilla.suse.com/1081514 https://bugzilla.suse.com/1081681 https://bugzilla.suse.com/1081735 https://bugzilla.suse.com/1082089 https://bugzilla.suse.com/1082223 https://bugzilla.suse.com/1082299 https://bugzilla.suse.com/1082373 https://bugzilla.suse.com/1082478 https://bugzilla.suse.com/1082632 https://bugzilla.suse.com/1082795 https://bugzilla.suse.com/1082864 https://bugzilla.suse.com/1082897 https://bugzilla.suse.com/1082979 https://bugzilla.suse.com/1082993 https://bugzilla.suse.com/1083048 https://bugzilla.suse.com/1083086 https://bugzilla.suse.com/1083223 https://bugzilla.suse.com/1083387 https://bugzilla.suse.com/1083409 https://bugzilla.suse.com/1083494 https://bugzilla.suse.com/1083548 https://bugzilla.suse.com/1083750 https://bugzilla.suse.com/1083770 https://bugzilla.suse.com/1084041 https://bugzilla.suse.com/1084397 https://bugzilla.suse.com/1084427 https://bugzilla.suse.com/1084610 https://bugzilla.suse.com/1084772 https://bugzilla.suse.com/1084888 https://bugzilla.suse.com/1084926 https://bugzilla.suse.com/1084928 https://bugzilla.suse.com/1084967 https://bugzilla.suse.com/1085011 https://bugzilla.suse.com/1085015 https://bugzilla.suse.com/1085045 https://bugzilla.suse.com/1085047 https://bugzilla.suse.com/1085050 https://bugzilla.suse.com/1085053 https://bugzilla.suse.com/1085054 https://bugzilla.suse.com/1085056 https://bugzilla.suse.com/1085107 https://bugzilla.suse.com/1085224 https://bugzilla.suse.com/1085239 https://bugzilla.suse.com/863764 https://bugzilla.suse.com/966170 https://bugzilla.suse.com/966172 https://bugzilla.suse.com/966328 https://bugzilla.suse.com/969476 https://bugzilla.suse.com/969477 https://bugzilla.suse.com/975772 https://bugzilla.suse.com/983145 From sle-security-updates at lists.suse.com Mon Mar 26 07:08:04 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:08:04 +0200 (CEST) Subject: SUSE-SU-2018:0806-1: important: Security update for php53 Message-ID: <20180326130804.2B86BFC98@maintenance.suse.de> SUSE Security Update: Security update for php53 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0806-1 Rating: important References: #1076220 #1076391 #1080234 #1083639 #986247 #986391 Cross-References: CVE-2016-10712 CVE-2016-5771 CVE-2016-5773 CVE-2018-5711 CVE-2018-5712 CVE-2018-7584 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for php53 fixes several issues. These security issues were fixed: - CVE-2016-10712: In PHP all of the return values of stream_get_meta_data could be controlled if the input can be controlled (e.g., during file uploads). (bsc#1080234) - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220) - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) - CVE-2016-5773: php_zip.c in the zip extension in PHP improperly interacted with the unserialize implementation and garbage collection, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. (bsc#986247) - CVE-2016-5771: spl_array.c in the SPL extension in PHP improperly interacted with the unserialize implementation and garbage collection, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data. (bsc#986391) - CVE-2018-7584: Fixed stack-based buffer under-read while parsing an HTTPresponse in the php_stream_url_wrap_http_ex. (bsc#1083639) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-php53-13532=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-php53-13532=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-php53-13532=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-php53-13532=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-php53-13532=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-php53-13532=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): php53-devel-5.3.17-112.20.1 php53-imap-5.3.17-112.20.1 php53-posix-5.3.17-112.20.1 php53-readline-5.3.17-112.20.1 php53-sockets-5.3.17-112.20.1 php53-sqlite-5.3.17-112.20.1 php53-tidy-5.3.17-112.20.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): apache2-mod_php53-5.3.17-112.20.1 php53-5.3.17-112.20.1 php53-bcmath-5.3.17-112.20.1 php53-bz2-5.3.17-112.20.1 php53-calendar-5.3.17-112.20.1 php53-ctype-5.3.17-112.20.1 php53-curl-5.3.17-112.20.1 php53-dba-5.3.17-112.20.1 php53-dom-5.3.17-112.20.1 php53-exif-5.3.17-112.20.1 php53-fastcgi-5.3.17-112.20.1 php53-fileinfo-5.3.17-112.20.1 php53-ftp-5.3.17-112.20.1 php53-gd-5.3.17-112.20.1 php53-gettext-5.3.17-112.20.1 php53-gmp-5.3.17-112.20.1 php53-iconv-5.3.17-112.20.1 php53-intl-5.3.17-112.20.1 php53-json-5.3.17-112.20.1 php53-ldap-5.3.17-112.20.1 php53-mbstring-5.3.17-112.20.1 php53-mcrypt-5.3.17-112.20.1 php53-mysql-5.3.17-112.20.1 php53-odbc-5.3.17-112.20.1 php53-openssl-5.3.17-112.20.1 php53-pcntl-5.3.17-112.20.1 php53-pdo-5.3.17-112.20.1 php53-pear-5.3.17-112.20.1 php53-pgsql-5.3.17-112.20.1 php53-pspell-5.3.17-112.20.1 php53-shmop-5.3.17-112.20.1 php53-snmp-5.3.17-112.20.1 php53-soap-5.3.17-112.20.1 php53-suhosin-5.3.17-112.20.1 php53-sysvmsg-5.3.17-112.20.1 php53-sysvsem-5.3.17-112.20.1 php53-sysvshm-5.3.17-112.20.1 php53-tokenizer-5.3.17-112.20.1 php53-wddx-5.3.17-112.20.1 php53-xmlreader-5.3.17-112.20.1 php53-xmlrpc-5.3.17-112.20.1 php53-xmlwriter-5.3.17-112.20.1 php53-xsl-5.3.17-112.20.1 php53-zip-5.3.17-112.20.1 php53-zlib-5.3.17-112.20.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): apache2-mod_php53-5.3.17-112.20.1 php53-5.3.17-112.20.1 php53-bcmath-5.3.17-112.20.1 php53-bz2-5.3.17-112.20.1 php53-calendar-5.3.17-112.20.1 php53-ctype-5.3.17-112.20.1 php53-curl-5.3.17-112.20.1 php53-dba-5.3.17-112.20.1 php53-dom-5.3.17-112.20.1 php53-exif-5.3.17-112.20.1 php53-fastcgi-5.3.17-112.20.1 php53-fileinfo-5.3.17-112.20.1 php53-ftp-5.3.17-112.20.1 php53-gd-5.3.17-112.20.1 php53-gettext-5.3.17-112.20.1 php53-gmp-5.3.17-112.20.1 php53-iconv-5.3.17-112.20.1 php53-intl-5.3.17-112.20.1 php53-json-5.3.17-112.20.1 php53-ldap-5.3.17-112.20.1 php53-mbstring-5.3.17-112.20.1 php53-mcrypt-5.3.17-112.20.1 php53-mysql-5.3.17-112.20.1 php53-odbc-5.3.17-112.20.1 php53-openssl-5.3.17-112.20.1 php53-pcntl-5.3.17-112.20.1 php53-pdo-5.3.17-112.20.1 php53-pear-5.3.17-112.20.1 php53-pgsql-5.3.17-112.20.1 php53-pspell-5.3.17-112.20.1 php53-shmop-5.3.17-112.20.1 php53-snmp-5.3.17-112.20.1 php53-soap-5.3.17-112.20.1 php53-suhosin-5.3.17-112.20.1 php53-sysvmsg-5.3.17-112.20.1 php53-sysvsem-5.3.17-112.20.1 php53-sysvshm-5.3.17-112.20.1 php53-tokenizer-5.3.17-112.20.1 php53-wddx-5.3.17-112.20.1 php53-xmlreader-5.3.17-112.20.1 php53-xmlrpc-5.3.17-112.20.1 php53-xmlwriter-5.3.17-112.20.1 php53-xsl-5.3.17-112.20.1 php53-zip-5.3.17-112.20.1 php53-zlib-5.3.17-112.20.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): apache2-mod_php53-5.3.17-112.20.1 php53-5.3.17-112.20.1 php53-bcmath-5.3.17-112.20.1 php53-bz2-5.3.17-112.20.1 php53-calendar-5.3.17-112.20.1 php53-ctype-5.3.17-112.20.1 php53-curl-5.3.17-112.20.1 php53-dba-5.3.17-112.20.1 php53-dom-5.3.17-112.20.1 php53-exif-5.3.17-112.20.1 php53-fastcgi-5.3.17-112.20.1 php53-fileinfo-5.3.17-112.20.1 php53-ftp-5.3.17-112.20.1 php53-gd-5.3.17-112.20.1 php53-gettext-5.3.17-112.20.1 php53-gmp-5.3.17-112.20.1 php53-iconv-5.3.17-112.20.1 php53-intl-5.3.17-112.20.1 php53-json-5.3.17-112.20.1 php53-ldap-5.3.17-112.20.1 php53-mbstring-5.3.17-112.20.1 php53-mcrypt-5.3.17-112.20.1 php53-mysql-5.3.17-112.20.1 php53-odbc-5.3.17-112.20.1 php53-openssl-5.3.17-112.20.1 php53-pcntl-5.3.17-112.20.1 php53-pdo-5.3.17-112.20.1 php53-pear-5.3.17-112.20.1 php53-pgsql-5.3.17-112.20.1 php53-pspell-5.3.17-112.20.1 php53-shmop-5.3.17-112.20.1 php53-snmp-5.3.17-112.20.1 php53-soap-5.3.17-112.20.1 php53-suhosin-5.3.17-112.20.1 php53-sysvmsg-5.3.17-112.20.1 php53-sysvsem-5.3.17-112.20.1 php53-sysvshm-5.3.17-112.20.1 php53-tokenizer-5.3.17-112.20.1 php53-wddx-5.3.17-112.20.1 php53-xmlreader-5.3.17-112.20.1 php53-xmlrpc-5.3.17-112.20.1 php53-xmlwriter-5.3.17-112.20.1 php53-xsl-5.3.17-112.20.1 php53-zip-5.3.17-112.20.1 php53-zlib-5.3.17-112.20.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): php53-debuginfo-5.3.17-112.20.1 php53-debugsource-5.3.17-112.20.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): php53-debuginfo-5.3.17-112.20.1 php53-debugsource-5.3.17-112.20.1 References: https://www.suse.com/security/cve/CVE-2016-10712.html https://www.suse.com/security/cve/CVE-2016-5771.html https://www.suse.com/security/cve/CVE-2016-5773.html https://www.suse.com/security/cve/CVE-2018-5711.html https://www.suse.com/security/cve/CVE-2018-5712.html https://www.suse.com/security/cve/CVE-2018-7584.html https://bugzilla.suse.com/1076220 https://bugzilla.suse.com/1076391 https://bugzilla.suse.com/1080234 https://bugzilla.suse.com/1083639 https://bugzilla.suse.com/986247 https://bugzilla.suse.com/986391 From sle-security-updates at lists.suse.com Mon Mar 26 07:09:29 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:09:29 +0200 (CEST) Subject: SUSE-SU-2018:0807-1: important: Security update for memcached Message-ID: <20180326130929.CA6DEFC98@maintenance.suse.de> SUSE Security Update: Security update for memcached ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0807-1 Rating: important References: #1007869 #1007870 #1007871 #1056865 #798458 #817781 #857188 #858676 #858677 Cross-References: CVE-2011-4971 CVE-2013-0179 CVE-2013-7239 CVE-2013-7290 CVE-2013-7291 CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 CVE-2017-9951 Affected Products: SUSE OpenStack Cloud 6 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for memcached fixes the following issues: Security issues fixed: - CVE-2011-4971: remote DoS (bsc#817781). - CVE-2013-0179: DoS when printing out keys to be deleted in verbose mode (bsc#798458). - CVE-2013-7239: SASL authentication allows wrong credentials to access memcache (bsc#857188). - CVE-2013-7290: remote DoS (segmentation fault) via a request to delete a key (bsc#858677). - CVE-2013-7291: remote DoS (crash) via a request that triggers "unbounded key print" (bsc#858676). - CVE-2016-8704: Server append/prepend remote code execution (bsc#1007871). - CVE-2016-8705: Server update remote code execution (bsc#1007870). - CVE-2016-8706: Server ASL authentication remote code execution (bsc#1007869). - CVE-2017-9951: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705) (bsc#1056865). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-545=1 Package List: - SUSE OpenStack Cloud 6 (x86_64): memcached-1.4.39-3.3.1 memcached-debuginfo-1.4.39-3.3.1 memcached-debugsource-1.4.39-3.3.1 References: https://www.suse.com/security/cve/CVE-2011-4971.html https://www.suse.com/security/cve/CVE-2013-0179.html https://www.suse.com/security/cve/CVE-2013-7239.html https://www.suse.com/security/cve/CVE-2013-7290.html https://www.suse.com/security/cve/CVE-2013-7291.html https://www.suse.com/security/cve/CVE-2016-8704.html https://www.suse.com/security/cve/CVE-2016-8705.html https://www.suse.com/security/cve/CVE-2016-8706.html https://www.suse.com/security/cve/CVE-2017-9951.html https://bugzilla.suse.com/1007869 https://bugzilla.suse.com/1007870 https://bugzilla.suse.com/1007871 https://bugzilla.suse.com/1056865 https://bugzilla.suse.com/798458 https://bugzilla.suse.com/817781 https://bugzilla.suse.com/857188 https://bugzilla.suse.com/858676 https://bugzilla.suse.com/858677 From sle-security-updates at lists.suse.com Mon Mar 26 07:11:25 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:11:25 +0200 (CEST) Subject: SUSE-SU-2018:0808-1: moderate: Security update for ntp Message-ID: <20180326131125.9DBFAFC98@maintenance.suse.de> SUSE Security Update: Security update for ntp ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0808-1 Rating: moderate References: #1077445 #1082210 #1083417 #1083420 #1083422 #1083424 #1083426 Cross-References: CVE-2016-1549 CVE-2018-7170 CVE-2018-7182 CVE-2018-7183 CVE-2018-7184 CVE-2018-7185 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has one errata is now available. Description: This update for ntp fixes the following issues: Security issues fixed: - CVE-2016-1549: Significant additional protections against CVE-2016-1549 that was fixed in ntp-4.2.8p7 (bsc#1082210). - CVE-2018-7170: Ephemeral association time spoofing additional protection (bsc#1083424). - CVE-2018-7182: Buffer read overrun leads information leak in ctl_getitem() (bsc#1083426). - CVE-2018-7183: decodearr() can write beyond its buffer limit (bsc#1083417). - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state (bsc#1083422). - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association (bsc#1083420). Bug fixes: - bsc#1077445: Don't use libevent's cached time stamps in sntp. - Disable CMAC in ntp when building against a version of OpenSSL that doesn't support it. