From sle-updates at lists.suse.com Mon Mar 3 06:04:10 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 3 Mar 2014 14:04:10 +0100 (CET) Subject: SUSE-SU-2014:0318-1: moderate: Security update for libvirt Message-ID: <20140303130410.F17303213C@maintenance.suse.de> SUSE Security Update: Security update for libvirt ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0318-1 Rating: moderate References: #817407 #857492 #858817 Cross-References: CVE-2013-6458 CVE-2014-1447 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. It includes one version update. Description: This update fixes the following one non-security and two security issues with libvirt: * bnc#817407: Fixing device assignment problem with Broadcom 57810 NIC to Guest OS. * bnc#857492: qemu job usage issue in several API leading to libvirtd crash (CVE-2013-6458) * bnc#858817: denial of service with keepalive (CVE-2014-1447) Security Issue references: * CVE-2014-1447 * CVE-2013-6458 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-libvirt-8886 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libvirt-8886 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libvirt-8886 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.0.5.9]: libvirt-devel-1.0.5.9-0.7.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64) [New Version: 1.0.5.9]: libvirt-devel-32bit-1.0.5.9-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.0.5.9]: libvirt-1.0.5.9-0.7.1 libvirt-client-1.0.5.9-0.7.1 libvirt-doc-1.0.5.9-0.7.1 libvirt-lock-sanlock-1.0.5.9-0.7.1 libvirt-python-1.0.5.9-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 1.0.5.9]: libvirt-client-32bit-1.0.5.9-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.0.5.9]: libvirt-1.0.5.9-0.7.1 libvirt-client-1.0.5.9-0.7.1 libvirt-doc-1.0.5.9-0.7.1 libvirt-python-1.0.5.9-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 1.0.5.9]: libvirt-client-32bit-1.0.5.9-0.7.1 References: http://support.novell.com/security/cve/CVE-2013-6458.html http://support.novell.com/security/cve/CVE-2014-1447.html https://bugzilla.novell.com/817407 https://bugzilla.novell.com/857492 https://bugzilla.novell.com/858817 http://download.novell.com/patch/finder/?keywords=c88f0c46e6587677dfe5467186124acd From sle-updates at lists.suse.com Mon Mar 3 17:04:14 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 4 Mar 2014 01:04:14 +0100 (CET) Subject: SUSE-SU-2014:0319-1: critical: Security update for gnutls Message-ID: <20140304000414.5B1A032126@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0319-1 Rating: critical References: #835760 #865804 #865993 Cross-References: CVE-2009-5138 CVE-2014-0092 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise High Availability 
Extension 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Additionally a memory leak in PSK authentication has been fixed (bnc#835760). Security Issue references: * CVE-2014-0092 * CVE-2009-5138 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-gnutls-8949 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-gnutls-8949 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-gnutls-8949 - SUSE Linux Enterprise High Availability Extension 11 SP3: zypper in -t patch slehasp3-gnutls-8949 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-gnutls-8949 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libgnutls-devel-2.4.1-24.39.49.1 libgnutls-extra-devel-2.4.1-24.39.49.1 libgnutls-extra26-2.4.1-24.39.49.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): gnutls-2.4.1-24.39.49.1 libgnutls-extra26-2.4.1-24.39.49.1 libgnutls26-2.4.1-24.39.49.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libgnutls26-32bit-2.4.1-24.39.49.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): gnutls-2.4.1-24.39.49.1 libgnutls-extra26-2.4.1-24.39.49.1 libgnutls26-2.4.1-24.39.49.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libgnutls26-32bit-2.4.1-24.39.49.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libgnutls26-x86-2.4.1-24.39.49.1 - SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64): libgnutls-extra26-2.4.1-24.39.49.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): gnutls-2.4.1-24.39.49.1 libgnutls26-2.4.1-24.39.49.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libgnutls26-32bit-2.4.1-24.39.49.1 References: http://support.novell.com/security/cve/CVE-2009-5138.html http://support.novell.com/security/cve/CVE-2014-0092.html https://bugzilla.novell.com/835760 https://bugzilla.novell.com/865804 https://bugzilla.novell.com/865993 http://download.novell.com/patch/finder/?keywords=404ba85fa44d8b2dcaf3de46ba2acaaf From sle-updates at lists.suse.com Mon Mar 3 17:04:49 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 4 Mar 2014 01:04:49 +0100 (CET) Subject: SUSE-SU-2014:0320-1: critical: Security update for gnutls Message-ID: <20140304000449.7F9653213C@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0320-1 Rating: critical References: #536809 #554084 #659128 #739898 #753301 #754223 #802651 #821818 #865804 #865993 
Cross-References: CVE-2009-5138 CVE-2011-4108 CVE-2012-0390 CVE-2012-1569 CVE-2012-1573 CVE-2013-0169 CVE-2013-1619 CVE-2013-2116 CVE-2014-0092 Affected Products: SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that solves 9 vulnerabilities and has one errata is now available. Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. * CVE-2013-2116: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS allowed remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. * CVE-2013-1619: The TLS implementation in GnuTLS did not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. (Lucky13) * CVE-2012-1569: The asn1_get_length_der function in decoding.c in GNU Libtasn1 , as used in GnuTLS did not properly handle certain large length values, which allowed remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure. * CVE-2012-1573: gnutls_cipher.c in libgnutls in GnuTLS did not properly handle data encrypted with a block cipher, which allowed remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. 
