From sle-security-updates at lists.suse.com Mon May 4 07:17:51 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 May 2020 15:17:51 +0200 (CEST)
Subject: SUSE-SU-2020:1164-1: important: Security update for LibVNCServer
Message-ID: <20200504131751.E29EAFFE8@maintenance.suse.de>

   SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1164-1
Rating:             important
References:         #1155419 #1160471 #1170441
Cross-References:   CVE-2019-15681 CVE-2019-15690 CVE-2019-20788
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for LibVNCServer fixes the following issues:

   - CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
   - CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419).
   - CVE-2019-20788: Fixed an integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:
     zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-1164=1
   - SUSE Linux Enterprise Workstation Extension 15-SP1:
     zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1164=1
   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-1164=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-1164=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1164=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
     LibVNCServer-debugsource-0.9.10-4.14.1
     libvncclient0-0.9.10-4.14.1
     libvncclient0-debuginfo-0.9.10-4.14.1
     libvncserver0-0.9.10-4.14.1
     libvncserver0-debuginfo-0.9.10-4.14.1
   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):
     LibVNCServer-debugsource-0.9.10-4.14.1
     libvncclient0-0.9.10-4.14.1
     libvncclient0-debuginfo-0.9.10-4.14.1
   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.10-4.14.1
     libvncserver0-0.9.10-4.14.1
     libvncserver0-debuginfo-0.9.10-4.14.1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.10-4.14.1
     LibVNCServer-devel-0.9.10-4.14.1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.10-4.14.1
     LibVNCServer-devel-0.9.10-4.14.1
     libvncserver0-0.9.10-4.14.1
     libvncserver0-debuginfo-0.9.10-4.14.1

References:

   https://www.suse.com/security/cve/CVE-2019-15681.html
   https://www.suse.com/security/cve/CVE-2019-15690.html
   https://www.suse.com/security/cve/CVE-2019-20788.html
   https://bugzilla.suse.com/1155419
   https://bugzilla.suse.com/1160471
   https://bugzilla.suse.com/1170441

From sle-security-updates at lists.suse.com Mon May 4 07:21:15 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 May 2020 15:21:15 +0200 (CEST)
Subject: SUSE-SU-2020:1163-1: important: Security update for permissions
Message-ID: <20200504132115.4C5BBFFE8@maintenance.suse.de>

   SUSE Security Update: Security update for permissions
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1163-1
Rating:             important
References:         #1160594 #1160764 #1161779 #1163922
Cross-References:   CVE-2019-3688 CVE-2019-3690 CVE-2020-8013
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves three vulnerabilities and has one erratum is now available.

Description:

   This update for permissions fixes the following issues:

   Security issue fixed:

   - CVE-2020-8013: Fixed a local privilege escalation with mrsh and wodim (bsc#1163922).

   Non-security issues fixed:

   - Fixed a regression where chkstat broke without /proc available (bsc#1160764, bsc#1160594).
   - Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
   - Fixed handling of relative directory symlinks in chkstat.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1163=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1163=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1163=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1163=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
     permissions-20180125-3.21.1
     permissions-debuginfo-20180125-3.21.1
     permissions-debugsource-20180125-3.21.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
     permissions-20180125-3.21.1
     permissions-debuginfo-20180125-3.21.1
     permissions-debugsource-20180125-3.21.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
     permissions-20180125-3.21.1
     permissions-debuginfo-20180125-3.21.1
     permissions-debugsource-20180125-3.21.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
     permissions-20180125-3.21.1
     permissions-debuginfo-20180125-3.21.1
     permissions-debugsource-20180125-3.21.1

References:

   https://www.suse.com/security/cve/CVE-2019-3688.html
   https://www.suse.com/security/cve/CVE-2019-3690.html
   https://www.suse.com/security/cve/CVE-2020-8013.html
   https://bugzilla.suse.com/1160594
   https://bugzilla.suse.com/1160764
   https://bugzilla.suse.com/1161779
   https://bugzilla.suse.com/1163922

From sle-security-updates at lists.suse.com Mon May 4 07:24:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 May 2020 15:24:46 +0200 (CEST)
Subject: SUSE-SU-2020:1165-1: important: Security update for LibVNCServer
Message-ID: <20200504132446.A81DEFFE8@maintenance.suse.de>

   SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1165-1
Rating:             important
References:         #1155419 #1160471 #1170441
Cross-References:   CVE-2019-15681 CVE-2019-15690 CVE-2019-20788
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for LibVNCServer fixes the following issues:

   - CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
   - CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419).
   - CVE-2019-20788: Fixed an integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
     zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1165=1
   - SUSE OpenStack Cloud 8:
     zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1165=1
   - SUSE OpenStack Cloud 7:
     zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1165=1
   - SUSE Linux Enterprise Software Development Kit 12-SP5:
     zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1165=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
     zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1165=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
     zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1165=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
     zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1165=1
   - SUSE Linux Enterprise Server for SAP 12-SP1:
     zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1165=1
   - SUSE Linux Enterprise Server 12-SP5:
     zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1165=1
   - SUSE Linux Enterprise Server 12-SP4:
     zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1165=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1165=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
     zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1165=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1165=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
     zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1165=1
   - SUSE Linux Enterprise Server 12-SP1-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1165=1
   - SUSE Enterprise Storage 5:
     zypper in -t patch SUSE-Storage-5-2020-1165=1
   - HPE Helion Openstack 8:
     zypper in -t patch HPE-Helion-OpenStack-8-2020-1165=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE OpenStack Cloud 8 (x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE OpenStack Cloud 7 (s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     LibVNCServer-devel-0.9.9-17.19.1
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     LibVNCServer-devel-0.9.9-17.19.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - SUSE Enterprise Storage 5 (aarch64 x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1
   - HPE Helion Openstack 8 (x86_64):
     LibVNCServer-debugsource-0.9.9-17.19.1
     libvncclient0-0.9.9-17.19.1
     libvncclient0-debuginfo-0.9.9-17.19.1
     libvncserver0-0.9.9-17.19.1
     libvncserver0-debuginfo-0.9.9-17.19.1

References:

   https://www.suse.com/security/cve/CVE-2019-15681.html
   https://www.suse.com/security/cve/CVE-2019-15690.html
   https://www.suse.com/security/cve/CVE-2019-20788.html
   https://bugzilla.suse.com/1155419
   https://bugzilla.suse.com/1160471
   https://bugzilla.suse.com/1170441

From sle-security-updates at lists.suse.com Mon May 4 07:32:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 May 2020 15:32:22 +0200 (CEST)
Subject: SUSE-SU-2020:14355-1: important: Security update for LibVNCServer
Message-ID: <20200504133222.D5ED7FE29@maintenance.suse.de>

   SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14355-1
Rating:             important
References:         #1155419 #1160471 #1170441
Cross-References:   CVE-2019-15681 CVE-2019-15690 CVE-2019-20788
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for LibVNCServer fixes the following issues:

   - CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
   - CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419).
   - CVE-2019-20788: Fixed an integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
     zypper in -t patch slessp4-LibVNCServer-14355=1
   - SUSE Linux Enterprise Point of Sale 11-SP3:
     zypper in -t patch sleposp3-LibVNCServer-14355=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
     zypper in -t patch dbgsp4-LibVNCServer-14355=1
   - SUSE Linux Enterprise Debuginfo 11-SP3:
     zypper in -t patch dbgsp3-LibVNCServer-14355=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
     LibVNCServer-0.9.1-160.14.1
   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
     LibVNCServer-0.9.1-160.14.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
     LibVNCServer-debuginfo-0.9.1-160.14.1
     LibVNCServer-debugsource-0.9.1-160.14.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
     LibVNCServer-debuginfo-0.9.1-160.14.1
     LibVNCServer-debugsource-0.9.1-160.14.1

References:

   https://www.suse.com/security/cve/CVE-2019-15681.html
   https://www.suse.com/security/cve/CVE-2019-15690.html
   https://www.suse.com/security/cve/CVE-2019-20788.html
   https://bugzilla.suse.com/1155419
   https://bugzilla.suse.com/1160471
   https://bugzilla.suse.com/1170441

From sle-security-updates at lists.suse.com Mon May 4 13:16:32 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 May 2020 21:16:32 +0200 (CEST)
Subject: SUSE-SU-2020:1171-1: moderate: Security update for nginx
Message-ID: <20200504191632.B9FB1FFEB@maintenance.suse.de>

   SUSE Security Update: Security update for nginx
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1171-1
Rating:             moderate
References:         #1150711 #1155690 #1156202 #1160682
Cross-References:   CVE-2019-20372
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update for nginx fixes the following issues:

   nginx was updated to 1.16.1 (jsc#ECO-1401):

   - Added TLS 1.3 support (jsc#SLE-9295, bsc#1150711).
   - Replaced the obsolete GeoIP module with the MaxMinDB-based GeoIP2 module (jsc#SLE-11184, bsc#1156202).
   - Started nginx after the network is online (bsc#1155690).
   - CVE-2019-20372: Fixed an HTTP request smuggling issue with certain error_page configurations which could have allowed unauthorized web page reads (bsc#1160682).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1171=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1171=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1171=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1171=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
     nginx-1.16.1-3.12.7
     nginx-debuginfo-1.16.1-3.12.7
     nginx-debugsource-1.16.1-3.12.7
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
     nginx-1.16.1-3.12.7
     nginx-debuginfo-1.16.1-3.12.7
     nginx-debugsource-1.16.1-3.12.7
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
     nginx-1.16.1-3.12.7
     nginx-debuginfo-1.16.1-3.12.7
     nginx-debugsource-1.16.1-3.12.7
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
     nginx-1.16.1-3.12.7
     nginx-debuginfo-1.16.1-3.12.7
     nginx-debugsource-1.16.1-3.12.7

References:

   https://www.suse.com/security/cve/CVE-2019-20372.html
   https://bugzilla.suse.com/1150711
   https://bugzilla.suse.com/1155690
   https://bugzilla.suse.com/1156202
   https://bugzilla.suse.com/1160682

From sle-security-updates at lists.suse.com Tue May 5 07:25:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 May 2020 15:25:46 +0200 (CEST)
Subject: SUSE-SU-2020:1177-1: moderate: Security update for rpmlint
Message-ID: <20200505132546.B0580FE29@maintenance.suse.de>

   SUSE Security Update: Security update for rpmlint
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1177-1
Rating:             moderate
References:         #1129452 #1169365
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for rpmlint fixes the following issues:

   - Whitelisted certmonger (bsc#1169365, bsc#1129452).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1177=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1177=1
   - SUSE Linux Enterprise Module for Development Tools 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-1177=1
   - SUSE Linux Enterprise Module for Development Tools 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1177=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1177=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1177=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
     rpmlint-mini-1.10-5.12.2
     rpmlint-mini-debuginfo-1.10-5.12.2
     rpmlint-mini-debugsource-1.10-5.12.2
   - SUSE Linux Enterprise Server for SAP 15 (noarch):
     rpmlint-1.10-7.12.2
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
     rpmlint-mini-1.10-5.12.2
     rpmlint-mini-debuginfo-1.10-5.12.2
     rpmlint-mini-debugsource-1.10-5.12.2
   - SUSE Linux Enterprise Server 15-LTSS (noarch):
     rpmlint-1.10-7.12.2
   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):
     rpmlint-1.10-7.12.2
   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
     rpmlint-1.10-7.12.2
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
     rpmlint-mini-1.10-5.12.2
     rpmlint-mini-debuginfo-1.10-5.12.2
     rpmlint-mini-debugsource-1.10-5.12.2
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
     rpmlint-1.10-7.12.2
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
     rpmlint-mini-1.10-5.12.2
     rpmlint-mini-debuginfo-1.10-5.12.2
     rpmlint-mini-debugsource-1.10-5.12.2
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
     rpmlint-1.10-7.12.2

References:

   https://bugzilla.suse.com/1129452
   https://bugzilla.suse.com/1169365

From sle-security-updates at lists.suse.com Tue May 5 07:28:50 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 May 2020 15:28:50 +0200 (CEST)
Subject: SUSE-SU-2020:1178-1: moderate: Security update for rubygem-actionview-5_1
Message-ID: <20200505132850.E1FA8FE29@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-actionview-5_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1178-1
Rating:             moderate
References:         #1167240
Cross-References:   CVE-2020-5267
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise High Availability 15-SP1
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for rubygem-actionview-5_1 fixes the following issues:

   - CVE-2020-5267: Fixed an XSS vulnerability in ActionView's JavaScript literal escape helpers (bsc#1167240).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1178=1
   - SUSE Linux Enterprise High Availability 15-SP1:
     zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1178=1
   - SUSE Linux Enterprise High Availability 15:
     zypper in -t patch SUSE-SLE-Product-HA-15-2020-1178=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
     ruby2.5-rubygem-actionview-doc-5_1-5.1.4-3.3.1
   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
     ruby2.5-rubygem-actionview-5_1-5.1.4-3.3.1
   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
     ruby2.5-rubygem-actionview-5_1-5.1.4-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-5267.html
   https://bugzilla.suse.com/1167240

From sle-security-updates at lists.suse.com Tue May 5 07:38:06 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 May 2020 15:38:06 +0200 (CEST)
Subject: SUSE-SU-2020:1179-1: moderate: Security update for rmt-server
Message-ID: <20200505133806.00F27FE29@maintenance.suse.de>

   SUSE Security Update: Security update for rmt-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1179-1
Rating:             moderate
References:         #1136020 #1160922 #1162296 #1165548 #1168554
Cross-References:   CVE-2019-18904
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes is now available.
Description:

   This update for rmt-server to version 2.5.7 fixes the following issues:

   Security issues fixed:

   - CVE-2019-18904: Fixed offline migrations (bsc#1160922).
   - Fixed a local denial of service (bsc#1165548).

   Non-security issues fixed:

   - Align supported subscription types with SCC (bsc#1168554).
   - Fix migrations in case adding the migration_extra column failed (bsc#1162296).
   - Fix the dependency on the removed boot_cli_i18n file (bsc#1136020).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1179=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1179=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1179=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1179=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
     rmt-server-2.5.7-3.31.1
     rmt-server-config-2.5.7-3.31.1
     rmt-server-debuginfo-2.5.7-3.31.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
     rmt-server-2.5.7-3.31.1
     rmt-server-config-2.5.7-3.31.1
     rmt-server-debuginfo-2.5.7-3.31.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
     rmt-server-2.5.7-3.31.1
     rmt-server-config-2.5.7-3.31.1
     rmt-server-debuginfo-2.5.7-3.31.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
     rmt-server-2.5.7-3.31.1
     rmt-server-config-2.5.7-3.31.1
     rmt-server-debuginfo-2.5.7-3.31.1

References:

   https://www.suse.com/security/cve/CVE-2019-18904.html
   https://bugzilla.suse.com/1136020
   https://bugzilla.suse.com/1160922
   https://bugzilla.suse.com/1162296
   https://bugzilla.suse.com/1165548
   https://bugzilla.suse.com/1168554

From sle-security-updates at lists.suse.com Tue May 5 07:41:41 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 May 2020 15:41:41 +0200 (CEST)
Subject: SUSE-SU-2020:1180-1: moderate: Security update for icu
Message-ID: <20200505134141.6C485FE29@maintenance.suse.de>

   SUSE Security Update: Security update for icu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1180-1
Rating:             moderate
References:         #1166844
Cross-References:   CVE-2020-10531
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for icu fixes the following issues:

   - CVE-2020-10531: Fixed an integer overflow in UnicodeString::doAppend() (bsc#1166844).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
     zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1180=1
   - SUSE OpenStack Cloud 8:
     zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1180=1
   - SUSE OpenStack Cloud 7:
     zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1180=1
   - SUSE Linux Enterprise Workstation Extension 12-SP5:
     zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1180=1
   - SUSE Linux Enterprise Workstation Extension 12-SP4:
     zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1180=1
   - SUSE Linux Enterprise Software Development Kit 12-SP5:
     zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1180=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
     zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1180=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
     zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1180=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
     zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1180=1
   - SUSE Linux Enterprise Server for SAP 12-SP1:
     zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1180=1
   - SUSE Linux Enterprise Server 12-SP5:
     zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1180=1
   - SUSE Linux Enterprise Server 12-SP4:
     zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1180=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1180=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
     zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1180=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1180=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
     zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1180=1
   - SUSE Linux Enterprise Server 12-SP1-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1180=1
   - SUSE Enterprise Storage 5:
     zypper in -t patch SUSE-Storage-5-2020-1180=1
   - HPE Helion Openstack 8:
     zypper in -t patch HPE-Helion-OpenStack-8-2020-1180=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
     icu-debuginfo-52.1-8.10.1
     icu-debugsource-52.1-8.10.1
libicu-doc-52.1-8.10.1 libicu52_1-32bit-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE OpenStack Cloud 8 (x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-32bit-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE OpenStack Cloud 7 (s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-32bit-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): icu-52.1-8.10.1 icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): icu-52.1-8.10.1 icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-devel-52.1-8.10.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-devel-52.1-8.10.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libicu52_1-32bit-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libicu52_1-32bit-52.1-8.10.1 
libicu52_1-debuginfo-32bit-52.1-8.10.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-32bit-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libicu52_1-32bit-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libicu52_1-32bit-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libicu52_1-32bit-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-32bit-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libicu52_1-32bit-52.1-8.10.1 
libicu52_1-debuginfo-32bit-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-32bit-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libicu52_1-32bit-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 - SUSE Enterprise Storage 5 (x86_64): libicu52_1-32bit-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 - HPE Helion Openstack 8 (x86_64): icu-debuginfo-52.1-8.10.1 icu-debugsource-52.1-8.10.1 libicu-doc-52.1-8.10.1 libicu52_1-32bit-52.1-8.10.1 libicu52_1-52.1-8.10.1 libicu52_1-data-52.1-8.10.1 libicu52_1-debuginfo-32bit-52.1-8.10.1 libicu52_1-debuginfo-52.1-8.10.1 References: https://www.suse.com/security/cve/CVE-2020-10531.html https://bugzilla.suse.com/1166844 From sle-security-updates at lists.suse.com Tue May 5 07:44:45 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 5 May 2020 15:44:45 +0200 (CEST) Subject: SUSE-SU-2020:14356-1: important: Security update for mailman Message-ID: <20200505134445.119CBFE29@maintenance.suse.de> SUSE Security Update: Security update for mailman ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14356-1 Rating: important References: #1167068 #1170558 Cross-References: CVE-2020-12137 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux 
Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for mailman fixes the following issues: Security issue fixed: - CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558). Non-security issue fixed: - Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-mailman-14356=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-mailman-14356=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-mailman-14356=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-mailman-14356=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): mailman-2.1.15-9.6.20.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): mailman-2.1.15-9.6.20.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): mailman-debuginfo-2.1.15-9.6.20.1 mailman-debugsource-2.1.15-9.6.20.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): mailman-debuginfo-2.1.15-9.6.20.1 mailman-debugsource-2.1.15-9.6.20.1 References: https://www.suse.com/security/cve/CVE-2020-12137.html https://bugzilla.suse.com/1167068 https://bugzilla.suse.com/1170558 From sle-security-updates at lists.suse.com Tue May 5 10:32:42 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 5 May 2020 18:32:42 +0200 (CEST) Subject: SUSE-SU-2020:1190-1: moderate: Security update for ardana-ansible, ardana-barbican, ardana-cluster, 
ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-ironic, openstack-ironic-image, openstack-manila, openstack-neutron, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, python-cinderclient, python-glanceclient, python-ironic-lib, python-ironicclient, python-keystonemiddleware, python-manila-tempest-plugin, python-novaclient, python-octaviaclient, python-openstackclient, python-os-brick, python-oslo.config, python-oslo.rootwrap, python-oslo.utils, python-swiftclient, python-watcherclient, release-notes-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, zookeeper Message-ID: <20200505163242.BBC09FE29@maintenance.suse.de> SUSE Security Update: Security update for ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-ironic, openstack-ironic-image, openstack-manila, openstack-neutron, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, python-cinderclient, python-glanceclient, python-ironic-lib, python-ironicclient, python-keystonemiddleware, python-manila-tempest-plugin, python-novaclient, python-octaviaclient, python-openstackclient, python-os-brick, python-oslo.config, python-oslo.rootwrap, python-oslo.utils, python-swiftclient, python-watcherclient, release-notes-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, zookeeper ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1190-1 Rating: moderate 
References: #1084739 #1124708 #1133817 #1135773 #1137622 #1149110 #1149535 #1163444 #1164838 #1165402 #1165723 #1166290 #1168512 #1168593 #1169770 Cross-References: CVE-2019-0201 CVE-2019-11596 CVE-2019-15026 CVE-2020-5247 CVE-2020-9543 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has 10 fixes is now available. Description: This update for ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-ironic, openstack-ironic-image, openstack-manila, openstack-neutron, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, python-cinderclient, python-glanceclient, python-ironic-lib, python-ironicclient, python-keystonemiddleware, python-manila-tempest-plugin, python-novaclient, python-octaviaclient, python-openstackclient, python-os-brick, python-oslo.config, python-oslo.rootwrap, python-oslo.utils, python-swiftclient, python-watcherclient, release-notes-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, zookeeper contains the following fixes: Security fixes for memcached: - CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str() (bsc#1149110). - CVE-2019-11596: Fixed a denial of service when parsing crafted lru command messages in process_lru_comma() (bsc#1133817). Security fixes for zookeeper: - CVE-2019-0201: Fixed a information disclosure vulnerability related to getACL() (bsc#1135773). 
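The icu and mailman advisories earlier in this digest give the fixed version-release of each package (52.1-8.10.1 for the libicu packages, 2.1.15-9.6.20.1 for mailman). The script below is an added example, not part of any SUSE advisory or SUSE tooling, that compares an installed RPM's version-release against those values; it assumes GNU sort -V is available for version ordering and needs rpm only for the live query.

```shell
#!/bin/sh
# Added example, not SUSE code: verify that a package carries at least the
# version-release the advisory lists as fixed.
# Assumptions: GNU "sort -V" for version ordering; "rpm" only for the live query.

# Fixed version-release values copied from the package lists in this digest.
# Format: "<package> <fixed version-release> <advisory>"
FIXED_VERSIONS='libicu52_1 52.1-8.10.1 SUSE-SU-2020:1180-1
libicu52_1-32bit 52.1-8.10.1 SUSE-SU-2020:1180-1
libicu-devel 52.1-8.10.1 SUSE-SU-2020:1180-1
mailman 2.1.15-9.6.20.1 SUSE-SU-2020:14356-1'

# version_ge A B: exit 0 when version-release A is at least B.
# sort -V orders numerically per segment, so 8.10.1 sorts after 8.9.1
# (a plain string comparison would get that backwards).
version_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# fixed_version PKG: print the fixed version-release for PKG, empty if unknown.
fixed_version() {
    printf '%s\n' "$FIXED_VERSIONS" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# check_package PKG INSTALLED_VR: print "fixed", "vulnerable" or "unknown".
check_package() {
    want=$(fixed_version "$1")
    if [ -z "$want" ]; then
        echo unknown
    elif version_ge "$2" "$want"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# check_installed PKG: query the rpm database on a SUSE host.
# Prints "not-installed" when the package is absent; only the first
# installed instance is compared if several are present.
check_installed() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) \
        || { echo not-installed; return 0; }
    vr=$(printf '%s\n' "$vr" | head -n 1)
    check_package "$1" "$vr"
}

# Constructed demonstration: the fixed values from the advisories beside
# older releases made up for the comparison (8.9.1 and 9.6.19.1 are constructed).
demo() {
    check_package libicu52_1 52.1-8.10.1      # fixed
    check_package libicu52_1 52.1-8.9.1       # vulnerable
    check_package mailman 2.1.15-9.6.20.1     # fixed
    check_package mailman 2.1.15-9.6.19.1     # vulnerable
}

# Live mode: "sh check_icu_mailman.sh --live" on a SUSE host.
case "${1-}" in
    --live)
        for p in libicu52_1 libicu52_1-32bit libicu-devel mailman; do
            printf '%s: %s\n' "$p" "$(check_installed "$p")"
        done
        ;;
esac
```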
Changes in rubygem-crowbar-client:
- Update to 3.9.2
- Enable SES commands in Cloud8 (SOC-11122)

Changes in rubygem-puma:
- Add CVE-2020-5247.patch (bsc#1165402)
  "Fixes a problem where we were not splitting newlines in headers according to Rack spec"
  The patch is reduced compared to the upstream version, which was patching also the parts
  that are not implemented in our old Puma version. This applies to unit test as well.

Changes in ardana-ansible:
- Update to version 9.0+git.1587034359.a12678b:
  * Include SLE 12 SP3 LTSS repos in list of managed repos (SOC-11223)
- Update to version 9.0+git.1586793433.f7bbf1b:
  * Ensure rabbitmq-server not running during dist-upgrade (SOC-11083)
- Update to version 9.0+git.1586521995.f709c73:
  * Upgrade packages before _osconfig-upgrade.yml (SOC-11149)
- Update to version 9.0+git.1584135277.f4d488a:
  * Serialise the _ardana-update-base.yml zypper actions (SOC-11083)
- Update to version 9.0+git.1583518616.d4eb33f:
  * Upgrade pre-checks in Cloud 8 and Cloud 9 (SOC-10300)

Changes in ardana-barbican:
- Update to version 9.0+git.1583953599.cd723bb:
  * monitor ardana-node-cert (SOC-10873)

Changes in ardana-cluster:
- Update to version 9.0+git.1585653734.c1fe3b2:
  * Use bool filter to ensure valid boolean evaluation (SOC-11192)

Changes in ardana-db:
- Update to version 9.0+git.1586543314.6b6aa20:
  * Improve bootstrap error handling (SOC-11207)
- Update to version 9.0+git.1583946648.0892bab:
  * monitor MySQL TLS certificate (SOC-10873)
- Update to version 9.0+git.1583527362.d9e9436:
  * fix mysql output and root password update (SOC-11152)

Changes in ardana-designate:
- Update to version 9.0+git.1583445435.4bd1793:
  * Designate zone/pool to worker/producer migration (SOC-10095)

Changes in ardana-input-model:
- Update to version 9.0+git.1584632190.9541c56:
  * add port neutron security extension to CI models (SOC-11027)

Changes in ardana-logging:
- Update to version 9.0+git.1585929695.f35b591:
  * Fix YAMLLoadWarning: calling yaml.load() without Loader (bsc#1168593)

Changes in ardana-monasca:
- Update to version 9.0+git.1586769889.d43d736:
  * Retry systemctl status for auto-restarting services (SOC-11210)
- Update to version 9.0+git.1583359379.b92a013:
  * Add certificate file check alarm (SOC-10873)

Changes in ardana-mq:
- Update to version 9.0+git.1586350749.a463fd2:
  * Actually fail if sync HA queues retries exceeded (SOC-11083)
- Update to version 9.0+git.1583428243.c1a72a8:
  * monitor RabbitMQ TLS certificate (SOC-10873)

Changes in ardana-neutron:
- Update to version 9.0+git.1587667603.507fb50:
  * Add network.target "After" option (bsc#1169770)
- Update to version 9.0+git.1584635234.e7e6b08:
  * Add symlink for neutron-fwaas.json.j2 (bsc#1166290)

Changes in ardana-octavia:
- Update to version 9.0+git.1587486004.8e99c6b:
  * Perform Neutron to Octavia migrate (SOC-11207)
- Update to version 9.0+git.1584737314.873b84c:
  * Reconfigure monitor if needed (SOC-10873)
- Update to version 9.0+git.1584682274.4693189:
  * fix Octavia client cert redeploy (SOC-10873)
- Update to version 9.0+git.1584392355.7368ea3:
  * monitor Octavia client certificate (SOC-10873)

Changes in ardana-osconfig:
- Update to version 9.0+git.1586546715.dbd07ab:
  * Ensure ovs_user and ovs_group defined (SOC-11149)

Changes in ardana-tempest:
- Update to version 9.0+git.1587398456.b31cc4a:
  * Revert: Remove blacklisted octavia test (SOC-11027)
- Update to version 9.0+git.1586901636.089de51:
  * Manila: Skip additional manila tests due to Ardana policy (SOC-11211)
- Update to version 9.0+git.1586875796.43d9039:
  * Remove blacklisted octavia test (SOC-11027)
- Update to version 9.0+git.1586350084.01a56ee:
  * Manila: Skip ShareNetworksTest due to Ardana policy (SOC-11211)
- Update to version 9.0+git.1585746746.8f38be7:
  * Remove deprecated neutron extension from tempest (bsc#1124708)
- Update to version 9.0+git.1582537125.359622b:
  * Enable port-security feature in tempest (SOC-11027)

Changes in ardana-tls:
- Update to version 9.0+git.1586301209.c9413b4:
  * Simplify VNC cert deployment (SOC-9742)

Changes in crowbar-core:
- Update to version 6.0+git.1587558898.313bb9fd3:
  * upgrade: Restart nova services at the end of disruptive upgrade (SOC-11202)
- Update to version 6.0+git.1586175344.480d46e76:
  * Revert: Add lb-mgmt-net to network.json (SOC-10904)
- Update to version 6.0+git.1585339930.336361e4c:
  * Add lb-mgmt-net to network.json (SOC-10904)
- Update to version 6.0+git.1585229942.1ddd6e742:
  * upgrade: Point to config dir instead of config file (SOC-11171)
  * upgrade: Do not call neutron-evacuate-lbaasv2-agent with use_crm (SOC-11171)
- Update to version 6.0+git.1584974229.c5a263be6:
  * Update the default value of OS version (trivial)
  * Ignore CVE-2020-5267 in CI (bsc#1167240)
  * Ignore CVE-2020-10663 in CI (bsc#1167244)
  * upgrade: Remove the assignment of crowbar-upgrade role (SOC-11166)
- Update to version 6.0+git.1584564132.03cfcb5d0:
  * Remove comment that's no longer relevant (trivial)
  * Move role_to_proposal method from model to controller (trivial)
  * upgrade: proper check for remote elements (trivial)
  * Remove FIXME proposals that won't be fixed (trivial)
  * Drop unused suggestion (trivial)
  * Drop obsolete code (trivial)
- Update to version 6.0+git.1583841628.7a9cacf85:
  * Ignore CVE-2020-8130 in CI (bsc#1164804)
  * Ignore CVE-2020-5247 (bsc#1165402)
  * Ignore CVE-2020-7595 in CI (bsc#1161517)
  * ses: Make SES UI safe for unknown options (trivial)
  * ses: Use cinder user for nova (SOC-5269)
- Update to version 6.0+git.1583502199.abec5c91e:
  * upgrade: Raise the timeout for nodes evacuation (trivial)

Changes in crowbar-ha:
- Update to version 6.0+git.1586256059.e6f67e1:
  * Hide libvirt STONITH option from the UI (bsc#1084739)
- Update to version 6.0+git.1585316150.ee52acc:
  * add ssl termination on haproxy (bsc#1149535)

Changes in crowbar-openstack:
- Update to version 6.0+git.1587753188.da39e44a7:
  * tempest: retry openstack commands (SOC-11238)
- Update to version 6.0+git.1587560956.475ebae91:
  * nova: Hide setup_shared_instance_storage (SOC-11225)
- Update to version 6.0+git.1587110382.e00bbeeb8:
  * octavia: remove mgmt_net from UI (SOC-10904)
- Update to version 6.0+git.1586351116.5977d44ce:
  * neutron: fix neutron cli to use internal endpoint (bsc#1168512)
- Update to version 6.0+git.1586249148.97e221138:
  * neutron: don't add physnets for non-enabled networks (SOC-11204)
  * octavia: move management network creation to octavia barclamp (SOC-10904)
  * octavia: move amphora changes check to worker recipe
  * octavia: use octavia network for health monitors (SOC-10904)
  * octavia: rework management network config (SOC-10904)
- Update to version 6.0+git.1585653227.5004f0a1f:
  * Disable "OpenStack RC File (identity API v2)" in horizon (bsc#1163444)
- Update to version 6.0+git.1585444839.ec56032ca:
  * Revert "Octavia: Hide UI until complete (SOC-10550)"
- Update to version 6.0+git.1585282212.df338c7f6:
  * Add lb-mgmt-net for Octavia (SOC-10904)
- Update to version 6.0+git.1585237884.e441a435b:
  * fix travis CI to handle reverted commits properly (SOC-11180)
- Update to version 6.0+git.1585143832.fa2fd2714:
  * nova: Populate cinder SES settings early (SOC-11179)
- Update to version 6.0+git.1585068621.f53f95864:
  * tempest: blacklist shelve tests when using RBD ephemeral (SOC-11176)
  * tempest: disable block migration when using RBD (SOC-11176)
- Update to version 6.0+git.1584967542.06b4f7cda:
  * magnum: Populate SSL configuration (SOC-9849)
  * magnum: Add SSL support (SOC-9849)
- Update to version 6.0+git.1584603207.1dc71c848:
  * nova: Drop redundant disk_cachemodes (trivial)
  * nova: Add option to disable ephemeral on ceph (SOC-5269)
- Update to version 6.0+git.1584540693.0d3b72090:
  * keystone: fix keystone node lookup (SOC-11333, bsc#1164838)
  * keystone: Register SES RadosGW endpoints (SOC-5270)
  * heat: Increase heat_register syncmark timeout (SOC-11103)
  * heat: Simplify domain registration code (SOC-11103)
- Update to version 6.0+git.1584437931.10aebd310:
  * nova: Setup CEPH secrets later (SOC-11141)
- Update to version 6.0+git.1584347033.7472a6925:
  * nova: Enable ephemeral volumes on SES (SOC-5269)

Changes in memcached:
- version update to 1.5.17
  * bugfixes
    fix strncpy call in stats conns to avoid ASAN violation (bsc#1149110, CVE-2019-15026)
    extstore: fix indentation
    add error handling when calling dup function
    add unlock when item_cachedump malloc failed
    extstore: emulate pread(v) for macOS
    fix off-by-one in logger to allow CAS commands to be logged.
    use strdup for explicitly configured slab sizes
    move mem_requested from slabs.c to items.c (internal cleanup)
  * new features
    add server address to the "stats conns" output
    log client connection id with fetchers and mutations
    Add a handler for seccomp crashes
- version update to 1.5.16
  * bugfixes
    When nsuffix is 0 space for flags hasn't been allocated so don't memcpy them.
- version update to 1.5.15
  * bugfixes
    Speed up incr/decr by replacing snprintf.
    Use correct buffer size for internal URI encoding.
    change some links from http to https
    Fix small memory leak in testapp.c.
    free window_global in slab_automove_extstore.c
    remove inline_ascii_response option
    -Y [filename] for ascii authentication mode
    fix: idle-timeout wasn't compatible with binprot
  * features
    -Y [authfile] enables an authentication mode for ASCII protocol.
- modified patches
  % memcached-autofoo.patch (refreshed)
- version update to 1.5.14
  * update -h output for -I (max item size)
  * fix segfault in "lru" command (bsc#1133817, CVE-2019-11596)
  * fix compile error on centos7
  * extstore: error adjusting page_size after ext_path
  * extstore: fix segfault if page_count is too high.
  * close delete + incr item survival race bug
  * memcached-tool dump fix loss of exp value
  * Fix "qw" in "MemcachedTest.pm" so wait_ext_flush is exported properly
  * Experimental TLS support.
  * Basic implementation of TLS for memcached.
  * Improve Get And Touch documentation
  * fix INCR/DECR refcount leak for invalid items
- modified patches
  % memcached-autofoo.patch (refreshed)

Changes in openstack-ceilometer:
- Update to version ceilometer-11.1.1.dev5:
  * [stable-only] Cap stestr for python 2
- Update to version ceilometer-11.1.1.dev3:
  11.1.0
  * Add availability_zone attribute to gnocchi instance resources
  * Set instance_type_id in event traits to be a string
  * Fix name of option group removed in Rocky

Changes in openstack-cinder:
- Update to version cinder-13.0.10.dev9:
  * PowerMax Driver - Legacy volume not found
  * NEC driver: fix an undefined variable
- Update to version cinder-13.0.10.dev6:
  * RBD: fix volume reference handling in clone logic
- Update to version cinder-13.0.10.dev4:
  * [Unity] Fix TypeError for test case test_delete_host_wo_lock
- Update to version cinder-13.0.10.dev3:
  * ChunkedBackupDriver: Freeing memory on restore
- Update to version cinder-13.0.10.dev1:
  * Don't quote {posargs} in tox.ini
  13.0.9

Changes in openstack-designate:
- Update to version designate-7.0.1.dev25:
  * Clean up zone locking

Changes in openstack-heat:
- Update to version openstack-heat-11.0.3.dev35:
  * Ignore Not Found when deleting Keystone role assignment
  * Handle OS::Mistral::Workflow resource replacement properly

Changes in openstack-ironic:
- Update to version ironic-11.1.5.dev3:
  * Make deploy step failure logging indicate the error
  11.1.4
- Update to version ironic-11.1.4.dev26:
  * Remove rocky grenade jobs
  * tell reno to ignore the kilo branch
  * [stable] consume virtualbmc from pip packages

Changes in openstack-ironic-image:
- Add haveged package (bsc#1137622)
  It is needed to ensure there's enough entropy available to perform the iSCSI operations.

Changes in openstack-manila:
- Update to version manila-7.4.2.dev4:
  * Increase MANILA_SERVICE_VM_FLAVOR_DISK
- Update to version manila-7.4.2.dev3:
  * If only .pyc exist, the extension API will be disabled
- Update to version manila-7.4.2.dev2:
  * Enforce policy checks for share export locations
- Update to version manila-7.4.2.dev1:
  * [stable-only] Pin neutron-tempest-plugin to 0.9.0
  7.4.1
- Update to version manila-7.4.1.dev2:
  * share_networks: enable project_only API only
  * Fix over-quota exception of snapshot creation
  7.4.0
- Update to version manila-7.4.1.dev1:
  * Fix over-quota exception of snapshot creation
  7.4.0

Changes in openstack-manila:
- Update to version manila-7.4.2.dev4:
  * Increase MANILA_SERVICE_VM_FLAVOR_DISK
- Update to version manila-7.4.2.dev3:
  * If only .pyc exist, the extension API will be disabled
- Update to version manila-7.4.2.dev2:
  * Enforce policy checks for share export locations
- Update to version manila-7.4.2.dev1:
  * [stable-only] Pin neutron-tempest-plugin to 0.9.0
  7.4.1
- Rebased patches:
  + cve-2020-9543-stable-rocky.patch dropped (merged upstream)
- Update to version manila-7.4.1.dev2:
  * share_networks: enable project_only API only
  * Fix over-quota exception of snapshot creation
  7.4.0

Changes in openstack-neutron:
- Update to version neutron-13.0.8.dev28:
  * Prioritize port create and update ready messages
- Update to version neutron-13.0.8.dev26:
  * Support iproute2 4.15 in l3_tc_lib
- Update to version neutron-13.0.8.dev24:
  * Add trunk subports to be one of dvr serviced device owners
- Update to version neutron-13.0.8.dev22:
  * Filter by owner SGs when retrieving the SG rules
  * Delay HA router transition from "backup" to "master"
  * Increase waiting time for network rescheduling
  * Check dnsmasq process is active when spawned
  * Wait before deleting trunk bridges for DPDK vhu
  * [DVR] Don't populate unbound ports in router's ARP cache
  * Optimize DVR related port DB query
- Update to version neutron-13.0.8.dev9:
  * Add bulk IP address assignment to ipam driver
- Update to version neutron-13.0.8.dev7:
  * Add accepted egress direct flow
- Update to version neutron-13.0.8.dev6:
  * Add VLAN type conntrack direct flow
- Update to version neutron-13.0.8.dev4:
  * Use rally-openstack 1.7.0 for stable/rocky
- Update to version neutron-13.0.8.dev3:
  * Remove extra header fields in proxied metadata requests
  * Ensure that default SG exists during list of SG rules API call
  13.0.7

Changes in openstack-nova:
- Update to version nova-18.3.1.dev17:
  * Unplug VIFs as part of cleanup of networks
- Update to version nova-18.3.1.dev16:
  * Functional test for UnexpectedDeletingTaskStateError
- Update to version nova-18.3.1.dev15:
  * nova-live-migration: Wait for n-cpu services to come up after configuring Ceph
  * Replace ansible --sudo with --become in live_migration/hooks scripts
- Update to version nova-18.3.1.dev11:
  * Fix os-keypairs pagination links
- Update to version nova-18.3.1.dev9:
  * Enhance service restart in functional env
  * Fix hypervisors paginated collection_name
  * Avoid circular reference during serialization
- Update to version nova-18.3.1.dev4:
  * Remove global state from the FakeDriver
- Update to version nova-18.3.1.dev3:
  * Add retry_on_deadlock to migration_update DB API
  * libvirt: Ignore DiskNotFound during update_available_resource
  18.3.0

Changes in openstack-octavia:
- Update to version octavia-3.2.3.dev2:
  * Pick stale amphora randomly
- Update to version octavia-3.2.3.dev1:
  * Remove the barbican "Grant access" from cookbook
  3.2.2
- Add patch 0001-HTTPS-HMs-need-the-same-validation-path-as-HTTP.patch (bsc#1165723)
  https://review.opendev.org/#/c/710161/
  Change-Id: I2fd51664336dca51f134b3fccd3e8c936b809839

Changes in openstack-octavia-amphora-image:
- Update image to 0.1.3 to include latest changes

Changes in python-cinderclient:
- update to version 4.0.3
  - Add missed 'Server ID' output in attachment-list

Changes in python-glanceclient:
- update to version 2.13.2
  - OpenDev Migration Patch

Changes in python-ironic-lib:
- update to version 2.14.3
  - Use last digit to determine partition naming scheme
  - Erase expected GPT locations in metadata wipe
  - Rescan after making partition changes

Changes in python-ironicclient:
- update to version 2.5.4
  - fix session cert arguments

Changes in python-keystonemiddleware:
- update to version 5.2.2
  - Make tests pass in 2022
  - Make sure audit middleware use own context

Changes in python-manila-tempest-plugin:
- added 0002-Fix-export-locations-tests.patch

Changes in python-novaclient:
- update to version 11.0.1
  - Add test for console-log and docs for bug 1746534
  - Use SHA256 instead of MD5 in completion cache
  - Improve the description of optional arguments
  - Revert "Fix crashing console-log"
  - Fix up userdata argument to rebuild.
  - OpenDev Migration Patch
  - Stop silently ignoring invalid 'nova boot --hint' options
  - Add missing options in CLI reference
  - import zuul job settings from project-config
  - Update .gitreview for stable/rocky
  - Replace openstack.org git:// URLs with https://
  - Update UPPER_CONSTRAINTS_FILE for stable/rocky
  - Follow up "Fix up userdata argument to rebuild"

Changes in python-octaviaclient:
- update to version 1.6.2
  - Fix long CLI error messages
  - Update tox.ini for new upper constraints strategy

Changes in python-openstackclient:
- update to version 3.16.3
  - Fix bug in endpoint group deletion
  - OpenDev Migration Patch
  - Fix: Restore output 'VolumeBackupsRestore' object is not iterable
  - Stable branch combination fix
  - Add --name-lookup-one-by-one option to server list
  - Fix BFV server list handling with --name-lookup-one-by-one
  - Fix compute service set handling for 2.53+
  - Don't display router's is_ha and is_distributed attributes always
  - Document 2.53 behavior for compute service list/delete
  - Remove str() when setting network objects names

Changes in python-os-brick:
- update to version 2.5.10
  - Check path alive before get scsi wwn
  - Skip cryptsetup password quality checking
  - iscsi: Add _get_device_link retry when waiting for /dev/disk/by-id/ to populate
  - linuxscsi: Stop waiting for multipath devices during extend_volume
  - Handle None value 'inititator_target_map'
  - Fix FC scan too broad
  - Ignore pep8 W503/W504

Changes in python-oslo.config:
- update to version 6.4.2
  - Use constraints when building docs
  - Ensure option groups don't change during logging
  - OpenDev Migration Patch

Changes in python-oslo.rootwrap:
- update to version 5.14.2
  - Run rootwrap with lower fd ulimit by default
  - Update UPPER_CONSTRAINTS_FILE for stable/rocky
  - import zuul job settings from project-config
  - Update .gitreview for stable/rocky
  - OpenDev Migration Patch

Changes in python-oslo.utils:
- update to version 3.36.5
  - import zuul job settings from project-config
  - Update UPPER_CONSTRAINTS_FILE for stable/rocky
  - Make mask_dict_password case insensitive and add new patterns
  - Update .gitreview for stable/rocky
  - OpenDev Migration Patch
  - Make mask_password case insensitive, and add new patterns
  - Mask encryption_key_id

Changes in python-swiftclient:
- update to version 3.6.1
  - OpenDev Migration Patch
  - Fix SLO re-upload
  - Update .gitreview for stable/rocky
  - Changelog for 3.6.1
  - import zuul job settings from project-config
  - Fix up stable gate
  - Use Swift's in-tree DSVM test

Changes in python-watcherclient:
- update to version 2.1.1
  - Update .gitreview for stable/rocky
  - OpenDev Migration Patch
  - Update UPPER_CONSTRAINTS_FILE for stable/rocky
  - import zuul job settings from project-config
  - Replace openstack.org git:// URLs with https://
  - fix watcher actionplan show command

Changes in release-notes-suse-openstack-cloud:
- Update to version 9.20200319:
  * Update release notes to indicate Designate support has shipped

Changes in zookeeper:
- Apply 0002-Apply-patch-to-resolve-CVE-2019-0201.patch
  This applies the patch for ZOOKEEPER-1392 to resolve CVE-2019-0201
  Should
not allow to read ACL when not authorized to read node (bsc#1135773) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-1190=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-1190=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): crowbar-core-6.0+git.1587558898.313bb9fd3-3.22.2 crowbar-core-branding-upstream-6.0+git.1587558898.313bb9fd3-3.22.2 memcached-1.5.17-3.3.1 memcached-debuginfo-1.5.17-3.3.1 memcached-debugsource-1.5.17-3.3.1 ruby2.1-rubygem-crowbar-client-3.9.2-3.6.1 ruby2.1-rubygem-puma-2.16.0-4.6.1 ruby2.1-rubygem-puma-debuginfo-2.16.0-4.6.1 rubygem-puma-debugsource-2.16.0-4.6.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): crowbar-ha-6.0+git.1586256059.e6f67e1-3.16.1 crowbar-openstack-6.0+git.1587753188.da39e44a7-3.22.1 openstack-ceilometer-11.1.1~dev5-3.13.2 openstack-ceilometer-agent-central-11.1.1~dev5-3.13.2 openstack-ceilometer-agent-compute-11.1.1~dev5-3.13.2 openstack-ceilometer-agent-ipmi-11.1.1~dev5-3.13.2 openstack-ceilometer-agent-notification-11.1.1~dev5-3.13.2 openstack-ceilometer-polling-11.1.1~dev5-3.13.2 openstack-cinder-13.0.10~dev9-3.19.1 openstack-cinder-api-13.0.10~dev9-3.19.1 openstack-cinder-backup-13.0.10~dev9-3.19.1 openstack-cinder-scheduler-13.0.10~dev9-3.19.1 openstack-cinder-volume-13.0.10~dev9-3.19.1 openstack-designate-7.0.1~dev25-3.16.2 openstack-designate-agent-7.0.1~dev25-3.16.2 openstack-designate-api-7.0.1~dev25-3.16.2 openstack-designate-central-7.0.1~dev25-3.16.2 openstack-designate-producer-7.0.1~dev25-3.16.2 openstack-designate-sink-7.0.1~dev25-3.16.2 openstack-designate-worker-7.0.1~dev25-3.16.2 openstack-heat-11.0.3~dev35-3.16.1 openstack-heat-api-11.0.3~dev35-3.16.1 openstack-heat-api-cfn-11.0.3~dev35-3.16.1 
      openstack-heat-engine-11.0.3~dev35-3.16.1
      openstack-heat-plugin-heat_docker-11.0.3~dev35-3.16.1
      openstack-ironic-11.1.5~dev3-3.16.1
      openstack-ironic-api-11.1.5~dev3-3.16.1
      openstack-ironic-conductor-11.1.5~dev3-3.16.1
      openstack-ironic-image-debugsource-9.0.0-3.6.1
      openstack-ironic-image-x86_64-9.0.0-3.6.1
      openstack-manila-7.4.2~dev4-4.21.1
      openstack-manila-api-7.4.2~dev4-4.21.1
      openstack-manila-data-7.4.2~dev4-4.21.1
      openstack-manila-scheduler-7.4.2~dev4-4.21.1
      openstack-manila-share-7.4.2~dev4-4.21.1
      openstack-neutron-13.0.8~dev28-3.22.1
      openstack-neutron-dhcp-agent-13.0.8~dev28-3.22.1
      openstack-neutron-ha-tool-13.0.8~dev28-3.22.1
      openstack-neutron-l3-agent-13.0.8~dev28-3.22.1
      openstack-neutron-linuxbridge-agent-13.0.8~dev28-3.22.1
      openstack-neutron-macvtap-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metadata-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metering-agent-13.0.8~dev28-3.22.1
      openstack-neutron-openvswitch-agent-13.0.8~dev28-3.22.1
      openstack-neutron-server-13.0.8~dev28-3.22.1
      openstack-nova-18.3.1~dev17-3.22.1
      openstack-nova-api-18.3.1~dev17-3.22.1
      openstack-nova-cells-18.3.1~dev17-3.22.1
      openstack-nova-compute-18.3.1~dev17-3.22.1
      openstack-nova-conductor-18.3.1~dev17-3.22.1
      openstack-nova-console-18.3.1~dev17-3.22.1
      openstack-nova-novncproxy-18.3.1~dev17-3.22.1
      openstack-nova-placement-api-18.3.1~dev17-3.22.1
      openstack-nova-scheduler-18.3.1~dev17-3.22.1
      openstack-nova-serialproxy-18.3.1~dev17-3.22.1
      openstack-nova-vncproxy-18.3.1~dev17-3.22.1
      openstack-octavia-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-agent-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-image-debugsource-0.1.3-7.9.2
      openstack-octavia-amphora-image-x86_64-0.1.3-7.9.2
      openstack-octavia-api-3.2.3~dev2-3.22.1
      openstack-octavia-health-manager-3.2.3~dev2-3.22.1
      openstack-octavia-housekeeping-3.2.3~dev2-3.22.1
      openstack-octavia-worker-3.2.3~dev2-3.22.1
      python-ceilometer-11.1.1~dev5-3.13.2
      python-cinder-13.0.10~dev9-3.19.1
      python-cinderclient-4.0.3-3.6.2
      python-cinderclient-doc-4.0.3-3.6.2
      python-designate-7.0.1~dev25-3.16.2
      python-glanceclient-2.13.2-3.3.2
      python-glanceclient-doc-2.13.2-3.3.2
      python-heat-11.0.3~dev35-3.16.1
      python-ironic-11.1.5~dev3-3.16.1
      python-ironic-lib-2.14.3-3.6.1
      python-ironicclient-2.5.4-4.10.1
      python-ironicclient-doc-2.5.4-4.10.1
      python-keystonemiddleware-5.2.2-17.1
      python-manila-7.4.2~dev4-4.21.1
      python-manila-tempest-plugin-0.1.0-3.6.1
      python-neutron-13.0.8~dev28-3.22.1
      python-nova-18.3.1~dev17-3.22.1
      python-novaclient-11.0.1-3.3.1
      python-novaclient-doc-11.0.1-3.3.1
      python-octavia-3.2.3~dev2-3.22.1
      python-octaviaclient-1.6.2-3.6.1
      python-openstackclient-3.16.3-11.1
      python-os-brick-2.5.10-3.9.2
      python-os-brick-common-2.5.10-3.9.2
      python-oslo.config-6.4.2-3.3.1
      python-oslo.config-doc-6.4.2-3.3.1
      python-oslo.rootwrap-5.14.2-3.3.1
      python-oslo.utils-3.36.5-3.3.1
      python-swiftclient-3.6.1-3.3.1
      python-swiftclient-doc-3.6.1-3.3.1
      python-watcherclient-2.1.1-3.3.1
      release-notes-suse-openstack-cloud-9.20200319-3.18.1
      zookeeper-server-3.4.13-3.3.1

   - SUSE OpenStack Cloud 9 (noarch):

      ardana-ansible-9.0+git.1587034359.a12678b-3.19.1
      ardana-barbican-9.0+git.1583953599.cd723bb-3.10.1
      ardana-cluster-9.0+git.1585653734.c1fe3b2-3.13.1
      ardana-db-9.0+git.1586543314.6b6aa20-3.19.1
      ardana-designate-9.0+git.1583445435.4bd1793-3.10.1
      ardana-input-model-9.0+git.1584632190.9541c56-3.16.1
      ardana-logging-9.0+git.1585929695.f35b591-3.10.1
      ardana-monasca-9.0+git.1586769889.d43d736-3.16.1
      ardana-mq-9.0+git.1586350749.a463fd2-3.13.1
      ardana-neutron-9.0+git.1587667603.507fb50-3.19.1
      ardana-octavia-9.0+git.1587486004.8e99c6b-3.16.1
      ardana-osconfig-9.0+git.1586546715.dbd07ab-3.16.1
      ardana-tempest-9.0+git.1587398456.b31cc4a-3.13.1
      ardana-tls-9.0+git.1586301209.c9413b4-3.12.1
      openstack-ceilometer-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-central-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-compute-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-ipmi-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-notification-11.1.1~dev5-3.13.2
      openstack-ceilometer-polling-11.1.1~dev5-3.13.2
      openstack-cinder-13.0.10~dev9-3.19.1
      openstack-cinder-api-13.0.10~dev9-3.19.1
      openstack-cinder-backup-13.0.10~dev9-3.19.1
      openstack-cinder-scheduler-13.0.10~dev9-3.19.1
      openstack-cinder-volume-13.0.10~dev9-3.19.1
      openstack-designate-7.0.1~dev25-3.16.2
      openstack-designate-agent-7.0.1~dev25-3.16.2
      openstack-designate-api-7.0.1~dev25-3.16.2
      openstack-designate-central-7.0.1~dev25-3.16.2
      openstack-designate-producer-7.0.1~dev25-3.16.2
      openstack-designate-sink-7.0.1~dev25-3.16.2
      openstack-designate-worker-7.0.1~dev25-3.16.2
      openstack-heat-11.0.3~dev35-3.16.1
      openstack-heat-api-11.0.3~dev35-3.16.1
      openstack-heat-api-cfn-11.0.3~dev35-3.16.1
      openstack-heat-engine-11.0.3~dev35-3.16.1
      openstack-heat-plugin-heat_docker-11.0.3~dev35-3.16.1
      openstack-ironic-11.1.5~dev3-3.16.1
      openstack-ironic-api-11.1.5~dev3-3.16.1
      openstack-ironic-conductor-11.1.5~dev3-3.16.1
      openstack-ironic-image-debugsource-9.0.0-3.6.1
      openstack-ironic-image-x86_64-9.0.0-3.6.1
      openstack-manila-7.4.2~dev4-4.21.1
      openstack-manila-api-7.4.2~dev4-4.21.1
      openstack-manila-data-7.4.2~dev4-4.21.1
      openstack-manila-scheduler-7.4.2~dev4-4.21.1
      openstack-manila-share-7.4.2~dev4-4.21.1
      openstack-neutron-13.0.8~dev28-3.22.1
      openstack-neutron-dhcp-agent-13.0.8~dev28-3.22.1
      openstack-neutron-ha-tool-13.0.8~dev28-3.22.1
      openstack-neutron-l3-agent-13.0.8~dev28-3.22.1
      openstack-neutron-linuxbridge-agent-13.0.8~dev28-3.22.1
      openstack-neutron-macvtap-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metadata-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metering-agent-13.0.8~dev28-3.22.1
      openstack-neutron-openvswitch-agent-13.0.8~dev28-3.22.1
      openstack-neutron-server-13.0.8~dev28-3.22.1
      openstack-nova-18.3.1~dev17-3.22.1
      openstack-nova-api-18.3.1~dev17-3.22.1
      openstack-nova-cells-18.3.1~dev17-3.22.1
      openstack-nova-compute-18.3.1~dev17-3.22.1
      openstack-nova-conductor-18.3.1~dev17-3.22.1
      openstack-nova-console-18.3.1~dev17-3.22.1
      openstack-nova-novncproxy-18.3.1~dev17-3.22.1
      openstack-nova-placement-api-18.3.1~dev17-3.22.1
      openstack-nova-scheduler-18.3.1~dev17-3.22.1
      openstack-nova-serialproxy-18.3.1~dev17-3.22.1
      openstack-nova-vncproxy-18.3.1~dev17-3.22.1
      openstack-octavia-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-agent-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-image-debugsource-0.1.3-7.9.2
      openstack-octavia-amphora-image-x86_64-0.1.3-7.9.2
      openstack-octavia-api-3.2.3~dev2-3.22.1
      openstack-octavia-health-manager-3.2.3~dev2-3.22.1
      openstack-octavia-housekeeping-3.2.3~dev2-3.22.1
      openstack-octavia-worker-3.2.3~dev2-3.22.1
      python-ceilometer-11.1.1~dev5-3.13.2
      python-cinder-13.0.10~dev9-3.19.1
      python-cinderclient-4.0.3-3.6.2
      python-cinderclient-doc-4.0.3-3.6.2
      python-designate-7.0.1~dev25-3.16.2
      python-glanceclient-2.13.2-3.3.2
      python-glanceclient-doc-2.13.2-3.3.2
      python-heat-11.0.3~dev35-3.16.1
      python-ironic-11.1.5~dev3-3.16.1
      python-ironic-lib-2.14.3-3.6.1
      python-ironicclient-2.5.4-4.10.1
      python-ironicclient-doc-2.5.4-4.10.1
      python-keystonemiddleware-5.2.2-17.1
      python-manila-7.4.2~dev4-4.21.1
      python-manila-tempest-plugin-0.1.0-3.6.1
      python-neutron-13.0.8~dev28-3.22.1
      python-nova-18.3.1~dev17-3.22.1
      python-novaclient-11.0.1-3.3.1
      python-novaclient-doc-11.0.1-3.3.1
      python-octavia-3.2.3~dev2-3.22.1
      python-octaviaclient-1.6.2-3.6.1
      python-openstackclient-3.16.3-11.1
      python-os-brick-2.5.10-3.9.2
      python-os-brick-common-2.5.10-3.9.2
      python-oslo.config-6.4.2-3.3.1
      python-oslo.config-doc-6.4.2-3.3.1
      python-oslo.rootwrap-5.14.2-3.3.1
      python-oslo.utils-3.36.5-3.3.1
      python-swiftclient-3.6.1-3.3.1
      python-swiftclient-doc-3.6.1-3.3.1
      python-watcherclient-2.1.1-3.3.1
      release-notes-suse-openstack-cloud-9.20200319-3.18.1
      venv-openstack-barbican-x86_64-7.0.1~dev24-3.17.1
      venv-openstack-cinder-x86_64-13.0.10~dev9-3.17.1
      venv-openstack-designate-x86_64-7.0.1~dev25-3.17.1
      venv-openstack-glance-x86_64-17.0.1~dev30-3.15.1
      venv-openstack-heat-x86_64-11.0.3~dev35-3.17.1
      venv-openstack-horizon-x86_64-14.1.1~dev1-4.16.1
      venv-openstack-ironic-x86_64-11.1.5~dev3-4.13.1
      venv-openstack-keystone-x86_64-14.1.1~dev36-3.17.1
      venv-openstack-magnum-x86_64-7.2.1~dev1-4.17.1
      venv-openstack-manila-x86_64-7.4.2~dev4-3.19.1
      venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.17.1
      venv-openstack-monasca-x86_64-2.7.1~dev10-3.15.1
      venv-openstack-neutron-x86_64-13.0.8~dev28-6.17.1
      venv-openstack-nova-x86_64-18.3.1~dev17-3.17.1
      venv-openstack-octavia-x86_64-3.2.3~dev2-4.17.1
      venv-openstack-sahara-x86_64-9.0.2~dev15-3.17.1
      venv-openstack-swift-x86_64-2.19.2~dev48-2.12.1
      zookeeper-server-3.4.13-3.3.1

   - SUSE OpenStack Cloud 9 (x86_64):

      memcached-1.5.17-3.3.1
      memcached-debuginfo-1.5.17-3.3.1
      memcached-debugsource-1.5.17-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-0201.html
   https://www.suse.com/security/cve/CVE-2019-11596.html
   https://www.suse.com/security/cve/CVE-2019-15026.html
   https://www.suse.com/security/cve/CVE-2020-5247.html
   https://www.suse.com/security/cve/CVE-2020-9543.html
   https://bugzilla.suse.com/1084739
   https://bugzilla.suse.com/1124708
   https://bugzilla.suse.com/1133817
   https://bugzilla.suse.com/1135773
   https://bugzilla.suse.com/1137622
   https://bugzilla.suse.com/1149110
   https://bugzilla.suse.com/1149535
   https://bugzilla.suse.com/1163444
   https://bugzilla.suse.com/1164838
   https://bugzilla.suse.com/1165402
   https://bugzilla.suse.com/1165723
   https://bugzilla.suse.com/1166290
   https://bugzilla.suse.com/1168512
   https://bugzilla.suse.com/1168593
   https://bugzilla.suse.com/1169770

From sle-security-updates at lists.suse.com Tue May 5 12:24:06 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 May 2020 20:24:06 +0200 (CEST)
Subject: SUSE-CU-2020:158-1: Security update of suse/sle15
Message-ID: <20200505182406.6551BFE29@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:158-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.191
Container Release     : 4.22.191
Severity              : important
Type                  : security
References            : 1160594 1160764 1161779 1163922 CVE-2019-3688 CVE-2019-3690 CVE-2020-8013
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1163-1
Released:    Mon May 4 09:45:01 2020
Summary:     Security update for permissions
Type:        security
Severity:    important
References:  1160594,1160764,1161779,1163922,CVE-2019-3688,CVE-2019-3690,CVE-2020-8013

This update for permissions fixes the following issues:

Security issue fixed:

- CVE-2020-8013: Fixed a local privilege escalation with mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779)
- Fixed handling of relative directory symlinks in chkstat

From sle-security-updates at lists.suse.com Tue May 5 13:16:30 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 May 2020 21:16:30 +0200 (CEST)
Subject: SUSE-SU-2020:1193-1: important: Security update for openldap2
Message-ID: <20200505191630.6BA44FFEB@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1193-1
Rating:             important
References:         #1170771
Cross-References:   CVE-2020-12243
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for openldap2 fixes the following issues:

   - CVE-2020-12243: Fixed a denial of service related to recursive filters
     (bsc#1170771).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1193=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1193=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1193=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1193=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1193=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1193=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1193=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1193=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1193=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1193=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1193=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1193=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1193=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-1193=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-1193=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE OpenStack Cloud 8 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE OpenStack Cloud 8 (x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE OpenStack Cloud 7 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      openldap2-back-perl-2.4.41-18.68.1
      openldap2-back-perl-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-devel-2.4.41-18.68.1
      openldap2-devel-static-2.4.41-18.68.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      openldap2-back-perl-2.4.41-18.68.1
      openldap2-back-perl-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-devel-2.4.41-18.68.1
      openldap2-devel-static-2.4.41-18.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - SUSE Enterprise Storage 5 (noarch):

      openldap2-doc-2.4.41-18.68.1

   - SUSE Enterprise Storage 5 (x86_64):

      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1

   - HPE Helion Openstack 8 (x86_64):

      libldap-2_4-2-2.4.41-18.68.1
      libldap-2_4-2-32bit-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-2.4.41-18.68.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.68.1
      openldap2-2.4.41-18.68.1
      openldap2-back-meta-2.4.41-18.68.1
      openldap2-back-meta-debuginfo-2.4.41-18.68.1
      openldap2-client-2.4.41-18.68.1
      openldap2-client-debuginfo-2.4.41-18.68.1
      openldap2-debuginfo-2.4.41-18.68.1
      openldap2-debugsource-2.4.41-18.68.1
      openldap2-ppolicy-check-password-1.2-18.68.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.68.1

   - HPE Helion Openstack 8 (noarch):

      openldap2-doc-2.4.41-18.68.1

References:

   https://www.suse.com/security/cve/CVE-2020-12243.html
   https://bugzilla.suse.com/1170771

From sle-security-updates at lists.suse.com Wed May 6 07:17:34 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 May 2020 15:17:34 +0200 (CEST)
Subject: SUSE-SU-2020:1194-1: important: Security update for python-Pillow
Message-ID: <20200506131734.56424FE29@maintenance.suse.de>

SUSE Security Update: Security update for python-Pillow
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1194-1
Rating:             important
References:         #967970 #975500
Cross-References:   CVE-2016-2533 CVE-2016-4009
Affected Products:
                    SUSE Enterprise Storage 5
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for python-Pillow fixes the following issues:

   Security issues fixed:

   - CVE-2016-2533: Fixed an integer overflow in the ImagingResampleHorizontal
     function (bsc#967970).
   - CVE-2016-4009: Fixed a buffer overflow in the PCD decoder (bsc#975500).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-1194=1

Package List:

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      python-Pillow-2.8.1-3.6.1
      python-Pillow-debuginfo-2.8.1-3.6.1
      python-Pillow-debugsource-2.8.1-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2016-2533.html
   https://www.suse.com/security/cve/CVE-2016-4009.html
   https://bugzilla.suse.com/967970
   https://bugzilla.suse.com/975500

From sle-security-updates at lists.suse.com Wed May 6 10:16:52 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 May 2020 18:16:52 +0200 (CEST)
Subject: SUSE-SU-2020:1197-1: important: Security update for slirp4netns
Message-ID: <20200506161652.26ECEFFE8@maintenance.suse.de>

SUSE Security Update: Security update for slirp4netns
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1197-1
Rating:             important
References:         #1170940
Cross-References:   CVE-2020-1983
Affected Products:
                    SUSE Linux Enterprise Module for Containers 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for slirp4netns fixes the following issues:

   Security issue fixed:

   - CVE-2020-1983: Fixed a use-after-free in ip_reass (bsc#1170940).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Containers 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-1197=1

Package List:

   - SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):

      slirp4netns-0.4.5-3.9.1
      slirp4netns-debuginfo-0.4.5-3.9.1
      slirp4netns-debugsource-0.4.5-3.9.1

References:

   https://www.suse.com/security/cve/CVE-2020-1983.html
   https://bugzilla.suse.com/1170940

From sle-security-updates at lists.suse.com Wed May 6 10:19:52 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 May 2020 18:19:52 +0200 (CEST)
Subject: SUSE-SU-2020:1198-1: important: Security update for webkit2gtk3
Message-ID: <20200506161952.8CE5CFE29@maintenance.suse.de>

SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1198-1
Rating:             important
References:         #1170643
Cross-References:   CVE-2020-3899
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for webkit2gtk3 fixes the following issues:

   Security issue fixed:

   - CVE-2020-3899: Fixed a memory consumption issue that could have led to
     remote code execution (bsc#1170643).

   Non-security issues fixed:

   - Update to version 2.28.2 (bsc#1170643):
     + Fix excessive CPU usage due to GdkFrameClock not being stopped.
     + Fix UI process crash when EGL_WL_bind_wayland_display extension is not
       available.
     + Fix position of select popup menus in X11.
     + Fix playing of Youtube 'live stream'/H264 URLs.
     + Fix a crash under X11 when cairo uses xcb.
     + Fix several crashes and rendering issues.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1198=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1198=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1198=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1198=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1198=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1198=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1198=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libjavascriptcoregtk-4_0-18-2.28.2-3.54.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-3.54.1
      webkit2gtk-4_0-injected-bundles-2.28.2-3.54.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-3.54.1
      webkit2gtk3-debugsource-2.28.2-3.54.1
      webkit2gtk3-devel-2.28.2-3.54.1

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      libwebkit2gtk3-lang-2.28.2-3.54.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libjavascriptcoregtk-4_0-18-2.28.2-3.54.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-3.54.1
      webkit2gtk-4_0-injected-bundles-2.28.2-3.54.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-3.54.1
      webkit2gtk3-debugsource-2.28.2-3.54.1
      webkit2gtk3-devel-2.28.2-3.54.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      libwebkit2gtk3-lang-2.28.2-3.54.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      webkit-jsc-4-2.28.2-3.54.1
      webkit-jsc-4-debuginfo-2.28.2-3.54.1
      webkit2gtk3-debugsource-2.28.2-3.54.1
      webkit2gtk3-minibrowser-2.28.2-3.54.1
      webkit2gtk3-minibrowser-debuginfo-2.28.2-3.54.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      libjavascriptcoregtk-4_0-18-32bit-2.28.2-3.54.1
      libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-32bit-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-32bit-debuginfo-2.28.2-3.54.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      typelib-1_0-JavaScriptCore-4_0-2.28.2-3.54.1
      typelib-1_0-WebKit2-4_0-2.28.2-3.54.1
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-3.54.1
      webkit2gtk3-debugsource-2.28.2-3.54.1
      webkit2gtk3-devel-2.28.2-3.54.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libjavascriptcoregtk-4_0-18-2.28.2-3.54.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-2.28.2-3.54.1
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-3.54.1
      webkit2gtk-4_0-injected-bundles-2.28.2-3.54.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-3.54.1
      webkit2gtk3-debugsource-2.28.2-3.54.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      libwebkit2gtk3-lang-2.28.2-3.54.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libjavascriptcoregtk-4_0-18-2.28.2-3.54.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-3.54.1
libwebkit2gtk-4_0-37-2.28.2-3.54.1 libwebkit2gtk-4_0-37-debuginfo-2.28.2-3.54.1 webkit2gtk-4_0-injected-bundles-2.28.2-3.54.1 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-3.54.1 webkit2gtk3-debugsource-2.28.2-3.54.1 webkit2gtk3-devel-2.28.2-3.54.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): libwebkit2gtk3-lang-2.28.2-3.54.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libjavascriptcoregtk-4_0-18-2.28.2-3.54.1 libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-3.54.1 libwebkit2gtk-4_0-37-2.28.2-3.54.1 libwebkit2gtk-4_0-37-debuginfo-2.28.2-3.54.1 webkit2gtk-4_0-injected-bundles-2.28.2-3.54.1 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-3.54.1 webkit2gtk3-debugsource-2.28.2-3.54.1 webkit2gtk3-devel-2.28.2-3.54.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): libwebkit2gtk3-lang-2.28.2-3.54.1 References: https://www.suse.com/security/cve/CVE-2020-3899.html https://bugzilla.suse.com/1170643 From sle-security-updates at lists.suse.com Wed May 6 10:30:41 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 May 2020 18:30:41 +0200 (CEST) Subject: SUSE-SU-2020:1199-1: moderate: Security update for php7 Message-ID: <20200506163041.AEFCBFE29@maintenance.suse.de> SUSE Security Update: Security update for php7 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1199-1 Rating: moderate References: #1168326 #1168352 Cross-References: CVE-2020-7064 CVE-2020-7066 Affected Products: SUSE Linux Enterprise Module for Web Scripting 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description:

This update for php7 fixes the following issues:

- CVE-2020-7064: Fixed a one-byte read of uninitialized memory in exif_read_data() (bsc#1168326).
- CVE-2020-7066: Fixed URL truncation in get_headers() if the URL contains a zero (\0) character (bsc#1168352).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1199=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1199=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1199=1

Package List:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64):
  apache2-mod_php7-7.2.5-4.55.7 apache2-mod_php7-debuginfo-7.2.5-4.55.7 libtidy5-5.4.0-3.2.1 libtidy5-debuginfo-5.4.0-3.2.1 php7-7.2.5-4.55.7 php7-bcmath-7.2.5-4.55.7 php7-bcmath-debuginfo-7.2.5-4.55.7 php7-bz2-7.2.5-4.55.7 php7-bz2-debuginfo-7.2.5-4.55.7 php7-calendar-7.2.5-4.55.7 php7-calendar-debuginfo-7.2.5-4.55.7 php7-ctype-7.2.5-4.55.7 php7-ctype-debuginfo-7.2.5-4.55.7 php7-curl-7.2.5-4.55.7 php7-curl-debuginfo-7.2.5-4.55.7 php7-dba-7.2.5-4.55.7 php7-dba-debuginfo-7.2.5-4.55.7 php7-debuginfo-7.2.5-4.55.7 php7-debugsource-7.2.5-4.55.7 php7-devel-7.2.5-4.55.7 php7-dom-7.2.5-4.55.7 php7-dom-debuginfo-7.2.5-4.55.7 php7-enchant-7.2.5-4.55.7 php7-enchant-debuginfo-7.2.5-4.55.7 php7-exif-7.2.5-4.55.7 php7-exif-debuginfo-7.2.5-4.55.7 php7-fastcgi-7.2.5-4.55.7 php7-fastcgi-debuginfo-7.2.5-4.55.7 php7-fileinfo-7.2.5-4.55.7 php7-fileinfo-debuginfo-7.2.5-4.55.7 php7-fpm-7.2.5-4.55.7 php7-fpm-debuginfo-7.2.5-4.55.7 php7-ftp-7.2.5-4.55.7 php7-ftp-debuginfo-7.2.5-4.55.7 php7-gd-7.2.5-4.55.7
php7-gd-debuginfo-7.2.5-4.55.7 php7-gettext-7.2.5-4.55.7 php7-gettext-debuginfo-7.2.5-4.55.7 php7-gmp-7.2.5-4.55.7 php7-gmp-debuginfo-7.2.5-4.55.7 php7-iconv-7.2.5-4.55.7 php7-iconv-debuginfo-7.2.5-4.55.7 php7-intl-7.2.5-4.55.7 php7-intl-debuginfo-7.2.5-4.55.7 php7-json-7.2.5-4.55.7 php7-json-debuginfo-7.2.5-4.55.7 php7-ldap-7.2.5-4.55.7 php7-ldap-debuginfo-7.2.5-4.55.7 php7-mbstring-7.2.5-4.55.7 php7-mbstring-debuginfo-7.2.5-4.55.7 php7-mysql-7.2.5-4.55.7 php7-mysql-debuginfo-7.2.5-4.55.7 php7-odbc-7.2.5-4.55.7 php7-odbc-debuginfo-7.2.5-4.55.7 php7-opcache-7.2.5-4.55.7 php7-opcache-debuginfo-7.2.5-4.55.7 php7-openssl-7.2.5-4.55.7 php7-openssl-debuginfo-7.2.5-4.55.7 php7-pcntl-7.2.5-4.55.7 php7-pcntl-debuginfo-7.2.5-4.55.7 php7-pdo-7.2.5-4.55.7 php7-pdo-debuginfo-7.2.5-4.55.7 php7-pgsql-7.2.5-4.55.7 php7-pgsql-debuginfo-7.2.5-4.55.7 php7-phar-7.2.5-4.55.7 php7-phar-debuginfo-7.2.5-4.55.7 php7-posix-7.2.5-4.55.7 php7-posix-debuginfo-7.2.5-4.55.7 php7-readline-7.2.5-4.55.7 php7-readline-debuginfo-7.2.5-4.55.7 php7-shmop-7.2.5-4.55.7 php7-shmop-debuginfo-7.2.5-4.55.7 php7-snmp-7.2.5-4.55.7 php7-snmp-debuginfo-7.2.5-4.55.7 php7-soap-7.2.5-4.55.7 php7-soap-debuginfo-7.2.5-4.55.7 php7-sockets-7.2.5-4.55.7 php7-sockets-debuginfo-7.2.5-4.55.7 php7-sodium-7.2.5-4.55.7 php7-sodium-debuginfo-7.2.5-4.55.7 php7-sqlite-7.2.5-4.55.7 php7-sqlite-debuginfo-7.2.5-4.55.7 php7-sysvmsg-7.2.5-4.55.7 php7-sysvmsg-debuginfo-7.2.5-4.55.7 php7-sysvsem-7.2.5-4.55.7 php7-sysvsem-debuginfo-7.2.5-4.55.7 php7-sysvshm-7.2.5-4.55.7 php7-sysvshm-debuginfo-7.2.5-4.55.7 php7-tidy-7.2.5-4.55.7 php7-tidy-debuginfo-7.2.5-4.55.7 php7-tokenizer-7.2.5-4.55.7 php7-tokenizer-debuginfo-7.2.5-4.55.7 php7-wddx-7.2.5-4.55.7 php7-wddx-debuginfo-7.2.5-4.55.7 php7-xmlreader-7.2.5-4.55.7 php7-xmlreader-debuginfo-7.2.5-4.55.7 php7-xmlrpc-7.2.5-4.55.7 php7-xmlrpc-debuginfo-7.2.5-4.55.7 php7-xmlwriter-7.2.5-4.55.7 php7-xmlwriter-debuginfo-7.2.5-4.55.7 php7-xsl-7.2.5-4.55.7 php7-xsl-debuginfo-7.2.5-4.55.7 
php7-zip-7.2.5-4.55.7 php7-zip-debuginfo-7.2.5-4.55.7 php7-zlib-7.2.5-4.55.7 php7-zlib-debuginfo-7.2.5-4.55.7 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): php7-pear-7.2.5-4.55.7 php7-pear-Archive_Tar-7.2.5-4.55.7 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.2.5-4.55.7 php7-debugsource-7.2.5-4.55.7 php7-embed-7.2.5-4.55.7 php7-embed-debuginfo-7.2.5-4.55.7 php7-readline-7.2.5-4.55.7 php7-readline-debuginfo-7.2.5-4.55.7 php7-sodium-7.2.5-4.55.7 php7-sodium-debuginfo-7.2.5-4.55.7 php7-tidy-7.2.5-4.55.7 php7-tidy-debuginfo-7.2.5-4.55.7 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): tidy-doc-5.4.0-3.2.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): libtidy-devel-5.4.0-3.2.1 libtidy5-5.4.0-3.2.1 libtidy5-debuginfo-5.4.0-3.2.1 tidy-5.4.0-3.2.1 tidy-debuginfo-5.4.0-3.2.1 tidy-debugsource-5.4.0-3.2.1 References: https://www.suse.com/security/cve/CVE-2020-7064.html https://www.suse.com/security/cve/CVE-2020-7066.html https://bugzilla.suse.com/1168326 https://bugzilla.suse.com/1168352 From sle-security-updates at lists.suse.com Wed May 6 11:57:49 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 May 2020 19:57:49 +0200 (CEST) Subject: SUSE-CU-2020:159-1: Security update of suse/sles12sp3 Message-ID: <20200506175749.2C444FFE8@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp3 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:159-1 Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.150 , suse/sles12sp3:latest Container Release : 24.150 Severity : important Type : security References : 1170771 CVE-2020-12243 ----------------------------------------------------------------- The container suse/sles12sp3 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1193-1 Released: Tue May 5 16:26:05 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). From sle-security-updates at lists.suse.com Wed May 6 12:07:50 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 May 2020 20:07:50 +0200 (CEST) Subject: SUSE-CU-2020:160-1: Security update of suse/sles12sp4 Message-ID: <20200506180750.8198AFFEB@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:160-1 Container Tags : suse/sles12sp4:26.179 , suse/sles12sp4:latest Container Release : 26.179 Severity : important Type : security References : 1170771 CVE-2020-12243 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1193-1 Released: Tue May 5 16:26:05 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). 
From sle-security-updates at lists.suse.com Wed May 6 12:11:27 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 May 2020 20:11:27 +0200 (CEST) Subject: SUSE-CU-2020:161-1: Security update of suse/sles12sp5 Message-ID: <20200506181127.405F5FFEB@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:161-1 Container Tags : suse/sles12sp5:5.2.341 , suse/sles12sp5:latest Container Release : 5.2.341 Severity : important Type : security References : 1170771 CVE-2020-12243 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1193-1 Released: Tue May 5 16:26:05 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). 
From sle-security-updates at lists.suse.com Wed May 6 13:49:56 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 May 2020 21:49:56 +0200 (CEST) Subject: SUSE-CU-2020:164-1: Security update of caasp/v4/coredns Message-ID: <20200506194956.531DEFFE8@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/coredns ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:164-1 Container Tags : caasp/v4/coredns:1.6.5 , caasp/v4/coredns:1.6.5-rev3 , caasp/v4/coredns:1.6.5-rev3-build3.12.1 Container Release : 3.12.1 Severity : important Type : security References : 1013125 1084671 1092920 1102840 1106383 1121353 1125689 1133495 1135114 1139459 1139939 1146182 1146184 1148788 1149332 1151023 1151377 1151582 1152334 1152692 1154256 1154804 1154805 1155198 1155205 1155207 1155298 1155327 1155337 1155574 1155678 1155819 1156158 1156213 1156300 1156482 1157292 1157337 1157377 1157794 1157893 1158095 1158485 1158763 1158830 1158921 1158996 1159003 1159108 1159314 1159814 1160039 1160160 1160460 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161779 1161816 1162093 1162108 1162108 1162152 1162518 1163184 1163922 1164390 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1166106 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167631 1167674 1168076 1168345 1168364 1168699 1168835 1169569 1169992 1170173 CVE-2019-14889 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-5188 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-11501 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-8013 ----------------------------------------------------------------- The container caasp/v4/coredns was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by an unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830

This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970

This update for aaa_base fixes the following issues:

- Improves how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188

This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125

This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712

This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108): Fix a heap use-after-free vulnerability when asynchronous Polkit queries were performed while handling D-Bus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges by sending specially crafted D-Bus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-ROM in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed an issue where a malformed request header could bypass route matchers, resulting in escalation of privileges or information disclosure (bsc#1159003)

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)
- Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481)
  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
  * build: Avoid filename collision of static and dynamic lib
  * build: Add new flag ENABLE_STATIC_CRT for Windows
  * build: cmake: Support building nghttpx with systemd
  * third-party: Update neverbleed to fix memory leak
  * nghttpx: Fix bug that mruby is incorrectly shared between backends
  * nghttpx: Reconnect h1 backend if it lost connection before sending headers
  * nghttpx: Returns 408 if backend timed out before sending headers
  * nghttpx: Fix request stal
- Conditionally remove dependency on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689
- Update to version 1.39.2 (bsc#1146184, bsc#1146182):
  * This release fixes the CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerabilities in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause denial of service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic with the --read-rate and --read-burst options is quite effective against this kind of attack.
  * Add nghttp2_option_set_max_outbound_ack API function
  * nghttpx: Fix request stall
- Update to version 1.39.1:
  * This release fixes the bug that log-level is not set with cmd-line or configuration file.
  It also fixes FPE with default backend.
- Changes for version 1.39.0:
  * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.
  * mruby has been upgraded to 2.0.1.
  * libnghttp2-asio now supports boost-1.70.
  * http-parser has been replaced with llhttp.
  * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers
- Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
- Added the udev 60-ssd-scheduler.rules: this rules file, which selects the default IO scheduler for SSDs, is being moved out of the git repo since it is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package (bsc#1162152)

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added continuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library. 
(bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted pathes as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. 
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-feature-2020:1196-1 Released: Wed May 6 13:35:05 2020 Summary: Update to kubernetes 1.17, podman, cri-o and docs Type: feature Severity: moderate References: 1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173 = Required Actions == Kubernetes 1.17 In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components . Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bug. == conmon and cri-o Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates == skuba In order to update skuba, you need to update the admin workstation. 
See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation

From sle-security-updates at lists.suse.com Wed May 6 13:53:06 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 May 2020 21:53:06 +0200 (CEST)
Subject: SUSE-CU-2020:165-1: Security update of caasp/v4/etcd
Message-ID: <20200506195306.25F0AFFE8@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/etcd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:165-1
Container Tags        : caasp/v4/etcd:3.4.3 , caasp/v4/etcd:3.4.3-rev3 , caasp/v4/etcd:3.4.3-rev3-build3.12.1
Container Release     : 3.12.1
Severity              : important
Type                  : security
References            : 1013125 1084671 1092920 1102840 1106383 1121353 1125689 1133495 1135114 1139459 1139939 1145003 1146182 1146184 1148788 1149332 1150021 1151023 1151377 1151582 1152334 1152692 1154256 1154804 1154805 1155198 1155205 1155207 1155298 1155327 1155337 1155574 1155678 1155819 1156158 1156213 1156300 1156482 1157292 1157323 1157337 1157377 1157794 1157893 1158095 1158485 1158763 1158830 1158921 1158996 1159003 1159082 1159108 1159314 1159814 1160039 1160160 1160460 1160463 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161056 1161110 1161179 1161215 1161216 1161218 1161219 1161220 1161225 1161262 1161436 1161779 1161816 1162093 1162108 1162152 1162518 1163184 1163922 1164390 1164505 1164562 1164717 1164950 1165011 1165539 1165579 1165784 1166106 1166481 1166510 1166748 1166881 1167163 1167223 1167631 1167674 1168076 1168345 1168364 1168699 1168835 1169569 1169992 1170173 CVE-2019-14889 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-5188 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-11501 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-8013
-----------------------------------------------------------------
The container caasp/v4/etcd was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:
- Fix 'ps -C' so that it accepts arguments longer than 15 characters again. (bsc#1158830)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970
This update for aaa_base fixes the following issues:
- Improve how the Java path is created, to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).
Bug fixes:
- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125
This update for p11-kit fixes the following issues:
- Also build documentation (bsc#1013125)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#1162108): Fix a heap use-after-free vulnerability when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger… (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921
This update for openldap2 provides the following fix:
- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released: Fri Feb 7 13:49:41 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1150021
This update for lvm2 fixes the following issues:
- Fix for LVM in KVM: the SCSI persistent reservation scenario can trigger an error during LVM actions. (bsc#1150021)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed a cookie file that was world readable (bsc#1158763).
Bug fixes:
- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:
- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039
This update for perl fixes the following issues:
- Some packages make assumptions about the date and time they are built. This update solves the issues caused by calling the perl function timelocal with the year expressed with only two digits instead of four. (bsc#1102840) (bsc#1160039)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735
This update for aaa_base fixes the following issues:
- Change 'rp_filter' to increase the default priority of ethernet over wifi. (bsc#1160735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
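Every included-patch entry in this container advisory (and in the one above it) uses the same field layout: Advisory ID, Released, Summary, Type, Severity, References, then the changelog text, with entries separated by a line of dashes. The Python below is an added example and not SUSE tooling: it parses that layout into records, selects the security advisories at or above a chosen severity, and reports which of a tracked set of CVEs this image update actually mentions. The sample input is constructed from three entries in this mail with their changelog text shortened; the parser assumes, as holds throughout this mail, that the References field is a single comma-separated token with no spaces.

```python
import re
from dataclasses import dataclass

# Added example, not SUSE tooling: parser for the per-patch blocks of a
# SUSE container advisory. The regex keys on the field labels rather than
# on line breaks, so it gives the same result on the original mail and on
# an archive rendering that has flattened each entry onto one line.
BLOCK_RE = re.compile(
    r"Advisory ID:\s*(?P<id>\S+)\s+"
    r"Released:\s*(?P<released>.+?)\s+"
    r"Summary:\s*(?P<summary>.+?)\s+"
    r"Type:\s*(?P<kind>\w+)\s+"
    r"Severity:\s*(?P<severity>\w+)\s+"
    r"References:\s*(?P<refs>\S+)"   # assumption: comma-separated, no spaces
    r"(?P<body>.*)",
    re.DOTALL,
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BSC_RE = re.compile(r"bsc#(\d+)")
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass
class Advisory:
    advisory_id: str
    released: str
    summary: str
    kind: str          # security / recommended / feature
    severity: str
    references: list   # bug numbers and CVE ids from the References: field
    cves: list         # CVE ids mentioned anywhere in the block, sorted
    bugs: list         # bsc# numbers mentioned in the body, sorted


def parse_advisories(text):
    """Split an advisory mail on the dash separators and parse each block."""
    advisories = []
    for chunk in re.split(r"-{20,}", text):
        m = BLOCK_RE.search(chunk)
        if m is None:
            continue  # container header, preamble or trailing text
        advisories.append(Advisory(
            advisory_id=m.group("id"),
            released=m.group("released"),
            summary=m.group("summary"),
            kind=m.group("kind").lower(),
            severity=m.group("severity").lower(),
            references=[r for r in m.group("refs").split(",") if r],
            cves=sorted(set(CVE_RE.findall(chunk))),
            bugs=sorted(set(BSC_RE.findall(m.group("body")))),
        ))
    return advisories


def security_advisories(advisories, min_severity="moderate"):
    """Security-type advisories at or above the given severity."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in advisories
            if a.kind == "security"
            and SEVERITY_RANK.get(a.severity, -1) >= floor]


def coverage(advisories, tracked_cves):
    """Map each tracked CVE to the advisory ids that mention it.

    An empty list means this container update does not address the CVE,
    which is the case to flag when reconciling an image against a list.
    """
    return {cve: [a.advisory_id for a in advisories if cve in a.cves]
            for cve in tracked_cves}


# Constructed sample: three entries copied from this mail, changelog text
# shortened, in the original line-broken layout.
SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:
- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518
This update for cyrus-sasl fixes the following issues:
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
"""

if __name__ == "__main__":
    advs = parse_advisories(SAMPLE)
    for a in security_advisories(advs):
        print(a.advisory_id, a.severity, a.cves)
    print(coverage(advs, ["CVE-2020-8013", "CVE-2020-1752"]))
```

The `coverage` result is the piece to feed into a ticket or CI gate: a tracked CVE that maps to an empty list is not addressed by this image update, whatever the mail's overall severity says. Note that `cves` is collected from the whole block, so a CVE named only in the changelog text (as CVE-2020-1712 is in the systemd 793-1 entry above) is still attributed to that advisory.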
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:710-1 Released: Wed Mar 18 07:32:24 2020 Summary: Upgrading to Terraform 0.12 and fix issues in crio, grafana, kubelet, skuba, and terraform Type: recommended Severity: important References: 1145003,1157323,1159082,1160463,1161056,1161110,1161179,1161225,1162093 Upgrade Terraform Files and State In order to seamlessly switch to Terraform 0.12 you need to make sure that: * all files follow the new syntax for the HashiCorp Configuration Language included in Terraform 0.12; * all boolean values are `true` or `false` and *not* 0 or 1; * all variables are explicitly declared; * all dependencies are explicitly declared to reach the expected behavior. Recommended Procedure If you can tear down your existing cluster, do delete your cluster before upgrading to Terraform 0.12. After that follow our documentation to create a new cluster. That will lead to the cleanest upgrade result. 
If you are using Terraform 0.11 and you cannot tear down your cluster, you will need to update your Terraform files (and states) in place for Terraform 0.12. To do this, enter your Terraform files/state folder and: * Migrate Terraform files with the automatic migration tool by running `terraform 0.12upgrade`. * For OpenStack, run the extra operations for in-place upgrade, which follow just below. * For VMware, there is no extra operation. * You can then run the `terraform init/plan/apply` commands as usual. Extra Operations for In-place Upgrade of OpenStack Terraform Files * Replace any boolean values written as a number with `false`/`true`. For example, for the variables in `openstack/variables.tf` (and their equivalent in your `terraform.tfvars` file), replace `default = 0` with `default = false` in the variables `workers_vol_enabled` and `dnsentry`. Do the same for any extra boolean variable you might have added. * Introduce a `depends_on` on the resource `'openstack_compute_floatingip_associate_v2' 'master_ext_ip'` in `master-instance.tf`: ---- depends_on = [openstack_compute_instance_v2.master] ---- * Introduce a `depends_on` on the resource `'master_wait_cloudinit'` in `master-instance.tf`: ---- depends_on = [ openstack_compute_instance_v2.master, openstack_compute_floatingip_associate_v2.master_ext_ip ] ---- * Introduce a `depends_on` on the resources `'openstack_compute_floatingip_associate_v2' 'worker_ext_ip'` and `'null_resource' 'worker_wait_cloudinit'` in `worker-instance.tf`, similarly to the ones for master. Replace `master` with `worker` in the examples above. * Update the resources `resource 'openstack_compute_instance_v2' 'master'` and `resource 'openstack_compute_instance_v2' 'worker'` with `master-instance.tf` and `worker-instance.tf` respectively. 
Add the following resources: ---- lifecycle { ignore_changes = [user_data] } ---- This will make it possible to update your cluster from a Terraform 0.11 state into a Terraform 0.12 state without tearing it down completely. [WARNING] When adding `lifecycle { ignore_change = [user_data] }` in your master and worker instances, you will effectively prevent updates of nodes, should you or SUSE update the `user_data`. This should be removed as soon as possible after the migration to Terraform 0.12. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). 
- CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependecy on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 ???Data Dribble??? and CVE-2019-9513 ???Resource Loop??? vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. 
  * libnghttp2-asio now supports boost-1.70.
  * http-parser has been replaced with llhttp.
  * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released:    Thu Mar 19 14:44:22 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1166106
This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released:    Wed Mar 25 15:16:00 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is being moved out of the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released:    Mon Mar 30 16:23:42 2020
Summary:     Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type:        recommended
Severity:    moderate
References:  1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found at: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added continuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).
myspell-dictionaries was updated to 20191219:

  * Updated the English dictionaries: GB+US+CA+AU
  * Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released:    Tue Mar 31 13:02:22 2020
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1167631,CVE-2020-1752
This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released:    Tue Mar 31 17:21:34 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1167163
This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released:    Thu Apr 2 07:24:07 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950,1166748,1167674
This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function.
  * Relax the entropy requirements on selftest.
    This is especially important for virtual machines to boot properly before the RNG is available.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released:    Fri Apr 3 15:02:25 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released:    Wed Apr 8 07:44:21 2020
Summary:     Security update for gmp, gnutls, libnettle
Type:        security
Severity:    moderate
References:  1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test.
  (bsc#1155327)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released:    Wed Apr 8 13:34:06 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1160979
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released:    Thu Apr 9 11:41:53 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released:    Thu Apr 9 11:43:17 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1168364
This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released:    Mon Apr 13 15:43:44 2020
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1156300
This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library.
  (bsc#1156300)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released:    Fri Apr 17 16:14:43 2020
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  1159314
This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted paths as irrelevant
- made add_update_target work with multiversion installs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released:    Tue Apr 21 10:33:06 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1168835
This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released:    Wed Apr 22 10:46:50 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1165539,1169569
This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released:    Fri Apr 24 16:31:01 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1169992
This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May 5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:1196-1
Released:    Wed May 6 13:35:05 2020
Summary:     Update to kubernetes 1.17, podman, cri-o and docs
Type:        feature
Severity:    moderate
References:  1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173

= Required Actions

== Kubernetes 1.17

In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components . Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bugs.

== conmon and cri-o

Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates

== skuba

In order to update skuba, you need to update the admin workstation.
See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation

From sle-security-updates at lists.suse.com Wed May 6 13:58:55 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 May 2020 21:58:55 +0200 (CEST)
Subject: SUSE-CU-2020:166-1: Security update of caasp/v4/hyperkube
Message-ID: <20200506195855.8BFE3FFE8@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/hyperkube
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:166-1
Container Tags        : caasp/v4/hyperkube:v1.17.4 , caasp/v4/hyperkube:v1.17.4-rev5 , caasp/v4/hyperkube:v1.17.4-rev5-build3.12.1
Container Release     : 3.12.1
Severity              : important
Type                  : security
References            : 1002895 1013125 1027282 1029377 1029902 1040164 1042670 1070853 1079761 1081750
                        1083507 1084671 1086001 1088004 1088009 1088573 1092920 1094814 1102840 1106383
                        1107030 1107105 1109663 1109847 1120644 1121353 1122191 1124556 1125689 1129346
                        1130840 1131817 1132337 1133452 1133495 1134365 1135114 1137227 1137337 1137942
                        1138459 1138666 1139459 1139939 1140504 1140879 1141203 1141853 1145571 1145756
                        1146182 1146184 1148360 1148498 1148788 1149121 1149332 1149792 1149955 1150021
                        1151023 1151377 1151490 1151582 1152334 1152335 1152692 1153238 1153876 1154230
                        1154256 1154804 1154805 1155045 1155198 1155205 1155207 1155298 1155323 1155327
                        1155337 1155350 1155357 1155360 1155463 1155574 1155593 1155655 1155678 1155810
                        1155819 1155950 1156158 1156213 1156300 1156482 1156571 1157292 1157337 1157377
                        1157611 1157794 1157802 1157893 1158095 1158485 1158763 1158830 1158921 1158923
                        1158925 1158926 1158927 1158929 1158930 1158931 1158932 1158933 1158996 1159003
                        1159035 1159074 1159108 1159314 1159452 1159622 1159814 1160039 1160160 1160443
                        1160460 1160571 1160594 1160595 1160600 1160735 1160764 1160920 1160970 1160979
                        1161056 1161074 1161179 1161215 1161216 1161218
                        1161219 1161220 1161262 1161312 1161436 1161770 1161779 1161816 1161975 1162093
                        1162108 1162108 1162152 1162224 1162367 1162423 1162518 1162825 1163184 1163922
                        1164390 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784
                        1165894 1166106 1166139 1166403 1166481 1166484 1166510 1166510 1166748 1166880
                        1166881 1167163 1167223 1167631 1167674 1167732 1168076 1168345 1168364 1168669
                        1168699 1168835 1169569 1169872 1169992 1170173 1170571 1170572 637176 658604
                        673071 709442 743787 747125 751718 754447 754677 787526 809831 831629 834601
                        871152 885662 885882 917607 942751 951166 983582 984751 985177 985348 989523
                        CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752
                        CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2016-0772 CVE-2016-1000110
                        CVE-2016-5636 CVE-2016-5699 CVE-2017-18207 CVE-2018-1000802 CVE-2018-1060
                        CVE-2018-1061 CVE-2018-14647 CVE-2018-20406 CVE-2018-20852 CVE-2019-10160
                        CVE-2019-14889 CVE-2019-15903 CVE-2019-16056 CVE-2019-16935 CVE-2019-18802
                        CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-5010
                        CVE-2019-5188 CVE-2019-9511 CVE-2019-9513 CVE-2019-9636 CVE-2019-9674
                        CVE-2019-9947 CVE-2020-10029 CVE-2020-11501 CVE-2020-1699 CVE-2020-1700
                        CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-1759
                        CVE-2020-1760 CVE-2020-8013 CVE-2020-8492
-----------------------------------------------------------------
The container caasp/v4/hyperkube was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released:    Thu Jan 16 10:11:52 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
This update for python3 to version 3.6.10 fixes the following issues:

- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released:    Mon Jan 20 09:21:13 2020
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:158-1
Released:    Wed Jan 22 08:03:20 2020
Summary:     Recommended update for ceph
Type:        recommended
Severity:    moderate
References:  1124556,1131817,1132337,1134365,1137227,1140504,1140879,1141203,1145571,1145756,1148360,1148498,1153876,1154230,1155045,1155463,1155655,1155950,1156571,1157611,1158923,1158925,1158926,1158927,1158929,1158930,1158931,1158932,1158933,1160920
This update for ceph fixes the following issues:

Ceph was updated to 14.2.5-371-g3551250731:

This is the upstream Nautilus 14.2.5 point release, see https://ceph.io/releases/v14-2-5-nautilus-released/

  * health warnings will be issued if daemons have recently crashed (bsc#1158923)
  * pg_num must be a power of two, otherwise HEALTH_WARN (bsc#1158925)
  * pool size must be > 1, otherwise HEALTH_WARN (bsc#1158926)
  * health warning if average OSD heartbeat ping time exceeds threshold (bsc#1158927)
  * changes in the telemetry MGR module (bsc#1158929)
  * new OSD daemon command dump_recovery_reservations (bsc#1158930)
  * new OSD daemon command dump_scrub_reservations (bsc#1158931)
  * RGW now supports S3 Object Lock set of APIs (bsc#1158932)
  * RGW now supports List Objects V2 (bsc#1158933)
  * mon: keep v1 address type when explicitly (bsc#1140879)
  * doc: mention --namespace option in rados manpage (bsc#1157611)
  * mgr/dashboard: Remove env_build from e2e:ci
  * ceph-volume: check if we run in an selinux environment
  * qa/dashboard_e2e_tests.sh: Automatically use correct chromedriver version (bsc#1155950)
  * rebase on tip of upstream nautilus, SHA1 9989c20373e2294b7479ec4bd6ac5cce80b01645
  * rgw: add S3 object lock feature to support object worm (jsc#SES-582)
  * os/bluestore: apply garbage collection against excessive blob count growth (bsc#1124556)
  * doc: update bluestore cache settings and clarify data fraction (bsc#1131817)
  * mgr/dashboard: Allow the decrease of pg's of an existing pool (bsc#1132337)
  * core: Improve health status for backfill_toofull and recovery_toofull and fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1134365)
  * mgr/dashboard: Set RO as the default access_type for RGW NFS exports (bsc#1137227)
  * mgr/dashboard: Allow disabling redirection on standby Dashboards (bsc#1140504)
  * rgw: dns name is not case sensitive (bsc#1141203)
  * os/bluestore: shallow fsck mode and legacy statfs auto repair (bsc#1145571)
  * mgr/dashboard: Display WWN and LUN number in iSCSI target details (bsc#1145756)
  * mgr/dashboard: access_control: add grafana scope read access to *-manager roles (bsc#1148360)
  * mgr/dashboard: internationalization support with AOT enabled (bsc#1148498)
  * mgr/dashboard: Fix data point alignment in MDS counters chart (bsc#1153876)
  * mgr/balancer: python3 compatibility issue (bsc#1154230)
  * mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking (bsc#1155045)
  * mgr/{dashboard,prometheus}: return FQDN instead of '0.0.0.0' (bsc#1155463)
  * core: Improve health status for backfill_toofull and recovery_toofull and fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1155655)
  * mon: ensure prepare_failure() marks no_reply on op (bsc#1156571)
  * mgr/dashboard: Automatically use correct chromedriver version
  + Revert 'rgw_file: introduce fast S3 Unix stats (immutable)' because it is incompatible with NFS-Ganesha 2.8
  * include hotfix from upstream v14.2.6 release (bsc#1160920):
    * mon/PGMap.h: disable network stats in dump_osd_stats
    * osd_stat_t::dump: Add option for ceph-mgr python callers to skip ping network
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released:    Fri Jan 24 06:49:07 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore.
  (bsc#1158830)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released:    Wed Jan 29 09:39:17 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1157794,1160970
This update for aaa_base fixes the following issues:

- Improves the way the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released:    Thu Jan 30 11:02:42 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released:    Thu Jan 30 14:05:34 2020
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released:    Fri Jan 31 12:01:39 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1013125
This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:296-1
Released:    Fri Jan 31 17:23:43 2020
Summary:     Security update for ceph
Type:        security
Severity:    moderate
References:  1161074,1161312,CVE-2020-1699,CVE-2020-1700
This update for ceph fixes the following issues:

- CVE-2020-1700: Fixed a denial of service against the RGW server via connection leakage (bsc#1161312).
- CVE-2020-1699: Fixed an information disclosure by improper URL checking (bsc#1161074).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released:    Thu Feb 6 11:37:24 2020
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108): Fixed a heap use-after-free vulnerability when asynchronous Polkit queries were performed while handling D-Bus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges by sending specially crafted D-Bus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger???
  (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released:    Thu Feb 6 13:03:22 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1158921
This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released:    Thu Feb 6 13:03:56 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1161770
This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released:    Fri Feb 7 13:49:41 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1150021
This update for lvm2 fixes the following issues:

- Fix for LVM in KVM: The scsi persistent reservation scenario can trigger an error during LVM actions. (bsc#1150021)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:386-1
Released:    Mon Feb 17 11:41:23 2020
Summary:     Skuba bug fix, supportconfig update, cri-o and kubernetes fixes, and prometheus fixes
Type:        recommended
Severity:    important
References:  1137337,1152335,1155323,1155593,1155810,1157802,1159074,1159452,1160443,1160600,1161056,1161179,1161975

= Required Actions

Update skuba, kubernetes-client and kubernetes-kubeadm packages on your management workstation as you would do with any other package.
Refer to: https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup-update

Packages on your cluster nodes (cri-o, kubernetes, supportutils-plugin-suse-caasp) will be updated automatically by skuba-update link:https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_base_os_updates

Use the `helm upgrade` command to fix the prometheus kube-state-metrics image.

Finally, to apply the prometheus pushgateway fix, enable it in your helm chart https://github.com/SUSE/kubernetes-charts-suse-com/blob/master/stable/prometheus/values.yaml#L848 and use the `helm upgrade` command link:https://helm.sh/docs/intro/using_helm/#helm-upgrade-and-helm-rollback-upgrading-a-release-and-recovering-on-failure.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released:    Fri Feb 21 14:34:16 2020
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    moderate
References:  1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes:

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released:    Tue Feb 25 10:50:35 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released:    Tue Feb 25 12:00:39 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492
This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released:    Tue Feb 25 14:23:14 2020
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1102840,1160039
This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed an issue where a malformed request header may cause a bypass of route matchers, resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stall - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. 
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:777-1 Released: Tue Mar 24 18:07:52 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1165894 This update for python3 fixes the following issue: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). 
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:850-1 Released: Thu Apr 2 14:37:31 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1155350,1155357,1155360,1166880 This update for mozilla-nss fixes the following issues: Added various fixes related to FIPS certification: * Use getrandom() to obtain entropy where possible. * Make DSA KAT FIPS compliant. * Use FIPS compliant hash when validating keypair. * Enforce FIPS requirements on RSA key generation. * Miscellaneous fixes to CAVS tests. * Enforce FIPS limits on how much data can be processed without rekeying. * Run self tests on library initialization in FIPS mode. * Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher). * Clear various temporary variables after use. * Allow MD5 to be used in TLS PRF. * Preferentially gather entropy from /dev/random over /dev/urandom. * Allow enabling FIPS mode consistently with NSS_FIPS environment variable. * Fix argument parsing bug in lowhashtest. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:930-1 Released: Mon Apr 6 20:23:10 2020 Summary: Security update for ceph Type: security Severity: important References: 1166403,1166484,CVE-2020-1759,CVE-2020-1760 This update for ceph fixes the following issues: - CVE-2020-1759: Fixed once reuse in msgr V2 secure mode (bsc#1166403) - CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:949-1 Released: Wed Apr 8 07:45:48 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1168669 This update for mozilla-nss fixes the following issues: - Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library. 
(bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted paths as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1037-1 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Type: recommended Severity: low References: 1002895,1107105,1138666,1167732 This update fixes the following issues: New python-pytest versions are provided. In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1061-1 Released: Wed Apr 22 10:45:41 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1169872 This update for mozilla-nss fixes the following issues: - This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872). - Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1069-1 Released: Wed Apr 22 16:48:00 2020 Summary: Recommended update for python-six Type: recommended Severity: moderate References: 1166139 This update for python-six fixes the following issues: - Use setuptools for building to support pip 10.x and avoid packages being uninstalled. (bsc#1166139) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1131-1 Released: Tue Apr 28 11:59:17 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1170571,1170572 This update for mozilla-nss fixes the following issues: - FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571) - FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. 
Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks. - FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests. - FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-feature-2020:1196-1 Released: Wed May 6 13:35:05 2020 Summary: Update to kubernetes 1.17, podman, cri-o and docs Type: feature Severity: moderate References: 1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173 = Required Actions == Kubernetes 1.17 In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components . Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bug. == conmon and cri-o Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates == skuba In order to update skuba, you need to update the admin workstation. 
See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation From sle-security-updates at lists.suse.com Wed May 6 14:03:25 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 May 2020 22:03:25 +0200 (CEST) Subject: SUSE-CU-2020:168-1: Security update of caasp/v4/kured Message-ID: <20200506200325.1F4F4FFEB@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/kured ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:168-1 Container Tags : caasp/v4/kured:1.3.0 , caasp/v4/kured:1.3.0-rev4 , caasp/v4/kured:1.3.0-rev4-build3.12.1 Container Release : 3.12.1 Severity : important Type : security References : 1013125 1084671 1092920 1102840 1106383 1121353 1125689 1133495 1135114 1137337 1139459 1139939 1146182 1146184 1148788 1149332 1151023 1151377 1151582 1152334 1152335 1152692 1154256 1154804 1154805 1155198 1155205 1155207 1155298 1155323 1155327 1155337 1155574 1155593 1155678 1155810 1155819 1156158 1156213 1156300 1156482 1157292 1157337 1157377 1157794 1157802 1157893 1158095 1158485 1158763 1158830 1158921 1158996 1159003 1159074 1159108 1159314 1159452 1159814 1160039 1160160 1160443 1160460 1160571 1160594 1160595 1160600 1160735 1160764 1160970 1160979 1161056 1161179 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161779 1161816 1161975 1162093 1162108 1162108 1162152 1162518 1163184 1163922 1164390 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1166106 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167631 1167674 1168076 1168345 1168364 1168699 1168835 1169569 1169992 1170173 CVE-2019-14889 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-5188 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-11501 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-8013 
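The container advisory header above (Container Advisory ID, Container Tags, Severity, References) and the "Advisory ID: ... References:" blocks that follow it are regular enough to parse mechanically, which is what a fleet owner needs when deciding whether a running image is covered. The Python below is an added example, not SUSE tooling: it parses a constructed sample in the same flattened layout as this archive page (cut down to three of the kured patches), cross-checks that every CVE a bundled patch claims is also listed in the header References, and reports which CVEs a running image reference still carries when its tag is not one of the tags the advisory names. The function names, the dataclass fields and the registry-prefix handling in _split_image are the example's own assumptions.

```python
"""Added example (not SUSE tooling): parse a flattened SUSE Container Update
Advisory and check running image references against it."""
import re
from dataclasses import dataclass

# Constructed sample in this archive's flattened layout, cut down to three of
# the kured patches.  CVE-2019-20386 is deliberately left out of the header
# References so the consistency check below has something to report.
SAMPLE = (
    "SUSE Container Update Advisory: caasp/v4/kured ------------------------ "
    "Container Advisory ID : SUSE-CU-2020:168-1 "
    "Container Tags : caasp/v4/kured:1.3.0 , caasp/v4/kured:1.3.0-rev4 , "
    "caasp/v4/kured:1.3.0-rev4-build3.12.1 Container Release : 3.12.1 "
    "Severity : important Type : security "
    "References : 1158095 1160571 1162108 CVE-2019-14889 CVE-2019-5188 "
    "CVE-2020-1712 CVE-2020-1712 ------------------------ "
    "The container caasp/v4/kured was updated. The following patches have "
    "been included in this update: ------------------------ "
    "Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 "
    "Summary: Security update for libssh Type: security Severity: important "
    "References: 1158095,CVE-2019-14889 This update for libssh fixes the "
    "following issues: - CVE-2019-14889: ... (bsc#1158095). ------------------------ "
    "Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 "
    "Summary: Security update for e2fsprogs Type: security Severity: moderate "
    "References: 1160571,CVE-2019-5188 ... (bsc#1160571). ------------------------ "
    "Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 "
    "Summary: Security update for systemd Type: security Severity: important "
    "References: 1162108,CVE-2019-20386,CVE-2020-1712 ... (bsc#1162108). "
)

HEADER_KEYS = ("Container Advisory ID", "Container Tags", "Container Release",
               "Severity", "Type", "References")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BUG_RE = re.compile(r"(?<![\w-])\d{6,7}\b")   # bsc numbers, not CVE suffixes
PATCH_RE = re.compile(
    r"(?<!Container )Advisory ID\s*:\s*(?P<id>\S+)\s+Released:\s*(?P<released>.+?)\s+"
    r"Summary:\s*(?P<summary>.+?)\s+Type:\s*(?P<type>\S+)\s+"
    r"Severity:\s*(?P<severity>\S+)\s+References:\s*(?P<refs>\S+)", re.S)


@dataclass
class ContainerAdvisory:
    advisory_id: str
    tags: list
    release: str
    severity: str
    cves: set
    bugs: set


def _header_field(text, key):
    """Value of 'Key : value' in the flattened header: it runs until the next
    known key, a dashed separator, or the end of the text."""
    stop = "|".join(re.escape(k) for k in HEADER_KEYS if k != key)
    pat = re.escape(key) + r"\s*:\s*(.*?)\s*(?=(?:" + stop + r")\s*:|-{5,}|\Z)"
    m = re.search(pat, text, re.S)
    return m.group(1).strip() if m else ""


def parse_container_advisory(text):
    refs = _header_field(text, "References")
    tags = _header_field(text, "Container Tags")
    return ContainerAdvisory(
        advisory_id=_header_field(text, "Container Advisory ID"),
        tags=[t.strip() for t in tags.split(",") if t.strip()],
        release=_header_field(text, "Container Release"),
        severity=_header_field(text, "Severity"),
        cves=set(CVE_RE.findall(refs)),
        bugs=set(BUG_RE.findall(refs)))


def parse_patches(text):
    """One dict per bundled 'Advisory ID:' block, with its CVE and bug sets."""
    return [dict(id=m["id"], released=m["released"], summary=m["summary"],
                 type=m["type"], severity=m["severity"],
                 cves=set(CVE_RE.findall(m["refs"])),
                 bugs=set(BUG_RE.findall(m["refs"])))
            for m in PATCH_RE.finditer(text)]


def cves_missing_from_header(adv, patches):
    """CVEs a bundled patch claims to fix that the header References omit;
    anything returned is a listing inconsistency worth querying."""
    claimed = set().union(*(p["cves"] for p in patches)) if patches else set()
    return claimed - adv.cves


def _split_image(ref):
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0]):
        parts = parts[1:]              # assumption: a registry host has a dot or port
    name = "/".join(parts)
    repo, sep, tag = name.rpartition(":")
    return (name, "latest") if not sep or "/" in tag else (repo, tag)


def unpatched_cves(running_image, adv):
    """The advisory's tags are the images that carry the fixes, so an image
    from the same repository on any other tag still carries every listed CVE."""
    repo, tag = _split_image(running_image)
    fixed = {_split_image(t) for t in adv.tags}
    if (repo, tag) in fixed:
        return set()
    if any(r == repo for r, _ in fixed):
        return set(adv.cves)
    return set()                       # advisory is about a different image


if __name__ == "__main__":
    adv = parse_container_advisory(SAMPLE)
    patches = parse_patches(SAMPLE)
    print(adv.advisory_id, adv.severity, sorted(adv.cves))
    print("claimed by patches, absent from header:",
          sorted(cves_missing_from_header(adv, patches)))
    for image in ("registry.suse.com/caasp/v4/kured:1.3.0-rev3",
                  "caasp/v4/kured:1.3.0-rev4"):
        print(image, "->", sorted(unpatched_cves(image, adv)) or "covered")
```

Feed the full text of one archive message to parse_container_advisory and parse_patches, and the list of image references from your cluster to unpatched_cves; a floating tag such as caasp/v4/kured:1.3.0 counts as covered only because the advisory names it, so pin to the rev or build tag if you want the check to stay meaningful after the floating tag moves again.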
----------------------------------------------------------------- The container caasp/v4/kured was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). 
Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. 
(bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger... (bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due 
to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:386-1 Released: Mon Feb 17 11:41:23 2020 Summary: Skuba bug fix, supportconfig update, cri-o and kubernetes fixes, and prometheus fixes Type: recommended Severity: important References: 1137337,1152335,1155323,1155593,1155810,1157802,1159074,1159452,1160443,1160600,1161056,1161179,1161975 = Required Actions Update skuba, kubernetes-client and kubernetes-kubeadm packages on your management workstation as you would do with any other package. Refer to: https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup-update Packages on your cluster nodes (cri-o, kubernetes, supportutils-plugin-suse-caasp) will be updated automatically by skuba-update link:https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_base_os_updates Use `helm upgrade` command to fix prometheus kube-state-metrics image. Finally, to apply the prometheus pushgateway fix, enable it in your helm chart https://github.com/SUSE/kubernetes-charts-suse-com/blob/master/stable/prometheus/values.yaml#L848 and use helm upgrade command link:https://helm.sh/docs/intro/using_helm/#helm-upgrade-and-helm-rollback-upgrading-a-release-and-recovering-on-failure. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900

This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed an assert cookie file that was world readable (bsc#1158763).

Bug fixes:

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML: add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220

This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039

This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update solves the issues caused by calling the perl function timelocal with the year expressed in two digits only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735

This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority of ethernet over wifi. (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013

This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:
- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:
- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow of an on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread locks were not always taken correctly (bsc#1164505).
- Document mprotect and introduce a section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time.
  (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released: Thu Mar 19 13:23:03 2020
Summary: Security update for nghttp2
Type: security
Severity: moderate
References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513

This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed an HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed an issue where a malformed request header may cause a bypass of route matchers, resulting in escalation of privileges or information disclosure (bsc#1159003)

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)

Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481)
  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
  * build: Avoid filename collision of static and dynamic lib
  * build: Add new flag ENABLE_STATIC_CRT for Windows
  * build: cmake: Support building nghttpx with systemd
  * third-party: Update neverbleed to fix memory leak
  * nghttpx: Fix bug that mruby is incorrectly shared between backends
  * nghttpx: Reconnect h1 backend if it lost connection before sending headers
  * nghttpx: Returns 408 if backend timed out before sending headers
  * nghttpx: Fix request stall

- Conditionally remove dependency on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689

Update to version 1.39.2 (bsc#1146184, bsc#1146182):
  * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.
  * Add nghttp2_option_set_max_outbound_ack API function
  * nghttpx: Fix request stall

Update to version 1.39.1:
  * This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend.

Changes for version 1.39.0:
  * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.
  * mruby has been upgraded to 2.0.1.
  * libnghttp2-asio now supports boost-1.70.
  * http-parser has been replaced with llhttp.
  * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules:
- This rules file, which selects the default IO scheduler for SSDs, is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package (bsc#1162152)

xmlsec1 was updated to 1.2.28:
  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added continuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).
- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:
  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:
  * Updated the English dictionaries: GB+US+CA+AU
  * Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:
- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163

This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test.
  (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released: Mon Apr 13 15:43:44 2020
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1156300

This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released: Fri Apr 17 16:14:43 2020
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1159314

This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:
- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted paths as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released: Tue Apr 21 10:33:06 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1168835

This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569

This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released: Fri Apr 24 16:31:01 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1169992

This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076

This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:1196-1
Released: Wed May 6 13:35:05 2020
Summary: Update to kubernetes 1.17, podman, cri-o and docs
Type: feature
Severity: moderate
References: 1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173

= Required Actions

== Kubernetes 1.17

In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components . Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bug.

== conmon and cri-o

Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates

== skuba

In order to update skuba, you need to update the admin workstation.
See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation

From sle-security-updates at lists.suse.com Wed May 6 16:16:40 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 00:16:40 +0200 (CEST)
Subject: SUSE-SU-2020:1208-1: important: Security update for libvirt
Message-ID: <20200506221640.54FDEFFEB@maintenance.suse.de>

SUSE Security Update: Security update for libvirt
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1208-1
Rating: important
References: #1145774 #1151850 #1152649 #1154093 #1157490 #1161883 #1162160 #1167007 #1168683 #1170765
Cross-References: CVE-2020-10703 CVE-2020-12430
Affected Products:
  SUSE Linux Enterprise Module for Server Applications 15-SP1
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that solves two vulnerabilities and has 8 fixes is now available.

Description:

This update for libvirt fixes the following issues:

Security issues fixed:

- CVE-2020-10703: Fixed a daemon crash caused by pools without target paths (bsc#1168683).
- CVE-2020-12430: Fixed a memory leak in qemuDomainGetStatsIOThread (bsc#1170765).

Non-security issues fixed:

- Support setting credit2 scheduler parameters for xen (bsc#1162160).
- Add SLE 15 and SLE 12 service packs support to 'libvirtd' (bsc#1154093).
- Add support for booting from 'vfio-ccw' and 'mdev' devices (jsc#SLE-5826, FATE#327355, bsc#1152649).
- Fix lock manager lock ordering (bsc#1145774).
- Do not define known no-op features. (bsc#1151850).
- Enable use of newer libxl APIs for retrieving memory statistics (bsc#1157490, bsc#1167007).
- Create multipath targets for qemu PR (bsc#1161883).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1208=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1208=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1208=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
  libvirt-5.1.0-8.16.1
  libvirt-admin-5.1.0-8.16.1
  libvirt-admin-debuginfo-5.1.0-8.16.1
  libvirt-client-5.1.0-8.16.1
  libvirt-client-debuginfo-5.1.0-8.16.1
  libvirt-daemon-5.1.0-8.16.1
  libvirt-daemon-config-network-5.1.0-8.16.1
  libvirt-daemon-config-nwfilter-5.1.0-8.16.1
  libvirt-daemon-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-interface-5.1.0-8.16.1
  libvirt-daemon-driver-interface-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-lxc-5.1.0-8.16.1
  libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-network-5.1.0-8.16.1
  libvirt-daemon-driver-network-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-nodedev-5.1.0-8.16.1
  libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-nwfilter-5.1.0-8.16.1
  libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-qemu-5.1.0-8.16.1
  libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-secret-5.1.0-8.16.1
  libvirt-daemon-driver-secret-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-storage-5.1.0-8.16.1
  libvirt-daemon-driver-storage-core-5.1.0-8.16.1
  libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-storage-disk-5.1.0-8.16.1
  libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-storage-iscsi-5.1.0-8.16.1
  libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-storage-logical-5.1.0-8.16.1
  libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-storage-mpath-5.1.0-8.16.1
  libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.16.1
  libvirt-daemon-driver-storage-scsi-5.1.0-8.16.1
  libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.16.1
  libvirt-daemon-hooks-5.1.0-8.16.1
  libvirt-daemon-lxc-5.1.0-8.16.1
  libvirt-daemon-qemu-5.1.0-8.16.1
  libvirt-debugsource-5.1.0-8.16.1
  libvirt-devel-5.1.0-8.16.1
  libvirt-lock-sanlock-5.1.0-8.16.1
  libvirt-lock-sanlock-debuginfo-5.1.0-8.16.1
  libvirt-nss-5.1.0-8.16.1
  libvirt-nss-debuginfo-5.1.0-8.16.1

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 x86_64):
  libvirt-daemon-driver-storage-rbd-5.1.0-8.16.1
  libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.16.1

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):
  libvirt-bash-completion-5.1.0-8.16.1
  libvirt-doc-5.1.0-8.16.1

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64):
  libvirt-daemon-driver-libxl-5.1.0-8.16.1
  libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.16.1
  libvirt-daemon-xen-5.1.0-8.16.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  libvirt-debugsource-5.1.0-8.16.1
  wireshark-plugin-libvirt-5.1.0-8.16.1
  wireshark-plugin-libvirt-debuginfo-5.1.0-8.16.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
  libvirt-devel-32bit-5.1.0-8.16.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  libvirt-debugsource-5.1.0-8.16.1
  libvirt-libs-5.1.0-8.16.1
  libvirt-libs-debuginfo-5.1.0-8.16.1

References:

https://www.suse.com/security/cve/CVE-2020-10703.html
https://www.suse.com/security/cve/CVE-2020-12430.html
https://bugzilla.suse.com/1145774
https://bugzilla.suse.com/1151850
https://bugzilla.suse.com/1152649
https://bugzilla.suse.com/1154093
https://bugzilla.suse.com/1157490
https://bugzilla.suse.com/1161883
https://bugzilla.suse.com/1162160
https://bugzilla.suse.com/1167007
https://bugzilla.suse.com/1168683
https://bugzilla.suse.com/1170765

From sle-security-updates at lists.suse.com Thu May 7 07:20:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 15:20:08 +0200 (CEST)
Subject: SUSE-SU-2020:1213-1: moderate: Security update for rmt-server
Message-ID: <20200507132008.78B8CFE29@maintenance.suse.de>

SUSE Security Update: Security update for rmt-server
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1213-1
Rating: moderate
References: #1165548
Affected Products:
  SUSE Linux Enterprise Module for Server Applications 15-SP1
  SUSE Linux Enterprise Module for Public Cloud 15-SP1
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for rmt-server to version 2.5.7 fixes the following issues:

- Fixed a local denial of service (bsc#1165548).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1213=1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1213=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): rmt-server-2.5.7-3.15.1 rmt-server-config-2.5.7-3.15.1 rmt-server-debuginfo-2.5.7-3.15.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64): rmt-server-debuginfo-2.5.7-3.15.1 rmt-server-pubcloud-2.5.7-3.15.1 References: https://bugzilla.suse.com/1165548 From sle-security-updates at lists.suse.com Thu May 7 07:23:05 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 7 May 2020 15:23:05 +0200 (CEST) Subject: SUSE-SU-2020:1210-1: important: Security update for openldap2 Message-ID: <20200507132305.09181FE29@maintenance.suse.de> SUSE Security Update: Security update for openldap2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1210-1 Rating: important References: #1143194 #1143273 #1170771 Cross-References: CVE-2019-13057 CVE-2019-13565 CVE-2020-12243 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Module for Legacy Software 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). 
   - CVE-2019-13565: Fixed an authentication bypass caused by incorrect
     authorization of another connection, granting excess connection rights
     (bsc#1143194).
   - CVE-2019-13057: Fixed an issue with improper authorization with delegated
     database admin privileges (bsc#1143273).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP5:
      zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-1210=1
   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-1210=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1210=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1210=1
   - SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1210=1
   - SUSE Linux Enterprise Server 12-SP1-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1210=1
   - SUSE Linux Enterprise Module for Legacy Software 12:
      zypper in -t patch SUSE-SLE-Module-Legacy-12-2020-1210=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP5 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-18.24.17.1
      compat-libldap-2_3-0-debuginfo-2.3.37-18.24.17.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-18.24.17.1
      compat-libldap-2_3-0-debuginfo-2.3.37-18.24.17.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-18.24.17.1
      compat-libldap-2_3-0-debuginfo-2.3.37-18.24.17.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-18.24.17.1
      compat-libldap-2_3-0-debuginfo-2.3.37-18.24.17.1
   - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-18.24.17.1
      compat-libldap-2_3-0-debuginfo-2.3.37-18.24.17.1
   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      libldap-2_4-2-2.4.41-18.24.17.1
      libldap-2_4-2-32bit-2.4.41-18.24.17.1
      libldap-2_4-2-debuginfo-2.4.41-18.24.17.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.24.17.1
      openldap2-2.4.41-18.24.17.1
      openldap2-back-meta-2.4.41-18.24.17.1
      openldap2-back-meta-debuginfo-2.4.41-18.24.17.1
      openldap2-client-2.4.41-18.24.17.1
      openldap2-client-debuginfo-2.4.41-18.24.17.1
      openldap2-client-debugsource-2.4.41-18.24.17.1
      openldap2-debuginfo-2.4.41-18.24.17.1
      openldap2-debugsource-2.4.41-18.24.17.1
   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
      libldap-2_4-2-2.4.41-18.24.17.1
      libldap-2_4-2-debuginfo-2.4.41-18.24.17.1
      openldap2-2.4.41-18.24.17.1
      openldap2-back-meta-2.4.41-18.24.17.1
      openldap2-back-meta-debuginfo-2.4.41-18.24.17.1
      openldap2-client-2.4.41-18.24.17.1
      openldap2-client-debuginfo-2.4.41-18.24.17.1
      openldap2-client-debugsource-2.4.41-18.24.17.1
      openldap2-debuginfo-2.4.41-18.24.17.1
      openldap2-debugsource-2.4.41-18.24.17.1
   - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64):
      libldap-2_4-2-32bit-2.4.41-18.24.17.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.24.17.1
   - SUSE Linux Enterprise Module for Legacy Software 12 (aarch64 ppc64le s390x x86_64):
      compat-libldap-2_3-0-2.3.37-18.24.17.1
      compat-libldap-2_3-0-debuginfo-2.3.37-18.24.17.1

References:

   https://www.suse.com/security/cve/CVE-2019-13057.html
   https://www.suse.com/security/cve/CVE-2019-13565.html
   https://www.suse.com/security/cve/CVE-2020-12243.html
   https://bugzilla.suse.com/1143194
   https://bugzilla.suse.com/1143273
   https://bugzilla.suse.com/1170771

From sle-security-updates at lists.suse.com Thu May 7 07:26:19 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 15:26:19 +0200 (CEST)
Subject: SUSE-SU-2020:1212-1: important: Security update for ghostscript
Message-ID: <20200507132619.B0749FE29@maintenance.suse.de>

   SUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1212-1
Rating:             important
References:         #1170603
Cross-References:   CVE-2020-12268
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for ghostscript to version 9.52 fixes the following issues:

   - CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose
     (bsc#1170603).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1212=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1212=1
   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1212=1
   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1212=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1212=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1212=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1212=1
   - SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1212=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1212=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1212=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1212=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1212=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1212=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1212=1
   - SUSE Linux Enterprise Server 12-SP1-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1212=1
   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-1212=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2020-1212=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE OpenStack Cloud 8 (x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE OpenStack Cloud 7 (s390x x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-devel-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre-devel-0.2.7-12.10.1
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-devel-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre-devel-0.2.7-12.10.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1
   - HPE Helion Openstack 8 (x86_64):
      ghostscript-9.52-23.34.1
      ghostscript-debuginfo-9.52-23.34.1
      ghostscript-debugsource-9.52-23.34.1
      ghostscript-x11-9.52-23.34.1
      ghostscript-x11-debuginfo-9.52-23.34.1
      libspectre-debugsource-0.2.7-12.10.1
      libspectre1-0.2.7-12.10.1
      libspectre1-debuginfo-0.2.7-12.10.1

References:

   https://www.suse.com/security/cve/CVE-2020-12268.html
   https://bugzilla.suse.com/1170603

From sle-security-updates at lists.suse.com Thu May 7 07:29:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 15:29:17 +0200 (CEST)
Subject: SUSE-SU-2020:1209-1: important: Security update for MozillaFirefox
Message-ID: <20200507132917.827ACFE29@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1209-1
Rating:             important
References:         #1171186
Cross-References:   CVE-2020-12387 CVE-2020-12388 CVE-2020-12389 CVE-2020-12392
                    CVE-2020-12393 CVE-2020-12395 CVE-2020-6831
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   Update to version 68.8.0 ESR (bsc#1171186):

   - CVE-2020-12387: Use-after-free during worker shutdown
   - CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
   - CVE-2020-12389: Sandbox escape with improperly separated process types
   - CVE-2020-6831: Buffer overflow in SCTP chunk input validation
   - CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
   - CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape
     website-controlled data, potentially leading to command injection
   - CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1209=1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1209=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-branding-upstream-68.8.0-3.87.1
      MozillaFirefox-debuginfo-68.8.0-3.87.1
      MozillaFirefox-debugsource-68.8.0-3.87.1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      MozillaFirefox-buildsymbols-68.8.0-3.87.1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):
      MozillaFirefox-devel-68.8.0-3.87.1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-68.8.0-3.87.1
      MozillaFirefox-debuginfo-68.8.0-3.87.1
      MozillaFirefox-debugsource-68.8.0-3.87.1
      MozillaFirefox-translations-common-68.8.0-3.87.1
      MozillaFirefox-translations-other-68.8.0-3.87.1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64):
      MozillaFirefox-devel-68.8.0-3.87.1

References:

   https://www.suse.com/security/cve/CVE-2020-12387.html
   https://www.suse.com/security/cve/CVE-2020-12388.html
   https://www.suse.com/security/cve/CVE-2020-12389.html
   https://www.suse.com/security/cve/CVE-2020-12392.html
   https://www.suse.com/security/cve/CVE-2020-12393.html
   https://www.suse.com/security/cve/CVE-2020-12395.html
   https://www.suse.com/security/cve/CVE-2020-6831.html
   https://bugzilla.suse.com/1171186

From sle-security-updates at lists.suse.com Thu May 7 07:32:16 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 15:32:16 +0200 (CEST)
Subject: SUSE-SU-2020:1211-1: important: Security update for webkit2gtk3
Message-ID: <20200507133216.0FA69FE29@maintenance.suse.de>

   SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1211-1
Rating:             important
References:         #1170643
Cross-References:   CVE-2020-3899
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for webkit2gtk3 fixes the following issues:

   Security issue fixed:

   - CVE-2020-3899: Fixed a memory consumption issue that could have led to
     remote code execution (bsc#1170643).

   Non-security issues fixed:

   - Update to version 2.28.2 (bsc#1170643):
     + Fix excessive CPU usage due to GdkFrameClock not being stopped.
     + Fix UI process crash when EGL_WL_bind_wayland_display extension is not
       available.
     + Fix position of select popup menus in X11.
     + Fix playing of Youtube 'live stream'/H264 URLs.
     + Fix a crash under X11 when cairo uses xcb.
     + Fix the build in MIPS64.
     + Fix several crashes and rendering issues.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1211=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1211=1
   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1211=1
   - SUSE Linux Enterprise Workstation Extension 12-SP4:
      zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1211=1
   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1211=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1211=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1211=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1211=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1211=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1211=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1211=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1211=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1211=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1211=1
   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-1211=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2020-1211=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE OpenStack Cloud Crowbar 8 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE OpenStack Cloud 8 (x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE OpenStack Cloud 8 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE OpenStack Cloud 7 (s390x x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
      webkit2gtk3-devel-2.28.2-2.53.2
   - SUSE OpenStack Cloud 7 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Workstation Extension 12-SP4 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
      webkit2gtk3-devel-2.28.2-2.53.2
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
      webkit2gtk3-devel-2.28.2-2.53.2
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
      webkit2gtk3-devel-2.28.2-2.53.2
   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP5 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP4 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
      webkit2gtk3-devel-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2WebExtension-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
      webkit2gtk3-devel-2.28.2-2.53.2
   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - SUSE Enterprise Storage 5 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2
   - HPE Helion Openstack 8 (x86_64):
      libjavascriptcoregtk-4_0-18-2.28.2-2.53.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-2.28.2-2.53.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.2-2.53.2
      typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53.2
      typelib-1_0-WebKit2-4_0-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-2.28.2-2.53.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.2-2.53.2
      webkit2gtk3-debugsource-2.28.2-2.53.2
   - HPE Helion Openstack 8 (noarch):
      libwebkit2gtk3-lang-2.28.2-2.53.2

References:

   https://www.suse.com/security/cve/CVE-2020-3899.html
   https://bugzilla.suse.com/1170643

From sle-security-updates at lists.suse.com Thu May 7 07:35:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 15:35:22 +0200 (CEST)
Subject: SUSE-SU-2020:14358-1: important: Security update for openldap2
Message-ID: <20200507133522.2DDADFE29@maintenance.suse.de>

   SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14358-1
Rating:             important
References:         #1170771
Cross-References:   CVE-2020-12243
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Server 11-SECURITY
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for openldap2 fixes the following issues:

   - CVE-2020-12243: Fixed a denial of service related to recursive filters
     (bsc#1170771).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
      zypper in -t patch slessp4-openldap2-14358=1
   - SUSE Linux Enterprise Server 11-SECURITY:
      zypper in -t patch secsp3-openldap2-14358=1
   - SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-openldap2-14358=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-openldap2-14358=1
   - SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-openldap2-14358=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
      compat-libldap-2_3-0-2.3.37-2.74.9.1
      libldap-2_4-2-2.4.26-0.74.9.1
      openldap2-2.4.26-0.74.9.1
      openldap2-back-meta-2.4.26-0.74.9.1
      openldap2-client-2.4.26-0.74.9.1
   - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
      libldap-2_4-2-32bit-2.4.26-0.74.9.1
   - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):
      libldap-openssl1-2_4-2-2.4.26-0.74.9.1
      openldap2-client-openssl1-2.4.26-0.74.9.1
      openldap2-openssl1-2.4.26-0.74.9.1
   - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):
      libldap-openssl1-2_4-2-32bit-2.4.26-0.74.9.1
   - SUSE Linux Enterprise Server 11-SECURITY (ia64):
      libldap-openssl1-2_4-2-x86-2.4.26-0.74.9.1
   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      compat-libldap-2_3-0-2.3.37-2.74.9.1
      libldap-2_4-2-2.4.26-0.74.9.1
      openldap2-2.4.26-0.74.9.1
      openldap2-back-meta-2.4.26-0.74.9.1
      openldap2-client-2.4.26-0.74.9.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
      openldap2-client-debuginfo-2.4.26-0.74.9.1
      openldap2-client-debugsource-2.4.26-0.74.9.1
      openldap2-debuginfo-2.4.26-0.74.9.1
      openldap2-debugsource-2.4.26-0.74.9.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      openldap2-client-debuginfo-2.4.26-0.74.9.1
      openldap2-client-debugsource-2.4.26-0.74.9.1
      openldap2-client-openssl1-debuginfo-2.4.26-0.74.9.1
      openldap2-client-openssl1-debugsource-2.4.26-0.74.9.1
      openldap2-debuginfo-2.4.26-0.74.9.1
      openldap2-debugsource-2.4.26-0.74.9.1

References:

   https://www.suse.com/security/cve/CVE-2020-12243.html
   https://bugzilla.suse.com/1170771

From sle-security-updates at lists.suse.com Thu May 7 13:22:07 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 21:22:07 +0200 (CEST)
Subject: SUSE-SU-2020:1220-1: important: Security update for ghostscript
Message-ID: <20200507192207.D5694FFE8@maintenance.suse.de>

   SUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1220-1
Rating:             important
References:         #1170603
Cross-References:   CVE-2020-12268
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for ghostscript to version 9.52 fixes the following issues:

   - CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose
     (bsc#1170603).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1220=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1220=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1220=1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1220=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1220=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1220=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1220=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      ghostscript-9.52-3.27.2
      ghostscript-debuginfo-9.52-3.27.2
      ghostscript-debugsource-9.52-3.27.2
      ghostscript-devel-9.52-3.27.2
      ghostscript-x11-9.52-3.27.2
      ghostscript-x11-debuginfo-9.52-3.27.2
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      ghostscript-9.52-3.27.2
      ghostscript-debuginfo-9.52-3.27.2
      ghostscript-debugsource-9.52-3.27.2
      ghostscript-devel-9.52-3.27.2
      ghostscript-x11-9.52-3.27.2
      ghostscript-x11-debuginfo-9.52-3.27.2
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      ghostscript-mini-9.52-3.27.1
      ghostscript-mini-debuginfo-9.52-3.27.1
      ghostscript-mini-debugsource-9.52-3.27.1
      ghostscript-mini-devel-9.52-3.27.1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
      libspectre-debugsource-0.2.8-3.10.1
      libspectre-devel-0.2.8-3.10.1
      libspectre1-0.2.8-3.10.1
      libspectre1-debuginfo-0.2.8-3.10.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      ghostscript-9.52-3.27.2
    ghostscript-debuginfo-9.52-3.27.2
    ghostscript-debugsource-9.52-3.27.2
    ghostscript-devel-9.52-3.27.2
    ghostscript-x11-9.52-3.27.2
    ghostscript-x11-debuginfo-9.52-3.27.2

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

    ghostscript-9.52-3.27.2
    ghostscript-debuginfo-9.52-3.27.2
    ghostscript-debugsource-9.52-3.27.2
    ghostscript-devel-9.52-3.27.2
    ghostscript-x11-9.52-3.27.2
    ghostscript-x11-debuginfo-9.52-3.27.2

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

    ghostscript-9.52-3.27.2
    ghostscript-debuginfo-9.52-3.27.2
    ghostscript-debugsource-9.52-3.27.2
    ghostscript-devel-9.52-3.27.2
    ghostscript-x11-9.52-3.27.2
    ghostscript-x11-debuginfo-9.52-3.27.2

References:

https://www.suse.com/security/cve/CVE-2020-12268.html
https://bugzilla.suse.com/1170603

From sle-security-updates at lists.suse.com Thu May 7 13:25:10 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 21:25:10 +0200 (CEST)
Subject: SUSE-SU-2020:1218-1: important: Security update for MozillaFirefox
Message-ID: <20200507192510.679D4FFE8@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1218-1
Rating:             important
References:         #1171186
Cross-References:   CVE-2020-12387 CVE-2020-12388 CVE-2020-12389 CVE-2020-12392
                    CVE-2020-12393 CVE-2020-12395 CVE-2020-6831
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

Update to version 68.8.0 ESR (bsc#1171186):

- CVE-2020-12387: Use-after-free during worker shutdown
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389: Sandbox escape with improperly separated process types
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
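The CVE-2020-12393 item above is one instance of a general hazard: a tool renders website-controlled request data (URL, header names and values, body) into a shell command line that the user will paste. The Python below is an added illustration of that hazard and of the correct quoting rule; it is not Firefox's or SUSE's code, and the request it renders is constructed, with the X-Trace header standing in for the site-chosen part. It shows why double quotes are not an escape for sh (command substitution still runs inside them), renders the same request with POSIX single-quote quoting, and then feeds both lines to a real sh with curl shadowed by a function, so the difference is observed rather than asserted.

```python
"""Quoting website-controlled request data into a pasteable curl line.

Added illustration, not Firefox's or SUSE's code; SAMPLE_REQUEST is
constructed and its X-Trace header is the attacker-chosen part.
"""
import shlex
import shutil
import subprocess

SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://example.invalid/api?q=1",
    "headers": {
        "Content-Type": "application/json",
        "X-Trace": "it's $(echo INJECTED)",   # site-controlled value
    },
    "body": '{"k":"v"}',
}


def naive_quote(s):
    """Wrong: double quotes stop word splitting only. sh still performs
    $(...), `...` and $VAR expansion inside them, so site data runs code."""
    return '"' + s.replace('"', '\\"') + '"'


def sh_quote(s):
    """Right for POSIX sh: nothing is expanded inside single quotes; an
    embedded ' is written as '\\'' (close, backslash-quote, reopen).
    shlex.quote applies the same rule with a different spelling."""
    if s == "":
        return "''"
    return "'" + s.replace("'", "'\\''") + "'"


def build_curl(req, quote=sh_quote):
    """Render req as one curl command line, quoting every field with quote()."""
    parts = ["curl", "-X", quote(req["method"]), quote(req["url"])]
    for name, value in req["headers"].items():
        parts += ["-H", quote(f"{name}: {value}")]
    if req.get("body") is not None:
        parts += ["--data-raw", quote(req["body"])]
    return " ".join(parts)


def words(cmd):
    """Split cmd into words as a POSIX shell would, with no expansion."""
    return shlex.split(cmd)


def argv_seen_by_sh(cmd):
    """Run cmd under a real sh with curl shadowed by a function that prints
    its arguments one per line: the argv curl would really receive, after
    the shell's expansions. Returns None when no sh is available."""
    if shutil.which("sh") is None:
        return None
    script = "curl() { printf '%s\\n' \"$@\"; }\n" + cmd
    res = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
    return res.stdout.splitlines()


def injection_demo():
    """The X-Trace header as curl receives it under each quoting scheme."""
    naive = argv_seen_by_sh(build_curl(SAMPLE_REQUEST, naive_quote))
    safe = argv_seen_by_sh(build_curl(SAMPLE_REQUEST, sh_quote))
    if naive is None or safe is None:
        return None
    pick = lambda argv: next(a for a in argv if a.startswith("X-Trace: "))
    return {"naive": pick(naive), "safe": pick(safe)}


if __name__ == "__main__":
    print(build_curl(SAMPLE_REQUEST, naive_quote))
    print(build_curl(SAMPLE_REQUEST, sh_quote))
    print(injection_demo())
```

With the naive rendering the shell hands curl the header "X-Trace: it's INJECTED", because "$(echo INJECTED)" was executed on the way; with single-quote quoting curl receives the literal text. shlex.quote would serve the same purpose in real code; the hand-written version only makes the rule visible. The rule is specific to POSIX sh: a line meant for PowerShell or cmd.exe needs that target's quoting, and a single-quoted POSIX rendering is not safe there.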
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1218=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1218=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1218=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1218=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1218=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1218=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1218=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1218=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1218=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1218=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1218=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1218=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1218=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1218=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1218=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1218=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1218=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE OpenStack Cloud 8 (x86_64): MozillaFirefox-68.8.0-109.119.1 
MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE OpenStack Cloud 7 (s390x x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 
MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-devel-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-68.8.0-109.119.1 MozillaFirefox-debuginfo-68.8.0-109.119.1 MozillaFirefox-debugsource-68.8.0-109.119.1 MozillaFirefox-translations-common-68.8.0-109.119.1 References: https://www.suse.com/security/cve/CVE-2020-12387.html https://www.suse.com/security/cve/CVE-2020-12388.html https://www.suse.com/security/cve/CVE-2020-12389.html 
https://www.suse.com/security/cve/CVE-2020-12392.html
https://www.suse.com/security/cve/CVE-2020-12393.html
https://www.suse.com/security/cve/CVE-2020-12395.html
https://www.suse.com/security/cve/CVE-2020-6831.html
https://bugzilla.suse.com/1171186

From sle-security-updates at lists.suse.com Thu May 7 13:28:12 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 21:28:12 +0200 (CEST)
Subject: SUSE-SU-2020:1221-1: moderate: Security update for syslog-ng
Message-ID: <20200507192812.2CD31FFE8@maintenance.suse.de>

SUSE Security Update: Security update for syslog-ng
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1221-1
Rating:             moderate
References:         #1169385
Cross-References:   CVE-2020-8019
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

This update for syslog-ng fixes the following issues:

- CVE-2020-8019: Fixed a local privilege escalation during package update (bsc#1169385).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP1:
    zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1221=1
- SUSE Linux Enterprise Module for Legacy Software 12:
    zypper in -t patch SUSE-SLE-Module-Legacy-12-2020-1221=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

    syslog-ng-3.6.4-12.8.1
    syslog-ng-debuginfo-3.6.4-12.8.1
    syslog-ng-debugsource-3.6.4-12.8.1

- SUSE Linux Enterprise Module for Legacy Software 12 (aarch64 ppc64le s390x x86_64):

    syslog-ng-3.6.4-12.8.1
    syslog-ng-debuginfo-3.6.4-12.8.1
    syslog-ng-debugsource-3.6.4-12.8.1

References:

https://www.suse.com/security/cve/CVE-2020-8019.html
https://bugzilla.suse.com/1169385

From sle-security-updates at lists.suse.com Thu May 7 13:31:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 7 May 2020 21:31:08 +0200 (CEST)
Subject: SUSE-SU-2020:1219-1: important: Security update for openldap2
Message-ID: <20200507193108.8D536FFE8@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1219-1
Rating:             important
References:         #1170771
Cross-References:   CVE-2020-12243
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1219=1
- SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1219=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1219=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1219=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1219=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1219=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1219=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1219=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

    libldap-2_4-2-2.4.46-9.28.2
    libldap-2_4-2-debuginfo-2.4.46-9.28.2
    openldap2-2.4.46-9.28.2
    openldap2-back-meta-2.4.46-9.28.2
    openldap2-back-meta-debuginfo-2.4.46-9.28.2
    openldap2-back-perl-2.4.46-9.28.2
    openldap2-back-perl-debuginfo-2.4.46-9.28.2
    openldap2-client-2.4.46-9.28.2
    openldap2-client-debuginfo-2.4.46-9.28.2
    openldap2-debuginfo-2.4.46-9.28.2
    openldap2-debugsource-2.4.46-9.28.2
    openldap2-devel-2.4.46-9.28.2
    openldap2-devel-static-2.4.46-9.28.2
    openldap2-ppolicy-check-password-1.2-9.28.2
    openldap2-ppolicy-check-password-debuginfo-1.2-9.28.2

- SUSE Linux Enterprise Server for SAP 15 (x86_64):
libldap-2_4-2-32bit-2.4.46-9.28.2 libldap-2_4-2-32bit-debuginfo-2.4.46-9.28.2 openldap2-devel-32bit-2.4.46-9.28.2 - SUSE Linux Enterprise Server for SAP 15 (noarch): libldap-data-2.4.46-9.28.2 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libldap-2_4-2-2.4.46-9.28.2 libldap-2_4-2-debuginfo-2.4.46-9.28.2 openldap2-2.4.46-9.28.2 openldap2-back-meta-2.4.46-9.28.2 openldap2-back-meta-debuginfo-2.4.46-9.28.2 openldap2-back-perl-2.4.46-9.28.2 openldap2-back-perl-debuginfo-2.4.46-9.28.2 openldap2-client-2.4.46-9.28.2 openldap2-client-debuginfo-2.4.46-9.28.2 openldap2-debuginfo-2.4.46-9.28.2 openldap2-debugsource-2.4.46-9.28.2 openldap2-devel-2.4.46-9.28.2 openldap2-devel-static-2.4.46-9.28.2 openldap2-ppolicy-check-password-1.2-9.28.2 openldap2-ppolicy-check-password-debuginfo-1.2-9.28.2 - SUSE Linux Enterprise Server 15-LTSS (noarch): libldap-data-2.4.46-9.28.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): openldap2-back-sock-2.4.46-9.28.2 openldap2-back-sock-debuginfo-2.4.46-9.28.2 openldap2-back-sql-2.4.46-9.28.2 openldap2-back-sql-debuginfo-2.4.46-9.28.2 openldap2-contrib-2.4.46-9.28.2 openldap2-contrib-debuginfo-2.4.46-9.28.2 openldap2-debuginfo-2.4.46-9.28.2 openldap2-debugsource-2.4.46-9.28.2 openldap2-ppolicy-check-password-1.2-9.28.2 openldap2-ppolicy-check-password-debuginfo-1.2-9.28.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): libldap-data-2.4.46-9.28.2 openldap2-doc-2.4.46-9.28.2 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): openldap2-2.4.46-9.28.2 openldap2-back-meta-2.4.46-9.28.2 openldap2-back-meta-debuginfo-2.4.46-9.28.2 openldap2-back-perl-2.4.46-9.28.2 openldap2-back-perl-debuginfo-2.4.46-9.28.2 openldap2-debuginfo-2.4.46-9.28.2 openldap2-debugsource-2.4.46-9.28.2 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64): openldap2-debugsource-2.4.46-9.28.2 
openldap2-devel-32bit-2.4.46-9.28.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.46-9.28.2 libldap-2_4-2-debuginfo-2.4.46-9.28.2 openldap2-client-2.4.46-9.28.2 openldap2-client-debuginfo-2.4.46-9.28.2 openldap2-debuginfo-2.4.46-9.28.2 openldap2-debugsource-2.4.46-9.28.2 openldap2-devel-2.4.46-9.28.2 openldap2-devel-static-2.4.46-9.28.2 openldap2-ppolicy-check-password-1.2-9.28.2 openldap2-ppolicy-check-password-debuginfo-1.2-9.28.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libldap-2_4-2-32bit-2.4.46-9.28.2 libldap-2_4-2-32bit-debuginfo-2.4.46-9.28.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): libldap-data-2.4.46-9.28.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.28.2 libldap-2_4-2-debuginfo-2.4.46-9.28.2 openldap2-client-2.4.46-9.28.2 openldap2-client-debuginfo-2.4.46-9.28.2 openldap2-debuginfo-2.4.46-9.28.2 openldap2-debugsource-2.4.46-9.28.2 openldap2-devel-2.4.46-9.28.2 openldap2-devel-static-2.4.46-9.28.2 openldap2-ppolicy-check-password-1.2-9.28.2 openldap2-ppolicy-check-password-debuginfo-1.2-9.28.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libldap-2_4-2-32bit-2.4.46-9.28.2 libldap-2_4-2-32bit-debuginfo-2.4.46-9.28.2 openldap2-devel-32bit-2.4.46-9.28.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): libldap-data-2.4.46-9.28.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.28.2 libldap-2_4-2-debuginfo-2.4.46-9.28.2 openldap2-client-2.4.46-9.28.2 openldap2-client-debuginfo-2.4.46-9.28.2 openldap2-debuginfo-2.4.46-9.28.2 openldap2-debugsource-2.4.46-9.28.2 openldap2-devel-2.4.46-9.28.2 openldap2-devel-static-2.4.46-9.28.2 openldap2-ppolicy-check-password-1.2-9.28.2 openldap2-ppolicy-check-password-debuginfo-1.2-9.28.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): 
    libldap-data-2.4.46-9.28.2

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

    libldap-2_4-2-32bit-2.4.46-9.28.2
    libldap-2_4-2-32bit-debuginfo-2.4.46-9.28.2
    openldap2-devel-32bit-2.4.46-9.28.2

References:

https://www.suse.com/security/cve/CVE-2020-12243.html
https://bugzilla.suse.com/1170771

From sle-security-updates at lists.suse.com Fri May 8 12:10:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 May 2020 20:10:08 +0200 (CEST)
Subject: SUSE-CU-2020:169-1: Security update of suse/sle15
Message-ID: <20200508181008.386C0FE27@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:169-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.195
Container Release     : 4.22.195
Severity              : important
Type                  : security
References            : 1170771 CVE-2020-12243
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released:    Thu May 7 17:10:42 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
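The openldap2 fix carried by this container update and by SUSE-SU-2020:1219-1 (CVE-2020-12243, a denial of service related to recursive filters) concerns a recursive grammar: RFC 4515 search filters nest (&...), (|...) and (!...) to whatever depth the client chooses, and a recursive parser or evaluator spends stack in proportion. The Python below is an added illustration of the mitigation class, a nesting cap checked before each recursive step; it is not OpenLDAP's code, the filters it parses are constructed, and the tuple tree it builds is this example's own representation.

```python
"""Bounded-depth parser for LDAP search filters in RFC 4515 string form.

Added illustration for the CVE-2020-12243 entry; not OpenLDAP's code.
"""


class FilterError(ValueError):
    pass


class FilterTooDeep(FilterError):
    pass


def parse_filter(text, max_depth=None):
    """Parse text into a tuple tree. max_depth=None leaves nesting unbounded
    (kept only to show the failure mode); a server should always set it."""
    node, pos = _parse(text, 0, 1, max_depth)
    if pos != len(text):
        raise FilterError(f"trailing data at offset {pos}")
    return node


def _parse(text, pos, depth, max_depth):
    # The cap is checked before anything else, so client input can never
    # drive the recursion one level past it.
    if max_depth is not None and depth > max_depth:
        raise FilterTooDeep(f"filter nesting exceeds {max_depth}")
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in "&|":                      # (&(f1)(f2)...) and (|(f1)(f2)...)
        pos += 1
        items = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos, depth + 1, max_depth)
            items.append(child)
        if not items:
            raise FilterError("empty and/or filter")
        node = ("and" if op == "&" else "or", items)
    elif op == "!":                     # (!(f))
        child, pos = _parse(text, pos + 1, depth + 1, max_depth)
        node = ("not", child)
    else:                               # (attr=value), (attr=*), (attr>=v) ...
        end = text.find(")", pos)
        if end < 0:
            raise FilterError("unterminated simple filter")
        node = _simple(text[pos:end])
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return node, pos + 1


def _simple(item):
    for op in ("~=", ">=", "<=", "="):
        attr, sep, value = item.partition(op)
        if sep:
            if not attr:
                raise FilterError(f"missing attribute in {item!r}")
            if op == "=" and value == "*":
                return ("present", attr)
            return ("cmp", attr, op, value)
    raise FilterError(f"bad simple filter {item!r}")


def depth(node):
    """Nesting depth of a parsed tree (1 for a simple filter)."""
    if node[0] in ("and", "or"):
        return 1 + max(depth(c) for c in node[1])
    if node[0] == "not":
        return 1 + depth(node[1])
    return 1


def nested_not(n):
    """Constructed attack input: n levels of (!...) around one simple filter."""
    return "(!" * n + "(cn=x)" + ")" * n


def accepted(text, max_depth):
    """True if text parses within max_depth, False if rejected as too deep."""
    try:
        parse_filter(text, max_depth=max_depth)
        return True
    except FilterTooDeep:
        return False


def unbounded_outcome(n):
    """Without a cap the interpreter's own recursion limit trips; a C daemon
    has no such net and overruns its stack instead."""
    try:
        parse_filter(nested_not(n))
        return "parsed"
    except RecursionError:
        return "stack exhausted"


if __name__ == "__main__":
    print(parse_filter("(&(objectClass=person)(|(cn=a*)(!(uid=x))))"))
    print("cap 64, 63 nested NOTs:", accepted(nested_not(63), 64))
    print("cap 64, 64 nested NOTs:", accepted(nested_not(64), 64))
    print("no cap, 5000 nested NOTs:", unbounded_outcome(5000))
```

The cap has to be enforced at parse time, as here, not only when the filter is later evaluated against an entry: the parser itself is the first recursive consumer of the attacker's bytes. The same reasoning applies to the BER-encoded filter a real server receives over the wire, which nests in exactly the same way.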
From sle-security-updates at lists.suse.com Fri May 8 12:16:42 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 May 2020 20:16:42 +0200 (CEST)
Subject: SUSE-CU-2020:170-1: Security update of suse/sle15
Message-ID: <20200508181642.D287EFE0F@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:170-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.222
Container Release     : 6.2.222
Severity              : important
Type                  : security
References            : 1169944 1170771 CVE-2020-12243
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released:    Thu May 7 11:20:34 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released:    Thu May 7 17:10:42 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
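For the host advisory SUSE-SU-2020:1219-1 and for the two container rebuilds that carry it, the practical check is whether the installed build of each listed package is at least the fixed one; having run "zypper patch" somewhere is not the same as that being true on every host or inside every running image. The Python below is an added example, not SUSE tooling. It reimplements rpm's segment-wise version ordering, because a plain string compare ranks 9.28.10 below 9.28.2, and checks a constructed rpm -qa listing against package names and versions taken from the advisory's package list. The system names and the 9.25.1 and 9.28.10 releases are made up for the illustration.

```python
"""Check installed RPM builds against an advisory's package list.

Added example, not SUSE tooling. On a real host or inside a container the
inventory is collected with:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n'
"""
import itertools
import re

# Fixed builds, copied from the SUSE-SU-2020:1219-1 package list.
FIXED = [
    "openldap2-2.4.46-9.28.2",
    "openldap2-client-2.4.46-9.28.2",
    "libldap-2_4-2-2.4.46-9.28.2",
    "libldap-data-2.4.46-9.28.2",
]

# Constructed rpm -qa output for three systems. Release 9.25.1 (lagging)
# and 9.28.10 (newer than the fixed build) are made up for the example.
INVENTORY = {
    "host-a": "libldap-2_4-2-2.4.46-9.25.1\nopenldap2-client-2.4.46-9.25.1\nlibldap-data-2.4.46-9.25.1\n",
    "host-b": "libldap-2_4-2-2.4.46-9.28.2\nopenldap2-2.4.46-9.28.2\nopenldap2-client-2.4.46-9.28.2\n",
    "host-c": "libldap-2_4-2-2.4.46-9.28.10\nunrelated-pkg-1.0-1.1\n",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Order version/release strings as rpm does (caret handling omitted):
    split into numeric and alphabetic segments; numerics compare by value,
    alphabetics lexically, a numeric segment beats an alphabetic one, a
    longer string beats its own prefix, and '~' sorts before everything
    (so 1.0~rc1 < 1.0). Returns -1, 0 or 1."""
    if a == b:
        return 0
    for x, y in itertools.zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    return 0


def split_nvr(nvr):
    """'name-version-release' -> (name, version, release); names may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(installed_nvr, fixed_nvr):
    """True if the installed build is the fixed build or newer
    (version compared first, release only on a tie)."""
    _, iv, ir = split_nvr(installed_nvr)
    _, fv, fr = split_nvr(fixed_nvr)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0


def outstanding(inventory, fixed):
    """(system, name, installed, fixed) for every advisory package that is
    installed but still below the fixed build. A package that is not
    installed at all is not reported; the advisory does not apply there."""
    wanted = {split_nvr(p)[0]: p for p in fixed}
    gaps = []
    for system, listing in inventory.items():
        for line in listing.split():
            if line.count("-") < 2:
                continue
            name = split_nvr(line)[0]
            if name in wanted and not is_fixed(line, wanted[name]):
                gaps.append((system, name, line, wanted[name]))
    return gaps


if __name__ == "__main__":
    for gap in outstanding(INVENTORY, FIXED):
        print("%s: %s installed, %s required" % (gap[0], gap[2], gap[3]))
```

For containers the listing comes from inside the image, and the check is worth running against the image actually deployed rather than against the tag, since the tag suse/sle15:15.1 moves while suse/sle15:15.1.6.2.222 does not.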
From sle-security-updates at lists.suse.com Mon May 11 03:29:00 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 11 May 2020 11:29:00 +0200 (CEST)
Subject: SUSE-SU-2020:1227-1: important: Security update for squid
Message-ID: <20200511092900.2430CFDE6@maintenance.suse.de>

SUSE Security Update: Security update for squid
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1227-1
Rating:             important
References:         #1169659 #1170313 #1170423
Cross-References:   CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12524
                    CVE-2020-11945
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

This update for squid fixes the following issues:

- CVE-2019-12519, CVE-2019-12521: Fixed incorrect buffer handling that can result in cache poisoning, remote code execution and denial of service when processing ESI responses (bsc#1169659).
- CVE-2020-11945: Fixed a potential remote code execution vulnerability when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12520, CVE-2019-12524: Fixed a potential ACL bypass, cache bypass and cross-site scripting attack when processing invalid HTTP request messages (bsc#1170423).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1227=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1227=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1227=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1227=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1227=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1227=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1227=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1227=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1227=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1227=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1227=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1227=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): squid-3.5.21-26.23.1 squid-debuginfo-3.5.21-26.23.1 squid-debugsource-3.5.21-26.23.1 - SUSE OpenStack Cloud 8 (x86_64): squid-3.5.21-26.23.1 squid-debuginfo-3.5.21-26.23.1 squid-debugsource-3.5.21-26.23.1 - SUSE OpenStack Cloud 7 (s390x x86_64): squid-3.5.21-26.23.1 squid-debuginfo-3.5.21-26.23.1 squid-debugsource-3.5.21-26.23.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): squid-3.5.21-26.23.1 squid-debuginfo-3.5.21-26.23.1 squid-debugsource-3.5.21-26.23.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): squid-3.5.21-26.23.1 squid-debuginfo-3.5.21-26.23.1 squid-debugsource-3.5.21-26.23.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): squid-3.5.21-26.23.1 squid-debuginfo-3.5.21-26.23.1 
    squid-debugsource-3.5.21-26.23.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

    squid-3.5.21-26.23.1
    squid-debuginfo-3.5.21-26.23.1
    squid-debugsource-3.5.21-26.23.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

    squid-3.5.21-26.23.1
    squid-debuginfo-3.5.21-26.23.1
    squid-debugsource-3.5.21-26.23.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

    squid-3.5.21-26.23.1
    squid-debuginfo-3.5.21-26.23.1
    squid-debugsource-3.5.21-26.23.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

    squid-3.5.21-26.23.1
    squid-debuginfo-3.5.21-26.23.1
    squid-debugsource-3.5.21-26.23.1

- SUSE Enterprise Storage 5 (aarch64 x86_64):

    squid-3.5.21-26.23.1
    squid-debuginfo-3.5.21-26.23.1
    squid-debugsource-3.5.21-26.23.1

- HPE Helion Openstack 8 (x86_64):

    squid-3.5.21-26.23.1
    squid-debuginfo-3.5.21-26.23.1
    squid-debugsource-3.5.21-26.23.1

References:

https://www.suse.com/security/cve/CVE-2019-12519.html
https://www.suse.com/security/cve/CVE-2019-12520.html
https://www.suse.com/security/cve/CVE-2019-12521.html
https://www.suse.com/security/cve/CVE-2019-12524.html
https://www.suse.com/security/cve/CVE-2020-11945.html
https://bugzilla.suse.com/1169659
https://bugzilla.suse.com/1170313
https://bugzilla.suse.com/1170423

From sle-security-updates at lists.suse.com Mon May 11 03:33:36 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 11 May 2020 11:33:36 +0200 (CEST)
Subject: SUSE-SU-2020:14359-1: important: Security update for MozillaFirefox
Message-ID: <20200511093336.3A729FDE6@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14359-1
Rating:             important
References:         #1162828 #1171186
Cross-References:   CVE-2020-12387 CVE-2020-12388 CVE-2020-12389 CVE-2020-12392
                    CVE-2020-12393 CVE-2020-12395 CVE-2020-6831
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 68.8.0 ESR, MFSA 2020-17 (bsc#1171186)
  * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown
  * CVE-2020-12388 (bmo#1618911) Sandbox escape with improperly guarded Access Tokens
  * CVE-2020-12389 (bmo#1554110) Sandbox escape with improperly separated process types
  * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation
  * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL'
  * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
  * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
- Since firefox-gcc8 now has AutoReqProv disabled for firefox-libstdc++6 and firefox-libgcc_s1, those packages no longer provide some capabilities, so AutoReqProv has to be disabled in MozillaFirefox as well so that they are not added as automatic requirements. (bsc#1162828)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
    zypper in -t patch slessp4-MozillaFirefox-14359=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):

    MozillaFirefox-68.8.0-78.73.1
    MozillaFirefox-debuginfo-68.8.0-78.73.1
    MozillaFirefox-translations-common-68.8.0-78.73.1
    MozillaFirefox-translations-other-68.8.0-78.73.1

References:

https://www.suse.com/security/cve/CVE-2020-12387.html
https://www.suse.com/security/cve/CVE-2020-12388.html
https://www.suse.com/security/cve/CVE-2020-12389.html
https://www.suse.com/security/cve/CVE-2020-12392.html
https://www.suse.com/security/cve/CVE-2020-12393.html
https://www.suse.com/security/cve/CVE-2020-12395.html
https://www.suse.com/security/cve/CVE-2020-6831.html
https://bugzilla.suse.com/1162828
https://bugzilla.suse.com/1171186

From sle-security-updates at lists.suse.com Mon May 11 03:39:36 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 11 May 2020 11:39:36 +0200 (CEST)
Subject: SUSE-SU-2020:1225-1: important: Security update for MozillaThunderbird
Message-ID: <20200511093936.783B2FDE6@maintenance.suse.de>

SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1225-1
Rating:             important
References:         #1171186
Cross-References:   CVE-2020-12387 CVE-2020-12392 CVE-2020-12393 CVE-2020-12395
                    CVE-2020-12397 CVE-2020-6831
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.
Description:

   This update for MozillaThunderbird fixes the following issues:

   - Update to 68.8.0 ESR MFSA 2020-18 (bsc#1171186)
     * CVE-2020-12397 (bmo#1617370) Sender Email Address Spoofing using encoded Unicode characters
     * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown
     * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation
     * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL'
     * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
     * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Thunderbird 68.8.0

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-1225=1

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1225=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-1225=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

      MozillaThunderbird-68.8.0-3.80.2
      MozillaThunderbird-debuginfo-68.8.0-3.80.2
      MozillaThunderbird-debugsource-68.8.0-3.80.2
      MozillaThunderbird-translations-common-68.8.0-3.80.2
      MozillaThunderbird-translations-other-68.8.0-3.80.2

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      MozillaThunderbird-68.8.0-3.80.2
      MozillaThunderbird-debuginfo-68.8.0-3.80.2
      MozillaThunderbird-debugsource-68.8.0-3.80.2
      MozillaThunderbird-translations-common-68.8.0-3.80.2
      MozillaThunderbird-translations-other-68.8.0-3.80.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (s390x):

      MozillaThunderbird-68.8.0-3.80.2
      MozillaThunderbird-debuginfo-68.8.0-3.80.2
      MozillaThunderbird-debugsource-68.8.0-3.80.2
      MozillaThunderbird-translations-common-68.8.0-3.80.2
      MozillaThunderbird-translations-other-68.8.0-3.80.2

References:

   https://www.suse.com/security/cve/CVE-2020-12387.html
   https://www.suse.com/security/cve/CVE-2020-12392.html
   https://www.suse.com/security/cve/CVE-2020-12393.html
   https://www.suse.com/security/cve/CVE-2020-12395.html
   https://www.suse.com/security/cve/CVE-2020-12397.html
   https://www.suse.com/security/cve/CVE-2020-6831.html
   https://bugzilla.suse.com/1171186

From sle-security-updates at lists.suse.com Mon May 11 13:28:10 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 11 May 2020 21:28:10 +0200 (CEST)
Subject: SUSE-SU-2020:1250-1: important: Security update for libvirt
Message-ID: <20200511192810.86FEAFDE6@maintenance.suse.de>

SUSE Security Update: Security update for libvirt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1250-1
Rating:             important
References:         #1133719 #1137137 #1138734 #1145586 #1149100 #1168683
Cross-References:   CVE-2020-10703
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is now available.

Description:

   This update for libvirt fixes the following issues:

   Security issue fixed:

   - CVE-2020-10703: Fixed a daemon crash caused by pools without target paths (bsc#1168683).

   Non-security issues fixed:

   - apparmor: avoid copying empty profile name (bsc#1149100).
   - logging: ensure virtlogd rollover takes priority over logrotate (bsc#1137137).
   - qemu: Add support for overriding max threads per process limit (bsc#1133719).
   - util: fix copying bitmap to larger data buffer (bsc#1138734).
   - virsh: support for setting precopy bandwidth in migrate (bsc#1145586).
   - virsh: use upstream name for migration precopy bandwidth parameter (bsc#1145586).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1250=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1250=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1250=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1250=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libvirt-4.0.0-9.32.1
      libvirt-admin-4.0.0-9.32.1
      libvirt-admin-debuginfo-4.0.0-9.32.1
      libvirt-client-4.0.0-9.32.1
      libvirt-client-debuginfo-4.0.0-9.32.1
      libvirt-daemon-4.0.0-9.32.1
      libvirt-daemon-config-network-4.0.0-9.32.1
      libvirt-daemon-config-nwfilter-4.0.0-9.32.1
      libvirt-daemon-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-interface-4.0.0-9.32.1
      libvirt-daemon-driver-interface-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-network-4.0.0-9.32.1
      libvirt-daemon-driver-network-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-secret-4.0.0-9.32.1
      libvirt-daemon-driver-secret-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-hooks-4.0.0-9.32.1
      libvirt-daemon-lxc-4.0.0-9.32.1
      libvirt-daemon-qemu-4.0.0-9.32.1
      libvirt-debugsource-4.0.0-9.32.1
      libvirt-devel-4.0.0-9.32.1
      libvirt-doc-4.0.0-9.32.1
      libvirt-libs-4.0.0-9.32.1
      libvirt-libs-debuginfo-4.0.0-9.32.1
      libvirt-lock-sanlock-4.0.0-9.32.1
      libvirt-lock-sanlock-debuginfo-4.0.0-9.32.1
      libvirt-nss-4.0.0-9.32.1
      libvirt-nss-debuginfo-4.0.0-9.32.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libvirt-daemon-driver-libxl-4.0.0-9.32.1
      libvirt-daemon-driver-libxl-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-rbd-4.0.0-9.32.1
      libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.32.1
      libvirt-daemon-xen-4.0.0-9.32.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libvirt-4.0.0-9.32.1
      libvirt-admin-4.0.0-9.32.1
      libvirt-admin-debuginfo-4.0.0-9.32.1
      libvirt-client-4.0.0-9.32.1
      libvirt-client-debuginfo-4.0.0-9.32.1
      libvirt-daemon-4.0.0-9.32.1
      libvirt-daemon-config-network-4.0.0-9.32.1
      libvirt-daemon-config-nwfilter-4.0.0-9.32.1
      libvirt-daemon-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-interface-4.0.0-9.32.1
      libvirt-daemon-driver-interface-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-network-4.0.0-9.32.1
      libvirt-daemon-driver-network-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-secret-4.0.0-9.32.1
      libvirt-daemon-driver-secret-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-hooks-4.0.0-9.32.1
      libvirt-daemon-lxc-4.0.0-9.32.1
      libvirt-daemon-qemu-4.0.0-9.32.1
      libvirt-debugsource-4.0.0-9.32.1
      libvirt-devel-4.0.0-9.32.1
      libvirt-doc-4.0.0-9.32.1
      libvirt-libs-4.0.0-9.32.1
      libvirt-libs-debuginfo-4.0.0-9.32.1
      libvirt-lock-sanlock-4.0.0-9.32.1
      libvirt-lock-sanlock-debuginfo-4.0.0-9.32.1
      libvirt-nss-4.0.0-9.32.1
      libvirt-nss-debuginfo-4.0.0-9.32.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64):

      libvirt-daemon-driver-storage-rbd-4.0.0-9.32.1
      libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.32.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libvirt-4.0.0-9.32.1
      libvirt-admin-4.0.0-9.32.1
      libvirt-admin-debuginfo-4.0.0-9.32.1
      libvirt-client-4.0.0-9.32.1
      libvirt-client-debuginfo-4.0.0-9.32.1
      libvirt-daemon-4.0.0-9.32.1
      libvirt-daemon-config-network-4.0.0-9.32.1
      libvirt-daemon-config-nwfilter-4.0.0-9.32.1
      libvirt-daemon-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-interface-4.0.0-9.32.1
      libvirt-daemon-driver-interface-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-network-4.0.0-9.32.1
      libvirt-daemon-driver-network-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-secret-4.0.0-9.32.1
      libvirt-daemon-driver-secret-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-rbd-4.0.0-9.32.1
      libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-hooks-4.0.0-9.32.1
      libvirt-daemon-lxc-4.0.0-9.32.1
      libvirt-daemon-qemu-4.0.0-9.32.1
      libvirt-debugsource-4.0.0-9.32.1
      libvirt-devel-4.0.0-9.32.1
      libvirt-doc-4.0.0-9.32.1
      libvirt-libs-4.0.0-9.32.1
      libvirt-libs-debuginfo-4.0.0-9.32.1
      libvirt-lock-sanlock-4.0.0-9.32.1
      libvirt-lock-sanlock-debuginfo-4.0.0-9.32.1
      libvirt-nss-4.0.0-9.32.1
      libvirt-nss-debuginfo-4.0.0-9.32.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libvirt-daemon-driver-libxl-4.0.0-9.32.1
      libvirt-daemon-driver-libxl-debuginfo-4.0.0-9.32.1
      libvirt-daemon-xen-4.0.0-9.32.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libvirt-4.0.0-9.32.1
      libvirt-admin-4.0.0-9.32.1
      libvirt-admin-debuginfo-4.0.0-9.32.1
      libvirt-client-4.0.0-9.32.1
      libvirt-client-debuginfo-4.0.0-9.32.1
      libvirt-daemon-4.0.0-9.32.1
      libvirt-daemon-config-network-4.0.0-9.32.1
      libvirt-daemon-config-nwfilter-4.0.0-9.32.1
      libvirt-daemon-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-interface-4.0.0-9.32.1
      libvirt-daemon-driver-interface-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-4.0.0-9.32.1
      libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-network-4.0.0-9.32.1
      libvirt-daemon-driver-network-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-4.0.0-9.32.1
      libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-4.0.0-9.32.1
      libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-4.0.0-9.32.1
      libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-secret-4.0.0-9.32.1
      libvirt-daemon-driver-secret-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-4.0.0-9.32.1
      libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-4.0.0-9.32.1
      libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-4.0.0-9.32.1
      libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-4.0.0-9.32.1
      libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-rbd-4.0.0-9.32.1
      libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-4.0.0-9.32.1
      libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.32.1
      libvirt-daemon-hooks-4.0.0-9.32.1
      libvirt-daemon-lxc-4.0.0-9.32.1
      libvirt-daemon-qemu-4.0.0-9.32.1
      libvirt-debugsource-4.0.0-9.32.1
      libvirt-devel-4.0.0-9.32.1
      libvirt-doc-4.0.0-9.32.1
      libvirt-libs-4.0.0-9.32.1
      libvirt-libs-debuginfo-4.0.0-9.32.1
      libvirt-lock-sanlock-4.0.0-9.32.1
      libvirt-lock-sanlock-debuginfo-4.0.0-9.32.1
      libvirt-nss-4.0.0-9.32.1
      libvirt-nss-debuginfo-4.0.0-9.32.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libvirt-daemon-driver-libxl-4.0.0-9.32.1
      libvirt-daemon-driver-libxl-debuginfo-4.0.0-9.32.1
      libvirt-daemon-xen-4.0.0-9.32.1

References:

   https://www.suse.com/security/cve/CVE-2020-10703.html
   https://bugzilla.suse.com/1133719
   https://bugzilla.suse.com/1137137
   https://bugzilla.suse.com/1138734
   https://bugzilla.suse.com/1145586
   https://bugzilla.suse.com/1149100
   https://bugzilla.suse.com/1168683

From sle-security-updates at lists.suse.com Tue May 12 07:18:40 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 May 2020 15:18:40 +0200 (CEST)
Subject: SUSE-SU-2020:1255-1: important: Security update for the Linux Kernel
Message-ID: <20200512131840.C7A55FDE6@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1255-1
Rating:             important
References:         #1037216 #1075091 #1075994 #1087082 #1087813 #1091041 #1099279
                    #1120386 #1131107 #1133147 #1136449 #1137325 #1146519 #1146544
                    #1146612 #1149591 #1153811 #1154844 #1155311 #1155897 #1156060
                    #1157038 #1157042 #1157070 #1157143 #1157155 #1157157 #1157158
                    #1157303 #1157324 #1157333 #1157464 #1157804 #1157923 #1158021
                    #1158132 #1158381 #1158394 #1158398 #1158410 #1158413 #1158417
                    #1158427 #1158445 #1158819 #1158823 #1158824 #1158827 #1158834
                    #1158900 #1158903 #1158904 #1159199 #1159285 #1159297 #1159841
                    #1159908 #1159910 #1159911 #1159912 #1160195 #1162227 #1162298
                    #1162928 #1162929 #1162931 #1163971 #1164069 #1164078 #1164846
                    #1165111 #1165311 #1165873 #1165881 #1165984 #1165985 #1167629
                    #1168075
                    #1168295 #1168424 #1168829 #1168854 #1170056 #1170345 #1170778
Cross-References:   CVE-2017-18255 CVE-2018-21008 CVE-2019-14615 CVE-2019-14895
                    CVE-2019-14896 CVE-2019-14897 CVE-2019-14901 CVE-2019-15213
                    CVE-2019-18660 CVE-2019-18675 CVE-2019-18683 CVE-2019-19052
                    CVE-2019-19062 CVE-2019-19066 CVE-2019-19073 CVE-2019-19074
                    CVE-2019-19319 CVE-2019-19332 CVE-2019-19447 CVE-2019-19523
                    CVE-2019-19524 CVE-2019-19525 CVE-2019-19527 CVE-2019-19530
                    CVE-2019-19531 CVE-2019-19532 CVE-2019-19533 CVE-2019-19534
                    CVE-2019-19535 CVE-2019-19536 CVE-2019-19537 CVE-2019-19767
                    CVE-2019-19768 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054
                    CVE-2019-20096 CVE-2019-3701 CVE-2019-5108 CVE-2019-9455
                    CVE-2019-9458 CVE-2020-10690 CVE-2020-10720 CVE-2020-10942
                    CVE-2020-11494 CVE-2020-11608 CVE-2020-11609 CVE-2020-2732
                    CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-8992
                    CVE-2020-9383
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

   An update that solves 53 vulnerabilities and has 32 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
   - CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacked validation of the sk_family field, which might have allowed attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
   - CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
   - CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
   - CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
   - CVE-2019-9458: In the video driver there was a use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
   - CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
   - CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
   - CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
   - CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
   - CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
   - CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
   - CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
   - CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
   - CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
   - CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
   - CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering an AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
   - CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
   - CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
   - CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or possibly execute arbitrary code when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
   - CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or possibly execute arbitrary code when a STA works in IBSS mode (which allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
   - CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
   - CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
   - CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
   - CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
   - CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
   - CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
   - CVE-2019-19447: Fixed an issue where mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
   - CVE-2019-19319: Fixed an issue where a setxattr operation, after a mount of a crafted ext4 image, could cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
   - CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
   - CVE-2019-19066: Fixed a memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c that allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303).
   - CVE-2019-19332: There was an OOB memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
   - CVE-2019-19537: There was a race condition bug that could have been caused by a malicious USB device in the USB character device driver layer (bnc#1158904).
   - CVE-2019-19535: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bnc#1158903).
   - CVE-2019-19527: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bnc#1158900).
   - CVE-2019-19533: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bnc#1158834).
   - CVE-2019-19532: There were multiple out-of-bounds write bugs that could have been caused by a malicious USB device in the Linux kernel HID drivers (bnc#1158824).
   - CVE-2019-19523: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (bnc#1158823).
   - CVE-2019-15213: An issue was discovered in the Linux kernel: there was a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bnc#1146544).
   - CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445).
   - CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417).
   - CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410).
   - CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394).
   - CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413).
   - CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398).
   - CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in the Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is to the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042).
   - CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote device's country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).
   - CVE-2019-18660: Fixed an information disclosure on powerpc related to the Spectre-RSB mitigation. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038 1157923).
   - CVE-2019-18683: Fixed a privilege escalation where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem) (bnc#1155897).
   - CVE-2019-19062: Fixed a memory leak in the crypto_report() function in crypto/crypto_user_base.c, which allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).
   - CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).
   - CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
   - CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures (bnc#1157070).

   The following non-security bugs were fixed:

   - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
   - blktrace: fix dereference after null check (bsc#1159285).
   - blktrace: fix trace mutex deadlock (bsc#1159285).
   - btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks (bsc#1155311).
   - btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference (bsc#1155311).
   - btrfs: qgroup: Cleanup old subtree swap code (bsc#1155311).
   - btrfs: qgroup: Do not trace subtree if we're dropping reloc tree (bsc#1155311).
   - btrfs: qgroup: Introduce function to find all new tree blocks of reloc tree (bsc#1155311).
   - btrfs: qgroup: Introduce function to trace two swaped extents (bsc#1155311).
   - btrfs: qgroup: Introduce per-root swapped blocks infrastructure (bsc#1155311).
   - btrfs: qgroup: Only trace data extents in leaves if we're relocating data block group (bsc#1155311).
   - btrfs: qgroup: Refactor btrfs_qgroup_trace_subtree_swap (bsc#1155311).
   - btrfs: qgroup: Use delayed subtree rescan for balance (bsc#1155311).
   - btrfs: qgroup: Use generation-aware subtree swap to mark dirty extents (bsc#1155311).
   - btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() (bsc#1155311).
   - btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots (bsc#1155311).
   - btrfs: relocation: fix use-after-free on dead relocation roots (bsc#1155311).
   - btrfs: reloc: Fix NULL pointer dereference due to expanded reloc_root lifespan (bsc#1155311).
   - cgroup: avoid copying strings longer than the buffers (bsc#1146544).
   - cgroup: use strlcpy() instead of strscpy() to avoid spurious warning (bsc#1146544).
   - enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
   - ext4: fix use-after-free race with debug_want_extra_isize (bsc#1136449).
   - fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
   - fs/binfmt_misc.c: do not allow offset overflow (bsc#1099279 bsc#1156060).
   - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
   - futex: Use smp_store_release() in mark_wake_futex() (bsc#1157464).
   - Input: add safety guards to input_set_keycode() (bsc#1168075).
   - ipv4: correct gso_size for UFO (bsc#1154844).
   - ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227).
   - ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
   - media: ov519: add missing endpoint sanity checks (bsc#1168829).
   - media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
   - netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
   - netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
   - powerpc/64: Call setup_barrier_nospec() from setup_arch() (bsc#1131107).
   - powerpc/64: Make meltdown reporting Book3S 64 specific (bsc#1091041).
   - powerpc/64: Make stf barrier PPC_BOOK3S_64 specific (bsc#1131107).
   - powerpc/64s: Add new security feature flags for count cache flush (bsc#1131107).
   - powerpc/64s: Add support for software count cache flush (bsc#1131107).
   - powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107).
   - powerpc/asm: Add a patch_site macro & helpers for patching instructions (bsc#1131107).
   - powerpc/fsl: Add nospectre_v2 command line argument (bsc#1131107).
   - powerpc/fsl: Fix spectre_v2 mitigations reporting (bsc#1131107).
   - powerpc/powernv: Query firmware for count cache flush settings (bsc#1131107).
   - powerpc/pseries: Query hypervisor for count cache flush settings (bsc#1131107).
   - powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
   - powerpc/security: Fix spectre_v2 reporting (bsc#1131107).
   - powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
   - powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107).
   - route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race (bsc#1037216).
   - sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
   - string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1146544).
   - x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
   - x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
   - x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846).
   - xen/pv: Fix a boot up hang revealed by int3 self test (bsc#1153811).
   - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
   - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1255=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1255=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1255=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1255=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2020-1255=1

Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      kernel-default-4.4.121-92.129.1
      kernel-default-base-4.4.121-92.129.1
      kernel-default-base-debuginfo-4.4.121-92.129.1
      kernel-default-debuginfo-4.4.121-92.129.1
      kernel-default-debugsource-4.4.121-92.129.1
      kernel-default-devel-4.4.121-92.129.1
      kernel-syms-4.4.121-92.129.1

   - SUSE OpenStack Cloud 7 (x86_64):

      kgraft-patch-4_4_121-92_129-default-1-3.3.1

   - SUSE OpenStack Cloud 7 (noarch):

      kernel-devel-4.4.121-92.129.1
      kernel-macros-4.4.121-92.129.1
      kernel-source-4.4.121-92.129.1

   - SUSE OpenStack Cloud 7 (s390x):

      kernel-default-man-4.4.121-92.129.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      kernel-default-4.4.121-92.129.1
      kernel-default-base-4.4.121-92.129.1
      kernel-default-base-debuginfo-4.4.121-92.129.1
      kernel-default-debuginfo-4.4.121-92.129.1
      kernel-default-debugsource-4.4.121-92.129.1
      kernel-default-devel-4.4.121-92.129.1
      kernel-syms-4.4.121-92.129.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      kernel-devel-4.4.121-92.129.1
      kernel-macros-4.4.121-92.129.1
      kernel-source-4.4.121-92.129.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      kgraft-patch-4_4_121-92_129-default-1-3.3.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      kernel-default-4.4.121-92.129.1
      kernel-default-base-4.4.121-92.129.1
      kernel-default-base-debuginfo-4.4.121-92.129.1
      kernel-default-debuginfo-4.4.121-92.129.1
      kernel-default-debugsource-4.4.121-92.129.1
kernel-default-devel-4.4.121-92.129.1 kernel-syms-4.4.121-92.129.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): kernel-devel-4.4.121-92.129.1 kernel-macros-4.4.121-92.129.1 kernel-source-4.4.121-92.129.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): kgraft-patch-4_4_121-92_129-default-1-3.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x): kernel-default-man-4.4.121-92.129.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): kernel-devel-4.4.121-92.129.1 kernel-macros-4.4.121-92.129.1 kernel-source-4.4.121-92.129.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): kernel-default-4.4.121-92.129.1 kernel-default-base-4.4.121-92.129.1 kernel-default-base-debuginfo-4.4.121-92.129.1 kernel-default-debuginfo-4.4.121-92.129.1 kernel-default-debugsource-4.4.121-92.129.1 kernel-default-devel-4.4.121-92.129.1 kernel-syms-4.4.121-92.129.1 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.121-92.129.1 cluster-md-kmp-default-debuginfo-4.4.121-92.129.1 cluster-network-kmp-default-4.4.121-92.129.1 cluster-network-kmp-default-debuginfo-4.4.121-92.129.1 dlm-kmp-default-4.4.121-92.129.1 dlm-kmp-default-debuginfo-4.4.121-92.129.1 gfs2-kmp-default-4.4.121-92.129.1 gfs2-kmp-default-debuginfo-4.4.121-92.129.1 kernel-default-debuginfo-4.4.121-92.129.1 kernel-default-debugsource-4.4.121-92.129.1 ocfs2-kmp-default-4.4.121-92.129.1 ocfs2-kmp-default-debuginfo-4.4.121-92.129.1 References: https://www.suse.com/security/cve/CVE-2017-18255.html https://www.suse.com/security/cve/CVE-2018-21008.html https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14895.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-14901.html https://www.suse.com/security/cve/CVE-2019-15213.html https://www.suse.com/security/cve/CVE-2019-18660.html https://www.suse.com/security/cve/CVE-2019-18675.html 
https://www.suse.com/security/cve/CVE-2019-18683.html https://www.suse.com/security/cve/CVE-2019-19052.html https://www.suse.com/security/cve/CVE-2019-19062.html https://www.suse.com/security/cve/CVE-2019-19066.html https://www.suse.com/security/cve/CVE-2019-19073.html https://www.suse.com/security/cve/CVE-2019-19074.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19332.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19523.html https://www.suse.com/security/cve/CVE-2019-19524.html https://www.suse.com/security/cve/CVE-2019-19525.html https://www.suse.com/security/cve/CVE-2019-19527.html https://www.suse.com/security/cve/CVE-2019-19530.html https://www.suse.com/security/cve/CVE-2019-19531.html https://www.suse.com/security/cve/CVE-2019-19532.html https://www.suse.com/security/cve/CVE-2019-19533.html https://www.suse.com/security/cve/CVE-2019-19534.html https://www.suse.com/security/cve/CVE-2019-19535.html https://www.suse.com/security/cve/CVE-2019-19536.html https://www.suse.com/security/cve/CVE-2019-19537.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19965.html https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-5108.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-11608.html https://www.suse.com/security/cve/CVE-2020-11609.html 
https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8992.html https://www.suse.com/security/cve/CVE-2020-9383.html https://bugzilla.suse.com/1037216 https://bugzilla.suse.com/1075091 https://bugzilla.suse.com/1075994 https://bugzilla.suse.com/1087082 https://bugzilla.suse.com/1087813 https://bugzilla.suse.com/1091041 https://bugzilla.suse.com/1099279 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1131107 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1136449 https://bugzilla.suse.com/1137325 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146544 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1149591 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1154844 https://bugzilla.suse.com/1155311 https://bugzilla.suse.com/1155897 https://bugzilla.suse.com/1156060 https://bugzilla.suse.com/1157038 https://bugzilla.suse.com/1157042 https://bugzilla.suse.com/1157070 https://bugzilla.suse.com/1157143 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157158 https://bugzilla.suse.com/1157303 https://bugzilla.suse.com/1157324 https://bugzilla.suse.com/1157333 https://bugzilla.suse.com/1157464 https://bugzilla.suse.com/1157804 https://bugzilla.suse.com/1157923 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158132 https://bugzilla.suse.com/1158381 https://bugzilla.suse.com/1158394 https://bugzilla.suse.com/1158398 https://bugzilla.suse.com/1158410 https://bugzilla.suse.com/1158413 https://bugzilla.suse.com/1158417 https://bugzilla.suse.com/1158427 https://bugzilla.suse.com/1158445 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1158823 https://bugzilla.suse.com/1158824 https://bugzilla.suse.com/1158827 https://bugzilla.suse.com/1158834 
https://bugzilla.suse.com/1158900 https://bugzilla.suse.com/1158903 https://bugzilla.suse.com/1158904 https://bugzilla.suse.com/1159199 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159912 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1162227 https://bugzilla.suse.com/1162298 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164846 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165311 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165881 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170778 From sle-security-updates at lists.suse.com Wed May 13 07:37:35 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 May 2020 15:37:35 +0200 (CEST) Subject: SUSE-SU-2020:1264-1: moderate: Security update for openconnect Message-ID: <20200513133735.3C7AFFDE5@maintenance.suse.de> SUSE Security Update: Security update for openconnect ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1264-1 Rating: moderate References: #1142093 #1170452 Cross-References: CVE-2020-12105 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for openconnect fixes the following issues:

Security issue fixed:

- CVE-2020-12105: Fixed the improper handling of negative return values from X509_check_ function calls, which might have allowed MITM attacks (bsc#1170452).

Non-security issues fixed:

- This is a rebuild to have a higher version than openconnect on Packagehub, to avoid having a vpnc dependency (bsc#1142093).
- A vpnc-script is included in this openconnect package.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:
    zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1264=1
- SUSE Linux Enterprise Workstation Extension 12-SP4:
    zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1264=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
    openconnect-7.08-3.9.1
    openconnect-debuginfo-7.08-3.9.1
    openconnect-debugsource-7.08-3.9.1
- SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch):
    openconnect-lang-7.08-3.9.1
- SUSE Linux Enterprise Workstation Extension 12-SP4 (noarch):
    openconnect-lang-7.08-3.9.1
- SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):
    openconnect-7.08-3.9.1
    openconnect-debuginfo-7.08-3.9.1
    openconnect-debugsource-7.08-3.9.1

References:

https://www.suse.com/security/cve/CVE-2020-12105.html
https://bugzilla.suse.com/1142093
https://bugzilla.suse.com/1170452

From sle-security-updates at lists.suse.com Wed May 13 10:22:27 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 May 2020 18:22:27 +0200 (CEST)
Subject: SUSE-SU-2020:1272-1: important: Security update for apache2
Message-ID: <20200513162227.9634CFDE6@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1272-1
Rating: important
References: #1168404 #1168407 #1169066
Cross-References: CVE-2020-1927 CVE-2020-1934 CVE-2020-1938
Affected Products:
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 8
    SUSE OpenStack Cloud 7
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Software Development Kit 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5
    SUSE Linux Enterprise Server 12-SP4
    SUSE Linux Enterprise Server 12-SP3-LTSS
    SUSE Linux Enterprise Server 12-SP3-BCL
    SUSE Linux Enterprise Server 12-SP2-LTSS
    SUSE Linux Enterprise Server 12-SP2-BCL
    SUSE Enterprise Storage 5
    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for apache2 fixes the following issues:

- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations were vulnerable to open redirects (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add a "secret" parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1272=1
- SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1272=1
- SUSE OpenStack Cloud 7:
    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1272=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1272=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
    zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1272=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1272=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
    zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1272=1
- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1272=1
- SUSE Linux Enterprise Server 12-SP4:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1272=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1272=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1272=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1272=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1272=1
- SUSE Enterprise Storage 5:
    zypper in -t patch SUSE-Storage-5-2020-1272=1
- HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2020-1272=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE OpenStack Cloud Crowbar 8 (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE OpenStack Cloud 8 (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE OpenStack Cloud 8 (x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE OpenStack Cloud 7 (s390x x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE OpenStack Cloud 7 (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-devel-2.4.23-29.54.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-devel-2.4.23-29.54.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP5 (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP4 (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
    apache2-doc-2.4.23-29.54.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- SUSE Enterprise Storage 5 (noarch):
    apache2-doc-2.4.23-29.54.1
- HPE Helion Openstack 8 (x86_64):
    apache2-2.4.23-29.54.1
    apache2-debuginfo-2.4.23-29.54.1
    apache2-debugsource-2.4.23-29.54.1
    apache2-example-pages-2.4.23-29.54.1
    apache2-prefork-2.4.23-29.54.1
    apache2-prefork-debuginfo-2.4.23-29.54.1
    apache2-utils-2.4.23-29.54.1
    apache2-utils-debuginfo-2.4.23-29.54.1
    apache2-worker-2.4.23-29.54.1
    apache2-worker-debuginfo-2.4.23-29.54.1
- HPE Helion Openstack 8 (noarch):
    apache2-doc-2.4.23-29.54.1

References:
https://www.suse.com/security/cve/CVE-2020-1927.html
https://www.suse.com/security/cve/CVE-2020-1934.html
https://www.suse.com/security/cve/CVE-2020-1938.html
https://bugzilla.suse.com/1168404
https://bugzilla.suse.com/1168407
https://bugzilla.suse.com/1169066

From sle-security-updates at lists.suse.com Wed May 13 13:15:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 May 2020 21:15:46 +0200 (CEST)
Subject: SUSE-SU-2020:1273-1: moderate: Security update for grafana
Message-ID: <20200513191546.B012DFE27@maintenance.suse.de>

SUSE Security Update: Security update for grafana
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1273-1
Rating: moderate
References: #1096985 #1106515 #1115960 #1139862 #1148383 #1167424
Cross-References: CVE-2018-12099 CVE-2018-15727 CVE-2018-19039 CVE-2018-558213 CVE-2019-13068 CVE-2019-15043
Affected Products:
    SUSE Enterprise Storage 5
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for grafana to version 4.6.5 fixes the following issues:

Security issues fixed:

- CVE-2019-15043: Added authentication to a few REST endpoints (jsc#SOC-10357, bsc#1148383).
- CVE-2018-19039: Fixed a file exfiltration vulnerability (jsc#SOC-9976 bsc#1115960).
- CVE-2018-15727: Fixed an LDAP and OAuth login vulnerability (jsc#SOC-9980 bsc#1106515).
- CVE-2018-12099: Fixed cross site scripting vulnerabilities in dashboard links (bsc#1096985).
- CVE-2019-13068: Fixed an HTML injection in the panel drilldown links (bsc#1139862).

Non-security issue fixed:

- Fixed the wrongly categorized "default.ini" file (bsc#1167424). The configuration file was wrongly classified as documentation instead of as a configuration file. On systems where the documentation is not installed by default, it was not possible to start the "grafana server" service.
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 5:
    zypper in -t patch SUSE-Storage-5-2020-1273=1

Package List:

- SUSE Enterprise Storage 5 (aarch64 x86_64):
    grafana-4.6.5-3.10.1
    grafana-debuginfo-4.6.5-3.10.1
    grafana-debugsource-4.6.5-3.10.1

References:

https://www.suse.com/security/cve/CVE-2018-12099.html
https://www.suse.com/security/cve/CVE-2018-15727.html
https://www.suse.com/security/cve/CVE-2018-19039.html
https://www.suse.com/security/cve/CVE-2018-558213.html
https://www.suse.com/security/cve/CVE-2019-13068.html
https://www.suse.com/security/cve/CVE-2019-15043.html
https://bugzilla.suse.com/1096985
https://bugzilla.suse.com/1106515
https://bugzilla.suse.com/1115960
https://bugzilla.suse.com/1139862
https://bugzilla.suse.com/1148383
https://bugzilla.suse.com/1167424

From sle-security-updates at lists.suse.com Thu May 14 04:15:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 May 2020 12:15:22 +0200 (CEST)
Subject: SUSE-SU-2020:1274-1: important: Security update for python-paramiko
Message-ID: <20200514101522.926FAFDE5@maintenance.suse.de>

SUSE Security Update: Security update for python-paramiko
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1274-1
Rating: important
References: #1111151
Cross-References: CVE-2018-1000805
Affected Products:
    SUSE Enterprise Storage 5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-paramiko to 2.0.9 fixes the following issues:

Security issue fixed:

- CVE-2018-1000805: Fixed an authentication bypass (bnc#1111151).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 5:
    zypper in -t patch SUSE-Storage-5-2020-1274=1

Package List:

- SUSE Enterprise Storage 5 (noarch):
    python-paramiko-2.0.9-3.6.1

References:

https://www.suse.com/security/cve/CVE-2018-1000805.html
https://bugzilla.suse.com/1111151

From sle-security-updates at lists.suse.com Thu May 14 07:15:42 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 May 2020 15:15:42 +0200 (CEST)
Subject: SUSE-SU-2020:1275-1: important: Security update for the Linux Kernel
Message-ID: <20200514131542.77650FDE5@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1275-1
Rating: important
References: #1056134 #1087813 #1120386 #1133147 #1137325 #1145929 #1149591 #1154118 #1154844 #1155689 #1157155 #1157157 #1157303 #1157804 #1158021 #1158642 #1158819 #1159199 #1159285 #1159297 #1159841 #1159908 #1159910 #1159911 #1159912 #1160195 #1161586 #1162227 #1162928 #1162929 #1162931 #1163508 #1163971 #1164009 #1164051 #1164069 #1164078 #1164846 #1165111 #1165311 #1165873 #1165881 #1165984 #1165985 #1167421 #1167423 #1167629 #1168075 #1168295 #1168424 #1168829 #1168854 #1170056 #1170345 #1170778 #1170847
Cross-References: CVE-2017-18255 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-21008 CVE-2019-11091 CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-18675 CVE-2019-19066 CVE-2019-19319 CVE-2019-19447 CVE-2019-19767 CVE-2019-19768 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20096 CVE-2019-3701 CVE-2019-5108 CVE-2019-9455 CVE-2019-9458 CVE-2020-10690 CVE-2020-10720 CVE-2020-10942 CVE-2020-11494 CVE-2020-11608 CVE-2020-11609 CVE-2020-2732 CVE-2020-8647
CVE-2020-8648 CVE-2020-8649 CVE-2020-8992 CVE-2020-9383
Affected Products:
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 8
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server 12-SP3-LTSS
    SUSE Linux Enterprise Server 12-SP3-BCL
    SUSE Linux Enterprise High Availability 12-SP3
    SUSE Enterprise Storage 5
    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves 35 vulnerabilities and has 21 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacked validation of the sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
- CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
- CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering an AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
- CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
- CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or possibly execute arbitrary code when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or possibly execute arbitrary code when a STA works in IBSS mode (which allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
- CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Fixed an issue where mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: Fixed an issue where a setxattr operation, after a mount of a crafted ext4 image, could cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, CVE-2018-12127: Earlier mitigations for the "MDS" Microarchitectural Data Sampling attacks were not complete. An additional fix was added to the x86_64 fast system-call path to further mitigate these attacks (bsc#1164846 bsc#1170847).

The following non-security bugs were fixed:

- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled (bsc#1158642).
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1164009).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
   - ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
   - ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
   - ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
   - input: add safety guards to input_set_keycode() (bsc#1168075).
   - ipv4: correct gso_size for UFO (bsc#1154844).
   - ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227).
   - ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
   - md: add mddev->pers to avoid potential NULL pointer dereference (bsc#1056134).
   - md/bitmap: do not read page from device with Bitmap_sync (bsc#1056134).
   - md: change the initialization value for a spare device spot to MD_DISK_ROLE_SPARE (bsc#1056134).
   - md: Delete gendisk before cleaning up the request queue (bsc#1056134).
   - md: do not call bitmap_create() while array is quiesced (bsc#1056134).
   - md: do not set In_sync if array is frozen (bsc#1056134).
   - md: fix a potential deadlock of raid5/raid10 reshape (bsc#1056134).
   - md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1056134).
   - md: notify about new spare disk in the container (bsc#1056134).
   - md/raid0: Fix buffer overflow at debug print (bsc#1164051).
   - md/raid10: end bio when the device faulty (bsc#1056134).
   - md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1056134).
   - md/raid1,raid10: silence warning about wait-within-wait (bsc#1056134).
   - md: return -ENODEV if rdev has no mddev assigned (bsc#1056134).
   - media: ov519: add missing endpoint sanity checks (bsc#1168829).
   - media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
   - net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
   - netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
   - net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
   - rpm/kernel-binary.spec.in: Replace Novell with SUSE
   - sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bsc#1161586).
   - scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
   - scsi: core: kABI fix already_offline (bsc#1145929).
   - tcp: clear tp->packets_out when purging write queue (bsc#1154118).
   - x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846 bsc#1170847).
   - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
   - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1275=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1275=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1275=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1275=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1275=1

   - SUSE Linux Enterprise High Availability 12-SP3:

      zypper in -t patch SUSE-SLE-HA-12-SP3-2020-1275=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-1275=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-1275=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      kernel-devel-4.4.180-94.116.1
      kernel-macros-4.4.180-94.116.1
      kernel-source-4.4.180-94.116.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      kernel-default-4.4.180-94.116.1
      kernel-default-base-4.4.180-94.116.1
      kernel-default-base-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      kernel-default-devel-4.4.180-94.116.1
      kernel-default-kgraft-4.4.180-94.116.1
      kernel-syms-4.4.180-94.116.1
      kgraft-patch-4_4_180-94_116-default-1-4.3.1
      kgraft-patch-4_4_180-94_116-default-debuginfo-1-4.3.1

   - SUSE OpenStack Cloud 8 (noarch):

      kernel-devel-4.4.180-94.116.1
      kernel-macros-4.4.180-94.116.1
      kernel-source-4.4.180-94.116.1

   - SUSE OpenStack Cloud 8 (x86_64):

      kernel-default-4.4.180-94.116.1
      kernel-default-base-4.4.180-94.116.1
      kernel-default-base-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      kernel-default-devel-4.4.180-94.116.1
      kernel-default-kgraft-4.4.180-94.116.1
      kernel-syms-4.4.180-94.116.1
      kgraft-patch-4_4_180-94_116-default-1-4.3.1
      kgraft-patch-4_4_180-94_116-default-debuginfo-1-4.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      kernel-default-4.4.180-94.116.1
      kernel-default-base-4.4.180-94.116.1
      kernel-default-base-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      kernel-default-devel-4.4.180-94.116.1
      kernel-default-kgraft-4.4.180-94.116.1
      kernel-syms-4.4.180-94.116.1
      kgraft-patch-4_4_180-94_116-default-1-4.3.1
      kgraft-patch-4_4_180-94_116-default-debuginfo-1-4.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      kernel-devel-4.4.180-94.116.1
      kernel-macros-4.4.180-94.116.1
      kernel-source-4.4.180-94.116.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      kernel-default-4.4.180-94.116.1
      kernel-default-base-4.4.180-94.116.1
      kernel-default-base-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      kernel-default-devel-4.4.180-94.116.1
      kernel-syms-4.4.180-94.116.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):

      kernel-default-kgraft-4.4.180-94.116.1
      kgraft-patch-4_4_180-94_116-default-1-4.3.1
      kgraft-patch-4_4_180-94_116-default-debuginfo-1-4.3.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      kernel-devel-4.4.180-94.116.1
      kernel-macros-4.4.180-94.116.1
      kernel-source-4.4.180-94.116.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x):

      kernel-default-man-4.4.180-94.116.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      kernel-default-4.4.180-94.116.1
      kernel-default-base-4.4.180-94.116.1
      kernel-default-base-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      kernel-default-devel-4.4.180-94.116.1
      kernel-syms-4.4.180-94.116.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      kernel-devel-4.4.180-94.116.1
      kernel-macros-4.4.180-94.116.1
      kernel-source-4.4.180-94.116.1

   - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.4.180-94.116.1
      cluster-md-kmp-default-debuginfo-4.4.180-94.116.1
      dlm-kmp-default-4.4.180-94.116.1
      dlm-kmp-default-debuginfo-4.4.180-94.116.1
      gfs2-kmp-default-4.4.180-94.116.1
      gfs2-kmp-default-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      ocfs2-kmp-default-4.4.180-94.116.1
      ocfs2-kmp-default-debuginfo-4.4.180-94.116.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      kernel-default-4.4.180-94.116.1
      kernel-default-base-4.4.180-94.116.1
      kernel-default-base-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      kernel-default-devel-4.4.180-94.116.1
      kernel-syms-4.4.180-94.116.1

   - SUSE Enterprise Storage 5 (x86_64):

      kernel-default-kgraft-4.4.180-94.116.1
      kgraft-patch-4_4_180-94_116-default-1-4.3.1
      kgraft-patch-4_4_180-94_116-default-debuginfo-1-4.3.1

   - SUSE Enterprise Storage 5 (noarch):

      kernel-devel-4.4.180-94.116.1
      kernel-macros-4.4.180-94.116.1
      kernel-source-4.4.180-94.116.1

   - HPE Helion Openstack 8 (noarch):

      kernel-devel-4.4.180-94.116.1
      kernel-macros-4.4.180-94.116.1
      kernel-source-4.4.180-94.116.1

   - HPE Helion Openstack 8 (x86_64):

      kernel-default-4.4.180-94.116.1
      kernel-default-base-4.4.180-94.116.1
      kernel-default-base-debuginfo-4.4.180-94.116.1
      kernel-default-debuginfo-4.4.180-94.116.1
      kernel-default-debugsource-4.4.180-94.116.1
      kernel-default-devel-4.4.180-94.116.1
      kernel-default-kgraft-4.4.180-94.116.1
      kernel-syms-4.4.180-94.116.1
      kgraft-patch-4_4_180-94_116-default-1-4.3.1
      kgraft-patch-4_4_180-94_116-default-debuginfo-1-4.3.1

References:

   https://www.suse.com/security/cve/CVE-2017-18255.html
   https://www.suse.com/security/cve/CVE-2018-12126.html
   https://www.suse.com/security/cve/CVE-2018-12127.html
   https://www.suse.com/security/cve/CVE-2018-12130.html
   https://www.suse.com/security/cve/CVE-2018-21008.html
   https://www.suse.com/security/cve/CVE-2019-11091.html
   https://www.suse.com/security/cve/CVE-2019-14615.html
   https://www.suse.com/security/cve/CVE-2019-14896.html
   https://www.suse.com/security/cve/CVE-2019-14897.html
   https://www.suse.com/security/cve/CVE-2019-18675.html
   https://www.suse.com/security/cve/CVE-2019-19066.html
   https://www.suse.com/security/cve/CVE-2019-19319.html
   https://www.suse.com/security/cve/CVE-2019-19447.html
   https://www.suse.com/security/cve/CVE-2019-19767.html
   https://www.suse.com/security/cve/CVE-2019-19768.html
   https://www.suse.com/security/cve/CVE-2019-19965.html
   https://www.suse.com/security/cve/CVE-2019-19966.html
   https://www.suse.com/security/cve/CVE-2019-20054.html
   https://www.suse.com/security/cve/CVE-2019-20096.html
   https://www.suse.com/security/cve/CVE-2019-3701.html
   https://www.suse.com/security/cve/CVE-2019-5108.html
   https://www.suse.com/security/cve/CVE-2019-9455.html
   https://www.suse.com/security/cve/CVE-2019-9458.html
   https://www.suse.com/security/cve/CVE-2020-10690.html
   https://www.suse.com/security/cve/CVE-2020-10720.html
   https://www.suse.com/security/cve/CVE-2020-10942.html
   https://www.suse.com/security/cve/CVE-2020-11494.html
   https://www.suse.com/security/cve/CVE-2020-11608.html
   https://www.suse.com/security/cve/CVE-2020-11609.html
   https://www.suse.com/security/cve/CVE-2020-2732.html
   https://www.suse.com/security/cve/CVE-2020-8647.html
   https://www.suse.com/security/cve/CVE-2020-8648.html
   https://www.suse.com/security/cve/CVE-2020-8649.html
   https://www.suse.com/security/cve/CVE-2020-8992.html
   https://www.suse.com/security/cve/CVE-2020-9383.html
   https://bugzilla.suse.com/1056134
   https://bugzilla.suse.com/1087813
   https://bugzilla.suse.com/1120386
   https://bugzilla.suse.com/1133147
   https://bugzilla.suse.com/1137325
   https://bugzilla.suse.com/1145929
   https://bugzilla.suse.com/1149591
   https://bugzilla.suse.com/1154118
   https://bugzilla.suse.com/1154844
   https://bugzilla.suse.com/1155689
   https://bugzilla.suse.com/1157155
   https://bugzilla.suse.com/1157157
   https://bugzilla.suse.com/1157303
   https://bugzilla.suse.com/1157804
   https://bugzilla.suse.com/1158021
   https://bugzilla.suse.com/1158642
   https://bugzilla.suse.com/1158819
   https://bugzilla.suse.com/1159199
   https://bugzilla.suse.com/1159285
   https://bugzilla.suse.com/1159297
   https://bugzilla.suse.com/1159841
   https://bugzilla.suse.com/1159908
   https://bugzilla.suse.com/1159910
   https://bugzilla.suse.com/1159911
   https://bugzilla.suse.com/1159912
   https://bugzilla.suse.com/1160195
   https://bugzilla.suse.com/1161586
   https://bugzilla.suse.com/1162227
   https://bugzilla.suse.com/1162928
   https://bugzilla.suse.com/1162929
   https://bugzilla.suse.com/1162931
   https://bugzilla.suse.com/1163508
   https://bugzilla.suse.com/1163971
   https://bugzilla.suse.com/1164009
   https://bugzilla.suse.com/1164051
   https://bugzilla.suse.com/1164069
   https://bugzilla.suse.com/1164078
   https://bugzilla.suse.com/1164846
   https://bugzilla.suse.com/1165111
   https://bugzilla.suse.com/1165311
   https://bugzilla.suse.com/1165873
   https://bugzilla.suse.com/1165881
   https://bugzilla.suse.com/1165984
   https://bugzilla.suse.com/1165985
   https://bugzilla.suse.com/1167421
   https://bugzilla.suse.com/1167423
   https://bugzilla.suse.com/1167629
   https://bugzilla.suse.com/1168075
   https://bugzilla.suse.com/1168295
   https://bugzilla.suse.com/1168424
   https://bugzilla.suse.com/1168829
   https://bugzilla.suse.com/1168854
   https://bugzilla.suse.com/1170056
   https://bugzilla.suse.com/1170345
   https://bugzilla.suse.com/1170778
   https://bugzilla.suse.com/1170847


From sle-security-updates at lists.suse.com Thu May 14 10:15:38 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 May 2020 18:15:38 +0200 (CEST)
Subject: SUSE-SU-2020:14369-1: moderate: Security update for syslog-ng
Message-ID: <20200514161538.71390FDE5@maintenance.suse.de>

SUSE Security Update: Security update for syslog-ng
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14369-1
Rating:             moderate
References:         #1169385
Cross-References:   CVE-2020-8019
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for syslog-ng fixes the following issues:

   - CVE-2020-8019: Fixed a local privilege escalation during package update (bsc#1169385).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-syslog-ng-14369=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-syslog-ng-14369=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-syslog-ng-14369=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-syslog-ng-14369=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

      syslog-ng-2.0.9-27.34.40.5.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      syslog-ng-2.0.9-27.34.40.5.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      syslog-ng-debuginfo-2.0.9-27.34.40.5.1
      syslog-ng-debugsource-2.0.9-27.34.40.5.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      syslog-ng-debuginfo-2.0.9-27.34.40.5.1
      syslog-ng-debugsource-2.0.9-27.34.40.5.1

References:

   https://www.suse.com/security/cve/CVE-2020-8019.html
   https://bugzilla.suse.com/1169385


From sle-security-updates at lists.suse.com Thu May 14 10:21:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 May 2020 18:21:46 +0200 (CEST)
Subject: SUSE-SU-2020:1277-1: important: Security update for libvirt
Message-ID: <20200514162146.22373FDE5@maintenance.suse.de>

SUSE Security Update: Security update for libvirt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1277-1
Rating:             important
References:         #1157490 #1161883 #1162160 #1167007 #1168683 #1170765
Cross-References:   CVE-2020-10703 CVE-2020-12430
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves two vulnerabilities and has four fixes is now available.
Description:

   This update for libvirt fixes the following issues:

   Security issues fixed:

   - CVE-2020-10703: Fixed a daemon crash caused by pools without target paths (bsc#1168683).
   - CVE-2020-12430: Fixed a memory leak in qemuDomainGetStatsIOThread (bsc#1170765).

   Non-security issues fixed:

   - Support setting credit2 scheduler parameters for xen (bsc#1162160).
   - Enable use of newer libxl APIs for retrieving memory statistics (bsc#1157490, bsc#1167007).
   - Create multipath targets for qemu PR (bsc#1161883).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1277=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1277=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libvirt-debugsource-5.1.0-13.6.2
      libvirt-devel-5.1.0-13.6.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libvirt-5.1.0-13.6.2
      libvirt-admin-5.1.0-13.6.2
      libvirt-admin-debuginfo-5.1.0-13.6.2
      libvirt-client-5.1.0-13.6.2
      libvirt-client-debuginfo-5.1.0-13.6.2
      libvirt-daemon-5.1.0-13.6.2
      libvirt-daemon-config-network-5.1.0-13.6.2
      libvirt-daemon-config-nwfilter-5.1.0-13.6.2
      libvirt-daemon-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-interface-5.1.0-13.6.2
      libvirt-daemon-driver-interface-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-lxc-5.1.0-13.6.2
      libvirt-daemon-driver-lxc-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-network-5.1.0-13.6.2
      libvirt-daemon-driver-network-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-nodedev-5.1.0-13.6.2
      libvirt-daemon-driver-nodedev-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-nwfilter-5.1.0-13.6.2
      libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-qemu-5.1.0-13.6.2
      libvirt-daemon-driver-qemu-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-secret-5.1.0-13.6.2
      libvirt-daemon-driver-secret-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-storage-5.1.0-13.6.2
      libvirt-daemon-driver-storage-core-5.1.0-13.6.2
      libvirt-daemon-driver-storage-core-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-storage-disk-5.1.0-13.6.2
      libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-storage-iscsi-5.1.0-13.6.2
      libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-storage-logical-5.1.0-13.6.2
      libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-storage-mpath-5.1.0-13.6.2
      libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-13.6.2
      libvirt-daemon-driver-storage-scsi-5.1.0-13.6.2
      libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-13.6.2
      libvirt-daemon-hooks-5.1.0-13.6.2
      libvirt-daemon-lxc-5.1.0-13.6.2
      libvirt-daemon-qemu-5.1.0-13.6.2
      libvirt-debugsource-5.1.0-13.6.2
      libvirt-doc-5.1.0-13.6.2
      libvirt-libs-5.1.0-13.6.2
      libvirt-libs-debuginfo-5.1.0-13.6.2
      libvirt-lock-sanlock-5.1.0-13.6.2
      libvirt-lock-sanlock-debuginfo-5.1.0-13.6.2
      libvirt-nss-5.1.0-13.6.2
      libvirt-nss-debuginfo-5.1.0-13.6.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):

      libvirt-daemon-driver-storage-rbd-5.1.0-13.6.2
      libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-13.6.2

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):

      libvirt-daemon-driver-libxl-5.1.0-13.6.2
      libvirt-daemon-driver-libxl-debuginfo-5.1.0-13.6.2
      libvirt-daemon-xen-5.1.0-13.6.2

References:

   https://www.suse.com/security/cve/CVE-2020-10703.html
   https://www.suse.com/security/cve/CVE-2020-12430.html
   https://bugzilla.suse.com/1157490
   https://bugzilla.suse.com/1161883
   https://bugzilla.suse.com/1162160
   https://bugzilla.suse.com/1167007
   https://bugzilla.suse.com/1168683
   https://bugzilla.suse.com/1170765


From sle-security-updates at lists.suse.com Fri May 15 07:15:43 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2020 15:15:43 +0200 (CEST)
Subject: SUSE-SU-2020:1285-1: important: Security update for python-PyYAML
Message-ID: <20200515131543.2566EFCEE@maintenance.suse.de>

SUSE Security Update: Security update for python-PyYAML
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1285-1
Rating:             important
References:         #1165439
Cross-References:   CVE-2020-1747
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE OpenStack Cloud 6-LTSS
                    SUSE Manager Tools 12
                    SUSE Manager Server 3.2
                    SUSE Manager Proxy 3.2
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Point of Sale 12-SP2
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise Module for Containers 12
                    SUSE Linux Enterprise Module for Advanced Systems Management 12
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Linux Enterprise High Availability 12-SP1
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-PyYAML fixes the following issues:

   - CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1285=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1285=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1285=1

   - SUSE OpenStack Cloud 6-LTSS:

      zypper in -t patch SUSE-OpenStack-Cloud-6-LTSS-2020-1285=1

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-1285=1

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1285=1

   - SUSE Manager Proxy 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-1285=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1285=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1285=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1285=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1285=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1285=1

   - SUSE Linux Enterprise Point of Sale 12-SP2:

      zypper in -t patch SUSE-SLE-POS-12-SP2-2020-1285=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1285=1

   - SUSE Linux Enterprise Module for Containers 12:

      zypper in -t patch SUSE-SLE-Module-Containers-12-2020-1285=1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12:

      zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-1285=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2020-1285=1

   - SUSE Linux Enterprise High Availability 12-SP1:

      zypper in -t patch SUSE-SLE-HA-12-SP1-2020-1285=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-1285=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-1285=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE OpenStack Cloud 8 (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1

   - SUSE OpenStack Cloud 6-LTSS (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1
      python3-PyYAML-debuginfo-5.1.2-26.12.1

   - SUSE Manager Proxy 3.2 (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1
      python3-PyYAML-debuginfo-5.1.2-26.12.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1
      python3-PyYAML-debuginfo-5.1.2-26.12.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1
      python3-PyYAML-debuginfo-5.1.2-26.12.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE Linux Enterprise Point of Sale 12-SP2 (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE Linux Enterprise Module for Containers 12 (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1

   - SUSE Linux Enterprise High Availability 12-SP1 (ppc64le s390x x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

   - HPE Helion Openstack 8 (x86_64):

      python-PyYAML-5.1.2-26.12.1
      python-PyYAML-debuginfo-5.1.2-26.12.1
      python-PyYAML-debugsource-5.1.2-26.12.1
      python3-PyYAML-5.1.2-26.12.1

References:

   https://www.suse.com/security/cve/CVE-2020-1747.html
   https://bugzilla.suse.com/1165439


From sle-security-updates at lists.suse.com Fri May 15 13:16:42 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2020 21:16:42 +0200 (CEST)
Subject: SUSE-SU-2020:1289-1: important: Security update for libvirt
Message-ID: <20200515191642.5BF3DFDE5@maintenance.suse.de>

SUSE Security Update: Security update for libvirt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1289-1
Rating:             important
References:         #1133719 #1137137 #1138734 #1145586 #1149100 #1154093 #1168683
Cross-References:   CVE-2020-10703
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

   An update that solves one vulnerability and has 6 fixes is now available.

Description:

   This update for libvirt fixes the following issues:

   Security issue fixed:

   - CVE-2020-10703: Fixed a daemon crash caused by pools without target paths (bsc#1168683).

   Non-security issues fixed:

   - apparmor: avoid copying empty profile name (bsc#1149100).
   - logging: ensure virtlogd rollover takes priority over logrotate (bsc#1137137).
   - qemu: Add support for overriding max threads per process limit (bsc#1133719).
   - util: fix copying bitmap to larger data buffer (bsc#1138734).
   - virsh: support for setting precopy bandwidth in migrate (bsc#1145586).
   - virsh: use upstream name for migration precopy bandwidth parameter (bsc#1145586).
   - virt-create-rootfs: add SLE 15 and SLE 12 service packs support (bsc#1154093).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1289=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1289=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      libvirt-debugsource-4.0.0-8.20.2
      libvirt-devel-4.0.0-8.20.2

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      libvirt-4.0.0-8.20.2
      libvirt-admin-4.0.0-8.20.2
      libvirt-admin-debuginfo-4.0.0-8.20.2
      libvirt-client-4.0.0-8.20.2
      libvirt-client-debuginfo-4.0.0-8.20.2
      libvirt-daemon-4.0.0-8.20.2
      libvirt-daemon-config-network-4.0.0-8.20.2
      libvirt-daemon-config-nwfilter-4.0.0-8.20.2
      libvirt-daemon-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-interface-4.0.0-8.20.2
      libvirt-daemon-driver-interface-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-lxc-4.0.0-8.20.2
      libvirt-daemon-driver-lxc-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-network-4.0.0-8.20.2
      libvirt-daemon-driver-network-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-nodedev-4.0.0-8.20.2
      libvirt-daemon-driver-nodedev-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-nwfilter-4.0.0-8.20.2
      libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-qemu-4.0.0-8.20.2
      libvirt-daemon-driver-qemu-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-secret-4.0.0-8.20.2
      libvirt-daemon-driver-secret-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-storage-4.0.0-8.20.2
      libvirt-daemon-driver-storage-core-4.0.0-8.20.2
      libvirt-daemon-driver-storage-core-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-storage-disk-4.0.0-8.20.2
      libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-storage-iscsi-4.0.0-8.20.2
      libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-storage-logical-4.0.0-8.20.2
      libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-storage-mpath-4.0.0-8.20.2
      libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-8.20.2
      libvirt-daemon-driver-storage-scsi-4.0.0-8.20.2
      libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-8.20.2
      libvirt-daemon-hooks-4.0.0-8.20.2
      libvirt-daemon-lxc-4.0.0-8.20.2
      libvirt-daemon-qemu-4.0.0-8.20.2
      libvirt-debugsource-4.0.0-8.20.2
      libvirt-doc-4.0.0-8.20.2
      libvirt-libs-4.0.0-8.20.2
      libvirt-libs-debuginfo-4.0.0-8.20.2
      libvirt-lock-sanlock-4.0.0-8.20.2
      libvirt-lock-sanlock-debuginfo-4.0.0-8.20.2
      libvirt-nss-4.0.0-8.20.2
      libvirt-nss-debuginfo-4.0.0-8.20.2

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 x86_64):

      libvirt-daemon-driver-storage-rbd-4.0.0-8.20.2
      libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-8.20.2

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      libvirt-daemon-driver-libxl-4.0.0-8.20.2
      libvirt-daemon-driver-libxl-debuginfo-4.0.0-8.20.2
      libvirt-daemon-xen-4.0.0-8.20.2

References:

   https://www.suse.com/security/cve/CVE-2020-10703.html
   https://bugzilla.suse.com/1133719
   https://bugzilla.suse.com/1137137
   https://bugzilla.suse.com/1138734
   https://bugzilla.suse.com/1145586
   https://bugzilla.suse.com/1149100
   https://bugzilla.suse.com/1154093
   https://bugzilla.suse.com/1168683


From sle-security-updates at lists.suse.com Fri May 15 13:29:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 May 2020 21:29:08 +0200 (CEST)
Subject: SUSE-CU-2020:173-1: Security update of sles12/nginx-ingress-controller
Message-ID: <20200515192908.24EFFFCEE@maintenance.suse.de>

SUSE Container Update Advisory: sles12/nginx-ingress-controller
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:173-1
Container Tags        : sles12/nginx-ingress-controller:0.15.0
Container Release     : 2.5.356
Severity              : important
Type                  : security
References            : 1049825 1050241 1082318 1093414 1104902 1106383 1107617 1108606 1110929 1114592 1114674 1116995 1117951 1121626 1123886 1123919 1124211 1124847 1125113 1128828 1131830 1133495 1134550 1135254
1136298 1137053 1137832 1139459 1139870 1139942 1140039 1140120 1140631 1140914 1141093 1141493 1141897 1142614 1142649 1142654 1142661 1143194 1143273 1145521 1146415 1146608 1148517 1148987 1149145 1149429 1149496 1150003 1150250 1150595 1150734 1151377 1151506 1151577 1153386 1153557 1154036 1154037 1154043 1154043 1154609 1154862 1154871 1154948 1155199 1155338 1155339 1155574 1156194 1156402 1156482 1157198 1157578 1158586 1158763 1158809 1159162 1159814 1160163 1160571 1160594 1160613 1160614 1160682 1160682 1160764 1161779 1162108 1162518 1162879 1163922 1165471 1165915 1165919 1166510 1168195 1169766 1170771 983268 CVE-2016-5102 CVE-2017-12652 CVE-2017-7890 CVE-2018-10754 CVE-2018-14553 CVE-2018-17000 CVE-2018-18311 CVE-2019-11038 CVE-2019-12749 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14973 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903 CVE-2019-17498 CVE-2019-17594 CVE-2019-17595 CVE-2019-18197 CVE-2019-18900 CVE-2019-20372 CVE-2019-20372 CVE-2019-2201 CVE-2019-3688 CVE-2019-3690 CVE-2019-5188 CVE-2019-5482 CVE-2019-6128 CVE-2019-7317 CVE-2019-7663 CVE-2019-9232 CVE-2019-9433 CVE-2019-9893 CVE-2020-12243 CVE-2020-1712 CVE-2020-8013 SLE-10396 SLE-7081 SLE-7257 ----------------------------------------------------------------- The container sles12/nginx-ingress-controller was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2120-1 Released: Wed Aug 14 11:17:39 2019 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1136298,SLE-7257 This update for pam fixes the following issues: - Enable pam_userdb.so (SLE-7257,bsc#1136298) - Upgraded pam_userdb to 1.3.1. 
(bsc#1136298) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2264-1 Released: Mon Sep 2 09:07:12 2019 Summary: Security update for perl Type: security Severity: important References: 1114674,CVE-2018-18311 This update for perl fixes the following issues: Security issue fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2288-1 Released: Wed Sep 4 14:22:47 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1107617,1137053,1142661 This update for systemd fixes the following issues: - Fixes an issue where the Kernel took very long to unmount a user's runtime directory (bsc#1104902) - udevd: changed the default value of udev.children-max (again) (bsc#1107617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2372-1 Released: Thu Sep 12 14:01:27 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1139942,1140914,SLE-7081 This update for krb5 fixes the following issues: - Fix missing responder if there is no pre-auth; (bsc#1139942) - Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081) - Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2339-1 Released: Thu Sep 12 14:17:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149496,CVE-2019-5482 This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2390-1
Released: Tue Sep 17 15:46:02 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed SSF memory reuse that led to incorrect authorization of another connection, granting it excess connection rights (ssf) (bsc#1143194).
- CVE-2019-13057: Fixed the rootDN of a backend being able to proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2413-1
Released: Fri Sep 20 10:44:26 2019
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

- CVE-2019-1547: Added EC_GROUP_set_generator side-channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed a Bleichenbacher attack against the CMS/PKCS7 encryption transported key (bsc#1150250).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2440-1
Released: Mon Sep 23 17:15:13 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903

This update for expat fixes the following issues:

Security issue fixed:

- CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents (bsc#1149429).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2480-1
Released: Fri Sep 27 13:12:08 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial-of-service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2510-1
Released: Tue Oct 1 17:37:12 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,CVE-2019-13627

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-13627: Mitigated an ECDSA timing attack (bsc#1148987).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2818-1
Released: Tue Oct 29 17:22:01 2019
Summary: Recommended update for zypper and libzypp
Type: recommended
Severity: important
References: 1049825,1116995,1140039,1145521,1146415,1153557

This update for zypper and libzypp fixes the following issues:

Package: zypper

- Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521)
- Rephrased the file conflicts check summary (bsc#1140039)
- Fixed an issue where the bash completion was wrongly expanded (bsc#1049825)

Package: libzypp

- Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define a system-wide focus mode when resolving jobs (bsc#1146415)
- Fixed a file descriptor leak in the media backend (bsc#1116995)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2887-1
Released: Mon Nov 4 17:31:49 2019
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1139870

This update for apparmor provides the following fix:

- Change the pathname in logprof.conf and use check_qualifiers() in autodep to make sure apparmor does not generate profiles for programs marked as not having their own profiles. (bsc#1139870)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2898-1
Released: Tue Nov 5 17:00:27 2019
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1140631,1150595,1154948

This update for systemd fixes the following issues:

- sd-bus: deal with cookie overruns (bsc#1150595)
- rules: Add by-id symlinks for persistent memory (bsc#1140631)
- Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2936-1
Released: Fri Nov 8 13:19:55 2019
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 1154862,CVE-2019-17498

This update for libssh2_org fixes the following issue:

- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2941-1
Released: Tue Nov 12 10:03:32 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893

This update for libseccomp fixes the following issues:

Update to new upstream release 2.4.1:

* Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates

Update to release 2.3.3:

* Updated the syscall table for Linux v4.15-rc7

Update to release 2.3.2:

* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true
* Several small documentation fixes

- Ignore make check errors for ppc64/ppc64le, bypassing bsc#1142614

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2972-1
Released: Thu Nov 14 12:04:52 2019
Summary: Security update for libjpeg-turbo
Type: security
Severity: important
References: 1156402,CVE-2019-2201

This update for libjpeg-turbo fixes the following issues:

- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo when attempting to compress or decompress gigapixel images (bsc#1156402).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3003-1
Released: Tue Nov 19 10:12:33 2019
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1153386,SLE-10396

This update for procps provides the following fixes:

- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
- Add the missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3058-1
Released: Mon Nov 25 17:32:43 2019
Summary: Security update for tiff
Type: security
Severity: moderate
References: 1108606,1121626,1125113,1146608,983268,CVE-2016-5102,CVE-2018-17000,CVE-2019-14973,CVE-2019-6128,CVE-2019-7663

This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2019-14973: Fixed an improper check that depended on the compiler and could have led to an integer overflow (bsc#1146608).
- CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268).
- CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606).
- CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626).
- CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3064-1
Released: Mon Nov 25 18:44:36 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function, which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3085-1
Released: Thu Nov 28 10:01:53 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919

This update for libxml2 does not fix any additional security issues, but corrects the rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3094-1
Released: Thu Nov 28 16:47:52 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2018-10754: Fixed a denial of service caused by a NULL pointer dereference in _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c (bsc#1154037).

Bug fixes:

- Fixed the ppc64le build configuration (bsc#1134550).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3132-1
Released: Tue Dec 3 10:52:14 2019
Summary: Recommended update for update-alternatives
Type: recommended
Severity: moderate
References: 1154043

This update for update-alternatives fixes the following issues:

- Fix post-install scripts: test whether there is an actual file before calling update-alternatives. (bsc#1154043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3180-1
Released: Thu Dec 5 11:42:40 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690

This update for permissions fixes the following issues:

- CVE-2019-3688: Changed the wrong ownership of /usr/sbin/pinger to root:squid; the previous ownership could have allowed the squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3342-1
Released: Thu Dec 19 11:04:35 2019
Summary: Recommended update for elfutils
Type: recommended
Severity: moderate
References: 1151577

This update for elfutils fixes the following issues:

- Add a requirement on 'libebl1' for 'libelf1'. (bsc#1151577)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3364-1
Released: Thu Dec 19 19:20:52 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References: 1158586,1159162

This update for ncurses fixes the following issues:

- Work around a bug of the old upstream gen-pkgconfig (bsc#1159162)
- Remove doubled library path options (bsc#1159162)
- Also remove private requirements, as (lib)tinfo is binary compatible with the normal and wide versions of (lib)ncurses (bsc#1158586, bsc#1159162)
- Fix the last change, that is, add the missing library linker paths as well as the missing include directories for non-standard paths (bsc#1158586, bsc#1159162)
- Do not mix include directories of different ncurses ABIs (bsc#1158586)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:79-1
Released: Mon Jan 13 10:37:34 2020
Summary: Security update for libzypp
Type: security
Severity: moderate
References: 1158763,CVE-2019-18900

This update for libzypp fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed a cookie file that was world readable (bsc#1158763).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:86-1
Released: Mon Jan 13 14:12:22 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188

This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:106-1
Released: Wed Jan 15 12:50:55 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1155338,1155339

This update for libgcrypt fixes the following issues:

- Fix test dsa-rfc6979 in FIPS mode: disabled tests on elliptic curves with 192 bits, which are not recommended in FIPS mode
- Added CMAC AES and TDES FIPS self-tests (bsc#1155339, bsc#1155338)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:373-1
Released: Tue Feb 18 15:06:18 2020
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1137832,CVE-2019-12749

This update for dbus-1 fixes the following issues:

Security issue fixed:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:404-1
Released: Wed Feb 19 09:05:47 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1154871

This update for p11-kit fixes the following issues:

- Support loading the NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:459-1
Released: Tue Feb 25 11:02:12 2020
Summary: Security update for libvpx
Type: security
Severity: moderate
References: 1160613,1160614,CVE-2019-9232,CVE-2019-9433

This update for libvpx fixes the following issues:

- CVE-2019-9232: Fixed an out-of-bounds memory access (bsc#1160613).
- CVE-2019-9433: Fixed a use-after-free in vp8_deblock() (bsc#1160614).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:474-1
Released: Tue Feb 25 13:24:15 2020
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1117951,1158809,1160163,CVE-2019-1551

This update for openssl fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Non-security issue fixed:

- Fixed a crash in BN_copy (bsc#1160163).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:545-1
Released: Fri Feb 28 15:50:46 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1123886,1160594,1160764,1161779,1163922,CVE-2020-8013

This update for permissions fixes the following issues:

Security issue fixed:

- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid bits and capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:561-1
Released: Mon Mar 2 17:24:59 2020
Summary: Recommended update for elfutils
Type: recommended
Severity: moderate
References: 1110929,1157578

This update for elfutils fixes the following issues:

- Fix an 'eu-nm' issue in elfutils: symbol iteration now starts at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
- Fix '.ko' file corruption in debug info. (bsc#1110929)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:569-1
Released: Tue Mar 3 11:43:43 2020
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1124211,1141493,CVE-2017-12652,CVE-2019-7317

This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability triggered when png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an input validation error related to the length of chunks (bsc#1141493).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:571-1
Released: Tue Mar 3 13:23:35 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Fixed GSS-SPNEGO to use the flags negotiated by GSSAPI for the SSF (bsc#1162518)
- Added support for retrieving the negotiated SSF in the gssapi plugin (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:623-1
Released: Mon Mar 9 16:17:26 2020
Summary: Security update for gd
Type: security
Severity: moderate
References: 1050241,1140120,1165471,CVE-2017-7890,CVE-2018-14553,CVE-2019-11038

This update for gd fixes the following issues:

- CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241).
- CVE-2018-14553: Fixed a NULL pointer dereference in gdImageClone() (bsc#1165471).
- CVE-2019-11038: Fixed an information disclosure in gdImageCreateFromXbm() (bsc#1140120).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:702-1
Released: Tue Mar 17 14:44:37 2020
Summary: Security update for nginx-ingress-controller
Type: security
Severity: moderate
References: 1160682,CVE-2019-20372

This update for nginx-ingress-controller fixes the following issues:

- CVE-2019-20372: Fixed an HTTP request smuggling issue with certain error_page configurations which could have allowed unauthorized web page reads (bsc#1160682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:703-1
Released: Tue Mar 17 14:44:58 2020
Summary: Security update for nginx
Type: security
Severity: moderate
References: 1160682,CVE-2019-20372

This update for nginx fixes the following issues:

- CVE-2019-20372: Fixed an HTTP request smuggling issue with certain error_page configurations which could have allowed unauthorized web page reads (bsc#1160682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:331-1
Released: Wed Mar 18 12:52:46 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1106383,1133495,1139459,1151377,1151506,1154043,1155574,1156482,1159814,1162108,CVE-2020-1712

This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108): Fix a heap use-after-free vulnerability when asynchronous Polkit queries were performed while handling D-Bus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges by sending specially crafted D-Bus messages.
- Unconfirmed fix to prevent systemctl from hanging during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix to prevent a systemd-udevd crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve the log message when the inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after the command 'systemctl enable'. (bsc#1151377)
- Introduce a function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:786-1
Released: Wed Mar 25 06:47:18 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1165915,1165919

This update for p11-kit fixes the following issues:

- Tag this version with a 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so it can be pulled in by dependents. (bsc#1165915 bsc#1165919)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:822-1
Released: Tue Mar 31 13:06:24 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb to a separate package, pam-extra (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:915-1
Released: Fri Apr 3 13:15:11 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1168195

This update for openldap2 fixes the following issue:

- The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:920-1
Released: Fri Apr 3 17:13:04 2020
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1154609,CVE-2019-18197

This update for libxslt fixes the following issue:

- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:394-1 Released: Tue Apr 14 17:25:16 2020 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847 This update for gcc9 fixes the following issues: The GNU Compiler Collection is shipped in version 9. A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html The compilers have been added to the SUSE Linux Enterprise Toolchain Module. To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set. For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. 
(bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1168-1 Released: Mon May 4 14:06:46 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1162879 This update for libgcrypt fixes the following issues: - FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1193-1 Released: Tue May 5 16:26:05 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1254-1 Released: Tue May 12 11:17:06 2020 Summary: Recommended update for geolite2legacy, geoipupdate Type: recommended Severity: moderate References: 1156194,1169766 This update for geolite2legacy and geoipupdate fixes the following issues: - Create the initial package of GeoIP 2 Legacy, as the GeoIP is discontinued. (bsc#1156194) - Update README.SUSE in GeoIP with a description how to get the latest Geo IP data after the distribution changes. 
(jsc#SLE-11184, bsc#1156194, jsc#ECO-1405) From sle-security-updates at lists.suse.com Mon May 18 04:14:46 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 May 2020 12:14:46 +0200 (CEST) Subject: SUSE-SU-2020:1299-1: moderate: Security update for libxml2 Message-ID: <20200518101446.CA0C8FE0F@maintenance.suse.de> SUSE Security Update: Security update for libxml2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1299-1 Rating: moderate References: #1159928 #1161517 #1161521 Cross-References: CVE-2019-19956 CVE-2019-20388 CVE-2020-7595 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1299=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1299=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1299=1 Package List: - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python-libxml2-python-debugsource-2.9.7-3.19.10 python2-libxml2-python-2.9.7-3.19.10 python2-libxml2-python-debuginfo-2.9.7-3.19.10 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libxml2-debugsource-2.9.7-3.19.8 libxml2-devel-32bit-2.9.7-3.19.8 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): libxml2-doc-2.9.7-3.19.8 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libxml2-2-2.9.7-3.19.8 libxml2-2-debuginfo-2.9.7-3.19.8 libxml2-debugsource-2.9.7-3.19.8 libxml2-devel-2.9.7-3.19.8 libxml2-tools-2.9.7-3.19.8 libxml2-tools-debuginfo-2.9.7-3.19.8 python-libxml2-python-debugsource-2.9.7-3.19.10 python3-libxml2-python-2.9.7-3.19.10 python3-libxml2-python-debuginfo-2.9.7-3.19.10 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libxml2-2-32bit-2.9.7-3.19.8 libxml2-2-32bit-debuginfo-2.9.7-3.19.8 References: https://www.suse.com/security/cve/CVE-2019-19956.html https://www.suse.com/security/cve/CVE-2019-20388.html https://www.suse.com/security/cve/CVE-2020-7595.html https://bugzilla.suse.com/1159928 https://bugzilla.suse.com/1161517 https://bugzilla.suse.com/1161521 From sle-security-updates at lists.suse.com Mon May 18 04:15:42 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 May 2020 12:15:42 +0200 (CEST) Subject: SUSE-SU-2020:1294-1: moderate: Security 
update for file Message-ID: <20200518101542.AB0D5FE29@maintenance.suse.de> SUSE Security Update: Security update for file ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1294-1 Rating: moderate References: #1154661 #1169512 Cross-References: CVE-2019-18218 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Python2 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1294=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1294=1

- SUSE Linux Enterprise Module for Development Tools 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1294=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1294=1

Package List:

- SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64):

   python2-magic-5.32-7.8.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

   file-debugsource-5.32-7.8.1
   file-devel-32bit-5.32-7.8.1

- SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

   python3-magic-5.32-7.8.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

   file-5.32-7.8.1
   file-debuginfo-5.32-7.8.1
   file-debugsource-5.32-7.8.1
   file-devel-5.32-7.8.1
   libmagic1-5.32-7.8.1
   libmagic1-debuginfo-5.32-7.8.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

   file-magic-5.32-7.8.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

   libmagic1-32bit-5.32-7.8.1
   libmagic1-32bit-debuginfo-5.32-7.8.1

References:

https://www.suse.com/security/cve/CVE-2019-18218.html
https://bugzilla.suse.com/1154661
https://bugzilla.suse.com/1169512

From sle-security-updates at lists.suse.com Mon May 18 04:16:31 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:16:31 +0200 (CEST)
Subject: SUSE-SU-2020:1298-1: moderate: Security update for libbsd
Message-ID: <20200518101631.9D814FE29@maintenance.suse.de>

SUSE Security Update: Security update for libbsd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1298-1
Rating:             moderate
References:         #1160551
Cross-References:   CVE-2019-20367
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libbsd fixes the following issues:

- CVE-2019-20367: Fixed an out-of-bounds read during a comparison of symbol names from the string table (bsc#1160551).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1298=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1298=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

   libbsd-ctor-static-0.8.7-3.3.17
   libbsd-debugsource-0.8.7-3.3.17

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

   libbsd-debugsource-0.8.7-3.3.17
   libbsd-devel-0.8.7-3.3.17
   libbsd0-0.8.7-3.3.17
   libbsd0-debuginfo-0.8.7-3.3.17

References:

https://www.suse.com/security/cve/CVE-2019-20367.html
https://bugzilla.suse.com/1160551

From sle-security-updates at lists.suse.com Mon May 18 04:17:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:17:17 +0200 (CEST)
Subject: SUSE-SU-2020:1293-1: moderate: Security update for openexr
Message-ID: <20200518101717.51F0EFE29@maintenance.suse.de>

SUSE Security Update: Security update for openexr
______________________________________________________________________________
Announcement ID:    SUSE-SU-2020:1293-1
Rating:             moderate
References:         #1146648 #1169549 #1169573 #1169574 #1169575 #1169576 #1169578 #1169580
Cross-References:   CVE-2020-11758 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

An update that solves 7 vulnerabilities and has one errata is now available.

Description:

This update for openexr provides the following fix:

Security issues fixed:

- CVE-2020-11765: Fixed an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier (bsc#1169575).
- CVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp (bsc#1169574).
- CVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp (bsc#1169576).
- CVE-2020-11762: Fixed an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case (bsc#1169549).
- CVE-2020-11761: Fixed an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp (bsc#1169578).
- CVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp (bsc#1169580).
- CVE-2020-11758: Fixed an out-of-bounds read in ImfOptimizedPixelReading.h (bsc#1169573).

Non-security issue fixed:

- Enable tests when building the package on x86_64 (bsc#1146648).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1293=1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1293=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

   openexr-2.2.1-3.14.1
   openexr-debuginfo-2.2.1-3.14.1
   openexr-debugsource-2.2.1-3.14.1
   openexr-doc-2.2.1-3.14.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

   libIlmImf-2_2-23-32bit-2.2.1-3.14.1
   libIlmImf-2_2-23-32bit-debuginfo-2.2.1-3.14.1
   libIlmImfUtil-2_2-23-32bit-2.2.1-3.14.1
   libIlmImfUtil-2_2-23-32bit-debuginfo-2.2.1-3.14.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

   libIlmImf-2_2-23-2.2.1-3.14.1
   libIlmImf-2_2-23-debuginfo-2.2.1-3.14.1
   libIlmImfUtil-2_2-23-2.2.1-3.14.1
   libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.14.1
   openexr-debuginfo-2.2.1-3.14.1
   openexr-debugsource-2.2.1-3.14.1
   openexr-devel-2.2.1-3.14.1

References:

https://www.suse.com/security/cve/CVE-2020-11758.html
https://www.suse.com/security/cve/CVE-2020-11760.html
https://www.suse.com/security/cve/CVE-2020-11761.html
https://www.suse.com/security/cve/CVE-2020-11762.html
https://www.suse.com/security/cve/CVE-2020-11763.html
https://www.suse.com/security/cve/CVE-2020-11764.html
https://www.suse.com/security/cve/CVE-2020-11765.html
https://bugzilla.suse.com/1146648
https://bugzilla.suse.com/1169549
https://bugzilla.suse.com/1169573
https://bugzilla.suse.com/1169574
https://bugzilla.suse.com/1169575
https://bugzilla.suse.com/1169576
https://bugzilla.suse.com/1169578
https://bugzilla.suse.com/1169580

From sle-security-updates at lists.suse.com Mon May 18 04:18:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:18:04 +0200 (CEST)
Subject: SUSE-SU-2020:1297-1: moderate: Security update for libvpx
Message-ID: <20200518101804.B08A5FE0F@maintenance.suse.de>

SUSE Security Update: Security update for libvpx
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1297-1
Rating:             moderate
References:         #1166066
Cross-References:   CVE-2020-0034
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libvpx fixes the following issues:

- CVE-2020-0034: Fixed an out-of-bounds read on truncated key frames (bsc#1166066).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1297=1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1297=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1297=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

   libvpx-debugsource-1.6.1-6.6.8
   vpx-tools-1.6.1-6.6.8
   vpx-tools-debuginfo-1.6.1-6.6.8

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

   libvpx4-32bit-1.6.1-6.6.8
   libvpx4-32bit-debuginfo-1.6.1-6.6.8

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

   libvpx-debugsource-1.6.1-6.6.8
   libvpx-devel-1.6.1-6.6.8

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

   libvpx-debugsource-1.6.1-6.6.8
   libvpx4-1.6.1-6.6.8
   libvpx4-debuginfo-1.6.1-6.6.8

References:

https://www.suse.com/security/cve/CVE-2020-0034.html
https://bugzilla.suse.com/1166066

From sle-security-updates at lists.suse.com Mon May 18 04:18:52 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:18:52 +0200 (CEST)
Subject: SUSE-SU-2020:1292-1: moderate: Security update for openexr
Message-ID: <20200518101852.EC0CDFE0F@maintenance.suse.de>

SUSE Security Update: Security update for openexr
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1292-1
Rating:             moderate
References:         #1146648 #1169573 #1169574 #1169576 #1169580
Cross-References:   CVE-2020-11758 CVE-2020-11760 CVE-2020-11763 CVE-2020-11764
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that solves four vulnerabilities and has one errata is now available.

Description:

This update for openexr provides the following fix:

Security issues fixed:

- CVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp (bsc#1169574).
- CVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp (bsc#1169576).
- CVE-2020-11758: Fixed an out-of-bounds read in ImfOptimizedPixelReading.h (bsc#1169573).
- CVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp (bsc#1169580).

Non-security issue fixed:

- Enable tests when building the package on x86_64 (bsc#1146648).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:

   zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1292=1

- SUSE Linux Enterprise Workstation Extension 12-SP4:

   zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1292=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

   zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1292=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:

   zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1292=1

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1292=1

- SUSE Linux Enterprise Server 12-SP4:

   zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1292=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

   libIlmImf-Imf_2_1-21-32bit-2.1.0-6.20.1
   libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.20.1
   openexr-debugsource-2.1.0-6.20.1

- SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):

   libIlmImf-Imf_2_1-21-32bit-2.1.0-6.20.1
   libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.20.1
   openexr-debugsource-2.1.0-6.20.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

   openexr-debuginfo-2.1.0-6.20.1
   openexr-debugsource-2.1.0-6.20.1
   openexr-devel-2.1.0-6.20.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

   openexr-debuginfo-2.1.0-6.20.1
   openexr-debugsource-2.1.0-6.20.1
   openexr-devel-2.1.0-6.20.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

   libIlmImf-Imf_2_1-21-2.1.0-6.20.1
   libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.20.1
   openexr-2.1.0-6.20.1
   openexr-debuginfo-2.1.0-6.20.1
   openexr-debugsource-2.1.0-6.20.1

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

   libIlmImf-Imf_2_1-21-2.1.0-6.20.1
   libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.20.1
   openexr-2.1.0-6.20.1
   openexr-debuginfo-2.1.0-6.20.1
   openexr-debugsource-2.1.0-6.20.1

References:

https://www.suse.com/security/cve/CVE-2020-11758.html
https://www.suse.com/security/cve/CVE-2020-11760.html
https://www.suse.com/security/cve/CVE-2020-11763.html
https://www.suse.com/security/cve/CVE-2020-11764.html
https://bugzilla.suse.com/1146648
https://bugzilla.suse.com/1169573
https://bugzilla.suse.com/1169574
https://bugzilla.suse.com/1169576
https://bugzilla.suse.com/1169580

From sle-security-updates at lists.suse.com Mon May 18 04:19:45 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:19:45 +0200 (CEST)
Subject: SUSE-SU-2020:1295-1: moderate: Security update for git
Message-ID: <20200518101945.59C94FE0F@maintenance.suse.de>

SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1295-1
Rating:             moderate
References:         #1149792 #1168930 #1169605 #1169786 #1169936 #1170302 #1170741 #1170939
Cross-References:   CVE-2020-11008 CVE-2020-5260
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves two vulnerabilities and has 6 fixes is now available.
Description:

This update for git to 2.26.2 fixes the following issues:

Security issue fixed:

- CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper into providing credential information that is not appropriate for the protocol in use and the host being contacted (bsc#1169936).

Non-security issues fixed:

- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with the recent switch to protocol v2, which caused fetches to transfer an unreasonable amount of data (bsc#1170741).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:

   zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1295=1

- SUSE OpenStack Cloud 8:

   zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1295=1

- SUSE OpenStack Cloud 7:

   zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1295=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

   zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1295=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:

   zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1295=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

   zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1295=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

   zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1295=1

- SUSE Linux Enterprise Server for SAP 12-SP1:

   zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1295=1

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1295=1

- SUSE Linux Enterprise Server 12-SP4:

   zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1295=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1295=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1295=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1295=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

   zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1295=1

- SUSE Linux Enterprise Server 12-SP1-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1295=1

- SUSE Enterprise Storage 5:

   zypper in -t patch SUSE-Storage-5-2020-1295=1

- HPE Helion Openstack 8:

   zypper in -t patch HPE-Helion-OpenStack-8-2020-1295=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE OpenStack Cloud 8 (x86_64):

   git-2.26.2-27.36.1
   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE OpenStack Cloud 7 (s390x x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE OpenStack Cloud 7 (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

   git-2.26.2-27.36.1
   git-arch-2.26.2-27.36.1
   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-cvs-2.26.2-27.36.1
   git-daemon-2.26.2-27.36.1
   git-daemon-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1
   git-email-2.26.2-27.36.1
   git-gui-2.26.2-27.36.1
   git-svn-2.26.2-27.36.1
   git-svn-debuginfo-2.26.2-27.36.1
   git-web-2.26.2-27.36.1
   gitk-2.26.2-27.36.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

   git-2.26.2-27.36.1
   git-arch-2.26.2-27.36.1
   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-cvs-2.26.2-27.36.1
   git-daemon-2.26.2-27.36.1
   git-daemon-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1
   git-email-2.26.2-27.36.1
   git-gui-2.26.2-27.36.1
   git-svn-2.26.2-27.36.1
   git-svn-debuginfo-2.26.2-27.36.1
   git-web-2.26.2-27.36.1
   gitk-2.26.2-27.36.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

   git-doc-2.26.2-27.36.1

- SUSE Enterprise Storage 5 (aarch64 x86_64):

   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

- HPE Helion Openstack 8 (x86_64):

   git-2.26.2-27.36.1
   git-core-2.26.2-27.36.1
   git-core-debuginfo-2.26.2-27.36.1
   git-debugsource-2.26.2-27.36.1

References:

https://www.suse.com/security/cve/CVE-2020-11008.html
https://www.suse.com/security/cve/CVE-2020-5260.html
https://bugzilla.suse.com/1149792
https://bugzilla.suse.com/1168930
https://bugzilla.suse.com/1169605
https://bugzilla.suse.com/1169786
https://bugzilla.suse.com/1169936
https://bugzilla.suse.com/1170302
https://bugzilla.suse.com/1170741
https://bugzilla.suse.com/1170939

From sle-security-updates at lists.suse.com Mon May 18 04:20:41 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:20:41 +0200 (CEST)
Subject: SUSE-SU-2020:1301-1: important: Security update for mailman
Message-ID: <20200518102041.2F080FE29@maintenance.suse.de>

SUSE Security Update: Security update for mailman
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1301-1
Rating:             important
References:         #1167068 #1170558 #1171363 #682920
Cross-References:   CVE-2020-12108 CVE-2020-12137
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.
Description:

This update for mailman fixes the following issues:

Security issues fixed:

- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed an XSS vulnerability caused by MIME type confusion (bsc#1170558).

Non-security issues fixed:

- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:

   zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1301=1

- SUSE OpenStack Cloud 8:

   zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1301=1

- SUSE OpenStack Cloud 7:

   zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1301=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

   zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1301=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

   zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1301=1

- SUSE Linux Enterprise Server for SAP 12-SP1:

   zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1301=1

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1301=1

- SUSE Linux Enterprise Server 12-SP4:

   zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1301=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1301=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1301=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1301=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

   zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1301=1

- SUSE Linux Enterprise Server 12-SP1-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1301=1

- SUSE Enterprise Storage 5:

   zypper in -t patch SUSE-Storage-5-2020-1301=1

- HPE Helion Openstack 8:

   zypper in -t patch HPE-Helion-OpenStack-8-2020-1301=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE OpenStack Cloud 8 (x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE OpenStack Cloud 7 (s390x x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server 12-SP4 (ppc64le s390x x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- SUSE Enterprise Storage 5 (x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

- HPE Helion Openstack 8 (x86_64):

   mailman-2.1.17-3.20.1
   mailman-debuginfo-2.1.17-3.20.1
   mailman-debugsource-2.1.17-3.20.1

References:

https://www.suse.com/security/cve/CVE-2020-12108.html
https://www.suse.com/security/cve/CVE-2020-12137.html
https://bugzilla.suse.com/1167068
https://bugzilla.suse.com/1170558
https://bugzilla.suse.com/1171363
https://bugzilla.suse.com/682920

From sle-security-updates at lists.suse.com Mon May 18 04:21:28 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:21:28 +0200 (CEST)
Subject: SUSE-SU-2020:1296-1: moderate: Security update for autoyast2
Message-ID: <20200518102128.4BE80FE29@maintenance.suse.de>

SUSE Security Update: Security update for autoyast2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1296-1
Rating:             moderate
References:         #1109310 #1133045 #1140711 #1164105 #1168123 #1168281 #1170082
Cross-References:   CVE-2019-18905
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has 6 fixes is now available.

Description:

This update for autoyast2 to version 4.1.15 fixes the following issues:

Security issue fixed:

- CVE-2019-18905: Removed all "--gpg-auto-import-keys" options from zypper commands (bsc#1140711).

Non-security issues fixed:

- Fix desktop files updating some icons and groups (bsc#1168123).
- Restored some missing icons (bsc#1168123, bsc#1109310 and bsc#1168281).
- Service for init scripts: Try to start "network-online.target" before starting the autoyast init scripts in order to get a working network (bsc#1164105).
- Always re-probe storage after pre-scripts (bsc#1170082, bsc#1133045).
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1296=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

   autoyast2-4.1.15-3.13.1
   autoyast2-installation-4.1.15-3.13.1

References:

https://www.suse.com/security/cve/CVE-2019-18905.html
https://bugzilla.suse.com/1109310
https://bugzilla.suse.com/1133045
https://bugzilla.suse.com/1140711
https://bugzilla.suse.com/1164105
https://bugzilla.suse.com/1168123
https://bugzilla.suse.com/1168281
https://bugzilla.suse.com/1170082

From sle-security-updates at lists.suse.com Mon May 18 04:22:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 May 2020 12:22:17 +0200 (CEST)
Subject: SUSE-SU-2020:1300-1: important: Security update for gstreamer-plugins-base
Message-ID: <20200518102217.6FEBAFE29@maintenance.suse.de>

SUSE Security Update: Security update for gstreamer-plugins-base
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1300-1
Rating:             important
References:         #1133375
Cross-References:   CVE-2019-9928
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for gstreamer-plugins-base fixes the following issue:

Security issue fixed:

- CVE-2019-9928: Fixed a heap-based overflow in the rtsp connection parser (bsc#1133375).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1300=1

- SUSE Linux Enterprise Server 15-LTSS:

   zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1300=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-1300=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1300=1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1300=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1300=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1300=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1300=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

   gstreamer-plugins-base-1.12.5-3.3.1
   gstreamer-plugins-base-debuginfo-1.12.5-3.3.1
   gstreamer-plugins-base-debugsource-1.12.5-3.3.1
   libgstallocators-1_0-0-1.12.5-3.3.1
   libgstallocators-1_0-0-debuginfo-1.12.5-3.3.1
   libgstapp-1_0-0-1.12.5-3.3.1
   libgstapp-1_0-0-debuginfo-1.12.5-3.3.1
   libgstaudio-1_0-0-1.12.5-3.3.1
   libgstaudio-1_0-0-debuginfo-1.12.5-3.3.1
   libgstfft-1_0-0-1.12.5-3.3.1
   libgstfft-1_0-0-debuginfo-1.12.5-3.3.1
   libgstpbutils-1_0-0-1.12.5-3.3.1
   libgstpbutils-1_0-0-debuginfo-1.12.5-3.3.1
   libgstriff-1_0-0-1.12.5-3.3.1
   libgstriff-1_0-0-debuginfo-1.12.5-3.3.1
   libgstrtp-1_0-0-1.12.5-3.3.1
   libgstrtp-1_0-0-debuginfo-1.12.5-3.3.1
   libgstrtsp-1_0-0-1.12.5-3.3.1
   libgstrtsp-1_0-0-debuginfo-1.12.5-3.3.1
   libgstsdp-1_0-0-1.12.5-3.3.1
   libgstsdp-1_0-0-debuginfo-1.12.5-3.3.1
   libgsttag-1_0-0-1.12.5-3.3.1
   libgsttag-1_0-0-debuginfo-1.12.5-3.3.1
   libgstvideo-1_0-0-1.12.5-3.3.1
   libgstvideo-1_0-0-debuginfo-1.12.5-3.3.1

- SUSE Linux Enterprise Server for SAP 15 (noarch):

   gstreamer-plugins-base-lang-1.12.5-3.3.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

   gstreamer-plugins-base-1.12.5-3.3.1
   gstreamer-plugins-base-debuginfo-1.12.5-3.3.1
   gstreamer-plugins-base-debugsource-1.12.5-3.3.1
   libgstallocators-1_0-0-1.12.5-3.3.1
   libgstallocators-1_0-0-debuginfo-1.12.5-3.3.1
   libgstapp-1_0-0-1.12.5-3.3.1
   libgstapp-1_0-0-debuginfo-1.12.5-3.3.1
   libgstaudio-1_0-0-1.12.5-3.3.1
   libgstaudio-1_0-0-debuginfo-1.12.5-3.3.1
   libgstfft-1_0-0-1.12.5-3.3.1
   libgstfft-1_0-0-debuginfo-1.12.5-3.3.1
   libgstpbutils-1_0-0-1.12.5-3.3.1
   libgstpbutils-1_0-0-debuginfo-1.12.5-3.3.1
   libgstriff-1_0-0-1.12.5-3.3.1
   libgstriff-1_0-0-debuginfo-1.12.5-3.3.1
   libgstrtp-1_0-0-1.12.5-3.3.1
   libgstrtp-1_0-0-debuginfo-1.12.5-3.3.1
   libgstrtsp-1_0-0-1.12.5-3.3.1
   libgstrtsp-1_0-0-debuginfo-1.12.5-3.3.1
   libgstsdp-1_0-0-1.12.5-3.3.1
   libgstsdp-1_0-0-debuginfo-1.12.5-3.3.1
   libgsttag-1_0-0-1.12.5-3.3.1
   libgsttag-1_0-0-debuginfo-1.12.5-3.3.1
   libgstvideo-1_0-0-1.12.5-3.3.1
   libgstvideo-1_0-0-debuginfo-1.12.5-3.3.1

- SUSE Linux Enterprise Server 15-LTSS (noarch):

   gstreamer-plugins-base-lang-1.12.5-3.3.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

   typelib-1_0-GstFft-1_0-1.12.5-3.3.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

   gstreamer-plugins-base-debuginfo-1.12.5-3.3.1
   gstreamer-plugins-base-debugsource-1.12.5-3.3.1
   gstreamer-plugins-base-doc-1.12.5-3.3.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

   gstreamer-plugins-base-32bit-1.12.5-3.3.1
   gstreamer-plugins-base-32bit-debuginfo-1.12.5-3.3.1
   gstreamer-plugins-base-devel-32bit-1.12.5-3.3.1
   libgstallocators-1_0-0-32bit-1.12.5-3.3.1
   libgstallocators-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstapp-1_0-0-32bit-1.12.5-3.3.1
   libgstapp-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstaudio-1_0-0-32bit-1.12.5-3.3.1
   libgstaudio-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstfft-1_0-0-32bit-1.12.5-3.3.1
   libgstfft-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstpbutils-1_0-0-32bit-1.12.5-3.3.1
   libgstpbutils-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstriff-1_0-0-32bit-1.12.5-3.3.1
   libgstriff-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstrtp-1_0-0-32bit-1.12.5-3.3.1
   libgstrtp-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstrtsp-1_0-0-32bit-1.12.5-3.3.1
   libgstrtsp-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstsdp-1_0-0-32bit-1.12.5-3.3.1
   libgstsdp-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgsttag-1_0-0-32bit-1.12.5-3.3.1
   libgsttag-1_0-0-32bit-debuginfo-1.12.5-3.3.1
   libgstvideo-1_0-0-32bit-1.12.5-3.3.1
   libgstvideo-1_0-0-32bit-debuginfo-1.12.5-3.3.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

   gstreamer-plugins-base-debuginfo-1.12.5-3.3.1
   gstreamer-plugins-base-debugsource-1.12.5-3.3.1
   gstreamer-plugins-base-devel-1.12.5-3.3.1
   typelib-1_0-GstAllocators-1_0-1.12.5-3.3.1
   typelib-1_0-GstApp-1_0-1.12.5-3.3.1
   typelib-1_0-GstAudio-1_0-1.12.5-3.3.1
   typelib-1_0-GstFft-1_0-1.12.5-3.3.1
   typelib-1_0-GstPbutils-1_0-1.12.5-3.3.1
   typelib-1_0-GstRtp-1_0-1.12.5-3.3.1
   typelib-1_0-GstRtsp-1_0-1.12.5-3.3.1
   typelib-1_0-GstSdp-1_0-1.12.5-3.3.1
   typelib-1_0-GstTag-1_0-1.12.5-3.3.1
   typelib-1_0-GstVideo-1_0-1.12.5-3.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

   gstreamer-plugins-base-1.12.5-3.3.1
   gstreamer-plugins-base-debuginfo-1.12.5-3.3.1
   gstreamer-plugins-base-debugsource-1.12.5-3.3.1
   libgstallocators-1_0-0-1.12.5-3.3.1
   libgstallocators-1_0-0-debuginfo-1.12.5-3.3.1
libgstapp-1_0-0-1.12.5-3.3.1 libgstapp-1_0-0-debuginfo-1.12.5-3.3.1 libgstaudio-1_0-0-1.12.5-3.3.1 libgstaudio-1_0-0-debuginfo-1.12.5-3.3.1 libgstfft-1_0-0-1.12.5-3.3.1 libgstfft-1_0-0-debuginfo-1.12.5-3.3.1 libgstpbutils-1_0-0-1.12.5-3.3.1 libgstpbutils-1_0-0-debuginfo-1.12.5-3.3.1 libgstriff-1_0-0-1.12.5-3.3.1 libgstriff-1_0-0-debuginfo-1.12.5-3.3.1 libgstrtp-1_0-0-1.12.5-3.3.1 libgstrtp-1_0-0-debuginfo-1.12.5-3.3.1 libgstrtsp-1_0-0-1.12.5-3.3.1 libgstrtsp-1_0-0-debuginfo-1.12.5-3.3.1 libgstsdp-1_0-0-1.12.5-3.3.1 libgstsdp-1_0-0-debuginfo-1.12.5-3.3.1 libgsttag-1_0-0-1.12.5-3.3.1 libgsttag-1_0-0-debuginfo-1.12.5-3.3.1 libgstvideo-1_0-0-1.12.5-3.3.1 libgstvideo-1_0-0-debuginfo-1.12.5-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): gstreamer-plugins-base-lang-1.12.5-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): gstreamer-plugins-base-1.12.5-3.3.1 gstreamer-plugins-base-debuginfo-1.12.5-3.3.1 gstreamer-plugins-base-debugsource-1.12.5-3.3.1 libgstallocators-1_0-0-1.12.5-3.3.1 libgstallocators-1_0-0-debuginfo-1.12.5-3.3.1 libgstapp-1_0-0-1.12.5-3.3.1 libgstapp-1_0-0-debuginfo-1.12.5-3.3.1 libgstaudio-1_0-0-1.12.5-3.3.1 libgstaudio-1_0-0-debuginfo-1.12.5-3.3.1 libgstfft-1_0-0-1.12.5-3.3.1 libgstfft-1_0-0-debuginfo-1.12.5-3.3.1 libgstpbutils-1_0-0-1.12.5-3.3.1 libgstpbutils-1_0-0-debuginfo-1.12.5-3.3.1 libgstriff-1_0-0-1.12.5-3.3.1 libgstriff-1_0-0-debuginfo-1.12.5-3.3.1 libgstrtp-1_0-0-1.12.5-3.3.1 libgstrtp-1_0-0-debuginfo-1.12.5-3.3.1 libgstrtsp-1_0-0-1.12.5-3.3.1 libgstrtsp-1_0-0-debuginfo-1.12.5-3.3.1 libgstsdp-1_0-0-1.12.5-3.3.1 libgstsdp-1_0-0-debuginfo-1.12.5-3.3.1 libgsttag-1_0-0-1.12.5-3.3.1 libgsttag-1_0-0-debuginfo-1.12.5-3.3.1 libgstvideo-1_0-0-1.12.5-3.3.1 libgstvideo-1_0-0-debuginfo-1.12.5-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): gstreamer-plugins-base-lang-1.12.5-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): 
gstreamer-plugins-base-1.12.5-3.3.1 gstreamer-plugins-base-debuginfo-1.12.5-3.3.1 gstreamer-plugins-base-debugsource-1.12.5-3.3.1 libgstallocators-1_0-0-1.12.5-3.3.1 libgstallocators-1_0-0-debuginfo-1.12.5-3.3.1 libgstapp-1_0-0-1.12.5-3.3.1 libgstapp-1_0-0-debuginfo-1.12.5-3.3.1 libgstaudio-1_0-0-1.12.5-3.3.1 libgstaudio-1_0-0-debuginfo-1.12.5-3.3.1 libgstfft-1_0-0-1.12.5-3.3.1 libgstfft-1_0-0-debuginfo-1.12.5-3.3.1 libgstpbutils-1_0-0-1.12.5-3.3.1 libgstpbutils-1_0-0-debuginfo-1.12.5-3.3.1 libgstriff-1_0-0-1.12.5-3.3.1 libgstriff-1_0-0-debuginfo-1.12.5-3.3.1 libgstrtp-1_0-0-1.12.5-3.3.1 libgstrtp-1_0-0-debuginfo-1.12.5-3.3.1 libgstrtsp-1_0-0-1.12.5-3.3.1 libgstrtsp-1_0-0-debuginfo-1.12.5-3.3.1 libgstsdp-1_0-0-1.12.5-3.3.1 libgstsdp-1_0-0-debuginfo-1.12.5-3.3.1 libgsttag-1_0-0-1.12.5-3.3.1 libgsttag-1_0-0-debuginfo-1.12.5-3.3.1 libgstvideo-1_0-0-1.12.5-3.3.1 libgstvideo-1_0-0-debuginfo-1.12.5-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): gstreamer-plugins-base-lang-1.12.5-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-9928.html https://bugzilla.suse.com/1133375 From sle-security-updates at lists.suse.com Tue May 19 10:13:19 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 May 2020 18:13:19 +0200 (CEST) Subject: SUSE-SU-2020:1335-1: moderate: Security update for dpdk Message-ID: <20200519161320.00650FCEE@maintenance.suse.de> SUSE Security Update: Security update for dpdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1335-1 Rating: moderate References: #1171477 Cross-References: CVE-2020-10722 CVE-2020-10723 CVE-2020-10724 CVE-2020-10725 CVE-2020-10726 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that fixes 5 
vulnerabilities is now available. Description: This update for dpdk fixes the following issues: Security issues fixed: - CVE-2020-10722: Fixed an integer overflow in vhost_user_set_log_base() (bsc#1171477). - CVE-2020-10723: Fixed an integer truncation in vhost_user_check_and_alloc_queue_pair() (bsc#1171477). - CVE-2020-10724: Fixed a missing inputs validation in Vhost-crypto (bsc#1171477). - CVE-2020-10725: Fixed a segfault caused by invalid virtio descriptors sent from a malicious guest (bsc#1171477). - CVE-2020-10726: Fixed a denial-of-service caused by VHOST_USER_GET_INFLIGHT_FD message flooding (bsc#1171477). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1335=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1335=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le x86_64): dpdk-18.11.3-4.6.2 dpdk-debuginfo-18.11.3-4.6.2 dpdk-debugsource-18.11.3-4.6.2 dpdk-devel-18.11.3-4.6.2 dpdk-devel-debuginfo-18.11.3-4.6.2 dpdk-kmp-default-18.11.3_k4.12.14_197.40-4.6.2 dpdk-kmp-default-debuginfo-18.11.3_k4.12.14_197.40-4.6.2 dpdk-tools-18.11.3-4.6.2 dpdk-tools-debuginfo-18.11.3-4.6.2 libdpdk-18_11-18.11.3-4.6.2 libdpdk-18_11-debuginfo-18.11.3-4.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le x86_64): dpdk-debuginfo-18.11.3-4.6.2 dpdk-debugsource-18.11.3-4.6.2 dpdk-examples-18.11.3-4.6.2 dpdk-examples-debuginfo-18.11.3-4.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): dpdk-doc-18.11.3-4.6.2 References: 
https://www.suse.com/security/cve/CVE-2020-10722.html https://www.suse.com/security/cve/CVE-2020-10723.html https://www.suse.com/security/cve/CVE-2020-10724.html https://www.suse.com/security/cve/CVE-2020-10725.html https://www.suse.com/security/cve/CVE-2020-10726.html https://bugzilla.suse.com/1171477 From sle-security-updates at lists.suse.com Tue May 19 10:14:13 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 May 2020 18:14:13 +0200 (CEST) Subject: SUSE-SU-2020:1338-1: moderate: Security update for rpmlint Message-ID: <20200519161413.CFBBDFCEE@maintenance.suse.de> SUSE Security Update: Security update for rpmlint ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1338-1 Rating: moderate References: #1129452 #1169365 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for rpmlint fixes the following issues: - whitelist certmonger (bsc#1169365, bsc#1129452) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1338=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): rpmlint-mini-1.10-7.8.1 rpmlint-mini-debuginfo-1.10-7.8.1 rpmlint-mini-debugsource-1.10-7.8.1 References: https://bugzilla.suse.com/1129452 https://bugzilla.suse.com/1169365 From sle-security-updates at lists.suse.com Tue May 19 10:15:11 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 May 2020 18:15:11 +0200 (CEST) Subject: SUSE-SU-2020:1339-1: moderate: Security update for python Message-ID: <20200519161511.D2943FCEE@maintenance.suse.de> SUSE Security Update: Security update for python ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1339-1 Rating: moderate References: #1155094 #1162825 Cross-References: CVE-2019-18348 CVE-2019-9674 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for python fixes the following issues: Security issues fixed: - CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094). - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1339=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1339=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1339=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1339=1 Package List: - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python-base-debuginfo-2.7.17-7.38.1 python-base-debugsource-2.7.17-7.38.1 python-curses-2.7.17-7.38.1 python-curses-debuginfo-2.7.17-7.38.1 python-debuginfo-2.7.17-7.38.1 python-debugsource-2.7.17-7.38.1 python-devel-2.7.17-7.38.1 python-gdbm-2.7.17-7.38.1 python-gdbm-debuginfo-2.7.17-7.38.1 python-xml-2.7.17-7.38.1 python-xml-debuginfo-2.7.17-7.38.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): python-debuginfo-2.7.17-7.38.1 python-debugsource-2.7.17-7.38.1 python-demo-2.7.17-7.38.1 python-idle-2.7.17-7.38.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libpython2_7-1_0-32bit-2.7.17-7.38.1 libpython2_7-1_0-32bit-debuginfo-2.7.17-7.38.1 python-32bit-2.7.17-7.38.1 python-32bit-debuginfo-2.7.17-7.38.1 python-base-32bit-2.7.17-7.38.1 python-base-32bit-debuginfo-2.7.17-7.38.1 python-base-debugsource-2.7.17-7.38.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): python-doc-2.7.17-7.38.1 python-doc-pdf-2.7.17-7.38.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): python-debuginfo-2.7.17-7.38.1 python-debugsource-2.7.17-7.38.1 python-tk-2.7.17-7.38.1 python-tk-debuginfo-2.7.17-7.38.1 - SUSE Linux Enterprise 
Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libpython2_7-1_0-2.7.17-7.38.1 libpython2_7-1_0-debuginfo-2.7.17-7.38.1 python-2.7.17-7.38.1 python-base-2.7.17-7.38.1 python-base-debuginfo-2.7.17-7.38.1 python-base-debugsource-2.7.17-7.38.1 python-debuginfo-2.7.17-7.38.1 python-debugsource-2.7.17-7.38.1 References: https://www.suse.com/security/cve/CVE-2019-18348.html https://www.suse.com/security/cve/CVE-2019-9674.html https://bugzilla.suse.com/1155094 https://bugzilla.suse.com/1162825 From sle-security-updates at lists.suse.com Tue May 19 10:16:06 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 May 2020 18:16:06 +0200 (CEST) Subject: SUSE-SU-2020:1337-1: moderate: Security update for openconnect Message-ID: <20200519161606.C9ECDFCC1@maintenance.suse.de> SUSE Security Update: Security update for openconnect ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1337-1 Rating: moderate References: #1170452 Cross-References: CVE-2020-12105 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for openconnect fixes the following issues: Security issue fixed: - CVE-2020-12105: Fixed the improper handling of negative return values from X509_check_ function calls that might have allowed MITM attacks (bsc#1170452). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1337=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1337=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): openconnect-7.08-6.6.1 openconnect-debuginfo-7.08-6.6.1 openconnect-debugsource-7.08-6.6.1 openconnect-devel-7.08-6.6.1 - SUSE Linux Enterprise Workstation Extension 15-SP1 (noarch): openconnect-lang-7.08-6.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): openconnect-debuginfo-7.08-6.6.1 openconnect-debugsource-7.08-6.6.1 openconnect-doc-7.08-6.6.1 References: https://www.suse.com/security/cve/CVE-2020-12105.html https://bugzilla.suse.com/1170452 From sle-security-updates at lists.suse.com Tue May 19 10:20:21 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 May 2020 18:20:21 +0200 (CEST) Subject: SUSE-SU-2020:1334-1: moderate: Security update for dpdk Message-ID: <20200519162021.75413FCC1@maintenance.suse.de> SUSE Security Update: Security update for dpdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1334-1 Rating: moderate References: #1171477 Cross-References: CVE-2020-10722 CVE-2020-10723 CVE-2020-10724 CVE-2020-10725 CVE-2020-10726 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. 
Description: This update for dpdk fixes the following issues: Security issues fixed: - CVE-2020-10722: Fixed an integer overflow in vhost_user_set_log_base() (bsc#1171477). - CVE-2020-10723: Fixed an integer truncation in vhost_user_check_and_alloc_queue_pair() (bsc#1171477). - CVE-2020-10724: Fixed a missing inputs validation in Vhost-crypto (bsc#1171477). - CVE-2020-10725: Fixed a segfault caused by invalid virtio descriptors sent from a malicious guest (bsc#1171477). - CVE-2020-10726: Fixed a denial-of-service caused by VHOST_USER_GET_INFLIGHT_FD message flooding (bsc#1171477). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1334=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1334=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1334=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1334=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): dpdk-18.11.3-3.19.2 dpdk-debuginfo-18.11.3-3.19.2 dpdk-debugsource-18.11.3-3.19.2 dpdk-devel-18.11.3-3.19.2 dpdk-devel-debuginfo-18.11.3-3.19.2 dpdk-kmp-default-18.11.3_k4.12.14_150.47-3.19.2 dpdk-kmp-default-debuginfo-18.11.3_k4.12.14_150.47-3.19.2 dpdk-tools-18.11.3-3.19.2 dpdk-tools-debuginfo-18.11.3-3.19.2 libdpdk-18_11-18.11.3-3.19.2 libdpdk-18_11-debuginfo-18.11.3-3.19.2 - SUSE Linux Enterprise Server 15-LTSS (aarch64): dpdk-18.11.3-3.19.2 dpdk-debuginfo-18.11.3-3.19.2 dpdk-debugsource-18.11.3-3.19.2 dpdk-devel-18.11.3-3.19.2 dpdk-devel-debuginfo-18.11.3-3.19.2 dpdk-kmp-default-18.11.3_k4.12.14_150.47-3.19.2 dpdk-kmp-default-debuginfo-18.11.3_k4.12.14_150.47-3.19.2 
dpdk-thunderx-18.11.3-3.19.2 dpdk-thunderx-debuginfo-18.11.3-3.19.2 dpdk-thunderx-debugsource-18.11.3-3.19.2 dpdk-thunderx-devel-18.11.3-3.19.2 dpdk-thunderx-devel-debuginfo-18.11.3-3.19.2 dpdk-thunderx-kmp-default-18.11.3_k4.12.14_150.47-3.19.2 dpdk-thunderx-kmp-default-debuginfo-18.11.3_k4.12.14_150.47-3.19.2 dpdk-tools-18.11.3-3.19.2 dpdk-tools-debuginfo-18.11.3-3.19.2 libdpdk-18_11-18.11.3-3.19.2 libdpdk-18_11-debuginfo-18.11.3-3.19.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): dpdk-18.11.3-3.19.2 dpdk-debuginfo-18.11.3-3.19.2 dpdk-debugsource-18.11.3-3.19.2 dpdk-devel-18.11.3-3.19.2 dpdk-devel-debuginfo-18.11.3-3.19.2 dpdk-kmp-default-18.11.3_k4.12.14_150.47-3.19.2 dpdk-kmp-default-debuginfo-18.11.3_k4.12.14_150.47-3.19.2 dpdk-tools-18.11.3-3.19.2 dpdk-tools-debuginfo-18.11.3-3.19.2 libdpdk-18_11-18.11.3-3.19.2 libdpdk-18_11-debuginfo-18.11.3-3.19.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64): dpdk-thunderx-18.11.3-3.19.2 dpdk-thunderx-debuginfo-18.11.3-3.19.2 dpdk-thunderx-debugsource-18.11.3-3.19.2 dpdk-thunderx-devel-18.11.3-3.19.2 dpdk-thunderx-devel-debuginfo-18.11.3-3.19.2 dpdk-thunderx-kmp-default-18.11.3_k4.12.14_150.47-3.19.2 dpdk-thunderx-kmp-default-debuginfo-18.11.3_k4.12.14_150.47-3.19.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): dpdk-18.11.3-3.19.2 dpdk-debuginfo-18.11.3-3.19.2 dpdk-debugsource-18.11.3-3.19.2 dpdk-devel-18.11.3-3.19.2 dpdk-devel-debuginfo-18.11.3-3.19.2 dpdk-kmp-default-18.11.3_k4.12.14_150.47-3.19.2 dpdk-kmp-default-debuginfo-18.11.3_k4.12.14_150.47-3.19.2 dpdk-tools-18.11.3-3.19.2 dpdk-tools-debuginfo-18.11.3-3.19.2 libdpdk-18_11-18.11.3-3.19.2 libdpdk-18_11-debuginfo-18.11.3-3.19.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64): dpdk-thunderx-18.11.3-3.19.2 dpdk-thunderx-debuginfo-18.11.3-3.19.2 dpdk-thunderx-debugsource-18.11.3-3.19.2 dpdk-thunderx-devel-18.11.3-3.19.2 
dpdk-thunderx-devel-debuginfo-18.11.3-3.19.2 dpdk-thunderx-kmp-default-18.11.3_k4.12.14_150.47-3.19.2 dpdk-thunderx-kmp-default-debuginfo-18.11.3_k4.12.14_150.47-3.19.2 References: https://www.suse.com/security/cve/CVE-2020-10722.html https://www.suse.com/security/cve/CVE-2020-10723.html https://www.suse.com/security/cve/CVE-2020-10724.html https://www.suse.com/security/cve/CVE-2020-10725.html https://www.suse.com/security/cve/CVE-2020-10726.html https://bugzilla.suse.com/1171477 From sle-security-updates at lists.suse.com Wed May 20 10:13:34 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 20 May 2020 18:13:34 +0200 (CEST) Subject: SUSE-SU-2020:1351-1: moderate: Security update for ant Message-ID: <20200520161334.9144EFCC1@maintenance.suse.de> SUSE Security Update: Security update for ant ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1351-1 Rating: moderate References: #1100053 #1133997 #1134001 Cross-References: CVE-2018-10886 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for ant fixes the following issues: Security issue fixed: - CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file paths, which allowed arbitrary file writes and could potentially lead to code execution (bsc#1100053). Non-security issues fixed: - Add rhino to the ant-apache-bsf optional tasks (bsc#1134001). - Remove jakarta-commons-logging dependencies (bsc#1133997). 
- Use apache-commons-logging in optional tasks Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1351=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1351=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1351=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1351=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): ant-1.9.4-3.6.1 ant-antlr-1.9.4-3.6.1 ant-apache-bcel-1.9.4-3.6.1 ant-apache-bsf-1.9.4-3.6.1 ant-apache-log4j-1.9.4-3.6.1 ant-apache-oro-1.9.4-3.6.1 ant-apache-regexp-1.9.4-3.6.1 ant-apache-resolver-1.9.4-3.6.1 ant-commons-logging-1.9.4-3.6.1 ant-javadoc-1.9.4-3.6.1 ant-javamail-1.9.4-3.6.1 ant-jdepend-1.9.4-3.6.1 ant-jmf-1.9.4-3.6.1 ant-junit-1.9.4-3.6.1 ant-manual-1.9.4-3.6.1 ant-scripts-1.9.4-3.6.1 ant-swing-1.9.4-3.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): ant-1.9.4-3.6.1 ant-antlr-1.9.4-3.6.1 ant-apache-bcel-1.9.4-3.6.1 ant-apache-bsf-1.9.4-3.6.1 ant-apache-log4j-1.9.4-3.6.1 ant-apache-oro-1.9.4-3.6.1 ant-apache-regexp-1.9.4-3.6.1 ant-apache-resolver-1.9.4-3.6.1 ant-commons-logging-1.9.4-3.6.1 ant-javadoc-1.9.4-3.6.1 ant-javamail-1.9.4-3.6.1 ant-jdepend-1.9.4-3.6.1 ant-jmf-1.9.4-3.6.1 ant-junit-1.9.4-3.6.1 ant-manual-1.9.4-3.6.1 ant-scripts-1.9.4-3.6.1 ant-swing-1.9.4-3.6.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): ant-1.9.4-3.6.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): ant-1.9.4-3.6.1 References: https://www.suse.com/security/cve/CVE-2018-10886.html https://bugzilla.suse.com/1100053 https://bugzilla.suse.com/1133997 https://bugzilla.suse.com/1134001 From sle-security-updates at lists.suse.com 
Wed May 20 10:14:43 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 20 May 2020 18:14:43 +0200 (CEST) Subject: SUSE-SU-2020:1353-1: moderate: Security update for freetype2 Message-ID: <20200520161443.95987FCEE@maintenance.suse.de> SUSE Security Update: Security update for freetype2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1353-1 Rating: moderate References: #1079603 #1091109 Cross-References: CVE-2018-6942 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for freetype2 to version 2.10.1 fixes the following issues: Security issue fixed: - CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603). Non-security issues fixed: - Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. 
  * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
  * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs.
  * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference.
  * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency.
  * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments.
  * The precision of handling deltas in Variation Fonts has been increased. The problem did only show up with multidimensional designspaces.
  * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels.
  * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps.
  * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value.
  * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index.
  * The usual round of fuzzer bug fixes to better reject malformed fonts.
  * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed. These two functions were public by oversight only and were never documented.
  * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined.
  * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector.
- Enable subpixel rendering with infinality config:
- Re-enable freetype-config, there are just too many fallouts.
- Update to version 2.9.1
  * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9).
  * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts.
  * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
  * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1).
  * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts has been added, however, with the exception of Georgian Mtavruli.
- freetype-config is now deprecated by upstream and not enabled by default.
- Update to version 2.10.1
  * The `ftmulti' demo program now supports multiple hidden axes with the same name tag.
  * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up.
  * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file.
  * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
  * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed.
  * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth.
  * The `ftview' demo program now displays red boxes for zero-width glyphs.
  * `ftglyph' has limited support to display fonts with color-layered glyphs. This will be improved later on.
  * `ftgrid' can now display bitmap fonts also.
  * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC).
  * Other various improvements to the demo programs.
- Remove "Supplements: fonts-config" to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops (bsc#1091109). fonts-config is fundamental, but ft2demos is seldom installed by end users. Only fonts-config maintainers/debuggers may use ft2demos along to debug some issues.
- Update to version 2.9.1
  * No changelog upstream.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1353=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

  freetype2-debugsource-2.10.1-4.3.1
  freetype2-devel-2.10.1-4.3.1
  libfreetype6-2.10.1-4.3.1
  libfreetype6-debuginfo-2.10.1-4.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

  libfreetype6-32bit-2.10.1-4.3.1
  libfreetype6-32bit-debuginfo-2.10.1-4.3.1

References:

https://www.suse.com/security/cve/CVE-2018-6942.html
https://bugzilla.suse.com/1079603
https://bugzilla.suse.com/1091109

From sle-security-updates at lists.suse.com Wed May 20 10:16:37 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 May 2020 18:16:37 +0200 (CEST)
Subject: SUSE-SU-2020:1352-1: moderate: Security update for ant
Message-ID: <20200520161637.C7B85FCEE@maintenance.suse.de>

SUSE Security Update: Security update for ant
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1352-1
Rating:             moderate
References:         #1100053 #1133997
                    #1134001
Cross-References:   CVE-2018-10886
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for ant fixes the following issues:

Security issue fixed:

- CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file paths, which allowed arbitrary file writes and could potentially lead to code execution (bsc#1100053).

Non-security issues fixed:

- Add rhino to the ant-apache-bsf optional tasks (bsc#1134001).
- Remove jakarta-commons-logging dependencies (bsc#1133997).
- Use apache-commons-logging in optional tasks

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Development Tools 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1352=1

Package List:

- SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):

  ant-1.9.10-3.6.1
  ant-antlr-1.9.10-3.6.1
  ant-apache-bcel-1.9.10-3.6.1
  ant-apache-bsf-1.9.10-3.6.1
  ant-apache-log4j-1.9.10-3.6.1
  ant-apache-oro-1.9.10-3.6.1
  ant-apache-regexp-1.9.10-3.6.1
  ant-apache-resolver-1.9.10-3.6.1
  ant-commons-logging-1.9.10-3.6.1
  ant-javamail-1.9.10-3.6.1
  ant-jdepend-1.9.10-3.6.1
  ant-jmf-1.9.10-3.6.1
  ant-junit-1.9.10-3.6.1
  ant-manual-1.9.10-3.6.1
  ant-scripts-1.9.10-3.6.1
  ant-swing-1.9.10-3.6.1

References:

https://www.suse.com/security/cve/CVE-2018-10886.html
https://bugzilla.suse.com/1100053
https://bugzilla.suse.com/1133997
https://bugzilla.suse.com/1134001

From sle-security-updates at lists.suse.com Wed May 20 10:17:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 May 2020 18:17:46 +0200 (CEST)
Subject: SUSE-SU-2020:1350-1: important: Security update for bind
Message-ID: <20200520161746.A74A4FCC1@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1350-1
Rating:             important
References:         #1161168 #1171740
Cross-References:   CVE-2020-8616 CVE-2020-8617
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for bind fixes the following issues:

Security issues fixed:

- CVE-2020-8616: Fixed the insufficient limit on the number of fetches performed when processing referrals (bsc#1171740).
- CVE-2020-8617: Fixed a logic error in code which checks TSIG validity (bsc#1171740).

Non-security issue fixed:

- Fixed an invalid string comparison in the handling of cookie-secrets (bsc#1161168).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:

  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1350=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:

  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1350=1

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1350=1

- SUSE Linux Enterprise Server 12-SP4:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1350=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

  bind-debuginfo-9.11.2-3.17.1
  bind-debugsource-9.11.2-3.17.1
  bind-devel-9.11.2-3.17.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

  bind-debuginfo-9.11.2-3.17.1
  bind-debugsource-9.11.2-3.17.1
  bind-devel-9.11.2-3.17.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

  bind-9.11.2-3.17.1
  bind-chrootenv-9.11.2-3.17.1
  bind-debuginfo-9.11.2-3.17.1
  bind-debugsource-9.11.2-3.17.1
  bind-utils-9.11.2-3.17.1
  bind-utils-debuginfo-9.11.2-3.17.1
  libbind9-160-9.11.2-3.17.1
  libbind9-160-debuginfo-9.11.2-3.17.1
  libdns169-9.11.2-3.17.1
  libdns169-debuginfo-9.11.2-3.17.1
  libirs160-9.11.2-3.17.1
  libirs160-debuginfo-9.11.2-3.17.1
  libisc166-9.11.2-3.17.1
  libisc166-debuginfo-9.11.2-3.17.1
  libisccc160-9.11.2-3.17.1
  libisccc160-debuginfo-9.11.2-3.17.1
  libisccfg160-9.11.2-3.17.1
  libisccfg160-debuginfo-9.11.2-3.17.1
  liblwres160-9.11.2-3.17.1
  liblwres160-debuginfo-9.11.2-3.17.1

- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

  libisc166-32bit-9.11.2-3.17.1
  libisc166-debuginfo-32bit-9.11.2-3.17.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  bind-doc-9.11.2-3.17.1
  python-bind-9.11.2-3.17.1

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

  bind-9.11.2-3.17.1
  bind-chrootenv-9.11.2-3.17.1
  bind-debuginfo-9.11.2-3.17.1
  bind-debugsource-9.11.2-3.17.1
  bind-utils-9.11.2-3.17.1
  bind-utils-debuginfo-9.11.2-3.17.1
  libbind9-160-9.11.2-3.17.1
  libbind9-160-debuginfo-9.11.2-3.17.1
  libdns169-9.11.2-3.17.1
  libdns169-debuginfo-9.11.2-3.17.1
  libirs160-9.11.2-3.17.1
  libirs160-debuginfo-9.11.2-3.17.1
  libisc166-9.11.2-3.17.1
  libisc166-debuginfo-9.11.2-3.17.1
  libisccc160-9.11.2-3.17.1
  libisccc160-debuginfo-9.11.2-3.17.1
  libisccfg160-9.11.2-3.17.1
  libisccfg160-debuginfo-9.11.2-3.17.1
  liblwres160-9.11.2-3.17.1
  liblwres160-debuginfo-9.11.2-3.17.1

- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

  libisc166-32bit-9.11.2-3.17.1
  libisc166-debuginfo-32bit-9.11.2-3.17.1

- SUSE Linux Enterprise Server 12-SP4 (noarch):

  bind-doc-9.11.2-3.17.1
  python-bind-9.11.2-3.17.1

References:

https://www.suse.com/security/cve/CVE-2020-8616.html
https://www.suse.com/security/cve/CVE-2020-8617.html
https://bugzilla.suse.com/1161168
https://bugzilla.suse.com/1171740

From sle-security-updates at lists.suse.com Thu May 21 13:12:57 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 May 2020 21:12:57 +0200 (CEST)
Subject: SUSE-SU-2020:1365-1: important: Security update for tomcat
Message-ID: <20200521191257.A92E0FFC3@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1365-1
Rating:             important
References:         #1171928
Cross-References:   CVE-2020-9484
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tomcat fixes the following issues:

- Update to Tomcat 9.0.35.
  See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.35_(markt)

  * CVE-2020-9484 (bsc#1171928)
    Apache Tomcat Remote Code Execution via session persistence
    If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1365=1

- SUSE Linux Enterprise Server 12-SP4:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1365=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  tomcat-9.0.35-3.32.1
  tomcat-admin-webapps-9.0.35-3.32.1
  tomcat-docs-webapp-9.0.35-3.32.1
  tomcat-el-3_0-api-9.0.35-3.32.1
  tomcat-javadoc-9.0.35-3.32.1
  tomcat-jsp-2_3-api-9.0.35-3.32.1
  tomcat-lib-9.0.35-3.32.1
  tomcat-servlet-4_0-api-9.0.35-3.32.1
  tomcat-webapps-9.0.35-3.32.1

- SUSE Linux Enterprise Server 12-SP4 (noarch):

  tomcat-9.0.35-3.32.1
  tomcat-admin-webapps-9.0.35-3.32.1
  tomcat-docs-webapp-9.0.35-3.32.1
  tomcat-el-3_0-api-9.0.35-3.32.1
  tomcat-javadoc-9.0.35-3.32.1
  tomcat-jsp-2_3-api-9.0.35-3.32.1
  tomcat-lib-9.0.35-3.32.1
  tomcat-servlet-4_0-api-9.0.35-3.32.1
  tomcat-webapps-9.0.35-3.32.1

References:

https://www.suse.com/security/cve/CVE-2020-9484.html
https://bugzilla.suse.com/1171928

From sle-security-updates at lists.suse.com Thu May 21 13:13:49 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 May 2020 21:13:49 +0200 (CEST)
Subject: SUSE-SU-2020:1363-1: important: Security update for tomcat
Message-ID: <20200521191349.565B8FFC3@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1363-1
Rating:             important
References:         #1171928
Cross-References:   CVE-2020-9484
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tomcat fixes the following issues:

- Update to Tomcat 9.0.35.
  See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.35_(markt)

  * CVE-2020-9484 (bsc#1171928)
    Apache Tomcat Remote Code Execution via session persistence
    If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
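The CVE-2020-9484 description above names the configuration precondition (a PersistenceManager) but not the setting that bounds what a persisted session may deserialize. The following is an added example, not code from the SUSE advisory or from Apache Tomcat: it parses a Tomcat Context configuration and reports a PersistentManager backed by a FileStore that has no `sessionAttributeValueClassNameFilter`, the per-Manager allow-list regex that Tomcat's Manager documentation describes for classes allowed in deserialized session attributes (its default is null, i.e. no filtering, unless a SecurityManager is in use). Both context.xml documents, the FileStore directory and the finding text are constructed for the example.

```python
"""Audit a Tomcat context.xml for the CVE-2020-9484 preconditions.

Added example; not code from the SUSE advisory or from Apache Tomcat.
It reports a PersistentManager whose sessions are written to disk by a
FileStore without a sessionAttributeValueClassNameFilter. The two
context.xml documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Weak setting: sessions are persisted to disk and every class on the
# classpath is a candidate for deserialization when a session is loaded.
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>
"""

# Hardened setting: only the listed java.lang value classes may be
# deserialized from a persisted session (regex from Tomcat's Manager docs).
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>
"""


def audit_context(xml_text):
    """Return one finding per PersistentManager that persists sessions through a
    FileStore without an effective class-name filter; [] means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        stores = [s for s in manager.findall("Store") if s.get("className") == FILE_STORE]
        if not stores:
            continue
        flt = (manager.get("sessionAttributeValueClassNameFilter") or "").strip()
        # An absent attribute or the literal "null" means no filtering; a bare
        # ".*" admits every class and is treated the same way here (heuristic).
        if flt.lower() in ("", "null", ".*"):
            for store in stores:
                findings.append(
                    "PersistentManager with FileStore directory=%r has no "
                    "sessionAttributeValueClassNameFilter" % store.get("directory")
                )
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(label, audit_context(doc) or ["ok"])
```

Run it against the real files under `$CATALINA_BASE/conf/` (context.xml, and the per-host and per-application context fragments) rather than only the samples; the filter is a defence in depth, and the first item in the description, control over a file below the FileStore directory, is what the update removes the need to rely on.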
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1363=1

Package List:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch):

  tomcat-9.0.35-4.30.2
  tomcat-admin-webapps-9.0.35-4.30.2
  tomcat-el-3_0-api-9.0.35-4.30.2
  tomcat-jsp-2_3-api-9.0.35-4.30.2
  tomcat-lib-9.0.35-4.30.2
  tomcat-servlet-4_0-api-9.0.35-4.30.2
  tomcat-webapps-9.0.35-4.30.2

References:

https://www.suse.com/security/cve/CVE-2020-9484.html
https://bugzilla.suse.com/1171928

From sle-security-updates at lists.suse.com Thu May 21 13:14:42 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 May 2020 21:14:42 +0200 (CEST)
Subject: SUSE-SU-2020:1364-1: important: Security update for tomcat
Message-ID: <20200521191442.7323EFFC3@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1364-1
Rating:             important
References:         #1171928
Cross-References:   CVE-2020-9484
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tomcat fixes the following issues:

- Update to Tomcat 9.0.35.
  See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.35_(markt)

  * CVE-2020-9484 (bsc#1171928)
    Apache Tomcat Remote Code Execution via session persistence
    If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1364=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1364=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1364=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1364=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (noarch):

  tomcat-9.0.35-3.52.2
  tomcat-admin-webapps-9.0.35-3.52.2
  tomcat-el-3_0-api-9.0.35-3.52.2
  tomcat-jsp-2_3-api-9.0.35-3.52.2
  tomcat-lib-9.0.35-3.52.2
  tomcat-servlet-4_0-api-9.0.35-3.52.2
  tomcat-webapps-9.0.35-3.52.2

- SUSE Linux Enterprise Server 15-LTSS (noarch):

  tomcat-9.0.35-3.52.2
  tomcat-admin-webapps-9.0.35-3.52.2
  tomcat-el-3_0-api-9.0.35-3.52.2
  tomcat-jsp-2_3-api-9.0.35-3.52.2
  tomcat-lib-9.0.35-3.52.2
  tomcat-servlet-4_0-api-9.0.35-3.52.2
  tomcat-webapps-9.0.35-3.52.2

- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

  tomcat-9.0.35-3.52.2
  tomcat-admin-webapps-9.0.35-3.52.2
  tomcat-el-3_0-api-9.0.35-3.52.2
  tomcat-jsp-2_3-api-9.0.35-3.52.2
  tomcat-lib-9.0.35-3.52.2
  tomcat-servlet-4_0-api-9.0.35-3.52.2
  tomcat-webapps-9.0.35-3.52.2

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

  tomcat-9.0.35-3.52.2
  tomcat-admin-webapps-9.0.35-3.52.2
  tomcat-el-3_0-api-9.0.35-3.52.2
  tomcat-jsp-2_3-api-9.0.35-3.52.2
  tomcat-lib-9.0.35-3.52.2
  tomcat-servlet-4_0-api-9.0.35-3.52.2
  tomcat-webapps-9.0.35-3.52.2

References:

https://www.suse.com/security/cve/CVE-2020-9484.html
https://bugzilla.suse.com/1171928

From sle-security-updates at lists.suse.com Fri May 22 04:13:26 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2020 12:13:26 +0200 (CEST)
Subject: SUSE-SU-2020:1380-1: important: Security update for dovecot23
Message-ID: <20200522101326.B0EE9FFC7@maintenance.suse.de>

SUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1380-1
Rating:             important
References:         #1171456 #1171457 #1171458
Cross-References:   CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for dovecot23 to 2.3.10 fixes the following issues:

Security issues fixed:

- CVE-2020-10957: Fixed a crash caused by malformed NOOP commands (bsc#1171457).
- CVE-2020-10958: Fixed a use-after-free when receiving too many newlines (bsc#1171458).
- CVE-2020-10967: Fixed a crash in the lmtp and submission components caused by mails with empty quoted localparts (bsc#1171456).

Non-security issues fixed:

- The update to 2.3.10 fixes several bugs. Please refer to https://dovecot.org/doc/NEWS for a complete list of changes.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1380=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

  dovecot23-2.3.10-11.1
  dovecot23-backend-mysql-2.3.10-11.1
  dovecot23-backend-mysql-debuginfo-2.3.10-11.1
  dovecot23-backend-pgsql-2.3.10-11.1
  dovecot23-backend-pgsql-debuginfo-2.3.10-11.1
  dovecot23-backend-sqlite-2.3.10-11.1
  dovecot23-backend-sqlite-debuginfo-2.3.10-11.1
  dovecot23-debuginfo-2.3.10-11.1
  dovecot23-debugsource-2.3.10-11.1
  dovecot23-devel-2.3.10-11.1
  dovecot23-fts-2.3.10-11.1
  dovecot23-fts-debuginfo-2.3.10-11.1
  dovecot23-fts-lucene-2.3.10-11.1
  dovecot23-fts-lucene-debuginfo-2.3.10-11.1
  dovecot23-fts-solr-2.3.10-11.1
  dovecot23-fts-solr-debuginfo-2.3.10-11.1
  dovecot23-fts-squat-2.3.10-11.1
  dovecot23-fts-squat-debuginfo-2.3.10-11.1

References:

https://www.suse.com/security/cve/CVE-2020-10957.html
https://www.suse.com/security/cve/CVE-2020-10958.html
https://www.suse.com/security/cve/CVE-2020-10967.html
https://bugzilla.suse.com/1171456
https://bugzilla.suse.com/1171457
https://bugzilla.suse.com/1171458

From sle-security-updates at lists.suse.com Fri May 22 04:14:34 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2020 12:14:34 +0200 (CEST)
Subject: SUSE-SU-2020:1379-1: important: Security update for dovecot23
Message-ID: <20200522101434.91410FFC7@maintenance.suse.de>

SUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1379-1
Rating:             important
References:         #1171456 #1171457 #1171458
Cross-References:   CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for dovecot23 fixes the following issues:

Security issues fixed:

- CVE-2020-10957: Fixed a crash caused by malformed NOOP commands (bsc#1171457).
- CVE-2020-10958: Fixed a use-after-free when receiving too many newlines (bsc#1171458).
- CVE-2020-10967: Fixed a crash in the lmtp and submission components caused by mails with empty quoted localparts (bsc#1171456).

Non-security issues fixed:

- The update to 2.3.10 fixes several bugs. Please refer to https://dovecot.org/doc/NEWS for a complete list of changes.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1379=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1379=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1379=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1379=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

  dovecot23-2.3.10-4.22.1
  dovecot23-backend-mysql-2.3.10-4.22.1
  dovecot23-backend-mysql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-pgsql-2.3.10-4.22.1
  dovecot23-backend-pgsql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-sqlite-2.3.10-4.22.1
  dovecot23-backend-sqlite-debuginfo-2.3.10-4.22.1
  dovecot23-debuginfo-2.3.10-4.22.1
  dovecot23-debugsource-2.3.10-4.22.1
  dovecot23-devel-2.3.10-4.22.1
  dovecot23-fts-2.3.10-4.22.1
  dovecot23-fts-debuginfo-2.3.10-4.22.1
  dovecot23-fts-lucene-2.3.10-4.22.1
  dovecot23-fts-lucene-debuginfo-2.3.10-4.22.1
  dovecot23-fts-solr-2.3.10-4.22.1
  dovecot23-fts-solr-debuginfo-2.3.10-4.22.1
  dovecot23-fts-squat-2.3.10-4.22.1
  dovecot23-fts-squat-debuginfo-2.3.10-4.22.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

  dovecot23-2.3.10-4.22.1
  dovecot23-backend-mysql-2.3.10-4.22.1
  dovecot23-backend-mysql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-pgsql-2.3.10-4.22.1
  dovecot23-backend-pgsql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-sqlite-2.3.10-4.22.1
  dovecot23-backend-sqlite-debuginfo-2.3.10-4.22.1
  dovecot23-debuginfo-2.3.10-4.22.1
  dovecot23-debugsource-2.3.10-4.22.1
  dovecot23-devel-2.3.10-4.22.1
  dovecot23-fts-2.3.10-4.22.1
  dovecot23-fts-debuginfo-2.3.10-4.22.1
  dovecot23-fts-lucene-2.3.10-4.22.1
  dovecot23-fts-lucene-debuginfo-2.3.10-4.22.1
  dovecot23-fts-solr-2.3.10-4.22.1
  dovecot23-fts-solr-debuginfo-2.3.10-4.22.1
  dovecot23-fts-squat-2.3.10-4.22.1
  dovecot23-fts-squat-debuginfo-2.3.10-4.22.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

  dovecot23-2.3.10-4.22.1
  dovecot23-backend-mysql-2.3.10-4.22.1
  dovecot23-backend-mysql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-pgsql-2.3.10-4.22.1
  dovecot23-backend-pgsql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-sqlite-2.3.10-4.22.1
  dovecot23-backend-sqlite-debuginfo-2.3.10-4.22.1
  dovecot23-debuginfo-2.3.10-4.22.1
  dovecot23-debugsource-2.3.10-4.22.1
  dovecot23-devel-2.3.10-4.22.1
  dovecot23-fts-2.3.10-4.22.1
  dovecot23-fts-debuginfo-2.3.10-4.22.1
  dovecot23-fts-lucene-2.3.10-4.22.1
  dovecot23-fts-lucene-debuginfo-2.3.10-4.22.1
  dovecot23-fts-solr-2.3.10-4.22.1
  dovecot23-fts-solr-debuginfo-2.3.10-4.22.1
  dovecot23-fts-squat-2.3.10-4.22.1
  dovecot23-fts-squat-debuginfo-2.3.10-4.22.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

  dovecot23-2.3.10-4.22.1
  dovecot23-backend-mysql-2.3.10-4.22.1
  dovecot23-backend-mysql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-pgsql-2.3.10-4.22.1
  dovecot23-backend-pgsql-debuginfo-2.3.10-4.22.1
  dovecot23-backend-sqlite-2.3.10-4.22.1
  dovecot23-backend-sqlite-debuginfo-2.3.10-4.22.1
  dovecot23-debuginfo-2.3.10-4.22.1
  dovecot23-debugsource-2.3.10-4.22.1
  dovecot23-devel-2.3.10-4.22.1
  dovecot23-fts-2.3.10-4.22.1
  dovecot23-fts-debuginfo-2.3.10-4.22.1
  dovecot23-fts-lucene-2.3.10-4.22.1
  dovecot23-fts-lucene-debuginfo-2.3.10-4.22.1
  dovecot23-fts-solr-2.3.10-4.22.1
  dovecot23-fts-solr-debuginfo-2.3.10-4.22.1
  dovecot23-fts-squat-2.3.10-4.22.1
  dovecot23-fts-squat-debuginfo-2.3.10-4.22.1

References:

https://www.suse.com/security/cve/CVE-2020-10957.html
https://www.suse.com/security/cve/CVE-2020-10958.html
https://www.suse.com/security/cve/CVE-2020-10967.html
https://bugzilla.suse.com/1171456
https://bugzilla.suse.com/1171457
https://bugzilla.suse.com/1171458

From sle-security-updates at lists.suse.com Fri May 22 04:15:35 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2020 12:15:35 +0200 (CEST)
Subject: SUSE-SU-2020:1381-1: moderate: Security update for memcached
Message-ID: <20200522101535.CD99BFFC7@maintenance.suse.de>

SUSE Security Update: Security update for memcached
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1381-1
Rating:             moderate
References:         #1133817 #1149110
Cross-References:   CVE-2019-11596 CVE-2019-15026
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for memcached fixes the following issues:

Security issues fixed:

- CVE-2019-11596: Fixed a NULL pointer dereference in process_lru_command (bsc#1133817).
- CVE-2019-15026: Fixed a stack-based buffer over-read (bsc#1149110).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1381=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

  memcached-1.5.6-4.5.30
  memcached-debuginfo-1.5.6-4.5.30
  memcached-debugsource-1.5.6-4.5.30
  memcached-devel-1.5.6-4.5.30

References:

https://www.suse.com/security/cve/CVE-2019-11596.html
https://www.suse.com/security/cve/CVE-2019-15026.html
https://bugzilla.suse.com/1133817
https://bugzilla.suse.com/1149110

From sle-security-updates at lists.suse.com Fri May 22 04:16:28 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2020 12:16:28 +0200 (CEST)
Subject: SUSE-SU-2020:1383-1: important: Security update for dom4j
Message-ID: <20200522101628.C61C0FFC3@maintenance.suse.de>

SUSE Security Update: Security update for dom4j
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1383-1
Rating:             important
References:         #1169760
Cross-References:   CVE-2020-10683
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for dom4j fixes the following issues:

- CVE-2020-10683: Fixed an XML External Entity vulnerability in default SAX parser (bsc#1169760).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-1383=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

  dom4j-1.6.1-4.9.4

References:

https://www.suse.com/security/cve/CVE-2020-10683.html
https://bugzilla.suse.com/1169760

From sle-security-updates at lists.suse.com Fri May 22 04:17:14 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2020 12:17:14 +0200 (CEST)
Subject: SUSE-SU-2020:1382-1: important: Security update for dom4j
Message-ID: <20200522101714.3233DFFC3@maintenance.suse.de>

SUSE Security Update: Security update for dom4j
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1382-1
Rating:             important
References:         #1169760
Cross-References:   CVE-2020-10683
Affected Products:
                    SUSE Manager Server 3.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for dom4j fixes the following issues:

- CVE-2020-10683: Fixed an XML External Entity vulnerability in default SAX parser (bsc#1169760).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 3.2:

  zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1382=1

Package List:

- SUSE Manager Server 3.2 (noarch):

  dom4j-1.6.1-27.7.2

References:

https://www.suse.com/security/cve/CVE-2020-10683.html
https://bugzilla.suse.com/1169760

From sle-security-updates at lists.suse.com Fri May 22 10:12:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2020 18:12:56 +0200 (CEST)
Subject: SUSE-SU-2020:14375-1: important: Security update for tomcat6
Message-ID: <20200522161256.01D2AFFC7@maintenance.suse.de>

SUSE Security Update: Security update for tomcat6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14375-1
Rating:             important
References:         #1136085 #1159723 #1171928
Cross-References:   CVE-2019-0221 CVE-2019-12418 CVE-2020-9484
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for tomcat6 fixes the following issues:

CVE-2020-9484 (bsc#1171928)
Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control.

CVE-2019-12418 (bsc#1159723)
Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

CVE-2019-0221 (bsc#1136085)
The SSI printenv command echoed user provided data without escaping, which made it vulnerable to XSS.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

  zypper in -t patch slessp4-tomcat6-14375=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

  zypper in -t patch sleposp3-tomcat6-14375=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (noarch):

  tomcat6-6.0.53-0.57.16.1
  tomcat6-admin-webapps-6.0.53-0.57.16.1
  tomcat6-docs-webapp-6.0.53-0.57.16.1
  tomcat6-javadoc-6.0.53-0.57.16.1
  tomcat6-jsp-2_1-api-6.0.53-0.57.16.1
  tomcat6-lib-6.0.53-0.57.16.1
  tomcat6-servlet-2_5-api-6.0.53-0.57.16.1
  tomcat6-webapps-6.0.53-0.57.16.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (noarch):

  tomcat6-6.0.53-0.57.16.1
  tomcat6-admin-webapps-6.0.53-0.57.16.1
  tomcat6-docs-webapp-6.0.53-0.57.16.1
  tomcat6-javadoc-6.0.53-0.57.16.1
  tomcat6-jsp-2_1-api-6.0.53-0.57.16.1
  tomcat6-lib-6.0.53-0.57.16.1
  tomcat6-servlet-2_5-api-6.0.53-0.57.16.1
  tomcat6-webapps-6.0.53-0.57.16.1

References:

https://www.suse.com/security/cve/CVE-2019-0221.html
https://www.suse.com/security/cve/CVE-2019-12418.html
https://www.suse.com/security/cve/CVE-2020-9484.html
https://bugzilla.suse.com/1136085
https://bugzilla.suse.com/1159723
https://bugzilla.suse.com/1171928

From sle-security-updates at lists.suse.com Fri May 22 10:13:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 May 2020 18:13:56 +0200 (CEST)
Subject: SUSE-SU-2020:1392-1: important: Security update for salt
Message-ID: <20200522161356.2EC53FFC7@maintenance.suse.de>

SUSE Security Update: Security update for salt
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1392-1 Rating: important References: #1170595 Cross-References: CVE-2020-11651 CVE-2020-11652 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for salt fixes the following issues: Security issues fixed: - CVE-2020-11651: Fixed the improper validation of method calls in salt-master, that could have allowed unauthenticated remote users to run arbitrary commands on salt minions (bsc#1170595). - CVE-2020-11652: Fixed an improper path sanitation in salt-master, that could have allowed authenticated users to access arbitrary directories (bsc#1170595). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1392=1 Package List: - SUSE Enterprise Storage 5 (aarch64 x86_64): salt-2016.11.4-48.10.1 salt-api-2016.11.4-48.10.1 salt-master-2016.11.4-48.10.1 salt-minion-2016.11.4-48.10.1 References: https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://bugzilla.suse.com/1170595 From sle-security-updates at lists.suse.com Fri May 22 12:42:44 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 22 May 2020 20:42:44 +0200 (CEST) Subject: SUSE-CU-2020:177-1: Security update of suse/sle15 Message-ID: <20200522184244.B7367FFC3@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:177-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.206 Container Release : 4.22.206 Severity : 
important Type : security References : 1154661 1155271 1159314 1159928 1161517 1161521 1169512 1171173 1171422 1171872 CVE-2019-18218 CVE-2019-19956 CVE-2019-20388 CVE-2020-7595 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1267-1 Released: Wed May 13 11:58:58 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issue: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). 
- CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1349-1 Released: Wed May 20 11:39:00 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted pathes as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1362-1 Released: Thu May 21 09:31:43 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) From sle-security-updates at lists.suse.com Fri May 22 12:48:31 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 22 May 2020 20:48:31 +0200 (CEST) Subject: SUSE-CU-2020:178-1: Security update of suse/sle15 Message-ID: <20200522184831.B81E1FFC3@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:178-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.234 Container Release : 6.2.234 Severity : important Type : security References : 1154661 1155271 1159928 1161517 1161521 1169512 
1171173 1171422 1171872 CVE-2019-18218 CVE-2019-19956 CVE-2019-20388 CVE-2020-7595 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1271-1 Released: Wed May 13 13:17:59 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issues: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) From sle-security-updates at lists.suse.com Mon May 25 07:13:12 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 May 2020 15:13:12 +0200 (CEST) Subject: SUSE-SU-2020:1396-1: moderate: Security update for zstd Message-ID: <20200525131312.9ACD9FFC3@maintenance.suse.de> SUSE Security Update: Security update for zstd ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1396-1 Rating: moderate References: #1082318 #1133297 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1396=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libzstd-devel-1.4.4-1.3.1 libzstd1-1.4.4-1.3.1 libzstd1-debuginfo-1.4.4-1.3.1 zstd-1.4.4-1.3.1 zstd-debuginfo-1.4.4-1.3.1 zstd-debugsource-1.4.4-1.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libzstd1-32bit-1.4.4-1.3.1 libzstd1-32bit-debuginfo-1.4.4-1.3.1 References: https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1133297 From sle-security-updates at lists.suse.com Mon May 25 13:16:00 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 May 2020 21:16:00 +0200 (CEST) Subject: SUSE-SU-2020:1409-1: moderate: Security update for libxslt Message-ID: <20200525191600.DBA83FFC7@maintenance.suse.de> SUSE Security Update: Security update for libxslt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1409-1 Rating: moderate References: #1140095 #1140101 #1154609 Cross-References: CVE-2019-13117 CVE-2019-13118 CVE-2019-18197 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for libxslt fixes the following issues: Security issues fixed: - CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101). - CVE-2019-13117: Fixed a uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095). - CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1409=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libxslt-debugsource-1.1.32-3.8.24 libxslt-devel-1.1.32-3.8.24 libxslt-tools-1.1.32-3.8.24 libxslt-tools-debuginfo-1.1.32-3.8.24 libxslt1-1.1.32-3.8.24 libxslt1-debuginfo-1.1.32-3.8.24 References: https://www.suse.com/security/cve/CVE-2019-13117.html https://www.suse.com/security/cve/CVE-2019-13118.html https://www.suse.com/security/cve/CVE-2019-18197.html https://bugzilla.suse.com/1140095 https://bugzilla.suse.com/1140101 https://bugzilla.suse.com/1154609 From sle-security-updates at lists.suse.com Tue May 26 07:24:46 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 15:24:46 +0200 (CEST) Subject: SUSE-SU-2020:1419-1: Security update for sysstat Message-ID: <20200526132446.3BE79FFC2@maintenance.suse.de> SUSE Security Update: Security update for sysstat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1419-1 Rating: low References: #1159104 Cross-References: CVE-2019-19725 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sysstat fixes the following issues: - CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1419=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1419=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): sysstat-debuginfo-12.0.2-3.21.18 sysstat-debugsource-12.0.2-3.21.18 sysstat-isag-12.0.2-3.21.18 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): sysstat-12.0.2-3.21.18 sysstat-debuginfo-12.0.2-3.21.18 sysstat-debugsource-12.0.2-3.21.18 References: https://www.suse.com/security/cve/CVE-2019-19725.html https://bugzilla.suse.com/1159104 From sle-security-updates at lists.suse.com Tue May 26 07:25:33 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 15:25:33 +0200 (CEST) Subject: SUSE-SU-2020:1417-1: moderate: Security update for freetds Message-ID: <20200526132533.EC219FFC2@maintenance.suse.de> SUSE Security Update: Security update for freetds ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1417-1 Rating: moderate References: #1141132 Cross-References: CVE-2019-13508 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for freetds to 1.1.36 fixes the following issues: Security issue fixed: - CVE-2019-13508: Fixed a heap overflow that could have been caused by malicious servers sending UDT types over protocol version 5.0 (bsc#1141132). 
Non-security issues fixed: - Enabled Kerberos support - Version update to 1.1.36: * Default TDS protocol version is now "auto" * Improved UTF-8 performances * TDS Pool Server is enabled * MARS support is enabled * NTLMv2 is enabled * See NEWS and ChangeLog for a complete list of changes Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1417=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): freetds-debuginfo-1.1.36-3.3.1 freetds-debugsource-1.1.36-3.3.1 libct4-1.1.36-3.3.1 libct4-debuginfo-1.1.36-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-13508.html https://bugzilla.suse.com/1141132 From sle-security-updates at lists.suse.com Tue May 26 07:28:16 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 15:28:16 +0200 (CEST) Subject: SUSE-SU-2020:1420-1: Security update for jasper Message-ID: <20200526132816.CBF30FFC2@maintenance.suse.de> SUSE Security Update: Security update for jasper ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1420-1 Rating: low References: #1092115 Cross-References: CVE-2018-9154 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for jasper fixes the following issues: - CVE-2018-9154: Fixed a potential denial of service in jpc_dec_process_sot() (bsc#1092115). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1420=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1420=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): jasper-debuginfo-2.0.14-3.11.8 jasper-debugsource-2.0.14-3.11.8 libjasper-devel-2.0.14-3.11.8 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): jasper-debuginfo-2.0.14-3.11.8 jasper-debugsource-2.0.14-3.11.8 libjasper4-2.0.14-3.11.8 libjasper4-debuginfo-2.0.14-3.11.8 References: https://www.suse.com/security/cve/CVE-2018-9154.html https://bugzilla.suse.com/1092115 From sle-security-updates at lists.suse.com Tue May 26 10:15:48 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 18:15:48 +0200 (CEST) Subject: SUSE-SU-2020:1423-1: important: Security update for mariadb-connector-c Message-ID: <20200526161548.5377FFFC3@maintenance.suse.de> SUSE Security Update: Security update for mariadb-connector-c ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1423-1 Rating: important References: #1171550 Cross-References: CVE-2020-13249 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 
15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for mariadb-connector-c fixes the following issues: Security issue fixed: - CVE-2020-13249: Fixed an improper validation of OK packets received from clients (bsc#1171550). Non-security issues fixed: - Update to release 3.1.8 (bsc#1171550) * CONC-304: Rename the static library to libmariadb.a and other libmariadb files in a consistent manner * CONC-441: Default user name for C/C is wrong if login user is different from effective user * CONC-449: Check $MARIADB_HOME/my.cnf in addition to $MYSQL_HOME/my.cnf * CONC-457: mysql_list_processes crashes in unpack_fields * CONC-458: mysql_get_timeout_value crashes when used improper * CONC-464: Fix static build for auth_gssapi_client plugin Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1423=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1423=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-1423=1 - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1423=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1423=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1423=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1423=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1423=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libmariadb-devel-3.1.8-3.18.1 libmariadb-devel-debuginfo-3.1.8-3.18.1 libmariadb3-3.1.8-3.18.1 libmariadb3-debuginfo-3.1.8-3.18.1 libmariadb_plugins-3.1.8-3.18.1 libmariadb_plugins-debuginfo-3.1.8-3.18.1 libmariadbprivate-3.1.8-3.18.1 libmariadbprivate-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libmariadb-devel-3.1.8-3.18.1 libmariadb-devel-debuginfo-3.1.8-3.18.1 libmariadb3-3.1.8-3.18.1 libmariadb3-debuginfo-3.1.8-3.18.1 libmariadb_plugins-3.1.8-3.18.1 libmariadb_plugins-debuginfo-3.1.8-3.18.1 libmariadbprivate-3.1.8-3.18.1 libmariadbprivate-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): libmariadb-devel-3.1.8-3.18.1 libmariadb-devel-debuginfo-3.1.8-3.18.1 libmariadb_plugins-3.1.8-3.18.1 
libmariadb_plugins-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): libmariadb-devel-3.1.8-3.18.1 libmariadb-devel-debuginfo-3.1.8-3.18.1 libmariadb_plugins-3.1.8-3.18.1 libmariadb_plugins-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libmariadb3-3.1.8-3.18.1 libmariadb3-debuginfo-3.1.8-3.18.1 libmariadbprivate-3.1.8-3.18.1 libmariadbprivate-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libmariadb3-3.1.8-3.18.1 libmariadb3-debuginfo-3.1.8-3.18.1 libmariadbprivate-3.1.8-3.18.1 libmariadbprivate-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libmariadb-devel-3.1.8-3.18.1 libmariadb-devel-debuginfo-3.1.8-3.18.1 libmariadb3-3.1.8-3.18.1 libmariadb3-debuginfo-3.1.8-3.18.1 libmariadb_plugins-3.1.8-3.18.1 libmariadb_plugins-debuginfo-3.1.8-3.18.1 libmariadbprivate-3.1.8-3.18.1 libmariadbprivate-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libmariadb-devel-3.1.8-3.18.1 libmariadb-devel-debuginfo-3.1.8-3.18.1 libmariadb3-3.1.8-3.18.1 libmariadb3-debuginfo-3.1.8-3.18.1 libmariadb_plugins-3.1.8-3.18.1 libmariadb_plugins-debuginfo-3.1.8-3.18.1 libmariadbprivate-3.1.8-3.18.1 libmariadbprivate-debuginfo-3.1.8-3.18.1 mariadb-connector-c-debugsource-3.1.8-3.18.1 References: https://www.suse.com/security/cve/CVE-2020-13249.html https://bugzilla.suse.com/1171550 From sle-security-updates at lists.suse.com Tue May 26 13:13:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 21:13:52 +0200 (CEST) Subject: 
SUSE-SU-2020:1431-1: important: Security update for mariadb-connector-c Message-ID: <20200526191352.6851EFFC3@maintenance.suse.de> SUSE Security Update: Security update for mariadb-connector-c ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1431-1 Rating: important References: #1171550 Cross-References: CVE-2020-13249 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for mariadb-connector-c fixes the following issues: Security issue fixed: - CVE-2020-13249: Fixed an improper validation of OK packets received from clients (bsc#1171550). Non-security issues fixed: - Update to release 3.1.8 (bsc#1171550) * CONC-304: Rename the static library to libmariadb.a and other libmariadb files in a consistent manner * CONC-441: Default user name for C/C is wrong if login user is different from effective user * CONC-449: Check $MARIADB_HOME/my.cnf in addition to $MYSQL_HOME/my.cnf * CONC-457: mysql_list_processes crashes in unpack_fields * CONC-458: mysql_get_timeout_value crashes when used improper * CONC-464: Fix static build for auth_gssapi_client plugin Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1431=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1431=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libmariadb3-3.1.8-2.15.1 libmariadb3-debuginfo-3.1.8-2.15.1 libmariadb_plugins-3.1.8-2.15.1 libmariadb_plugins-debuginfo-3.1.8-2.15.1 mariadb-connector-c-debugsource-3.1.8-2.15.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libmariadb3-3.1.8-2.15.1 libmariadb3-debuginfo-3.1.8-2.15.1 libmariadb_plugins-3.1.8-2.15.1 libmariadb_plugins-debuginfo-3.1.8-2.15.1 mariadb-connector-c-debugsource-3.1.8-2.15.1 References: https://www.suse.com/security/cve/CVE-2020-13249.html https://bugzilla.suse.com/1171550 From sle-security-updates at lists.suse.com Tue May 26 13:14:38 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 21:14:38 +0200 (CEST) Subject: SUSE-SU-2020:1430-1: important: Security update for dpdk Message-ID: <20200526191438.71974FFC3@maintenance.suse.de> SUSE Security Update: Security update for dpdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1430-1 Rating: important References: #1171477 #1171925 #1171930 Cross-References: CVE-2019-14818 CVE-2020-10722 CVE-2020-10723 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for dpdk to 17.11.7 fixes the following issues: Security issues fixed: - CVE-2020-10722: Fixed an integer overflow in vhost_user_set_log_base() (bsc#1171477 bsc#1171930). 
- CVE-2020-10723: Fixed an integer truncation in vhost_user_check_and_alloc_queue_pair() (bsc#1171477). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1430=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1430=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le x86_64): dpdk-debuginfo-17.11.7-5.6.2 dpdk-debugsource-17.11.7-5.6.2 dpdk-devel-17.11.7-5.6.2 dpdk-devel-debuginfo-17.11.7-5.6.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64): dpdk-thunderx-debuginfo-17.11.7-5.6.2 dpdk-thunderx-debugsource-17.11.7-5.6.2 dpdk-thunderx-devel-17.11.7-5.6.2 dpdk-thunderx-devel-debuginfo-17.11.7-5.6.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le x86_64): dpdk-17.11.7-5.6.2 dpdk-debuginfo-17.11.7-5.6.2 dpdk-debugsource-17.11.7-5.6.2 dpdk-tools-17.11.7-5.6.2 dpdk-tools-debuginfo-17.11.7-5.6.2 libdpdk-17_11-17.11.7-5.6.2 libdpdk-17_11-debuginfo-17.11.7-5.6.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64): dpdk-thunderx-17.11.7-5.6.2 dpdk-thunderx-debuginfo-17.11.7-5.6.2 dpdk-thunderx-debugsource-17.11.7-5.6.2 dpdk-thunderx-kmp-default-17.11.7_k4.12.14_95.51-5.6.2 dpdk-thunderx-kmp-default-debuginfo-17.11.7_k4.12.14_95.51-5.6.2 - SUSE Linux Enterprise Server 12-SP4 (x86_64): dpdk-kmp-default-17.11.7_k4.12.14_95.51-5.6.2 dpdk-kmp-default-debuginfo-17.11.7_k4.12.14_95.51-5.6.2 References: https://www.suse.com/security/cve/CVE-2019-14818.html https://www.suse.com/security/cve/CVE-2020-10722.html https://www.suse.com/security/cve/CVE-2020-10723.html https://bugzilla.suse.com/1171477 https://bugzilla.suse.com/1171925 https://bugzilla.suse.com/1171930 From sle-security-updates at lists.suse.com Tue May 26 13:16:06 2020 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 21:16:06 +0200 (CEST) Subject: SUSE-SU-2020:1452-1: important: Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP5) Message-ID: <20200526191606.D4E89FFC3@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP5) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1452-1 Rating: important References: #1165631 #1171252 #1171254 Cross-References: CVE-2020-12653 CVE-2020-12654 CVE-2020-1749 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-122_20 fixes several issues. The following security issues were fixed: - CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254). - CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252). - CVE-2020-1749: Fixed an improper implementation in some IPsec protocols where the data were sent unencrypted allowing an attacker to read them (bsc#1165631). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1432=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-1452=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-1457=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_40-default-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_20-default-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_51-default-2-2.1 References: https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-1749.html https://bugzilla.suse.com/1165631 https://bugzilla.suse.com/1171252 https://bugzilla.suse.com/1171254 From sle-security-updates at lists.suse.com Tue May 26 13:19:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 May 2020 21:19:52 +0200 (CEST) Subject: SUSE-SU-2020:1475-1: important: Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP1) Message-ID: <20200526191952.01ED1FFC3@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1475-1 Rating: important References: #1171252 #1171254 Cross-References: CVE-2020-12653 CVE-2020-12654 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Module 
for Live Patching 15-SP1
SUSE Linux Enterprise Module for Live Patching 15
SUSE Linux Enterprise Live Patching 12-SP5
SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.74-60_64_115 fixes several issues.

The following security issues were fixed:

- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP (bsc#1171252).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1467=1 SUSE-SLE-SAP-12-SP3-2020-1468=1 SUSE-SLE-SAP-12-SP3-2020-1469=1 SUSE-SLE-SAP-12-SP3-2020-1470=1 SUSE-SLE-SAP-12-SP3-2020-1471=1 SUSE-SLE-SAP-12-SP3-2020-1472=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1473=1 SUSE-SLE-SAP-12-SP2-2020-1474=1 SUSE-SLE-SAP-12-SP2-2020-1475=1 SUSE-SLE-SAP-12-SP2-2020-1476=1 SUSE-SLE-SAP-12-SP2-2020-1477=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1478=1 SUSE-SLE-SAP-12-SP1-2020-1479=1 SUSE-SLE-SAP-12-SP1-2020-1480=1 SUSE-SLE-SAP-12-SP1-2020-1481=1 SUSE-SLE-SAP-12-SP1-2020-1482=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1467=1 SUSE-SLE-SERVER-12-SP3-2020-1468=1 SUSE-SLE-SERVER-12-SP3-2020-1469=1 SUSE-SLE-SERVER-12-SP3-2020-1470=1 SUSE-SLE-SERVER-12-SP3-2020-1471=1 SUSE-SLE-SERVER-12-SP3-2020-1472=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1473=1 SUSE-SLE-SERVER-12-SP2-2020-1474=1 SUSE-SLE-SERVER-12-SP2-2020-1475=1 SUSE-SLE-SERVER-12-SP2-2020-1476=1 SUSE-SLE-SERVER-12-SP2-2020-1477=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1478=1 SUSE-SLE-SERVER-12-SP1-2020-1479=1 SUSE-SLE-SERVER-12-SP1-2020-1480=1 SUSE-SLE-SERVER-12-SP1-2020-1481=1 SUSE-SLE-SERVER-12-SP1-2020-1482=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1433=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1434=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1435=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1436=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1437=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1438=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1439=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1440=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1441=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1442=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1443=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-1444=1 SUSE-SLE-Module-Live-Patching-15-2020-1445=1 SUSE-SLE-Module-Live-Patching-15-2020-1446=1 SUSE-SLE-Module-Live-Patching-15-2020-1447=1 SUSE-SLE-Module-Live-Patching-15-2020-1448=1 SUSE-SLE-Module-Live-Patching-15-2020-1449=1 SUSE-SLE-Module-Live-Patching-15-2020-1450=1 SUSE-SLE-Module-Live-Patching-15-2020-1451=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-1453=1 SUSE-SLE-Live-Patching-12-SP5-2020-1454=1 SUSE-SLE-Live-Patching-12-SP5-2020-1455=1 SUSE-SLE-Live-Patching-12-SP5-2020-1456=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-1458=1 SUSE-SLE-Live-Patching-12-SP4-2020-1459=1 SUSE-SLE-Live-Patching-12-SP4-2020-1460=1 SUSE-SLE-Live-Patching-12-SP4-2020-1461=1 SUSE-SLE-Live-Patching-12-SP4-2020-1462=1 
SUSE-SLE-Live-Patching-12-SP4-2020-1463=1 SUSE-SLE-Live-Patching-12-SP4-2020-1464=1 SUSE-SLE-Live-Patching-12-SP4-2020-1465=1 SUSE-SLE-Live-Patching-12-SP4-2020-1466=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_178-94_91-default-9-2.1 kgraft-patch-4_4_178-94_91-default-debuginfo-9-2.1 kgraft-patch-4_4_180-94_100-default-7-2.1 kgraft-patch-4_4_180-94_100-default-debuginfo-7-2.1 kgraft-patch-4_4_180-94_103-default-7-2.1 kgraft-patch-4_4_180-94_103-default-debuginfo-7-2.1 kgraft-patch-4_4_180-94_107-default-5-2.1 kgraft-patch-4_4_180-94_107-default-debuginfo-5-2.1 kgraft-patch-4_4_180-94_113-default-4-2.1 kgraft-patch-4_4_180-94_113-default-debuginfo-4-2.1 kgraft-patch-4_4_180-94_97-default-9-2.1 kgraft-patch-4_4_180-94_97-default-debuginfo-9-2.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kgraft-patch-4_4_121-92_109-default-10-2.1 kgraft-patch-4_4_121-92_114-default-9-2.1 kgraft-patch-4_4_121-92_117-default-8-2.1 kgraft-patch-4_4_121-92_120-default-7-2.1 kgraft-patch-4_4_121-92_125-default-5-2.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): kgraft-patch-3_12_74-60_64_110-default-10-2.1 kgraft-patch-3_12_74-60_64_110-xen-10-2.1 kgraft-patch-3_12_74-60_64_115-default-9-2.1 kgraft-patch-3_12_74-60_64_115-xen-9-2.1 kgraft-patch-3_12_74-60_64_118-default-7-2.1 kgraft-patch-3_12_74-60_64_118-xen-7-2.1 kgraft-patch-3_12_74-60_64_121-default-7-2.1 kgraft-patch-3_12_74-60_64_121-xen-7-2.1 kgraft-patch-3_12_74-60_64_124-default-5-2.1 kgraft-patch-3_12_74-60_64_124-xen-5-2.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_178-94_91-default-9-2.1 kgraft-patch-4_4_178-94_91-default-debuginfo-9-2.1 kgraft-patch-4_4_180-94_100-default-7-2.1 kgraft-patch-4_4_180-94_100-default-debuginfo-7-2.1 kgraft-patch-4_4_180-94_103-default-7-2.1 kgraft-patch-4_4_180-94_103-default-debuginfo-7-2.1 kgraft-patch-4_4_180-94_107-default-5-2.1 
kgraft-patch-4_4_180-94_107-default-debuginfo-5-2.1 kgraft-patch-4_4_180-94_113-default-4-2.1 kgraft-patch-4_4_180-94_113-default-debuginfo-4-2.1 kgraft-patch-4_4_180-94_97-default-9-2.1 kgraft-patch-4_4_180-94_97-default-debuginfo-9-2.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_109-default-10-2.1 kgraft-patch-4_4_121-92_114-default-9-2.1 kgraft-patch-4_4_121-92_117-default-8-2.1 kgraft-patch-4_4_121-92_120-default-7-2.1 kgraft-patch-4_4_121-92_125-default-5-2.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): kgraft-patch-3_12_74-60_64_110-default-10-2.1 kgraft-patch-3_12_74-60_64_110-xen-10-2.1 kgraft-patch-3_12_74-60_64_115-default-9-2.1 kgraft-patch-3_12_74-60_64_115-xen-9-2.1 kgraft-patch-3_12_74-60_64_118-default-7-2.1 kgraft-patch-3_12_74-60_64_118-xen-7-2.1 kgraft-patch-3_12_74-60_64_121-default-7-2.1 kgraft-patch-3_12_74-60_64_121-xen-7-2.1 kgraft-patch-3_12_74-60_64_124-default-5-2.1 kgraft-patch-3_12_74-60_64_124-xen-5-2.1 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-195-default-11-31.2 kernel-livepatch-4_12_14-197_10-default-7-2.1 kernel-livepatch-4_12_14-197_15-default-7-2.1 kernel-livepatch-4_12_14-197_18-default-6-2.1 kernel-livepatch-4_12_14-197_21-default-6-2.1 kernel-livepatch-4_12_14-197_26-default-4-2.1 kernel-livepatch-4_12_14-197_29-default-4-2.1 kernel-livepatch-4_12_14-197_34-default-3-2.1 kernel-livepatch-4_12_14-197_37-default-3-2.1 kernel-livepatch-4_12_14-197_4-default-10-2.1 kernel-livepatch-4_12_14-197_7-default-9-2.1 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_17-default-9-2.1 kernel-livepatch-4_12_14-150_17-default-debuginfo-9-2.1 kernel-livepatch-4_12_14-150_22-default-8-2.1 kernel-livepatch-4_12_14-150_22-default-debuginfo-8-2.1 kernel-livepatch-4_12_14-150_27-default-7-2.1 kernel-livepatch-4_12_14-150_27-default-debuginfo-7-2.1 kernel-livepatch-4_12_14-150_32-default-7-2.1 
kernel-livepatch-4_12_14-150_32-default-debuginfo-7-2.1 kernel-livepatch-4_12_14-150_35-default-6-2.1 kernel-livepatch-4_12_14-150_35-default-debuginfo-6-2.1 kernel-livepatch-4_12_14-150_38-default-6-2.1 kernel-livepatch-4_12_14-150_38-default-debuginfo-6-2.1 kernel-livepatch-4_12_14-150_41-default-4-2.1 kernel-livepatch-4_12_14-150_41-default-debuginfo-4-2.1 kernel-livepatch-4_12_14-150_47-default-4-2.1 kernel-livepatch-4_12_14-150_47-default-debuginfo-4-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_17-default-3-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64): kgraft-patch-4_12_14-120-default-4-9.1 kgraft-patch-4_12_14-120-default-debuginfo-4-9.1 kgraft-patch-4_12_14-122_12-default-4-2.1 kgraft-patch-4_12_14-122_7-default-4-2.1 kgraft-patch-SLE12-SP5_Update_0-debugsource-4-9.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_16-default-9-2.1 kgraft-patch-4_12_14-95_19-default-8-2.1 kgraft-patch-4_12_14-95_24-default-7-2.1 kgraft-patch-4_12_14-95_29-default-7-2.1 kgraft-patch-4_12_14-95_32-default-6-2.1 kgraft-patch-4_12_14-95_37-default-5-2.1 kgraft-patch-4_12_14-95_40-default-4-2.1 kgraft-patch-4_12_14-95_45-default-4-2.1 kgraft-patch-4_12_14-95_48-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://bugzilla.suse.com/1171252 https://bugzilla.suse.com/1171254 From sle-security-updates at lists.suse.com Wed May 27 10:13:21 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 27 May 2020 18:13:21 +0200 (CEST) Subject: SUSE-SU-2020:1486-1: important: Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP2) Message-ID: <20200527161321.7DFB1FFCE@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP2) 
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1486-1
Rating: important
References: #1165631 #1171252 #1171254
Cross-References: CVE-2020-12653 CVE-2020-12654 CVE-2020-1749
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP2
SUSE Linux Enterprise Server 12-SP2-LTSS
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.4.121-92_129 fixes several issues.

The following security issues were fixed:

- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP (bsc#1171252).
- CVE-2020-1749: Fixed an improper implementation in some IPsec protocols where data were sent unencrypted, allowing an attacker to read them (bsc#1165631).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
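The live patch advisories above ship one kgraft-patch / kernel-livepatch package per kernel build, so installing the update only helps if the package matching the running kernel is present and the patch module is enabled. The following is an added example of that check, not SUSE tooling. It assumes only the naming convention visible in the package lists above (SLE 15: kernel-livepatch-<version with dots as underscores>-<flavor>; SLE 12: kgraft-patch-<...>-<flavor>) and the generic /sys/kernel/livepatch/<module>/enabled layout; the rpm -qa and sysfs samples are constructed, and the patch module name in the sample is made up.

```python
"""Check that the live patch package for the running kernel is installed and active.

Added example, not SUSE's own tooling. Inputs are passed in as text so the
functions can be run against captured `uname -r` and `rpm -qa` output or
against the constructed samples at the bottom of this file.
"""
import re

# Package name prefix per product line, as seen in the advisory package lists.
PREFIX = {"sle15": "kernel-livepatch-", "sle12": "kgraft-patch-"}
ARCHES = ("x86_64", "ppc64le", "s390x", "aarch64", "noarch")


def expected_livepatch_package(uname_release, family):
    """Map a SLE `uname -r` value to the live patch package that covers it.

    "4.12.14-197.40-default" on SLE 15 -> "kernel-livepatch-4_12_14-197_40-default"
    "3.12.74-60.64.115-xen" on SLE 12 -> "kgraft-patch-3_12_74-60_64_115-xen"
    """
    m = re.fullmatch(r"([0-9][0-9.]*-[0-9][0-9.]*)-([a-z0-9]+)", uname_release)
    if not m:
        raise ValueError("unrecognised SLE kernel release: %r" % uname_release)
    version, flavor = m.groups()
    return PREFIX[family] + version.replace(".", "_") + "-" + flavor


def installed_versions(rpm_qa, package):
    """Return the version-release strings of `package` present in `rpm -qa` output.

    Package names contain dashes themselves, so anchor on the full expected
    name followed by -<version>-<release>[.<arch>].
    """
    pattern = re.compile(
        re.escape(package) + r"-([^-]+)-([^-]+?)(?:\.(?:" + "|".join(ARCHES) + r"))?"
    )
    found = []
    for line in rpm_qa.splitlines():
        m = pattern.fullmatch(line.strip())
        if m:
            found.append(m.group(1) + "-" + m.group(2))
    return found


def active_patches(sysfs_livepatch):
    """Names of patch modules whose /sys/kernel/livepatch/<name>/enabled reads 1.

    `sysfs_livepatch` is {module_name: contents_of_enabled_file}, i.e. the
    caller's reading of that sysfs tree (assumed generic livepatch layout).
    """
    return sorted(n for n, e in sysfs_livepatch.items() if e.strip() == "1")


def livepatch_status(uname_release, family, rpm_qa, sysfs_livepatch):
    """Summarise coverage: expected package, what is installed, what is enabled.

    Note this does not prove the enabled module came from the installed
    package; it flags the two failure modes an admin actually hits, namely
    no package for this kernel build and no enabled patch at all.
    """
    pkg = expected_livepatch_package(uname_release, family)
    installed = installed_versions(rpm_qa, pkg)
    active = active_patches(sysfs_livepatch)
    return {
        "package": pkg,
        "installed": installed,
        "active": active,
        "covered": bool(installed) and bool(active),
    }


# Constructed sample data (not from a real host); the module name is invented.
SAMPLE_RPM_QA = """\
kernel-default-4.12.14-197.40.1.x86_64
kernel-livepatch-4_12_14-197_40-default-2-2.1.x86_64
kernel-livepatch-4_12_14-197_37-default-3-2.1.x86_64
"""
SAMPLE_SYSFS = {"livepatch_example_module": "1\n"}

if __name__ == "__main__":
    print(livepatch_status("4.12.14-197.40-default", "sle15", SAMPLE_RPM_QA, SAMPLE_SYSFS))
```

On a real host, feed it `uname -r`, `rpm -qa` and a walk of /sys/kernel/livepatch; an "installed" list that is empty after the update means the package for this exact kernel build was not pulled in, which is the usual reason a live patch does nothing.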
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1486=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1486=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kgraft-patch-4_4_121-92_129-default-2-2.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_129-default-2-2.1 References: https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-1749.html https://bugzilla.suse.com/1165631 https://bugzilla.suse.com/1171252 https://bugzilla.suse.com/1171254 From sle-security-updates at lists.suse.com Wed May 27 16:20:05 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 May 2020 00:20:05 +0200 (CEST) Subject: SUSE-SU-2020:1493-1: Security update for libmspack Message-ID: <20200527222005.AC872FFD2@maintenance.suse.de> SUSE Security Update: Security update for libmspack ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1493-1 Rating: low References: #1130489 #1141680 Cross-References: CVE-2019-1010305 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for libmspack fixes the following issues: Security issue fixed: - CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file which could have led to information disclosure (bsc#1141680). Other issue addressed: - Enable build-time tests (bsc#1130489) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1493=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libmspack-debugsource-0.6-3.8.19 libmspack-devel-0.6-3.8.19 libmspack0-0.6-3.8.19 libmspack0-debuginfo-0.6-3.8.19 References: https://www.suse.com/security/cve/CVE-2019-1010305.html https://bugzilla.suse.com/1130489 https://bugzilla.suse.com/1141680 From sle-security-updates at lists.suse.com Thu May 28 07:13:05 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 May 2020 15:13:05 +0200 (CEST) Subject: SUSE-SU-2020:1497-1: important: Security update for tomcat Message-ID: <20200528131305.811C2FFCF@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1497-1 Rating: important References: #1136085 #1159723 #1159729 #1164825 #1171928 Cross-References: CVE-2019-0221 CVE-2019-12418 CVE-2019-17563 CVE-2019-17569 CVE-2020-9484 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for tomcat fixes the following issues: CVE-2020-9484 (bsc#1171928) Apache Tomcat Remote Code Execution via session persistence If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control. 
CVE-2019-12418 (bsc#1159723) Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. CVE-2019-0221 (bsc#1136085) The SSI printenv command echoed user provided data without escaping, which made it vulnerable to XSS. CVE-2019-17563 (bsc#1159729) When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. CVE-2019-17569 (bsc#1164825) Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
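The request smuggling item (CVE-2019-17569, listed in both SUSE-SU-2020:1497-1 above and SUSE-SU-2020:1498-1 below) depends on the reverse proxy and Tomcat reading the body framing of one request differently. The following is an added example, not Tomcat's parser and not anything SUSE ships, of the strict framing decision RFC 7230 section 3.3.3 calls for: a Transfer-Encoding value must be a well-formed token list ending in chunked, and a request carrying both Transfer-Encoding and Content-Length is refused rather than guessed at. Function and class names are this example's own; the request heads are constructed, not captured traffic.

```python
"""Strict HTTP/1.1 request-body framing decision (RFC 7230 section 3.3.3).

Added example; it is neither Tomcat's parser nor anything shipped by SUSE.
A request whose framing a front-end proxy and the origin could interpret
differently is rejected outright instead of being "fixed up".
"""
import re

# RFC 7230 token = 1*tchar
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class FramingError(ValueError):
    """The request head has no single unambiguous body length."""


def _parse_head(head):
    """Split a raw request head into {lower-name: [values]}; obs-fold is refused."""
    headers = {}
    for raw in head.split(b"\r\n")[1:]:  # skip the request line
        if raw == b"":
            break  # end of the header section
        if raw[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding is rejected")
        name, sep, value = raw.partition(b":")
        name = name.decode("latin-1")
        if not sep or not _TOKEN.fullmatch(name):
            raise FramingError("malformed header line: %r" % raw)
        headers.setdefault(name.lower(), []).append(value.decode("latin-1").strip(" \t"))
    return headers


def request_framing(head):
    """Return "chunked", "content-length" or "none"; raise FramingError otherwise."""
    headers = _parse_head(head)
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])

    if te and cl:
        # One hop honouring CL while the next honours TE is the smuggling setup;
        # refuse instead of picking a winner.
        raise FramingError("both Transfer-Encoding and Content-Length present")

    if te:
        # Repeated headers combine into one comma list; validate every coding.
        codings = [c.strip(" \t") for value in te for c in value.split(",")]
        if any(not _TOKEN.fullmatch(c) for c in codings):
            raise FramingError("invalid Transfer-Encoding token in %r" % te)
        lowered = [c.lower() for c in codings]
        if lowered[-1] != "chunked" or "chunked" in lowered[:-1]:
            # Only a final chunked coding yields a length; anything else is unframeable.
            raise FramingError("Transfer-Encoding must end in chunked: %r" % te)
        return "chunked"

    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise FramingError("conflicting or non-numeric Content-Length: %r" % cl)
        return "content-length"

    return "none"


def is_rejected(head):
    """True if request_framing refuses this head."""
    try:
        request_framing(head)
    except FramingError:
        return True
    return False


# Constructed request heads (not captured traffic) for the cases above.
ACCEPTED = {
    b"POST /app HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\n": "content-length",
    b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n": "chunked",
    b"GET / HTTP/1.1\r\nHost: example\r\n\r\n": "none",
}
REJECTED = [
    b"POST /app HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
    b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\x0b\r\n\r\n",
    b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: xchunked\r\n\r\n",
    b"POST /app HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
]

if __name__ == "__main__":
    for h, expected in ACCEPTED.items():
        assert request_framing(h) == expected
    assert all(is_rejected(h) for h in REJECTED)
    print("framing checks OK")
```

The useful property is symmetry: if both the proxy and the origin apply this rule, there is no input on which they disagree, which is what the fix for a "lenient on one side, strict on the other" bug restores.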
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1497=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1497=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): tomcat-8.0.53-10.43.1 tomcat-admin-webapps-8.0.53-10.43.1 tomcat-docs-webapp-8.0.53-10.43.1 tomcat-el-3_0-api-8.0.53-10.43.1 tomcat-javadoc-8.0.53-10.43.1 tomcat-jsp-2_3-api-8.0.53-10.43.1 tomcat-lib-8.0.53-10.43.1 tomcat-servlet-3_1-api-8.0.53-10.43.1 tomcat-webapps-8.0.53-10.43.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): tomcat-8.0.53-10.43.1 tomcat-admin-webapps-8.0.53-10.43.1 tomcat-docs-webapp-8.0.53-10.43.1 tomcat-el-3_0-api-8.0.53-10.43.1 tomcat-javadoc-8.0.53-10.43.1 tomcat-jsp-2_3-api-8.0.53-10.43.1 tomcat-lib-8.0.53-10.43.1 tomcat-servlet-3_1-api-8.0.53-10.43.1 tomcat-webapps-8.0.53-10.43.1 References: https://www.suse.com/security/cve/CVE-2019-0221.html https://www.suse.com/security/cve/CVE-2019-12418.html https://www.suse.com/security/cve/CVE-2019-17563.html https://www.suse.com/security/cve/CVE-2019-17569.html https://www.suse.com/security/cve/CVE-2020-9484.html https://bugzilla.suse.com/1136085 https://bugzilla.suse.com/1159723 https://bugzilla.suse.com/1159729 https://bugzilla.suse.com/1164825 https://bugzilla.suse.com/1171928 From sle-security-updates at lists.suse.com Thu May 28 07:14:39 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 May 2020 15:14:39 +0200 (CEST) Subject: SUSE-SU-2020:1498-1: important: Security update for tomcat Message-ID: <20200528131439.7A67CFFD1@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1498-1 Rating: important References: #1136085 #1159723 #1159729 #1164825 #1171928 Cross-References: CVE-2019-0221 
CVE-2019-12418 CVE-2019-17563 CVE-2019-17569 CVE-2020-9484 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for tomcat fixes the following issues: CVE-2020-9484 (bsc#1171928) Apache Tomcat Remote Code Execution via session persistence If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control. CVE-2019-12418 (bsc#1159723) Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. CVE-2019-0221 (bsc#1136085) The SSI printenv command echoed user provided data without escaping, which made it vulnerable to XSS. CVE-2019-17563 (bsc#1159729) When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. 
CVE-2019-17569 (bsc#1164825) Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1498=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1498=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1498=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1498=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1498=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1498=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1498=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1498=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1498=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1498=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1498=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE OpenStack Cloud 8 (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 
tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE OpenStack Cloud 7 (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 
tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - SUSE Enterprise Storage 5 (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 - HPE Helion Openstack 8 (noarch): tomcat-8.0.53-29.27.1 tomcat-admin-webapps-8.0.53-29.27.1 tomcat-docs-webapp-8.0.53-29.27.1 tomcat-el-3_0-api-8.0.53-29.27.1 tomcat-javadoc-8.0.53-29.27.1 tomcat-jsp-2_3-api-8.0.53-29.27.1 tomcat-lib-8.0.53-29.27.1 tomcat-servlet-3_1-api-8.0.53-29.27.1 tomcat-webapps-8.0.53-29.27.1 References: https://www.suse.com/security/cve/CVE-2019-0221.html https://www.suse.com/security/cve/CVE-2019-12418.html https://www.suse.com/security/cve/CVE-2019-17563.html https://www.suse.com/security/cve/CVE-2019-17569.html https://www.suse.com/security/cve/CVE-2020-9484.html https://bugzilla.suse.com/1136085 https://bugzilla.suse.com/1159723 https://bugzilla.suse.com/1159729 https://bugzilla.suse.com/1164825 https://bugzilla.suse.com/1171928 From sle-security-updates at lists.suse.com Thu May 28 13:13:03 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 May 2020 21:13:03 +0200 (CEST) Subject: SUSE-SU-2020:1501-1: moderate: Security update for qemu Message-ID: <20200528191303.BEE95FFCF@maintenance.suse.de> SUSE Security Update: Security update for qemu 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1501-1 Rating: moderate References: #1123156 #1161066 #1163018 #1165776 #1166240 #1170940 Cross-References: CVE-2019-20382 CVE-2019-6778 CVE-2020-1711 CVE-2020-1983 CVE-2020-7039 CVE-2020-8608 Affected Products: SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for qemu fixes the following issues: Security issues fixed: - CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940). - CVE-2019-20382: Fixed a potential DoS due to a memory leak in VNC disconnect (bsc#1165776). - CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240). - CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018). - CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066). - Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156). Non-security issue fixed: - Miscellaneous fixes to the in-package support documentation. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1501=1 Package List: - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): qemu-2.11.2-5.26.1 qemu-block-curl-2.11.2-5.26.1 qemu-block-curl-debuginfo-2.11.2-5.26.1 qemu-block-iscsi-2.11.2-5.26.1 qemu-block-iscsi-debuginfo-2.11.2-5.26.1 qemu-block-ssh-2.11.2-5.26.1 qemu-block-ssh-debuginfo-2.11.2-5.26.1 qemu-debugsource-2.11.2-5.26.1 qemu-guest-agent-2.11.2-5.26.1 qemu-guest-agent-debuginfo-2.11.2-5.26.1 qemu-lang-2.11.2-5.26.1 qemu-tools-2.11.2-5.26.1 qemu-tools-debuginfo-2.11.2-5.26.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 x86_64): qemu-block-rbd-2.11.2-5.26.1 qemu-block-rbd-debuginfo-2.11.2-5.26.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): qemu-kvm-2.11.2-5.26.1 - SUSE Linux Enterprise Server 12-SP4 (ppc64le): qemu-ppc-2.11.2-5.26.1 qemu-ppc-debuginfo-2.11.2-5.26.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64): qemu-arm-2.11.2-5.26.1 qemu-arm-debuginfo-2.11.2-5.26.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): qemu-ipxe-1.0.0+-5.26.1 qemu-seabios-1.11.0-5.26.1 qemu-sgabios-8-5.26.1 qemu-vgabios-1.11.0-5.26.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): qemu-x86-2.11.2-5.26.1 - SUSE Linux Enterprise Server 12-SP4 (s390x): qemu-s390-2.11.2-5.26.1 qemu-s390-debuginfo-2.11.2-5.26.1 References: https://www.suse.com/security/cve/CVE-2019-20382.html https://www.suse.com/security/cve/CVE-2019-6778.html https://www.suse.com/security/cve/CVE-2020-1711.html https://www.suse.com/security/cve/CVE-2020-1983.html https://www.suse.com/security/cve/CVE-2020-7039.html https://www.suse.com/security/cve/CVE-2020-8608.html https://bugzilla.suse.com/1123156 https://bugzilla.suse.com/1161066 https://bugzilla.suse.com/1163018 https://bugzilla.suse.com/1165776 https://bugzilla.suse.com/1166240 https://bugzilla.suse.com/1170940 From sle-security-updates at lists.suse.com Fri May 29 07:15:28 2020 
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 29 May 2020 15:15:28 +0200 (CEST) Subject: SUSE-SU-2020:1502-1: moderate: Security update for qemu Message-ID: <20200529131528.63844FFCF@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1502-1 Rating: moderate References: #1158880 #1167816 #1170940 Cross-References: CVE-2020-1983 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for qemu fixes the following issues: Security issue fixed: - CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940). Non-security issues fixed: - Fixed an issue where limiting the memory bandwidth was not possible (bsc#1167816). - Fixed the issue that s390x could not read IPL channel program when using dasd as boot device (bsc#1158880). - Miscellaneous fixes to the in-package support documentation. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1502=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1502=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

    qemu-3.1.1.1-9.21.4
    qemu-block-curl-3.1.1.1-9.21.4
    qemu-block-curl-debuginfo-3.1.1.1-9.21.4
    qemu-block-iscsi-3.1.1.1-9.21.4
    qemu-block-iscsi-debuginfo-3.1.1.1-9.21.4
    qemu-block-rbd-3.1.1.1-9.21.4
    qemu-block-rbd-debuginfo-3.1.1.1-9.21.4
    qemu-block-ssh-3.1.1.1-9.21.4
    qemu-block-ssh-debuginfo-3.1.1.1-9.21.4
    qemu-debuginfo-3.1.1.1-9.21.4
    qemu-debugsource-3.1.1.1-9.21.4
    qemu-guest-agent-3.1.1.1-9.21.4
    qemu-guest-agent-debuginfo-3.1.1.1-9.21.4
    qemu-lang-3.1.1.1-9.21.4

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (s390x x86_64):

    qemu-kvm-3.1.1.1-9.21.4

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64):

    qemu-arm-3.1.1.1-9.21.4
    qemu-arm-debuginfo-3.1.1.1-9.21.4

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (ppc64le):

    qemu-ppc-3.1.1.1-9.21.4
    qemu-ppc-debuginfo-3.1.1.1-9.21.4

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):

    qemu-ipxe-1.0.0+-9.21.4
    qemu-seabios-1.12.0-9.21.4
    qemu-sgabios-8-9.21.4
    qemu-vgabios-1.12.0-9.21.4

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64):

    qemu-audio-alsa-3.1.1.1-9.21.4
    qemu-audio-alsa-debuginfo-3.1.1.1-9.21.4
    qemu-audio-oss-3.1.1.1-9.21.4
    qemu-audio-oss-debuginfo-3.1.1.1-9.21.4
    qemu-audio-pa-3.1.1.1-9.21.4
    qemu-audio-pa-debuginfo-3.1.1.1-9.21.4
    qemu-ui-curses-3.1.1.1-9.21.4
    qemu-ui-curses-debuginfo-3.1.1.1-9.21.4
    qemu-ui-gtk-3.1.1.1-9.21.4
    qemu-ui-gtk-debuginfo-3.1.1.1-9.21.4
    qemu-x86-3.1.1.1-9.21.4
    qemu-x86-debuginfo-3.1.1.1-9.21.4

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (s390x):

    qemu-s390-3.1.1.1-9.21.4
    qemu-s390-debuginfo-3.1.1.1-9.21.4

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

    qemu-debuginfo-3.1.1.1-9.21.4
    qemu-debugsource-3.1.1.1-9.21.4
    qemu-tools-3.1.1.1-9.21.4
    qemu-tools-debuginfo-3.1.1.1-9.21.4

References:

https://www.suse.com/security/cve/CVE-2020-1983.html
https://bugzilla.suse.com/1158880
https://bugzilla.suse.com/1167816
https://bugzilla.suse.com/1170940


From sle-security-updates at lists.suse.com Fri May 29 13:15:45 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 29 May 2020 21:15:45 +0200 (CEST)
Subject: SUSE-SU-2020:1511-1: important: Security update for java-11-openjdk
Message-ID: <20200529191545.2A9C6FCEC@maintenance.suse.de>

SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1511-1
Rating: important
References: #1167462 #1169511
Cross-References: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 CVE-2020-2830
Affected Products:
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP1
    SUSE Linux Enterprise High Performance Computing 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for java-11-openjdk fixes the following issues:

Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511).

Security issues fixed:

- CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511).
- CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511).
- CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511).
- CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined system security policy and lead to the use of weak crypto algorithms (bsc#1169511).
- CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511).
- CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511).
- CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511).
- CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1511=1

- SUSE Linux Enterprise Server 15-LTSS:

    zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1511=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:

    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-1511=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1511=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1511=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1511=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1511=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

    java-11-openjdk-11.0.7.0-3.42.4
    java-11-openjdk-debuginfo-11.0.7.0-3.42.4
    java-11-openjdk-debugsource-11.0.7.0-3.42.4
    java-11-openjdk-demo-11.0.7.0-3.42.4
    java-11-openjdk-devel-11.0.7.0-3.42.4
    java-11-openjdk-headless-11.0.7.0-3.42.4

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

    java-11-openjdk-11.0.7.0-3.42.4
    java-11-openjdk-debuginfo-11.0.7.0-3.42.4
    java-11-openjdk-debugsource-11.0.7.0-3.42.4
    java-11-openjdk-demo-11.0.7.0-3.42.4
    java-11-openjdk-devel-11.0.7.0-3.42.4
    java-11-openjdk-headless-11.0.7.0-3.42.4

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (noarch):

    java-11-openjdk-javadoc-11.0.7.0-3.42.4

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

    java-11-openjdk-11.0.7.0-3.42.4
    java-11-openjdk-debuginfo-11.0.7.0-3.42.4
    java-11-openjdk-debugsource-11.0.7.0-3.42.4
    java-11-openjdk-demo-11.0.7.0-3.42.4
    java-11-openjdk-devel-11.0.7.0-3.42.4
    java-11-openjdk-headless-11.0.7.0-3.42.4

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

    java-11-openjdk-11.0.7.0-3.42.4
    java-11-openjdk-debuginfo-11.0.7.0-3.42.4
    java-11-openjdk-debugsource-11.0.7.0-3.42.4
    java-11-openjdk-demo-11.0.7.0-3.42.4
    java-11-openjdk-devel-11.0.7.0-3.42.4
    java-11-openjdk-headless-11.0.7.0-3.42.4

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

    java-11-openjdk-11.0.7.0-3.42.4
    java-11-openjdk-debuginfo-11.0.7.0-3.42.4
    java-11-openjdk-debugsource-11.0.7.0-3.42.4
    java-11-openjdk-demo-11.0.7.0-3.42.4
    java-11-openjdk-devel-11.0.7.0-3.42.4
    java-11-openjdk-headless-11.0.7.0-3.42.4

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

    java-11-openjdk-11.0.7.0-3.42.4
    java-11-openjdk-debuginfo-11.0.7.0-3.42.4
    java-11-openjdk-debugsource-11.0.7.0-3.42.4
    java-11-openjdk-demo-11.0.7.0-3.42.4
    java-11-openjdk-devel-11.0.7.0-3.42.4
    java-11-openjdk-headless-11.0.7.0-3.42.4

References:

https://www.suse.com/security/cve/CVE-2020-2754.html
https://www.suse.com/security/cve/CVE-2020-2755.html
https://www.suse.com/security/cve/CVE-2020-2756.html
https://www.suse.com/security/cve/CVE-2020-2757.html
https://www.suse.com/security/cve/CVE-2020-2767.html
https://www.suse.com/security/cve/CVE-2020-2773.html
https://www.suse.com/security/cve/CVE-2020-2778.html
https://www.suse.com/security/cve/CVE-2020-2781.html
https://www.suse.com/security/cve/CVE-2020-2800.html
https://www.suse.com/security/cve/CVE-2020-2803.html
https://www.suse.com/security/cve/CVE-2020-2805.html
https://www.suse.com/security/cve/CVE-2020-2816.html
https://www.suse.com/security/cve/CVE-2020-2830.html
https://bugzilla.suse.com/1167462
https://bugzilla.suse.com/1169511


From sle-security-updates at lists.suse.com Fri May 29 13:16:40 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 29 May 2020 21:16:40 +0200 (CEST)
Subject: SUSE-SU-2020:1505-1: moderate: Security update for file-roller
Message-ID: <20200529191640.A3691FCEC@maintenance.suse.de>

SUSE Security Update: Security update for file-roller
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1505-1
Rating: moderate
References: #1169428
Cross-References: CVE-2020-11736
Affected Products:
    SUSE Linux Enterprise Server 12-SP5
    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for file-roller fixes the following issues:

Security issue fixed:

- CVE-2020-11736: Fixed a directory traversal vulnerability due to improper checking of whether a file's parent is an external symlink (bsc#1169428).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1505=1

- SUSE Linux Enterprise Server 12-SP4:

    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1505=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

    file-roller-3.20.3-15.6.1
    file-roller-debuginfo-3.20.3-15.6.1
    file-roller-debugsource-3.20.3-15.6.1
    nautilus-file-roller-3.20.3-15.6.1
    nautilus-file-roller-debuginfo-3.20.3-15.6.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

    file-roller-lang-3.20.3-15.6.1

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

    file-roller-3.20.3-15.6.1
    file-roller-debuginfo-3.20.3-15.6.1
    file-roller-debugsource-3.20.3-15.6.1
    nautilus-file-roller-3.20.3-15.6.1
    nautilus-file-roller-debuginfo-3.20.3-15.6.1

- SUSE Linux Enterprise Server 12-SP4 (noarch):

    file-roller-lang-3.20.3-15.6.1

References:

https://www.suse.com/security/cve/CVE-2020-11736.html
https://bugzilla.suse.com/1169428
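The file-roller fix above (CVE-2020-11736) concerns the check an extractor must make on the parent directory of each file it writes. The Python below is an added example and is not code from the advisory or from file-roller; it shows why a purely lexical path check is not enough: an archive member extracted earlier can be a symlink pointing outside the destination, so a later member whose name passes the `..` check still lands outside unless the parent directory is resolved on disk first. The function name `is_safe_member_path`, the temporary directory layout and the member names are constructed for the demonstration.

```python
import os
import tempfile


def is_safe_member_path(dest_root: str, member_name: str) -> bool:
    """Decide whether an archive member may be written below dest_root.

    Hypothetical helper (added example, not file-roller code). Two checks:
      1. lexical: the normalised target must stay under dest_root, which
         rejects absolute names and "../"-style names;
      2. filesystem: the target's parent directory, with symlinks resolved
         as they exist on disk, must also stay under dest_root, which
         rejects writes through a symlink created by an earlier member.
    """
    root = os.path.realpath(dest_root)

    # Absolute member names never belong in a relative extraction.
    if os.path.isabs(member_name):
        return False

    target = os.path.normpath(os.path.join(root, member_name))

    # Lexical check: catches "../../etc/passwd"-style member names.
    if os.path.commonpath([root, target]) != root:
        return False

    # Filesystem check: resolve the parent directory as it exists on disk,
    # so a previously extracted symlink cannot redirect the write outside.
    parent_real = os.path.realpath(os.path.dirname(target))
    if os.path.commonpath([root, parent_real]) != root:
        return False

    return True


def demo() -> dict:
    """Build a constructed layout in a temp dir and evaluate several members."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        outside = os.path.join(tmp, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        # Simulate an earlier archive member that created a symlink inside the
        # destination pointing at a directory outside it.
        os.symlink(outside, os.path.join(dest, "link"))
        return {
            "plain": is_safe_member_path(dest, "docs/readme.txt"),
            "dotdot": is_safe_member_path(dest, "../escape.txt"),
            "absolute": is_safe_member_path(dest, "/etc/passwd"),
            "via_symlink": is_safe_member_path(dest, "link/payload.txt"),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'allowed' if ok else 'rejected'}")
```

Only the `plain` member is accepted; `via_symlink` passes the lexical check (its normalised path is under the destination) but is rejected once the parent directory's symlink is resolved, which is the case the advisory describes.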