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-ntp-13534=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-ntp-13534=1 Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): ntp-4.2.8p11-64.4.1 ntp-doc-4.2.8p11-64.4.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): ntp-debuginfo-4.2.8p11-64.4.1 ntp-debugsource-4.2.8p11-64.4.1 References: https://www.suse.com/security/cve/CVE-2016-1549.html https://www.suse.com/security/cve/CVE-2018-7170.html https://www.suse.com/security/cve/CVE-2018-7182.html https://www.suse.com/security/cve/CVE-2018-7183.html https://www.suse.com/security/cve/CVE-2018-7184.html https://www.suse.com/security/cve/CVE-2018-7185.html https://bugzilla.suse.com/1077445 https://bugzilla.suse.com/1082210 https://bugzilla.suse.com/1083417 https://bugzilla.suse.com/1083420 https://bugzilla.suse.com/1083422 https://bugzilla.suse.com/1083424 https://bugzilla.suse.com/1083426 From sle-security-updates at lists.suse.com Mon Mar 26 07:12:52 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:12:52 +0200 (CEST) Subject: SUSE-SU-2018:0809-1: important: Security update for clamav Message-ID: <20180326131252.41091FC98@maintenance.suse.de> SUSE Security Update: Security update for clamav ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0809-1 Rating: important References: #1045315 #1049423 #1052449 #1082858 #1083915 Cross-References: CVE-2012-6706 CVE-2017-11423 CVE-2017-6419 CVE-2018-0202 CVE-2018-1000085 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for clamav fixes the following issues: Security issues fixed: - CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315). - CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449). - CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423). - CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in XAR parser that can lead to a denial of service (bsc#1082858). - CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-541=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-541=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-541=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-541=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-541=1 Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): clamav-0.99.4-33.9.1 clamav-debuginfo-0.99.4-33.9.1 clamav-debugsource-0.99.4-33.9.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): clamav-0.99.4-33.9.1 clamav-debuginfo-0.99.4-33.9.1 clamav-debugsource-0.99.4-33.9.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): clamav-0.99.4-33.9.1 clamav-debuginfo-0.99.4-33.9.1 clamav-debugsource-0.99.4-33.9.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): clamav-0.99.4-33.9.1 clamav-debuginfo-0.99.4-33.9.1 clamav-debugsource-0.99.4-33.9.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): clamav-0.99.4-33.9.1 clamav-debuginfo-0.99.4-33.9.1 clamav-debugsource-0.99.4-33.9.1 References: https://www.suse.com/security/cve/CVE-2012-6706.html https://www.suse.com/security/cve/CVE-2017-11423.html https://www.suse.com/security/cve/CVE-2017-6419.html https://www.suse.com/security/cve/CVE-2018-0202.html https://www.suse.com/security/cve/CVE-2018-1000085.html https://bugzilla.suse.com/1045315 https://bugzilla.suse.com/1049423 https://bugzilla.suse.com/1052449 https://bugzilla.suse.com/1082858 https://bugzilla.suse.com/1083915 From sle-security-updates at lists.suse.com Mon Mar 26 07:13:58 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:13:58 +0200 (CEST) Subject: SUSE-SU-2018:0810-1: moderate: Security update for dhcp Message-ID: <20180326131358.6C2BBFCB3@maintenance.suse.de> SUSE Security Update: Security update for dhcp ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0810-1 Rating: moderate References: #1083302 #1083303 Cross-References: CVE-2018-5732 CVE-2018-5733 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for dhcp fixes the following issues: Security issues fixed: - CVE-2018-5733: reference count overflow in dhcpd (bsc#1083303). - CVE-2018-5732: buffer overflow in dhclient (bsc#1083302). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-dhcp-13533=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-dhcp-13533=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-dhcp-13533=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): dhcp-devel-4.2.4.P2-0.28.8.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): dhcp-4.2.4.P2-0.28.8.1 dhcp-client-4.2.4.P2-0.28.8.1 dhcp-relay-4.2.4.P2-0.28.8.1 dhcp-server-4.2.4.P2-0.28.8.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): dhcp-debuginfo-4.2.4.P2-0.28.8.1 dhcp-debugsource-4.2.4.P2-0.28.8.1 References: https://www.suse.com/security/cve/CVE-2018-5732.html https://www.suse.com/security/cve/CVE-2018-5733.html https://bugzilla.suse.com/1083302 https://bugzilla.suse.com/1083303 From sle-security-updates at lists.suse.com Mon Mar 26 07:14:40 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:14:40 +0200 (CEST) Subject: SUSE-SU-2018:0811-1: moderate: Security update for wireshark Message-ID: <20180326131440.4601EFC9E@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0811-1 Rating: moderate References: #1077080 #1082692 Cross-References: CVE-2017-17997 CVE-2018-7320 CVE-2018-7321 CVE-2018-7322 CVE-2018-7323 CVE-2018-7324 CVE-2018-7325 CVE-2018-7326 CVE-2018-7327 CVE-2018-7328 CVE-2018-7329 CVE-2018-7330 CVE-2018-7331 CVE-2018-7332 CVE-2018-7333 CVE-2018-7334 CVE-2018-7335 CVE-2018-7336 CVE-2018-7337 CVE-2018-7417 CVE-2018-7418 CVE-2018-7419 CVE-2018-7420 CVE-2018-7421 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 24 vulnerabilities is now available. Description: This update for wireshark fixes the following issues: Security issue fixed (bsc#1082692): - CVE-2018-7335: The IEEE 802.11 dissector could crash (wnpa-sec-2018-05) - CVE-2018-7321: thrift long dissector loop (dissect_thrift_map) - CVE-2018-7322: DICOM: inifinite loop (dissect_dcm_tag) - CVE-2018-7323: WCCP: very long loop (dissect_wccp2_alternate_mask_value_set_element) - CVE-2018-7324: SCCP: infinite loop (dissect_sccp_optional_parameters) - CVE-2018-7325: RPKI-Router Protocol: infinite loop (dissect_rpkirtr_pdu) - CVE-2018-7326: LLTD: infinite loop (dissect_lltd_tlv) - CVE-2018-7327: openflow_v6: infinite loop (dissect_openflow_bundle_control_v6) - CVE-2018-7328: USB-DARWIN: long loop (dissect_darwin_usb_iso_transfer) - CVE-2018-7329: S7COMM: infinite loop (s7comm_decode_ud_cpu_alarm_main) - CVE-2018-7330: thread_meshcop: infinite loop (get_chancount) - CVE-2018-7331: GTP: infinite loop (dissect_gprscdr_GGSNPDPRecord, dissect_ber_set) - CVE-2018-7332: RELOAD: infinite loop (dissect_statans) - CVE-2018-7333: RPCoRDMA: infinite loop in get_write_list_chunk_count - CVE-2018-7421: Multiple dissectors could go into large infinite loops (wnpa-sec-2018-06) - CVE-2018-7334: The UMTS MAC dissector could crash (wnpa-sec-2018-07) - CVE-2018-7337: The DOCSIS dissector could crash (wnpa-sec-2018-08) - CVE-2018-7336: The FCP dissector could crash (wnpa-sec-2018-09) - CVE-2018-7320: The SIGCOMP dissector could crash (wnpa-sec-2018-10) - CVE-2018-7420: The pcapng file parser could crash (wnpa-sec-2018-11) - CVE-2018-7417: The IPMI dissector could crash (wnpa-sec-2018-12) - CVE-2018-7418: The SIGCOMP dissector could crash (wnpa-sec-2018-13) - CVE-2018-7419: The NBAP disssector could crash (wnpa-sec-2018-14) - CVE-2017-17997: Misuse of NULL pointer in MRDISC dissector (bsc#1077080). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-546=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-546=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-546=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-546=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-546=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-546=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-546=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): wireshark-debuginfo-2.2.13-48.21.1 wireshark-debugsource-2.2.13-48.21.1 wireshark-devel-2.2.13-48.21.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): wireshark-debuginfo-2.2.13-48.21.1 wireshark-debugsource-2.2.13-48.21.1 wireshark-devel-2.2.13-48.21.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libwireshark8-2.2.13-48.21.1 libwireshark8-debuginfo-2.2.13-48.21.1 libwiretap6-2.2.13-48.21.1 libwiretap6-debuginfo-2.2.13-48.21.1 libwscodecs1-2.2.13-48.21.1 libwscodecs1-debuginfo-2.2.13-48.21.1 libwsutil7-2.2.13-48.21.1 libwsutil7-debuginfo-2.2.13-48.21.1 wireshark-2.2.13-48.21.1 wireshark-debuginfo-2.2.13-48.21.1 wireshark-debugsource-2.2.13-48.21.1 wireshark-gtk-2.2.13-48.21.1 wireshark-gtk-debuginfo-2.2.13-48.21.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libwireshark8-2.2.13-48.21.1 libwireshark8-debuginfo-2.2.13-48.21.1 libwiretap6-2.2.13-48.21.1 libwiretap6-debuginfo-2.2.13-48.21.1 libwscodecs1-2.2.13-48.21.1 libwscodecs1-debuginfo-2.2.13-48.21.1 libwsutil7-2.2.13-48.21.1 libwsutil7-debuginfo-2.2.13-48.21.1 wireshark-2.2.13-48.21.1 wireshark-debuginfo-2.2.13-48.21.1 wireshark-debugsource-2.2.13-48.21.1 wireshark-gtk-2.2.13-48.21.1 wireshark-gtk-debuginfo-2.2.13-48.21.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libwireshark8-2.2.13-48.21.1 libwireshark8-debuginfo-2.2.13-48.21.1 libwiretap6-2.2.13-48.21.1 libwiretap6-debuginfo-2.2.13-48.21.1 libwscodecs1-2.2.13-48.21.1 libwscodecs1-debuginfo-2.2.13-48.21.1 libwsutil7-2.2.13-48.21.1 libwsutil7-debuginfo-2.2.13-48.21.1 wireshark-2.2.13-48.21.1 wireshark-debuginfo-2.2.13-48.21.1 wireshark-debugsource-2.2.13-48.21.1 wireshark-gtk-2.2.13-48.21.1 wireshark-gtk-debuginfo-2.2.13-48.21.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libwireshark8-2.2.13-48.21.1 libwireshark8-debuginfo-2.2.13-48.21.1 libwiretap6-2.2.13-48.21.1 libwiretap6-debuginfo-2.2.13-48.21.1 libwscodecs1-2.2.13-48.21.1 libwscodecs1-debuginfo-2.2.13-48.21.1 libwsutil7-2.2.13-48.21.1 libwsutil7-debuginfo-2.2.13-48.21.1 wireshark-2.2.13-48.21.1 wireshark-debuginfo-2.2.13-48.21.1 wireshark-debugsource-2.2.13-48.21.1 wireshark-gtk-2.2.13-48.21.1 wireshark-gtk-debuginfo-2.2.13-48.21.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libwireshark8-2.2.13-48.21.1 libwireshark8-debuginfo-2.2.13-48.21.1 libwiretap6-2.2.13-48.21.1 libwiretap6-debuginfo-2.2.13-48.21.1 libwscodecs1-2.2.13-48.21.1 libwscodecs1-debuginfo-2.2.13-48.21.1 libwsutil7-2.2.13-48.21.1 libwsutil7-debuginfo-2.2.13-48.21.1 wireshark-2.2.13-48.21.1 wireshark-debuginfo-2.2.13-48.21.1 wireshark-debugsource-2.2.13-48.21.1 wireshark-gtk-2.2.13-48.21.1 wireshark-gtk-debuginfo-2.2.13-48.21.1 References: https://www.suse.com/security/cve/CVE-2017-17997.html https://www.suse.com/security/cve/CVE-2018-7320.html https://www.suse.com/security/cve/CVE-2018-7321.html https://www.suse.com/security/cve/CVE-2018-7322.html https://www.suse.com/security/cve/CVE-2018-7323.html https://www.suse.com/security/cve/CVE-2018-7324.html https://www.suse.com/security/cve/CVE-2018-7325.html https://www.suse.com/security/cve/CVE-2018-7326.html https://www.suse.com/security/cve/CVE-2018-7327.html https://www.suse.com/security/cve/CVE-2018-7328.html https://www.suse.com/security/cve/CVE-2018-7329.html https://www.suse.com/security/cve/CVE-2018-7330.html https://www.suse.com/security/cve/CVE-2018-7331.html https://www.suse.com/security/cve/CVE-2018-7332.html https://www.suse.com/security/cve/CVE-2018-7333.html https://www.suse.com/security/cve/CVE-2018-7334.html https://www.suse.com/security/cve/CVE-2018-7335.html https://www.suse.com/security/cve/CVE-2018-7336.html https://www.suse.com/security/cve/CVE-2018-7337.html https://www.suse.com/security/cve/CVE-2018-7417.html https://www.suse.com/security/cve/CVE-2018-7418.html https://www.suse.com/security/cve/CVE-2018-7419.html https://www.suse.com/security/cve/CVE-2018-7420.html https://www.suse.com/security/cve/CVE-2018-7421.html https://bugzilla.suse.com/1077080 https://bugzilla.suse.com/1082692 From sle-security-updates at lists.suse.com Mon Mar 26 07:15:25 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:15:25 +0200 (CEST) Subject: SUSE-SU-2018:0812-1: moderate: Security update for dhcp Message-ID: <20180326131525.38C77FC98@maintenance.suse.de> SUSE Security Update: Security update for dhcp ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0812-1 Rating: moderate References: #1083302 #1083303 Cross-References: CVE-2018-5732 CVE-2018-5733 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for dhcp fixes the following issues: Security issues fixed: - CVE-2018-5733: reference count overflow in dhcpd (bsc#1083303). - CVE-2018-5732: buffer overflow in dhclient (bsc#1083302). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-542=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-542=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-542=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-542=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-542=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-542=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-542=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): dhcp-debuginfo-4.3.3-10.14.1 dhcp-debugsource-4.3.3-10.14.1 dhcp-devel-4.3.3-10.14.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): dhcp-debuginfo-4.3.3-10.14.1 dhcp-debugsource-4.3.3-10.14.1 dhcp-devel-4.3.3-10.14.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): dhcp-4.3.3-10.14.1 dhcp-client-4.3.3-10.14.1 dhcp-client-debuginfo-4.3.3-10.14.1 dhcp-debuginfo-4.3.3-10.14.1 dhcp-debugsource-4.3.3-10.14.1 dhcp-relay-4.3.3-10.14.1 dhcp-relay-debuginfo-4.3.3-10.14.1 dhcp-server-4.3.3-10.14.1 dhcp-server-debuginfo-4.3.3-10.14.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): dhcp-4.3.3-10.14.1 dhcp-client-4.3.3-10.14.1 dhcp-client-debuginfo-4.3.3-10.14.1 dhcp-debuginfo-4.3.3-10.14.1 dhcp-debugsource-4.3.3-10.14.1 dhcp-relay-4.3.3-10.14.1 dhcp-relay-debuginfo-4.3.3-10.14.1 dhcp-server-4.3.3-10.14.1 dhcp-server-debuginfo-4.3.3-10.14.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): dhcp-4.3.3-10.14.1 dhcp-client-4.3.3-10.14.1 dhcp-client-debuginfo-4.3.3-10.14.1 dhcp-debuginfo-4.3.3-10.14.1 dhcp-debugsource-4.3.3-10.14.1 dhcp-relay-4.3.3-10.14.1 dhcp-relay-debuginfo-4.3.3-10.14.1 dhcp-server-4.3.3-10.14.1 dhcp-server-debuginfo-4.3.3-10.14.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): dhcp-4.3.3-10.14.1 dhcp-client-4.3.3-10.14.1 dhcp-client-debuginfo-4.3.3-10.14.1 dhcp-debuginfo-4.3.3-10.14.1 dhcp-debugsource-4.3.3-10.14.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): dhcp-4.3.3-10.14.1 dhcp-client-4.3.3-10.14.1 dhcp-client-debuginfo-4.3.3-10.14.1 dhcp-debuginfo-4.3.3-10.14.1 dhcp-debugsource-4.3.3-10.14.1 References: https://www.suse.com/security/cve/CVE-2018-5732.html https://www.suse.com/security/cve/CVE-2018-5733.html https://bugzilla.suse.com/1083302 https://bugzilla.suse.com/1083303 From sle-security-updates at lists.suse.com Mon Mar 26 07:19:00 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Mar 2018 15:19:00 +0200 (CEST) Subject: SUSE-SU-2018:0817-1: moderate: Security update for tomcat Message-ID: <20180326131900.0BFAAFC98@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0817-1 Rating: moderate References: #1078677 #1082480 #1082481 Cross-References: CVE-2017-15706 CVE-2018-1304 CVE-2018-1305 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for tomcat fixes the following issues: Security issues fixed: - CVE-2018-1305: Fixed late application of security constraints that can lead to resource exposure for unauthorised users (bsc#1082481). - CVE-2018-1304: Fixed incorrect handling of empty string URL in security constraints that can lead to unitended exposure of resources (bsc#1082480). - CVE-2017-15706: Fixed incorrect documentation of CGI Servlet search algorithm that may lead to misconfiguration (bsc#1078677). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-543=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-543=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-543=1 Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): tomcat-8.0.50-29.8.2 tomcat-admin-webapps-8.0.50-29.8.2 tomcat-docs-webapp-8.0.50-29.8.2 tomcat-el-3_0-api-8.0.50-29.8.2 tomcat-javadoc-8.0.50-29.8.2 tomcat-jsp-2_3-api-8.0.50-29.8.2 tomcat-lib-8.0.50-29.8.2 tomcat-servlet-3_1-api-8.0.50-29.8.2 tomcat-webapps-8.0.50-29.8.2 - SUSE Linux Enterprise Server 12-SP3 (noarch): tomcat-8.0.50-29.8.2 tomcat-admin-webapps-8.0.50-29.8.2 tomcat-docs-webapp-8.0.50-29.8.2 tomcat-el-3_0-api-8.0.50-29.8.2 tomcat-javadoc-8.0.50-29.8.2 tomcat-jsp-2_3-api-8.0.50-29.8.2 tomcat-lib-8.0.50-29.8.2 tomcat-servlet-3_1-api-8.0.50-29.8.2 tomcat-webapps-8.0.50-29.8.2 - SUSE Linux Enterprise Server 12-SP2 (noarch): tomcat-8.0.50-29.8.2 tomcat-admin-webapps-8.0.50-29.8.2 tomcat-docs-webapp-8.0.50-29.8.2 tomcat-el-3_0-api-8.0.50-29.8.2 tomcat-javadoc-8.0.50-29.8.2 tomcat-jsp-2_3-api-8.0.50-29.8.2 tomcat-lib-8.0.50-29.8.2 tomcat-servlet-3_1-api-8.0.50-29.8.2 tomcat-webapps-8.0.50-29.8.2 References: https://www.suse.com/security/cve/CVE-2017-15706.html https://www.suse.com/security/cve/CVE-2018-1304.html https://www.suse.com/security/cve/CVE-2018-1305.html https://bugzilla.suse.com/1078677 https://bugzilla.suse.com/1082480 https://bugzilla.suse.com/1082481 From sle-security-updates at lists.suse.com Mon Mar 26 22:07:17 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 27 Mar 2018 06:07:17 +0200 (CEST) Subject: SUSE-SU-2018:0822-1: important: Security update for librelp Message-ID: <20180327040717.9D6F0FC98@maintenance.suse.de> SUSE Security Update: Security update for librelp ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0822-1 Rating: important References: #1086730 Cross-References: CVE-2018-1000140 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for librelp fixes the following issues: CVE-2018-1000140 (bsc#1086730): librelp contained a stack-based buffer overflow in the checking of x509 certificates. A remote attacker with an access to the rsyslog logging facility could have exploited it by sending a specially crafted x509 certificate. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-552=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-552=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): librelp-debugsource-1.2.12-3.3.1 librelp-devel-1.2.12-3.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): librelp-debugsource-1.2.12-3.3.1 librelp0-1.2.12-3.3.1 librelp0-debuginfo-1.2.12-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-1000140.html https://bugzilla.suse.com/1086730 From sle-security-updates at lists.suse.com Tue Mar 27 10:08:18 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 27 Mar 2018 18:08:18 +0200 (CEST) Subject: SUSE-SU-2018:0828-1: important: Security update for librelp Message-ID: <20180327160818.CF9EBFC98@maintenance.suse.de> SUSE Security Update: Security update for librelp ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0828-1 Rating: important References: #1086730 Cross-References: CVE-2018-1000140 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for librelp fixes the following issues: CVE-2018-1000140 (bsc#1086730): librelp contained a stack-based buffer overflow in the checking of x509 certificates. A remote attacker with an access to the rsyslog logging facility could have exploited it by sending a specially crafted x509 certificate. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-553=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-553=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-553=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-553=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-553=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-553=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-553=1 Package List: - SUSE OpenStack Cloud 6 (x86_64): librelp-debugsource-1.2.7-3.3.1 librelp0-1.2.7-3.3.1 librelp0-debuginfo-1.2.7-3.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): librelp-debugsource-1.2.7-3.3.1 librelp-devel-1.2.7-3.3.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): librelp-debugsource-1.2.7-3.3.1 librelp0-1.2.7-3.3.1 librelp0-debuginfo-1.2.7-3.3.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): librelp-debugsource-1.2.7-3.3.1 librelp0-1.2.7-3.3.1 librelp0-debuginfo-1.2.7-3.3.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): librelp-debugsource-1.2.7-3.3.1 librelp0-1.2.7-3.3.1 librelp0-debuginfo-1.2.7-3.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): librelp-debugsource-1.2.7-3.3.1 librelp0-1.2.7-3.3.1 librelp0-debuginfo-1.2.7-3.3.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): librelp-debugsource-1.2.7-3.3.1 librelp0-1.2.7-3.3.1 librelp0-debuginfo-1.2.7-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-1000140.html https://bugzilla.suse.com/1086730 From sle-security-updates at lists.suse.com Tue Mar 27 13:07:38 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 27 Mar 2018 21:07:38 +0200 (CEST) Subject: SUSE-SU-2018:0830-1: important: Security update for LibVNCServer Message-ID: <20180327190738.7439AFCB3@maintenance.suse.de> SUSE Security Update: Security update for LibVNCServer ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0830-1 Rating: important References: #1017711 #1017712 #1081493 Cross-References: CVE-2016-9941 CVE-2016-9942 CVE-2018-7225 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: LibVNCServer was updated to fix two security issues. These security issues were fixed: - CVE-2018-7225: Missing input sanitization inside rfbserver.c rfbProcessClientNormalMessage() (bsc#1081493). - CVE-2016-9942: Heap-based buffer overflow in ultra.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions (bsc#1017712). - CVE-2016-9941: Heap-based buffer overflow in rfbproto.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area (bsc#1017711). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-554=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-554=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-554=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-554=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-554=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): LibVNCServer-debugsource-0.9.9-17.5.1 LibVNCServer-devel-0.9.9-17.5.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): LibVNCServer-debugsource-0.9.9-17.5.1 LibVNCServer-devel-0.9.9-17.5.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): LibVNCServer-debugsource-0.9.9-17.5.1 libvncclient0-0.9.9-17.5.1 libvncclient0-debuginfo-0.9.9-17.5.1 libvncserver0-0.9.9-17.5.1 libvncserver0-debuginfo-0.9.9-17.5.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): LibVNCServer-debugsource-0.9.9-17.5.1 libvncclient0-0.9.9-17.5.1 libvncclient0-debuginfo-0.9.9-17.5.1 libvncserver0-0.9.9-17.5.1 libvncserver0-debuginfo-0.9.9-17.5.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): LibVNCServer-debugsource-0.9.9-17.5.1 libvncclient0-0.9.9-17.5.1 libvncclient0-debuginfo-0.9.9-17.5.1 libvncserver0-0.9.9-17.5.1 libvncserver0-debuginfo-0.9.9-17.5.1 References: https://www.suse.com/security/cve/CVE-2016-9941.html https://www.suse.com/security/cve/CVE-2016-9942.html https://www.suse.com/security/cve/CVE-2018-7225.html https://bugzilla.suse.com/1017711 https://bugzilla.suse.com/1017712 https://bugzilla.suse.com/1081493 From sle-security-updates at lists.suse.com Tue Mar 27 13:08:28 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 27 Mar 2018 21:08:28 +0200 (CEST) Subject: SUSE-SU-2018:0831-1: important: Security update for qemu Message-ID: <20180327190828.0A764FC98@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0831-1 Rating: important References: #1040202 #1068032 #1068613 #1070144 #1071228 #1073489 #1076114 #1076179 #1076775 #1076814 #1082276 #1083291 #1085598 Cross-References: CVE-2017-15119 CVE-2017-15124 CVE-2017-16845 CVE-2017-17381 CVE-2017-18030 CVE-2017-18043 CVE-2017-5715 CVE-2018-5683 CVE-2018-7550 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has four fixes is now available. Description: This update for qemu fixes the following issues: This update has the next round of Spectre v2 related patches, which now integrate with corresponding changes in libvirt. (CVE-2017-5715 bsc#1068032) The January 2018 release of qemu initially addressed the Spectre v2 vulnerability for KVM guests by exposing the spec-ctrl feature for all x86 vcpu types, which was the quick and dirty approach, but not the proper solution. We replaced our initial patch by the patches from upstream. This update defines spec_ctrl and ibpb cpu feature flags as well as new cpu models which are clones of existing models with either -IBRS or -IBPB added to the end of the model name. These new vcpu models explicitly include the new feature(s), whereas the feature flags can be added to the cpu parameter as with other features. In short, for continued Spectre v2 protection, ensure that either the appropriate cpu feature flag is added to the QEMU command-line, or one of the new cpu models is used. Although migration from older versions is supported, the new cpu features won't be properly exposed to the guest until