* CVE-2012-0390: The DTLS implementation in GnuTLS executed certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which made it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108. Also some non security bugs have been fixed: * Did some more s390x size_t vs int fixes. (bnc#536809, bnc#659128) * re-enabled "legacy negotiation" (bnc#554084) * fix safe-renegotiation for sle10sp3 and sle10sp4 bug (bnc#554084) * fix bug bnc#536809, fix gnutls-cli to abort connection after detecting a bad certificate Security Issue references: * CVE-2009-5138 * CVE-2011-4108 * CVE-2012-0390 * CVE-2012-1569 * CVE-2012-1573 * CVE-2013-0169 * CVE-2013-1619 * CVE-2013-2116 * CVE-2014-0092 Package List: - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): gnutls-1.2.10-13.38.1 gnutls-devel-1.2.10-13.38.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64): gnutls-32bit-1.2.10-13.38.1 gnutls-devel-32bit-1.2.10-13.38.1 References: http://support.novell.com/security/cve/CVE-2009-5138.html http://support.novell.com/security/cve/CVE-2011-4108.html http://support.novell.com/security/cve/CVE-2012-0390.html http://support.novell.com/security/cve/CVE-2012-1569.html http://support.novell.com/security/cve/CVE-2012-1573.html http://support.novell.com/security/cve/CVE-2013-0169.html http://support.novell.com/security/cve/CVE-2013-1619.html http://support.novell.com/security/cve/CVE-2013-2116.html http://support.novell.com/security/cve/CVE-2014-0092.html https://bugzilla.novell.com/536809 https://bugzilla.novell.com/554084 https://bugzilla.novell.com/659128 https://bugzilla.novell.com/739898 https://bugzilla.novell.com/753301 https://bugzilla.novell.com/754223 https://bugzilla.novell.com/802651 https://bugzilla.novell.com/821818 https://bugzilla.novell.com/865804 https://bugzilla.novell.com/865993 
http://download.novell.com/patch/finder/?keywords=3be1f1e8cc06d24d3e6d4ba2c4abdea4 From sle-updates at lists.suse.com Mon Mar 3 17:06:48 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 4 Mar 2014 01:06:48 +0100 (CET) Subject: SUSE-SU-2014:0321-1: critical: Security update for gnutls Message-ID: <20140304000648.46A463213C@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0321-1 Rating: critical References: #865804 #865993 Cross-References: CVE-2014-0092 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. 
Security Issue references: * CVE-2014-0092 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): gnutls-1.2.10-13.38.1 gnutls-devel-1.2.10-13.38.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): gnutls-32bit-1.2.10-13.38.1 gnutls-devel-32bit-1.2.10-13.38.1 References: http://support.novell.com/security/cve/CVE-2014-0092.html https://bugzilla.novell.com/865804 https://bugzilla.novell.com/865993 http://download.novell.com/patch/finder/?keywords=37d0e9642492b343b6f431f0fecb7b5b From sle-updates at lists.suse.com Mon Mar 3 17:07:12 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 4 Mar 2014 01:07:12 +0100 (CET) Subject: SUSE-SU-2014:0322-1: critical: Security update for gnutls Message-ID: <20140304000712.DB4213213C@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0322-1 Rating: critical References: #760265 #802651 #821818 #835760 #865804 #865993 Cross-References: CVE-2009-5138 CVE-2013-1619 CVE-2013-2116 CVE-2014-0092 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that solves four vulnerabilities and has two fixes is now available. Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. * CVE-2013-2116: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS allowed remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. 