it is restarted with the cpu features explicitly added. A reboot is insufficient. A warning patch is added which attempts to detect a migration from a qemu version which had the quick and dirty fix (it only detects certain cases, but hopefully is helpful.) For additional information on Spectre v2 as it relates to QEMU, see: https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/ A patch is added to continue to detect Spectre v2 mitigation features (as shown by cpuid), and if found provide that feature to guests, even if running on older KVM (kernel) versions which do not yet expose that feature to QEMU. (bsc#1082276) These two patches will be removed when we can reasonably assume everyone is running with the appropriate updates. Also security fixes for the following CVE issues are included: - CVE-2017-15119: The Network Block Device (NBD) server in Quick Emulator (QEMU), was vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. (bsc#1070144) - CVE-2017-15124: VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. (bsc#1073489) - CVE-2017-16845: The PS2 driver in Qemu did not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. (bsc#1068613) - CVE-2017-17381: The Virtio Vring implementation in QEMU allowed local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings. (bsc#1071228) - CVE-2017-18030: A problem in the Cirrus driver in Qemu allowed local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch. (bsc#1076179) - CVE-2017-18043: Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allowed a user to cause a denial of service (Qemu process crash). (bsc#1076775) - CVE-2018-5683: The VGA driver in Qemu allowed local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. (bsc#1076114) - CVE-2018-7550: The multiboot functionality in Quick Emulator (aka QEMU) allowed local guest OS users to execute arbitrary code on the QEMU host via an out-of-bounds read or write memory access. (bsc#1083291) Also the following bugs were fixed: - Eliminate bogus use of CPUID_7_0_EDX_PRED_CMD which we've carried since the initial Spectre v2 patch was added. EDX bit 27 of CPUID Leaf 07H, Sub-leaf 0 provides status on STIBP, and not the PRED_CMD MSR. Exposing the STIBP CPUID feature bit to the guest is wrong in general, since the VM doesn't directly control the scheduling of physical hyperthreads. This is left strictly to the L0 hypervisor. - Spectre fixes for IBM Z series by providing more hw features to guests (bsc#1076814) - Pre-add group kvm for qemu-tools (bsc#1040202) - the qemu-tools package also needs a prerequire of group management tools, from the shadow package. (bsc#1085598) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-555=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-555=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-555=1 Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): qemu-2.6.2-41.37.1 qemu-arm-2.6.2-41.37.1 qemu-arm-debuginfo-2.6.2-41.37.1 qemu-block-curl-2.6.2-41.37.1 qemu-block-curl-debuginfo-2.6.2-41.37.1 qemu-block-rbd-2.6.2-41.37.1 qemu-block-rbd-debuginfo-2.6.2-41.37.1 qemu-block-ssh-2.6.2-41.37.1 qemu-block-ssh-debuginfo-2.6.2-41.37.1 qemu-debugsource-2.6.2-41.37.1 qemu-guest-agent-2.6.2-41.37.1 qemu-guest-agent-debuginfo-2.6.2-41.37.1 qemu-lang-2.6.2-41.37.1 qemu-tools-2.6.2-41.37.1 qemu-tools-debuginfo-2.6.2-41.37.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): qemu-ipxe-1.0.0-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): qemu-2.6.2-41.37.1 qemu-block-curl-2.6.2-41.37.1 qemu-block-curl-debuginfo-2.6.2-41.37.1 qemu-block-ssh-2.6.2-41.37.1 qemu-block-ssh-debuginfo-2.6.2-41.37.1 qemu-debugsource-2.6.2-41.37.1 qemu-guest-agent-2.6.2-41.37.1 qemu-guest-agent-debuginfo-2.6.2-41.37.1 qemu-lang-2.6.2-41.37.1 qemu-tools-2.6.2-41.37.1 qemu-tools-debuginfo-2.6.2-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 x86_64): qemu-block-rbd-2.6.2-41.37.1 qemu-block-rbd-debuginfo-2.6.2-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): qemu-kvm-2.6.2-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64): qemu-arm-2.6.2-41.37.1 qemu-arm-debuginfo-2.6.2-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (ppc64le): qemu-ppc-2.6.2-41.37.1 qemu-ppc-debuginfo-2.6.2-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): qemu-ipxe-1.0.0-41.37.1 qemu-seabios-1.9.1-41.37.1 qemu-sgabios-8-41.37.1 qemu-vgabios-1.9.1-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (x86_64): qemu-x86-2.6.2-41.37.1 qemu-x86-debuginfo-2.6.2-41.37.1 - SUSE Linux Enterprise Server 12-SP2 (s390x): qemu-s390-2.6.2-41.37.1 qemu-s390-debuginfo-2.6.2-41.37.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): qemu-2.6.2-41.37.1 qemu-block-curl-2.6.2-41.37.1 qemu-block-curl-debuginfo-2.6.2-41.37.1 qemu-debugsource-2.6.2-41.37.1 qemu-kvm-2.6.2-41.37.1 qemu-tools-2.6.2-41.37.1 qemu-tools-debuginfo-2.6.2-41.37.1 qemu-x86-2.6.2-41.37.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): qemu-ipxe-1.0.0-41.37.1 qemu-seabios-1.9.1-41.37.1 qemu-sgabios-8-41.37.1 qemu-vgabios-1.9.1-41.37.1 References: https://www.suse.com/security/cve/CVE-2017-15119.html https://www.suse.com/security/cve/CVE-2017-15124.html https://www.suse.com/security/cve/CVE-2017-16845.html https://www.suse.com/security/cve/CVE-2017-17381.html https://www.suse.com/security/cve/CVE-2017-18030.html https://www.suse.com/security/cve/CVE-2017-18043.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2018-5683.html https://www.suse.com/security/cve/CVE-2018-7550.html https://bugzilla.suse.com/1040202 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068613 https://bugzilla.suse.com/1070144 https://bugzilla.suse.com/1071228 https://bugzilla.suse.com/1073489 https://bugzilla.suse.com/1076114 https://bugzilla.suse.com/1076179 https://bugzilla.suse.com/1076775 https://bugzilla.suse.com/1076814 https://bugzilla.suse.com/1082276 https://bugzilla.suse.com/1083291 https://bugzilla.suse.com/1085598 From sle-security-updates at lists.suse.com Tue Mar 27 13:10:46 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 27 Mar 2018 21:10:46 +0200 (CEST) Subject: SUSE-SU-2018:0832-1: moderate: Security update for samba Message-ID: <20180327191046.545A9FC98@maintenance.suse.de> SUSE Security Update: Security update for samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0832-1 Rating: moderate References: #1081741 Cross-References: CVE-2018-1050 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise High Availability 12-SP2 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for samba fixes the following issues: - CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally (bsc#1081741) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-556=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-556=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-556=1 - SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2018-556=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-556=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): libsmbclient-devel-4.4.2-38.17.1 libwbclient-devel-4.4.2-38.17.1 samba-debuginfo-4.4.2-38.17.1 samba-debugsource-4.4.2-38.17.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libdcerpc-binding0-4.4.2-38.17.1 libdcerpc-binding0-debuginfo-4.4.2-38.17.1 libdcerpc0-4.4.2-38.17.1 libdcerpc0-debuginfo-4.4.2-38.17.1 libndr-krb5pac0-4.4.2-38.17.1 libndr-krb5pac0-debuginfo-4.4.2-38.17.1 libndr-nbt0-4.4.2-38.17.1 libndr-nbt0-debuginfo-4.4.2-38.17.1 libndr-standard0-4.4.2-38.17.1 libndr-standard0-debuginfo-4.4.2-38.17.1 libndr0-4.4.2-38.17.1 libndr0-debuginfo-4.4.2-38.17.1 libnetapi0-4.4.2-38.17.1 libnetapi0-debuginfo-4.4.2-38.17.1 libsamba-credentials0-4.4.2-38.17.1 libsamba-credentials0-debuginfo-4.4.2-38.17.1 libsamba-errors0-4.4.2-38.17.1 libsamba-errors0-debuginfo-4.4.2-38.17.1 libsamba-hostconfig0-4.4.2-38.17.1 libsamba-hostconfig0-debuginfo-4.4.2-38.17.1 libsamba-passdb0-4.4.2-38.17.1 libsamba-passdb0-debuginfo-4.4.2-38.17.1 libsamba-util0-4.4.2-38.17.1 libsamba-util0-debuginfo-4.4.2-38.17.1 libsamdb0-4.4.2-38.17.1 libsamdb0-debuginfo-4.4.2-38.17.1 libsmbclient0-4.4.2-38.17.1 libsmbclient0-debuginfo-4.4.2-38.17.1 libsmbconf0-4.4.2-38.17.1 libsmbconf0-debuginfo-4.4.2-38.17.1 libsmbldap0-4.4.2-38.17.1 libsmbldap0-debuginfo-4.4.2-38.17.1 libtevent-util0-4.4.2-38.17.1 libtevent-util0-debuginfo-4.4.2-38.17.1 libwbclient0-4.4.2-38.17.1 libwbclient0-debuginfo-4.4.2-38.17.1 samba-4.4.2-38.17.1 samba-client-4.4.2-38.17.1 samba-client-debuginfo-4.4.2-38.17.1 samba-debuginfo-4.4.2-38.17.1 samba-debugsource-4.4.2-38.17.1 samba-libs-4.4.2-38.17.1 samba-libs-debuginfo-4.4.2-38.17.1 samba-winbind-4.4.2-38.17.1 samba-winbind-debuginfo-4.4.2-38.17.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): samba-doc-4.4.2-38.17.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): libdcerpc-binding0-4.4.2-38.17.1 libdcerpc-binding0-debuginfo-4.4.2-38.17.1 libdcerpc0-4.4.2-38.17.1 libdcerpc0-debuginfo-4.4.2-38.17.1 libndr-krb5pac0-4.4.2-38.17.1 libndr-krb5pac0-debuginfo-4.4.2-38.17.1 libndr-nbt0-4.4.2-38.17.1 libndr-nbt0-debuginfo-4.4.2-38.17.1 libndr-standard0-4.4.2-38.17.1 libndr-standard0-debuginfo-4.4.2-38.17.1 libndr0-4.4.2-38.17.1 libndr0-debuginfo-4.4.2-38.17.1 libnetapi0-4.4.2-38.17.1 libnetapi0-debuginfo-4.4.2-38.17.1 libsamba-credentials0-4.4.2-38.17.1 libsamba-credentials0-debuginfo-4.4.2-38.17.1 libsamba-errors0-4.4.2-38.17.1 libsamba-errors0-debuginfo-4.4.2-38.17.1 libsamba-hostconfig0-4.4.2-38.17.1 libsamba-hostconfig0-debuginfo-4.4.2-38.17.1 libsamba-passdb0-4.4.2-38.17.1 libsamba-passdb0-debuginfo-4.4.2-38.17.1 libsamba-util0-4.4.2-38.17.1 libsamba-util0-debuginfo-4.4.2-38.17.1 libsamdb0-4.4.2-38.17.1 libsamdb0-debuginfo-4.4.2-38.17.1 libsmbclient0-4.4.2-38.17.1 libsmbclient0-debuginfo-4.4.2-38.17.1 libsmbconf0-4.4.2-38.17.1 libsmbconf0-debuginfo-4.4.2-38.17.1 libsmbldap0-4.4.2-38.17.1 libsmbldap0-debuginfo-4.4.2-38.17.1 libtevent-util0-4.4.2-38.17.1 libtevent-util0-debuginfo-4.4.2-38.17.1 libwbclient0-4.4.2-38.17.1 libwbclient0-debuginfo-4.4.2-38.17.1 samba-4.4.2-38.17.1 samba-client-4.4.2-38.17.1 samba-client-debuginfo-4.4.2-38.17.1 samba-debuginfo-4.4.2-38.17.1 samba-debugsource-4.4.2-38.17.1 samba-libs-4.4.2-38.17.1 samba-libs-debuginfo-4.4.2-38.17.1 samba-winbind-4.4.2-38.17.1 samba-winbind-debuginfo-4.4.2-38.17.1 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): libdcerpc-binding0-32bit-4.4.2-38.17.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.17.1 libdcerpc0-32bit-4.4.2-38.17.1 libdcerpc0-debuginfo-32bit-4.4.2-38.17.1 libndr-krb5pac0-32bit-4.4.2-38.17.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.17.1 libndr-nbt0-32bit-4.4.2-38.17.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.17.1 libndr-standard0-32bit-4.4.2-38.17.1 libndr-standard0-debuginfo-32bit-4.4.2-38.17.1 libndr0-32bit-4.4.2-38.17.1 libndr0-debuginfo-32bit-4.4.2-38.17.1 libnetapi0-32bit-4.4.2-38.17.1 libnetapi0-debuginfo-32bit-4.4.2-38.17.1 libsamba-credentials0-32bit-4.4.2-38.17.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.17.1 libsamba-errors0-32bit-4.4.2-38.17.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.17.1 libsamba-hostconfig0-32bit-4.4.2-38.17.1 libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.17.1 libsamba-passdb0-32bit-4.4.2-38.17.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.17.1 libsamba-util0-32bit-4.4.2-38.17.1 libsamba-util0-debuginfo-32bit-4.4.2-38.17.1 libsamdb0-32bit-4.4.2-38.17.1 libsamdb0-debuginfo-32bit-4.4.2-38.17.1 libsmbclient0-32bit-4.4.2-38.17.1 libsmbclient0-debuginfo-32bit-4.4.2-38.17.1 libsmbconf0-32bit-4.4.2-38.17.1 libsmbconf0-debuginfo-32bit-4.4.2-38.17.1 libsmbldap0-32bit-4.4.2-38.17.1 libsmbldap0-debuginfo-32bit-4.4.2-38.17.1 libtevent-util0-32bit-4.4.2-38.17.1 libtevent-util0-debuginfo-32bit-4.4.2-38.17.1 libwbclient0-32bit-4.4.2-38.17.1 libwbclient0-debuginfo-32bit-4.4.2-38.17.1 samba-client-32bit-4.4.2-38.17.1 samba-client-debuginfo-32bit-4.4.2-38.17.1 samba-libs-32bit-4.4.2-38.17.1 samba-libs-debuginfo-32bit-4.4.2-38.17.1 samba-winbind-32bit-4.4.2-38.17.1 samba-winbind-debuginfo-32bit-4.4.2-38.17.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): samba-doc-4.4.2-38.17.1 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): ctdb-4.4.2-38.17.1 ctdb-debuginfo-4.4.2-38.17.1 samba-debuginfo-4.4.2-38.17.1 samba-debugsource-4.4.2-38.17.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): samba-doc-4.4.2-38.17.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libdcerpc-binding0-32bit-4.4.2-38.17.1 libdcerpc-binding0-4.4.2-38.17.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.17.1 libdcerpc-binding0-debuginfo-4.4.2-38.17.1 libdcerpc0-32bit-4.4.2-38.17.1 libdcerpc0-4.4.2-38.17.1 libdcerpc0-debuginfo-32bit-4.4.2-38.17.1 libdcerpc0-debuginfo-4.4.2-38.17.1 libndr-krb5pac0-32bit-4.4.2-38.17.1 libndr-krb5pac0-4.4.2-38.17.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.17.1 libndr-krb5pac0-debuginfo-4.4.2-38.17.1 libndr-nbt0-32bit-4.4.2-38.17.1 libndr-nbt0-4.4.2-38.17.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.17.1 libndr-nbt0-debuginfo-4.4.2-38.17.1 libndr-standard0-32bit-4.4.2-38.17.1 libndr-standard0-4.4.2-38.17.1 libndr-standard0-debuginfo-32bit-4.4.2-38.17.1 libndr-standard0-debuginfo-4.4.2-38.17.1 libndr0-32bit-4.4.2-38.17.1 libndr0-4.4.2-38.17.1 libndr0-debuginfo-32bit-4.4.2-38.17.1 libndr0-debuginfo-4.4.2-38.17.1 libnetapi0-32bit-4.4.2-38.17.1 libnetapi0-4.4.2-38.17.1 libnetapi0-debuginfo-32bit-4.4.2-38.17.1 libnetapi0-debuginfo-4.4.2-38.17.1 libsamba-credentials0-32bit-4.4.2-38.17.1 libsamba-credentials0-4.4.2-38.17.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.17.1 libsamba-credentials0-debuginfo-4.4.2-38.17.1 libsamba-errors0-32bit-4.4.2-38.17.1 libsamba-errors0-4.4.2-38.17.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.17.1 libsamba-errors0-debuginfo-4.4.2-38.17.1 libsamba-hostconfig0-32bit-4.4.2-38.17.1 libsamba-hostconfig0-4.4.2-38.17.1 libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.17.1 libsamba-hostconfig0-debuginfo-4.4.2-38.17.1 libsamba-passdb0-32bit-4.4.2-38.17.1 libsamba-passdb0-4.4.2-38.17.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.17.1 libsamba-passdb0-debuginfo-4.4.2-38.17.1 libsamba-util0-32bit-4.4.2-38.17.1 libsamba-util0-4.4.2-38.17.1 libsamba-util0-debuginfo-32bit-4.4.2-38.17.1 libsamba-util0-debuginfo-4.4.2-38.17.1 libsamdb0-32bit-4.4.2-38.17.1 libsamdb0-4.4.2-38.17.1 libsamdb0-debuginfo-32bit-4.4.2-38.17.1 libsamdb0-debuginfo-4.4.2-38.17.1 libsmbclient0-32bit-4.4.2-38.17.1 libsmbclient0-4.4.2-38.17.1 libsmbclient0-debuginfo-32bit-4.4.2-38.17.1 libsmbclient0-debuginfo-4.4.2-38.17.1 libsmbconf0-32bit-4.4.2-38.17.1 libsmbconf0-4.4.2-38.17.1 libsmbconf0-debuginfo-32bit-4.4.2-38.17.1 libsmbconf0-debuginfo-4.4.2-38.17.1 libsmbldap0-32bit-4.4.2-38.17.1 libsmbldap0-4.4.2-38.17.1 libsmbldap0-debuginfo-32bit-4.4.2-38.17.1 libsmbldap0-debuginfo-4.4.2-38.17.1 libtevent-util0-32bit-4.4.2-38.17.1 libtevent-util0-4.4.2-38.17.1 libtevent-util0-debuginfo-32bit-4.4.2-38.17.1 libtevent-util0-debuginfo-4.4.2-38.17.1 libwbclient0-32bit-4.4.2-38.17.1 libwbclient0-4.4.2-38.17.1 libwbclient0-debuginfo-32bit-4.4.2-38.17.1 libwbclient0-debuginfo-4.4.2-38.17.1 samba-4.4.2-38.17.1 samba-client-32bit-4.4.2-38.17.1 samba-client-4.4.2-38.17.1 samba-client-debuginfo-32bit-4.4.2-38.17.1 samba-client-debuginfo-4.4.2-38.17.1 samba-debuginfo-4.4.2-38.17.1 samba-debugsource-4.4.2-38.17.1 samba-libs-32bit-4.4.2-38.17.1 samba-libs-4.4.2-38.17.1 samba-libs-debuginfo-32bit-4.4.2-38.17.1 samba-libs-debuginfo-4.4.2-38.17.1 samba-winbind-32bit-4.4.2-38.17.1 samba-winbind-4.4.2-38.17.1 samba-winbind-debuginfo-32bit-4.4.2-38.17.1 samba-winbind-debuginfo-4.4.2-38.17.1 References: https://www.suse.com/security/cve/CVE-2018-1050.html https://bugzilla.suse.com/1081741 From sle-security-updates at lists.suse.com Wed Mar 28 13:07:35 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Mar 2018 21:07:35 +0200 (CEST) Subject: SUSE-SU-2018:0834-1: important: Security update for the Linux Kernel Message-ID: <20180328190735.0C96DFC9E@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0834-1 Rating: important References: #1010470 #1012382 #1045330 #1062568 #1063416 #1066001 #1067118 #1068032 #1072689 #1072865 #1074488 #1075617 #1075621 #1077560 #1078669 #1078672 #1078673 #1078674 #1080255 #1080464 #1080757 #1082299 #1083244 #1083483 #1083494 #1083640 #1084323 #1085107 #1085114 #1085279 #1085447 Cross-References: CVE-2016-7915 CVE-2017-12190 CVE-2017-13166 CVE-2017-15299 CVE-2017-16644 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017 CVE-2017-18204 CVE-2017-18208 CVE-2017-18221 CVE-2018-1066 CVE-2018-1068 CVE-2018-5332 CVE-2018-5333 CVE-2018-6927 CVE-2018-7566 Affected Products: SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Module for Public Cloud 12 ______________________________________________________________________________ An update that solves 19 vulnerabilities and has 12 fixes is now available. Description: The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323). - CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640). - CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865). - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674). - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416). - CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483). - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244). - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669). - CVE-2016-7915: The hid_input_field function allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device (bnc#1010470). - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did unbalanced refcounting when a SCSI I/O vector had small consecutive buffers belonging to the same page. The bio_add_pc_page function merged them into one, but the page reference was never dropped. This caused a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568). - CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673). - CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672). - CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621). - CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617). - CVE-2017-18017: The tcpmss_mangle_packet function allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488). The following non-security bugs were fixed: - Fix build on arm64 by defining empty gmb() (bnc#1068032). - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416). - KEYS: fix writing past end of user-supplied buffer in keyring_read() (bsc#1066001). - KEYS: return full count in keyring_read() if buffer is too small (bsc#1066001). - include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header (bsc#1077560). - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689). - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689). - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689). - x86/kaiser: use trampoline stack for kernel entry (bsc#1077560) - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464). - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow variables support (bsc#1082299). - livepatch: introduce shadow variable API. Shadow variables support (bsc#1082299) - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382). - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382). - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382). - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382). - media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382). - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382). - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382). - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107). - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107). - packet: only call dev_add_pack() on freshly allocated fanout instances - pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330). - x86/espfix: Fix return stack in do_double_fault() (bsc#1085279). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-558=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-558=1 Package List: - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): kernel-default-3.12.61-52.125.1 kernel-default-base-3.12.61-52.125.1 kernel-default-base-debuginfo-3.12.61-52.125.1 kernel-default-debuginfo-3.12.61-52.125.1 kernel-default-debugsource-3.12.61-52.125.1 kernel-default-devel-3.12.61-52.125.1 kernel-syms-3.12.61-52.125.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): kernel-xen-3.12.61-52.125.1 kernel-xen-base-3.12.61-52.125.1 kernel-xen-base-debuginfo-3.12.61-52.125.1 kernel-xen-debuginfo-3.12.61-52.125.1 kernel-xen-debugsource-3.12.61-52.125.1 kernel-xen-devel-3.12.61-52.125.1 kgraft-patch-3_12_61-52_125-default-1-1.3.1 kgraft-patch-3_12_61-52_125-xen-1-1.3.1 - SUSE Linux Enterprise Server 12-LTSS (noarch): kernel-devel-3.12.61-52.125.1 kernel-macros-3.12.61-52.125.1 kernel-source-3.12.61-52.125.1 - SUSE Linux Enterprise Server 12-LTSS (s390x): kernel-default-man-3.12.61-52.125.1 - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64): kernel-ec2-3.12.61-52.125.1 kernel-ec2-debuginfo-3.12.61-52.125.1 kernel-ec2-debugsource-3.12.61-52.125.1 kernel-ec2-devel-3.12.61-52.125.1 kernel-ec2-extra-3.12.61-52.125.1 kernel-ec2-extra-debuginfo-3.12.61-52.125.1 References: https://www.suse.com/security/cve/CVE-2016-7915.html https://www.suse.com/security/cve/CVE-2017-12190.html https://www.suse.com/security/cve/CVE-2017-13166.html https://www.suse.com/security/cve/CVE-2017-15299.html https://www.suse.com/security/cve/CVE-2017-16644.html https://www.suse.com/security/cve/CVE-2017-16911.html https://www.suse.com/security/cve/CVE-2017-16912.html https://www.suse.com/security/cve/CVE-2017-16913.html https://www.suse.com/security/cve/CVE-2017-16914.html https://www.suse.com/security/cve/CVE-2017-18017.html https://www.suse.com/security/cve/CVE-2017-18204.html https://www.suse.com/security/cve/CVE-2017-18208.html https://www.suse.com/security/cve/CVE-2017-18221.html https://www.suse.com/security/cve/CVE-2018-1066.html https://www.suse.com/security/cve/CVE-2018-1068.html https://www.suse.com/security/cve/CVE-2018-5332.html https://www.suse.com/security/cve/CVE-2018-5333.html https://www.suse.com/security/cve/CVE-2018-6927.html https://www.suse.com/security/cve/CVE-2018-7566.html https://bugzilla.suse.com/1010470 https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1045330 https://bugzilla.suse.com/1062568 https://bugzilla.suse.com/1063416 https://bugzilla.suse.com/1066001 https://bugzilla.suse.com/1067118 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1072689 https://bugzilla.suse.com/1072865 https://bugzilla.suse.com/1074488 https://bugzilla.suse.com/1075617 https://bugzilla.suse.com/1075621 https://bugzilla.suse.com/1077560 https://bugzilla.suse.com/1078669 https://bugzilla.suse.com/1078672 https://bugzilla.suse.com/1078673 https://bugzilla.suse.com/1078674 https://bugzilla.suse.com/1080255 https://bugzilla.suse.com/1080464 https://bugzilla.suse.com/1080757 https://bugzilla.suse.com/1082299 https://bugzilla.suse.com/1083244 https://bugzilla.suse.com/1083483 https://bugzilla.suse.com/1083494 https://bugzilla.suse.com/1083640 https://bugzilla.suse.com/1084323 https://bugzilla.suse.com/1085107 https://bugzilla.suse.com/1085114 https://bugzilla.suse.com/1085279 https://bugzilla.suse.com/1085447 From sle-security-updates at lists.suse.com Thu Mar 29 04:11:13 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 12:11:13 +0200 (CEST) Subject: SUSE-SU-2018:0837-1: moderate: Security update for freetype2 Message-ID: <20180329101113.A4A97FC98@maintenance.suse.de> SUSE Security Update: Security update for freetype2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0837-1 Rating: moderate References: #1034191 Cross-References: CVE-2016-10328 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for freetype2 fixes the following issues: Security issue fixed: - CVE-2016-10328: Fixed heap-based buffer overflow in cff_parser_run function in cff/cffparse.c (bsc#1034191). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-freetype2-13537=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-freetype2-13537=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-freetype2-13537=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): freetype2-devel-2.3.7-25.45.8.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): freetype2-devel-32bit-2.3.7-25.45.8.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): freetype2-2.3.7-25.45.8.1 ft2demos-2.3.7-25.45.8.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): freetype2-32bit-2.3.7-25.45.8.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): freetype2-x86-2.3.7-25.45.8.