* CVE-2013-1619: Timing attacks against hashing of padding was fixed which might have allowed disclosure of keys. (Lucky13 attack). Also the following non-security bugs have been fixed: * gnutls doesn't like root CAs without Basic Constraints. Permit V1 Certificate Authorities properly (bnc#760265) * memory leak in PSK authentication (bnc#835760) Security Issue references: * CVE-2014-0092 * CVE-2009-5138 * CVE-2013-2116 * CVE-2013-1619 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-gnutls-8951 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64): gnutls-2.4.1-24.39.49.1 libgnutls-extra26-2.4.1-24.39.49.1 libgnutls26-2.4.1-24.39.49.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64): libgnutls26-32bit-2.4.1-24.39.49.1 References: http://support.novell.com/security/cve/CVE-2009-5138.html http://support.novell.com/security/cve/CVE-2013-1619.html http://support.novell.com/security/cve/CVE-2013-2116.html http://support.novell.com/security/cve/CVE-2014-0092.html https://bugzilla.novell.com/760265 https://bugzilla.novell.com/802651 https://bugzilla.novell.com/821818 https://bugzilla.novell.com/835760 https://bugzilla.novell.com/865804 https://bugzilla.novell.com/865993 http://download.novell.com/patch/finder/?keywords=356cafe0671e679ac89f61fb768aa876 From sle-updates at lists.suse.com Mon Mar 3 17:08:19 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 4 Mar 2014 01:08:19 +0100 (CET) Subject: SUSE-SU-2014:0323-1: critical: Security update for gnutls Message-ID: <20140304000819.B6BE03213C@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0323-1 Rating: critical 
References: #835760 #865804 #865993 Cross-References: CVE-2014-0092 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Additionally, a memory leak in PSK authentication was fixed. bnc#835760 Security Issues: * CVE-2014-0092 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-gnutls-8950 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): gnutls-2.4.1-24.39.49.1 libgnutls-extra26-2.4.1-24.39.49.1 libgnutls26-2.4.1-24.39.49.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64): libgnutls26-32bit-2.4.1-24.39.49.1 References: http://support.novell.com/security/cve/CVE-2014-0092.html https://bugzilla.novell.com/835760 https://bugzilla.novell.com/865804 https://bugzilla.novell.com/865993 http://download.novell.com/patch/finder/?keywords=b548d1e9d587491bc78588fee9939590 From sle-updates at lists.suse.com Tue Mar 4 10:04:10 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 4 Mar 2014 18:04:10 +0100 (CET) Subject: SUSE-SU-2014:0324-1: critical: Security update for gnutls Message-ID: <20140304170410.341BF3213E@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0324-1 Rating: critical References: #865804 Cross-References: CVE-2014-0092 Affected Products: SUSE CORE 9 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: The GnuTLS library received a critical security fix: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. 
Security Issue reference: * CVE-2014-0092 Package List: - SUSE CORE 9 (i586 s390 s390x x86_64): gnutls-1.0.8-26.30 gnutls-devel-1.0.8-26.30 References: http://support.novell.com/security/cve/CVE-2014-0092.html https://bugzilla.novell.com/865804 http://download.novell.com/patch/finder/?keywords=f0ade0f71a1461cdf632f942531d7d41 From sle-updates at lists.suse.com Wed Mar 5 16:04:10 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Mar 2014 00:04:10 +0100 (CET) Subject: SUSE-RU-2014:0330-1: moderate: Recommended update for libopenssl Message-ID: <20140305230410.BDE213213E@maintenance.suse.de> SUSE Recommended Update: Recommended update for libopenssl ______________________________________________________________________________ Announcement ID: SUSE-RU-2014:0330-1 Rating: moderate References: #859228 #859924 #860332 #862181 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update brings various enhancements for OpenSSL: * IPv6 support was added to the openssl s_client and s_server command line tool. (bnc#859228) * The openssl command line tool now checks certificates by default against /etc/ssl/certs (this can be changed via the -CApath option). (bnc#860332) * The Elliptic Curve Diffie-Hellman key exchange selector was enabled and can be selected by kECDHE, kECDH, ECDH tags in the SSL cipher string. (bnc#859924) * If an optional "openssl1" command line tool is installed in parallel, c_rehash uses it to generate certificate hashes in both OpenSSL 0 and OpenSSL 1 style. This allows parallel usage of OpenSSL 0.9.8j and OpenSSL 1.x client libraries with a shared certificate store. 