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): freetype2-debuginfo-2.3.7-25.45.8.1 freetype2-debugsource-2.3.7-25.45.8.1 ft2demos-debuginfo-2.3.7-25.45.8.1 ft2demos-debugsource-2.3.7-25.45.8.1 References: https://www.suse.com/security/cve/CVE-2016-10328.html https://bugzilla.suse.com/1034191 From sle-security-updates at lists.suse.com Thu Mar 29 04:11:46 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 12:11:46 +0200 (CEST) Subject: SUSE-SU-2018:0838-1: important: Security update for libvirt Message-ID: <20180329101146.B28EBFC98@maintenance.suse.de> SUSE Security Update: Security update for libvirt ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0838-1 Rating: important References: #1055365 #1076500 #1079869 #1083061 #1083625 Cross-References: CVE-2017-5715 CVE-2018-1064 CVE-2018-5748 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that solves three vulnerabilities and has two fixes is now available. Description: This update for libvirt fixes the following issues: Security issues fixed: - CVE-2017-5715: Fixes for speculative side channel attacks aka "SpectreAttack" (var2) (bsc#1079869). - CVE-2018-1064: Fixed denial of service when reading from guest agent (bsc#1083625). - CVE-2018-5748: Fixed possible denial of service when reading from QEMU monitor (bsc#1076500). Non-security issues fixed: - bsc#1083061: Fixed 'dumpxml --migratable' exports domain id in output on SLES11 SP4. - bsc#1055365: Improve performance when listing hundreds of interfaces. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-libvirt-13538=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-libvirt-13538=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-libvirt-13538=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): libvirt-devel-1.2.5-23.6.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (x86_64): libvirt-devel-32bit-1.2.5-23.6.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libvirt-1.2.5-23.6.1 libvirt-client-1.2.5-23.6.1 libvirt-doc-1.2.5-23.6.1 libvirt-lock-sanlock-1.2.5-23.6.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libvirt-client-32bit-1.2.5-23.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): libvirt-debuginfo-1.2.5-23.6.1 libvirt-debugsource-1.2.5-23.6.1 References: https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2018-1064.html https://www.suse.com/security/cve/CVE-2018-5748.html https://bugzilla.suse.com/1055365 https://bugzilla.suse.com/1076500 https://bugzilla.suse.com/1079869 https://bugzilla.suse.com/1083061 https://bugzilla.suse.com/1083625 From sle-security-updates at lists.suse.com Thu Mar 29 04:12:59 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 12:12:59 +0200 (CEST) Subject: SUSE-SU-2018:0839-1: important: Security update for memcached Message-ID: <20180329101259.43D9DFC98@maintenance.suse.de> SUSE Security Update: Security update for memcached ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0839-1 Rating: important References: #1056865 Cross-References: CVE-2017-9951 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for memcached fixes the following issues: - CVE-2017-9951: Fixed heap-based buffer over-read in try_read_command function which allowed remote attackers to cause a denial of service attack (bsc#1056865). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-562=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-562=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-562=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-562=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): memcached-debuginfo-1.4.39-4.3.1 memcached-debugsource-1.4.39-4.3.1 memcached-devel-1.4.39-4.3.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): memcached-1.4.39-4.3.1 memcached-debuginfo-1.4.39-4.3.1 memcached-debugsource-1.4.39-4.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): memcached-1.4.39-4.3.1 memcached-debuginfo-1.4.39-4.3.1 memcached-debugsource-1.4.39-4.3.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): memcached-1.4.39-4.3.1 memcached-debuginfo-1.4.39-4.3.1 memcached-debugsource-1.4.39-4.3.1 References: https://www.suse.com/security/cve/CVE-2017-9951.html https://bugzilla.suse.com/1056865 From sle-security-updates at lists.suse.com Thu Mar 29 07:07:43 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 15:07:43 +0200 (CEST) Subject: SUSE-SU-2018:0841-1: important: Security update for the Linux Kernel Message-ID: <20180329130743.5CF74FC98@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0841-1 Rating: important References: #1012382 #1045538 #1048585 #1049128 #1050431 #1054305 #1059174 #1060279 #1060682 #1063544 #1064861 #1068032 #1068984 #1069508 #1070623 #1070781 #1073311 #1074488 #1074621 #1074880 #1075088 #1075091 #1075410 #1075617 #1075621 #1075908 #1075994 #1076017 #1076154 #1076278 #1076437 #1076849 #1077191 #1077355 #1077406 #1077487 #1077560 #1077922 #1078875 #1079917 #1080133 #1080359 #1080363 #1080372 #1080579 #1080685 #1080774 #1081500 #936530 #962257 Cross-References: CVE-2015-1142857 CVE-2017-13215 CVE-2017-17741 CVE-2017-18017 CVE-2017-18079 CVE-2017-5715 CVE-2018-1000004 CVE-2018-5332 CVE-2018-5333 Affected Products: SUSE Linux Enterprise Real Time Extension 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has 41 fixes is now available. Description: The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka "retpolines". - CVE-2015-1142857: On multiple SR-IOV cars it is possible for VF's assigned to guests to send ethernet flow control pause frames via the PF. This includes Linux kernel ixgbe driver, i40e/i40evf driver and the DPDK, additionally multiple vendor NIC firmware is affected (bnc#1077355). - CVE-2017-13215: A elevation of privilege vulnerability in the Upstream kernel skcipher. (bnc#1075908). - CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (bnc#1073311). - CVE-2017-18017: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488). - CVE-2017-18079: drivers/input/serio/i8042.c in the Linux kernel allowed attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated (bnc#1077922). - CVE-2018-1000004: In the Linux kernel a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition (bnc#1076017). - CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621). - CVE-2018-5333: In the Linux kernel rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617). The following non-security bugs were fixed: - Add proper NX hadnling for !NX-capable systems also to kaiser_add_user_map(). (bsc#1076278). - alsa: aloop: Fix inconsistent format due to incomplete rule (bsc#1045538). - alsa: aloop: Fix racy hw constraints adjustment (bsc#1045538). - alsa: aloop: Release cable upon open error path (bsc#1045538). - alsa: pcm: Abort properly at pending signal in OSS read/write loops (bsc#1045538). - alsa: pcm: Add missing error checks in OSS emulation plugin builder (bsc#1045538). - alsa: pcm: Allow aborting mutex lock at OSS read/write loops (bsc#1045538). - alsa: pcm: Remove incorrect snd_BUG_ON() usages (bsc#1045538). - alsa: pcm: Remove yet superfluous WARN_ON() (bsc#1045538). - btrfs: cleanup unnecessary assignment when cleaning up all the residual transaction (FATE#325056). - btrfs: copy fsid to super_block s_uuid (bsc#1080774). - btrfs: do not wait for all the writers circularly during the transaction commit (FATE#325056). - btrfs: do not WARN() in btrfs_transaction_abort() for IO errors (bsc#1080363). - btrfs: fix two use-after-free bugs with transaction cleanup (FATE#325056). - btrfs: make the state of the transaction more readable (FATE#325056). - btrfs: qgroup: exit the rescan worker during umount (bsc#1080685). - btrfs: qgroup: Fix dead judgement on qgroup_rescan_leaf() return value (bsc#1080685). - btrfs: reset intwrite on transaction abort (FATE#325056). - btrfs: set qgroup_ulist to be null after calling ulist_free() (bsc#1080359). - btrfs: stop waiting on current trans if we aborted (FATE#325056). - cdc-acm: apply quirk for card reader (bsc#1060279). - cdrom: factor out common open_for_* code (bsc#1048585). - cdrom: wait for tray to close (bsc#1048585). - delay: add poll_event_interruptible (bsc#1048585). - dm flakey: add corrupt_bio_byte feature (bsc#1080372). - dm flakey: add drop_writes (bsc#1080372). - dm flakey: error READ bios during the down_interval (bsc#1080372). - dm flakey: fix crash on read when corrupt_bio_byte not set (bsc#1080372). - dm flakey: fix reads to be issued if drop_writes configured (bsc#1080372). - dm flakey: introduce "error_writes" feature (bsc#1080372). - dm flakey: support feature args (bsc#1080372). - dm flakey: use dm_target_offset and support discards (bsc#1080372). - ext2: free memory allocated and forget buffer head when io error happens (bnc#1069508). - ext2: use unlikely to improve the efficiency of the kernel (bnc#1069508). - ext3: add necessary check in case IO error happens (bnc#1069508). - ext3: use unlikely to improve the efficiency of the kernel (bnc#1069508). - fork: clear thread stack upon allocation (bsc#1077560). - kabi/severities ignore Cell-specific symbols - kaiser: do not clobber ZF by calling ENABLE_IBRS after test and before jz - kaiser: fix ia32 compat sysexit (bsc#1080579) sysexit_from_sys_call cannot make assumption of accessible stack after CR3 switch, and therefore should use the SWITCH_USER_CR3_NO_STACK method to flip the pagetable hierarchy. - kaiser: Fix trampoline stack loading issue on XEN PV - kaiser: handle non-accessible stack in sysretl_from_sys_call properly (bsc#bsc#1080579) - kaiser: make sure not to touch stack after CR3 switch in compat syscall return - kaiser: really do switch away from trampoline stack to kernel stack in ia32_syscall entry (bsc#1080579) - kbuild: modversions for EXPORT_SYMBOL() for asm (bsc#1074621 bsc#1068032). - keys: trusted: fix writing past end of buffer in trusted_read() (bsc#1074880). - media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() (bsc#1050431). - mISDN: fix a loop count (bsc#1077191). - mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1081500). - nfsd: do not share group_info among threads (bsc at 1070623). - ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread (bsc#1076437). - ocfs2: do not set OCFS2_LOCK_UPCONVERT_FINISHING if nonblocking lock can not be granted at once (bsc#1076437). - ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock (bsc#962257). - powerpc/64: Add macros for annotating the destination of rfid/hrfid (bsc#1068032, bsc#1075088). - powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075088). - powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075088). - powerpc/64s: Add EX_SIZE definition for paca exception save areas (bsc#1068032, bsc#1075088). - powerpc/64s: Add support for RFI flush of L1-D cache (bsc#1068032, bsc#1075088). - powerpc/64s: Allow control of RFI flush via debugfs (bsc#1068032, bsc#1075088). - powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075088). - powerpc/64s: Simple RFI macro conversions (bsc#1068032, bsc#1075088). - powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti (bsc#1068032, bsc#1075088). - powerpc/64s: Wire up cpu_show_meltdown() (bsc#1068032). - powerpc/asm: Allow including ppc_asm.h in asm files (bsc#1068032, bsc#1075088). - powerpc: Fix register clobbering when accumulating stolen time (bsc#1059174). - powerpc: Fix up the kdump base cap to 128M (bsc#1079917, bsc#1077487). - powerpc: Mark CONFIG_PPC_DEBUG_RFI as BROKEN (bsc#1075088). - powerpc/perf: Dereference BHRB entries safely (bsc#1064861, FATE#317619, git-fixes). - powerpc/perf: Fix book3s kernel to userspace backtraces (bsc#1080133). - powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper (bsc#1068032, bsc#1075088). - powerpc/pseries: include linux/types.h in asm/hvcall.h (bsc#1068032, bsc#1075088). - powerpc/pseries: Introduce H_GET_CPU_CHARACTERISTICS (bsc#1068032, bsc#1075088). - powerpc/pseries: Kill all prefetch streams on context switch (bsc#1068032, bsc#1075088). - powerpc/pseries: Query hypervisor for RFI flush settings (bsc#1068032, bsc#1075088). - powerpc/pseries: rfi-flush: Call setup_rfi_flush() after LPM migration (bsc#1068032, bsc#1075088). - powerpc/pseries/rfi-flush: Call setup_rfi_flush() after LPM migration (bsc#1075088). - powerpc/pseries/rfi-flush: Drop PVR-based selection (bsc#1075088). - powerpc/rfi-flush: Add DEBUG_RFI config option (bsc#1068032, bsc#1075088). - powerpc/rfi-flush: Factor out init_fallback_flush() (bsc#1075088). - powerpc/rfi-flush: Make setup_rfi_flush() not __init (bsc#1075088). - powerpc/rfi-flush: Move RFI flush fields out of the paca (unbreak kABI) (bsc#1068032, bsc#1075088). - powerpc/rfi-flush: Move the logic to avoid a redo into the sysfs code (bsc#1068032, bsc#1075088). - powerpc/rfi-flush: Move the logic to avoid a redo into the sysfs code (bsc#1075088). - powerpc/vdso64: Use double word compare on pointers (bsc#1070781). - rfi-flush: Make DEBUG_RFI a CONFIG option (bsc#1068032, bsc#1075088). - rfi-flush: Move rfi_flush_fallback_area to end of paca (bsc#1075088). - rfi-flush: Move RFI flush fields out of the paca (unbreak kABI) (bsc#1075088). - rfi-flush: Switch to new linear fallback flush (bsc#1068032, bsc#1075088). - s390: add ppa to the idle loop (bnc#1077406, LTC#163910). - s390/cpuinfo: show facilities as reported by stfle (bnc#1076849, LTC#163741). - scsi: libiscsi: fix shifting of DID_REQUEUE host byte (bsc#1078875). - scsi: sr: wait for the medium to become ready (bsc#1048585). - scsi: virtio_scsi: let host do exception handling (bsc#936530,bsc#1060682). - storvsc: do not assume SG list is continuous when doing bounce buffers (bsc#1075410). - sysfs/cpu: Add vulnerability folder (bnc#1012382). - sysfs/cpu: Fix typos in vulnerability documentation (bnc#1012382). - sysfs: spectre_v2, handle spec_ctrl (bsc#1075994 bsc#1075091). - Update config files: enable CPU vulnerabilities reporting via sysfs - x86/acpi: Handle SCI interrupts above legacy space gracefully (bsc#1068984). - x86/acpi: Reduce code duplication in mp_override_legacy_irq() (bsc#1068984). - x86/boot: Fix early command-line parsing when matching at end (bsc#1068032). - x86/cpu: Factor out application of forced CPU caps (bsc#1075994 bsc#1075091). - x86/cpu: Implement CPU vulnerabilites sysfs functions (bnc#1012382). - x86/CPU: Sync CPU feature flags late (bsc#1075994 bsc#1075091). - x86/kaiser: Populate shadow PGD with NX bit only if supported by platform (bsc#1076154 bsc#1076278). - x86/kaiser: use trampoline stack for kernel entry. - x86/microcode/intel: Extend BDW late-loading further with LLC size check (bsc#1054305). - x86/microcode/intel: Extend BDW late-loading with a revision check (bsc#1054305). - x86/microcode: Rescan feature flags upon late loading (bsc#1075994 bsc#1075091). - x86/retpolines/spec_ctrl: disable IBRS on !SKL if retpolines are active (bsc#1068032). - x86/spec_ctrl: handle late setting of X86_FEATURE_SPEC_CTRL properly (bsc#1075994 bsc#1075091). - x86/spectre_v2: fix ordering in IBRS initialization (bsc#1075994 bsc#1075091). - x86/spectre_v2: nospectre_v2 means nospec too (bsc#1075994 bsc#1075091). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Real Time Extension 11-SP4: zypper in -t patch slertesp4-kernel-rt-20180209-13539=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-kernel-rt-20180209-13539=1 Package List: - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64): kernel-rt-3.0.101.rt130-69.21.1 kernel-rt-base-3.0.101.rt130-69.21.1 kernel-rt-devel-3.0.101.rt130-69.21.1 kernel-rt_trace-3.0.101.rt130-69.21.1 kernel-rt_trace-base-3.0.101.rt130-69.21.1 kernel-rt_trace-devel-3.0.101.rt130-69.21.1 kernel-source-rt-3.0.101.rt130-69.21.1 kernel-syms-rt-3.0.101.rt130-69.21.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64): kernel-rt-debuginfo-3.0.101.rt130-69.21.1 kernel-rt-debugsource-3.0.101.rt130-69.21.1 kernel-rt_debug-debuginfo-3.0.101.rt130-69.21.1 kernel-rt_debug-debugsource-3.0.101.rt130-69.21.1 kernel-rt_trace-debuginfo-3.0.101.rt130-69.21.1 kernel-rt_trace-debugsource-3.0.101.rt130-69.21.1 References: https://www.suse.com/security/cve/CVE-2015-1142857.html https://www.suse.com/security/cve/CVE-2017-13215.html https://www.suse.com/security/cve/CVE-2017-17741.html https://www.suse.com/security/cve/CVE-2017-18017.html https://www.suse.com/security/cve/CVE-2017-18079.html https://www.suse.com/security/cve/CVE-2017-5715.html https://www.suse.com/security/cve/CVE-2018-1000004.html https://www.suse.com/security/cve/CVE-2018-5332.html https://www.suse.com/security/cve/CVE-2018-5333.html https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1045538 https://bugzilla.suse.com/1048585 https://bugzilla.suse.com/1049128 https://bugzilla.suse.com/1050431 https://bugzilla.suse.com/1054305 https://bugzilla.suse.com/1059174 https://bugzilla.suse.com/1060279 https://bugzilla.suse.com/1060682 https://bugzilla.suse.com/1063544 https://bugzilla.suse.com/1064861 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068984 https://bugzilla.suse.com/1069508 https://bugzilla.suse.com/1070623 https://bugzilla.suse.com/1070781 https://bugzilla.suse.com/1073311 https://bugzilla.suse.com/1074488 https://bugzilla.suse.com/1074621 https://bugzilla.suse.com/1074880 https://bugzilla.suse.com/1075088 https://bugzilla.suse.com/1075091 https://bugzilla.suse.com/1075410 https://bugzilla.suse.com/1075617 https://bugzilla.suse.com/1075621 https://bugzilla.suse.com/1075908 https://bugzilla.suse.com/1075994 https://bugzilla.suse.com/1076017 https://bugzilla.suse.com/1076154 https://bugzilla.suse.com/1076278 https://bugzilla.suse.com/1076437 https://bugzilla.suse.com/1076849 https://bugzilla.suse.com/1077191 https://bugzilla.suse.com/1077355 https://bugzilla.suse.com/1077406 https://bugzilla.suse.com/1077487 https://bugzilla.suse.com/1077560 https://bugzilla.suse.com/1077922 https://bugzilla.suse.com/1078875 https://bugzilla.suse.com/1079917 https://bugzilla.suse.com/1080133 https://bugzilla.suse.com/1080359 https://bugzilla.suse.com/1080363 https://bugzilla.suse.com/1080372 https://bugzilla.suse.com/1080579 https://bugzilla.suse.com/1080685 https://bugzilla.suse.com/1080774 https://bugzilla.suse.com/1081500 https://bugzilla.suse.com/936530 https://bugzilla.suse.com/962257 From sle-security-updates at lists.suse.com Thu Mar 29 10:08:30 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 18:08:30 +0200 (CEST) Subject: SUSE-SU-2018:0844-1: important: Security update for python-paramiko Message-ID: <20180329160830.C29B4FC98@maintenance.suse.de> SUSE Security Update: Security update for python-paramiko ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0844-1 Rating: important References: #1085276 Cross-References: CVE-2018-7750 Affected Products: SUSE OpenStack Cloud 7 SUSE Enterprise Storage 4 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-paramiko fixes the following issues: - CVE-2018-7750: Fixed transport.py in the SSH server implementation of Paramiko that does not properly check whether authentication is completed before processing other requests (bsc#1085276). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-566=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-566=1 - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-566=1 Package List: - SUSE OpenStack Cloud 7 (noarch): python-paramiko-2.0.8-3.3.1 - SUSE Enterprise Storage 4 (noarch): python-paramiko-2.0.8-3.3.1 - OpenStack Cloud Magnum Orchestration 7 (noarch): python-paramiko-2.0.8-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-7750.html https://bugzilla.suse.com/1085276 From sle-security-updates at lists.suse.com Thu Mar 29 10:09:15 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 18:09:15 +0200 (CEST) Subject: SUSE-SU-2018:0846-1: moderate: Security update for krb5 Message-ID: <20180329160915.C6A9AFC98@maintenance.suse.de> SUSE Security Update: Security update for krb5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0846-1 Rating: moderate References: #1057662 #1081725 #1083926 #1083927 Cross-References: CVE-2018-5729 CVE-2018-5730 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 SUSE CaaS Platform ALL OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that solves two vulnerabilities and has two fixes is now available. Description: This update for krb5 provides the following fixes: Security issues fixed: - CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927). - CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926). Non-security issues fixed: - Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662) - Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-567=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-567=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-567=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-567=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-567=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-567=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-567=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-567=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): krb5-debuginfo-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 krb5-devel-1.12.5-40.23.2 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): krb5-debuginfo-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 krb5-devel-1.12.5-40.23.2 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): krb5-1.12.5-40.23.2 krb5-client-1.12.5-40.23.2 krb5-client-debuginfo-1.12.5-40.23.2 krb5-debuginfo-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 krb5-doc-1.12.5-40.23.2 krb5-plugin-kdb-ldap-1.12.5-40.23.2 krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.23.2 krb5-plugin-preauth-otp-1.12.5-40.23.2 krb5-plugin-preauth-otp-debuginfo-1.12.5-40.23.2 krb5-plugin-preauth-pkinit-1.12.5-40.23.2 krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.23.2 krb5-server-1.12.5-40.23.2 krb5-server-debuginfo-1.12.5-40.23.2 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): krb5-1.12.5-40.23.2 krb5-client-1.12.5-40.23.2 krb5-client-debuginfo-1.12.5-40.23.2 krb5-debuginfo-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 krb5-doc-1.12.5-40.23.2 krb5-plugin-kdb-ldap-1.12.5-40.23.2 krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.23.2 krb5-plugin-preauth-otp-1.12.5-40.23.2 krb5-plugin-preauth-otp-debuginfo-1.12.5-40.23.2 krb5-plugin-preauth-pkinit-1.12.5-40.23.2 krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.23.2 krb5-server-1.12.5-40.23.2 krb5-server-debuginfo-1.12.5-40.23.2 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): krb5-32bit-1.12.5-40.23.2 krb5-debuginfo-32bit-1.12.5-40.23.2 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): krb5-1.12.5-40.23.2 krb5-client-1.12.5-40.23.2 krb5-client-debuginfo-1.12.5-40.23.2 krb5-debuginfo-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 krb5-doc-1.12.5-40.23.2 krb5-plugin-kdb-ldap-1.12.5-40.23.2 krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.23.2 krb5-plugin-preauth-otp-1.12.5-40.23.2 krb5-plugin-preauth-otp-debuginfo-1.12.5-40.23.2 krb5-plugin-preauth-pkinit-1.12.5-40.23.2 krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.23.2 krb5-server-1.12.5-40.23.2 krb5-server-debuginfo-1.12.5-40.23.2 - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64): krb5-32bit-1.12.5-40.23.2 krb5-debuginfo-32bit-1.12.5-40.23.2 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): krb5-1.12.5-40.23.2 krb5-32bit-1.12.5-40.23.2 krb5-client-1.12.5-40.23.2 krb5-client-debuginfo-1.12.5-40.23.2 krb5-debuginfo-1.12.5-40.23.2 krb5-debuginfo-32bit-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): krb5-1.12.5-40.23.2 krb5-32bit-1.12.5-40.23.2 krb5-client-1.12.5-40.23.2 krb5-client-debuginfo-1.12.5-40.23.2 krb5-debuginfo-1.12.5-40.23.2 krb5-debuginfo-32bit-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 - SUSE CaaS Platform ALL (x86_64): krb5-1.12.5-40.23.2 krb5-debuginfo-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 - OpenStack Cloud Magnum Orchestration 7 (x86_64): krb5-1.12.5-40.23.2 krb5-debuginfo-1.12.5-40.23.2 krb5-debugsource-1.12.5-40.23.2 References: https://www.suse.com/security/cve/CVE-2018-5729.html https://www.suse.com/security/cve/CVE-2018-5730.html https://bugzilla.suse.com/1057662 https://bugzilla.suse.com/1081725 https://bugzilla.suse.com/1083926 https://bugzilla.suse.com/1083927 From sle-security-updates at lists.suse.com Thu Mar 29 10:11:42 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 18:11:42 +0200 (CEST) Subject: SUSE-SU-2018:0848-1: important: Security update for the Linux Kernel Message-ID: <20180329161142.BCD99FC98@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0848-1 Rating: important References: #1010470 #1012382 #1045330 #1055755 #1062568 #1063416 #1066001 #1067118 #1068032 #1072689 #1072865 #1074488 #1075617 #1075621 #1077182 #1077560 #1077779 #1078669 #1078672 #1078673 #1078674 #1080255 #1080287 #1080464 #1080757 #1081512 #1082299 #1083244 #1083483 #1083494 #1083640 #1084323 #1085107 #1085114 #1085447 Cross-References: CVE-2016-7915 CVE-2017-12190 CVE-2017-13166 CVE-2017-15299 CVE-2017-16644 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017 CVE-2017-18204 CVE-2017-18208 CVE-2017-18221 CVE-2018-1066 CVE-2018-1068 CVE-2018-5332 CVE-2018-5333 CVE-2018-6927 CVE-2018-7566 Affected Products: SUSE OpenStack Cloud 6 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Module for Public Cloud 12 ______________________________________________________________________________ An update that solves 19 vulnerabilities and has 16 fixes is now available. Description: The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323). - CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640). - CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865). - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674). - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416). - CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483). - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244). - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669). - CVE-2016-7915: The hid_input_field function allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device (bnc#1010470). - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did unbalanced refcounting when a SCSI I/O vector had small consecutive buffers belonging to the same page. The bio_add_pc_page function merged them into one, but the page reference was never dropped. This caused a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568). - CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673). - CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672). - CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621). - CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617). - CVE-2017-18017: The tcpmss_mangle_packet function allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488). The following non-security bugs were fixed: - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416). - KEYS: fix writing past end of user-supplied buffer in keyring_read() (bsc#1066001). - KEYS: return full count in keyring_read() if buffer is too small (bsc#1066001). - NFS: Add a cond_resched() to nfs_commit_release_pages() (bsc#1077779). - btrfs: qgroup: move noisy underflow warning to debugging build (bsc#1055755 and bsc#1080287). - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689). - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689). - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689). - x86/kaiser: use trampoline stack for kernel entry (bsc#1077560) - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464). - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow variables support (bsc#1082299). - livepatch: introduce shadow variable API. Shadow variables support (bsc#1082299) - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382). - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382). - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382). - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382). - media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382). - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382). - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382). - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107). - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107). - packet: only call dev_add_pack() on freshly allocated fanout instances - pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330). - powerpc/64s: Improve RFI L1-D cache flush fallback (bsc#1068032, bsc#1077182). - powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove (bsc#1081512). - powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032, bsc#1077182). - powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032, bsc#1077182). - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1077182). - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1077182). - rfi-flush: Move the logic to avoid a redo into the debugfs code (bsc#1068032, bsc#1077182). - rfi-flush: Switch to new linear fallback flush (bsc#1068032, bsc#1077182). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-568=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-568=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-568=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-568=1 Package List: - SUSE OpenStack Cloud 6 (x86_64): kernel-default-3.12.74-60.64.85.1 kernel-default-base-3.12.74-60.64.85.1 kernel-default-base-debuginfo-3.12.74-60.64.85.1 kernel-default-debuginfo-3.12.74-60.64.85.1 kernel-default-debugsource-3.12.74-60.64.85.1 kernel-default-devel-3.12.74-60.64.85.1 kernel-syms-3.12.74-60.64.85.1 kernel-xen-3.12.74-60.64.85.1 kernel-xen-base-3.12.74-60.64.85.1 kernel-xen-base-debuginfo-3.12.74-60.64.85.1 kernel-xen-debuginfo-3.12.74-60.64.85.1 kernel-xen-debugsource-3.12.74-60.64.85.1 kernel-xen-devel-3.12.74-60.64.85.1 kgraft-patch-3_12_74-60_64_85-default-1-2.3.1 kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1 - SUSE OpenStack Cloud 6 (noarch): kernel-devel-3.12.74-60.64.85.1 kernel-macros-3.12.74-60.64.85.1 kernel-source-3.12.74-60.64.85.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): kernel-default-3.12.74-60.64.85.1 kernel-default-base-3.12.74-60.64.85.1 kernel-default-base-debuginfo-3.12.74-60.64.85.1 kernel-default-debuginfo-3.12.74-60.64.85.1 kernel-default-debugsource-3.12.74-60.64.85.1 kernel-default-devel-3.12.74-60.64.85.1 kernel-syms-3.12.74-60.64.85.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): kernel-xen-3.12.74-60.64.85.1 kernel-xen-base-3.12.74-60.64.85.1 kernel-xen-base-debuginfo-3.12.74-60.64.85.1 kernel-xen-debuginfo-3.12.74-60.64.85.1 kernel-xen-debugsource-3.12.74-60.64.85.1 kernel-xen-devel-3.12.74-60.64.85.1 kgraft-patch-3_12_74-60_64_85-default-1-2.3.1 kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): kernel-devel-3.12.74-60.64.85.1 kernel-macros-3.12.74-60.64.85.1 kernel-source-3.12.74-60.64.85.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): kernel-default-3.12.74-60.64.85.1 kernel-default-base-3.12.74-60.64.85.1 kernel-default-base-debuginfo-3.12.74-60.64.85.1 kernel-default-debuginfo-3.12.74-60.64.85.1 kernel-default-debugsource-3.12.74-60.64.85.1 kernel-default-devel-3.12.74-60.64.85.1 kernel-syms-3.12.74-60.64.85.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): kernel-xen-3.12.74-60.64.85.1 kernel-xen-base-3.12.74-60.64.85.1 kernel-xen-base-debuginfo-3.12.74-60.64.85.1 kernel-xen-debuginfo-3.12.74-60.64.85.1 kernel-xen-debugsource-3.12.74-60.64.85.1 kernel-xen-devel-3.12.74-60.64.85.1 kgraft-patch-3_12_74-60_64_85-default-1-2.3.1 kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): kernel-devel-3.12.74-60.64.85.1 kernel-macros-3.12.74-60.64.85.1 kernel-source-3.12.74-60.64.85.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x): kernel-default-man-3.12.74-60.64.85.1 - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64): kernel-ec2-3.12.74-60.64.85.1 kernel-ec2-debuginfo-3.12.74-60.64.85.1 kernel-ec2-debugsource-3.12.74-60.64.85.1 kernel-ec2-devel-3.12.74-60.64.85.1 kernel-ec2-extra-3.12.74-60.64.85.1 kernel-ec2-extra-debuginfo-3.12.74-60.64.85.1 References: https://www.suse.com/security/cve/CVE-2016-7915.html https://www.suse.com/security/cve/CVE-2017-12190.html https://www.suse.com/security/cve/CVE-2017-13166.html https://www.suse.com/security/cve/CVE-2017-15299.html https://www.suse.com/security/cve/CVE-2017-16644.html https://www.suse.com/security/cve/CVE-2017-16911.html https://www.suse.com/security/cve/CVE-2017-16912.html https://www.suse.com/security/cve/CVE-2017-16913.html https://www.suse.com/security/cve/CVE-2017-16914.html https://www.suse.com/security/cve/CVE-2017-18017.html https://www.suse.com/security/cve/CVE-2017-18204.html https://www.suse.com/security/cve/CVE-2017-18208.html https://www.suse.com/security/cve/CVE-2017-18221.html https://www.suse.com/security/cve/CVE-2018-1066.html https://www.suse.com/security/cve/CVE-2018-1068.html https://www.suse.com/security/cve/CVE-2018-5332.html https://www.suse.com/security/cve/CVE-2018-5333.html https://www.suse.com/security/cve/CVE-2018-6927.html https://www.suse.com/security/cve/CVE-2018-7566.html https://bugzilla.suse.com/1010470 https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1045330 https://bugzilla.suse.com/1055755 https://bugzilla.suse.com/1062568 https://bugzilla.suse.com/1063416 https://bugzilla.suse.com/1066001 https://bugzilla.suse.com/1067118 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1072689 https://bugzilla.suse.com/1072865 https://bugzilla.suse.com/1074488 https://bugzilla.suse.com/1075617 https://bugzilla.suse.com/1075621 https://bugzilla.suse.com/1077182 https://bugzilla.suse.com/1077560 https://bugzilla.suse.com/1077779 https://bugzilla.suse.com/1078669 https://bugzilla.suse.com/1078672 https://bugzilla.suse.com/1078673 https://bugzilla.suse.com/1078674 https://bugzilla.suse.com/1080255 https://bugzilla.suse.com/1080287 https://bugzilla.suse.com/1080464 https://bugzilla.suse.com/1080757 https://bugzilla.suse.com/1081512 https://bugzilla.suse.com/1082299 https://bugzilla.suse.com/1083244 https://bugzilla.suse.com/1083483 https://bugzilla.suse.com/1083494 https://bugzilla.suse.com/1083640 https://bugzilla.suse.com/1084323 https://bugzilla.suse.com/1085107 https://bugzilla.suse.com/1085114 https://bugzilla.suse.com/1085447 From sle-security-updates at lists.suse.com Thu Mar 29 13:07:28 2018 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Mar 2018 21:07:28 +0200 (CEST) Subject: SUSE-SU-2018:0850-1: moderate: Security update for MozillaFirefox Message-ID: <20180329190728.B14E1FC98@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0850-1 Rating: moderate References: #1085130 #1085671 #1087059 Cross-References: CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5130 CVE-2018-5131 CVE-2018-5144 CVE-2018-5145 CVE-2018-5146 CVE-2018-5147 CVE-2018-5148 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP3 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: Security issues fixed in Firefox ESR 52.7.3 (bsc#1085130): - CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 - CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList - CVE-2018-5129: Out-of-bounds write with malformed IPC messages - CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption - CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources - CVE-2018-5144: Integer overflow during Unicode conversion - CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 - CVE-2018-5146: Out of bounds memory write in libvorbis (bsc#1085671) - CVE-2018-5147: Out of bounds memory write in libtremor (bsc#1085671) - CVE-2018-5148: Use-after-free in compositor (MFSA 2018-10) (bsc#1087059) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-569=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-569=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-569=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-569=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-569=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-569=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-569=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-52.7.3esr-109.25.1 MozillaFirefox-debugsource-52.7.3esr-109.25.1 MozillaFirefox-devel-52.7.3esr-109.25.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-52.7.3esr-109.25.1 MozillaFirefox-debugsource-52.7.3esr-109.25.1 MozillaFirefox-devel-52.7.3esr-109.25.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): MozillaFirefox-52.7.3esr-109.25.1 MozillaFirefox-debuginfo-52.7.3esr-109.25.1 MozillaFirefox-debugsource-52.7.3esr-109.25.1 MozillaFirefox-translations-52.7.3esr-109.25.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): MozillaFirefox-52.7.3esr-109.25.1 MozillaFirefox-debuginfo-52.7.3esr-109.25.1 MozillaFirefox-debugsource-52.7.3esr-109.25.1 MozillaFirefox-translations-52.7.3esr-109.25.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-52.7.3esr-109.25.1 MozillaFirefox-debuginfo-52.7.3esr-109.25.1 MozillaFirefox-debugsource-52.7.3esr-109.25.1 MozillaFirefox-translations-52.7.3esr-109.25.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): MozillaFirefox-52.7.3esr-109.25.1 MozillaFirefox-debuginfo-52.7.3esr-109.25.1 MozillaFirefox-debugsource-52.7.3esr-109.25.1 MozillaFirefox-translations-52.7.3esr-109.25.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): MozillaFirefox-52.7.3esr-109.25.1 MozillaFirefox-debuginfo-52.7.3esr-109.25.1 MozillaFirefox-debugsource-52.7.3esr-109.25.1 MozillaFirefox-translations-52.7.3esr-109.25.1 References: https://www.suse.com/security/cve/CVE-2018-5125.html https://www.suse.com/security/cve/CVE-2018-5127.html https://www.suse.com/security/cve/CVE-2018-5129.html https://www.suse.com/security/cve/CVE-2018-5130.html https://www.suse.com/security/cve/CVE-2018-5131.html https://www.suse.com/security/cve/CVE-2018-5144.html https://www.suse.com/security/cve/CVE-2018-5145.html https://www.suse.com/security/cve/CVE-2018-5146.html https://www.suse.com/security/cve/CVE-2018-5147.html https://www.suse.com/security/cve/CVE-2018-5148.html https://bugzilla.suse.com/1085130 https://bugzilla.suse.com/1085671 https://bugzilla.suse.com/1087059