(bnc#862181) Patch Instructions: To install this SUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-libopenssl-devel-8905 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-libopenssl-devel-8905 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libopenssl-devel-8905 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libopenssl-devel-8905 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libopenssl-devel-0.9.8j-0.52.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): libopenssl0_9_8-0.9.8j-0.52.1 libopenssl0_9_8-hmac-0.9.8j-0.52.1 openssl-0.9.8j-0.52.1 openssl-doc-0.9.8j-0.52.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libopenssl0_9_8-32bit-0.9.8j-0.52.1 libopenssl0_9_8-hmac-32bit-0.9.8j-0.52.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): libopenssl0_9_8-0.9.8j-0.52.1 libopenssl0_9_8-hmac-0.9.8j-0.52.1 openssl-0.9.8j-0.52.1 openssl-doc-0.9.8j-0.52.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libopenssl0_9_8-32bit-0.9.8j-0.52.1 libopenssl0_9_8-hmac-32bit-0.9.8j-0.52.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libopenssl0_9_8-x86-0.9.8j-0.52.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): libopenssl0_9_8-0.9.8j-0.52.1 openssl-0.9.8j-0.52.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libopenssl0_9_8-32bit-0.9.8j-0.52.1 References: https://bugzilla.novell.com/859228 https://bugzilla.novell.com/859924 https://bugzilla.novell.com/860332 https://bugzilla.novell.com/862181 http://download.novell.com/patch/finder/?keywords=c71a5e505ced419ba7f97300d7586066 From sle-updates at lists.suse.com Wed Mar 5 17:04:12 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: 
Thu, 6 Mar 2014 01:04:12 +0100 (CET) Subject: SUSE-SU-2014:0331-1: moderate: Security update for openssl-certs Message-ID: <20140306000412.9E48532126@maintenance.suse.de> SUSE Security Update: Security update for openssl-certs ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0331-1 Rating: moderate References: #860581 #865080 Affected Products: SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes one version update. Description: The openssl-certs package was updated to match the certificates contained in the Mozilla NSS 3.15.4 release. Following changes were done to the list of root CAs: * Added: ACCVRAIZ1.pem (Spain) (all trusts) * Added: SG_TRUST_SERVICES_RACINE.pem (Singapore) (email signing only) * Added: TWCA_Global_Root_CA.pem (Taiwanese) (all trusts) * Removed: Wells_Fargo_Root_CA.pem If openssl1 is available as a command line tool, also certificate hashes for openssl1 are created (bnc#860581). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-openssl-certs-8924 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-openssl-certs-8924 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-openssl-certs-8924 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP3 for VMware (noarch) [New Version: 1.96]: openssl-certs-1.96-0.4.1 - SUSE Linux Enterprise Server 11 SP3 (noarch) [New Version: 1.96]: openssl-certs-1.96-0.4.1 - SUSE Linux Enterprise Desktop 11 SP3 (noarch) [New Version: 1.96]: openssl-certs-1.96-0.4.1 References: https://bugzilla.novell.com/860581 https://bugzilla.novell.com/865080 http://download.novell.com/patch/finder/?keywords=2e6212dfd06bf5b40fad9f634955a6d6 From sle-updates at lists.suse.com Thu Mar 6 11:04:10 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Mar 2014 19:04:10 +0100 (CET) Subject: SUSE-SU-2014:0331-2: moderate: Security update for openssl-certs Message-ID: <20140306180410.A57AC3213E@maintenance.suse.de> SUSE Security Update: Security update for openssl-certs ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0331-2 Rating: moderate References: #860581 #865080 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes one version update. Description: The openssl-certs package was updated to match the certificates contained in the Mozilla NSS 3.15.4 release. The following changes were done to the list of root CAs: * Added: ACCVRAIZ1.pem (Spain) (all trusts) * Added: SG_TRUST_SERVICES_RACINE.pem (Singapore) (email signing only) * Added: TWCA_Global_Root_CA.pem (Taiwanese) (all trusts) * Removed: Wells_Fargo_Root_CA.pem Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-openssl-certs-8925 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (noarch) [New Version: 1.96]: openssl-certs-1.96-0.4.1 References: https://bugzilla.novell.com/860581 https://bugzilla.novell.com/865080 http://download.novell.com/patch/finder/?keywords=167c39cc4cd691b0946588c6a949d4bc From sle-updates at lists.suse.com Thu Mar 6 11:04:34 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Mar 2014 19:04:34 +0100 (CET) Subject: SUSE-SU-2014:0335-1: moderate: Security update for openssl-certs Message-ID: <20140306180434.8E8FE32148@maintenance.suse.de> SUSE Security Update: Security update for openssl-certs ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0335-1 Rating: moderate References: #854367 #865080 Affected Products: SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes one version update. Description: The openssl-certs package was updated to match the certificates contained in the Mozilla NSS 3.15.4 release. The following changes were done to the list of root CAs: Distrust a sub-ca that issued google.com certificates. 
"Distrusted AC DG Tresor SSL" (bnc#854367) Lots of CA updates from Mozilla: Changes done in 1.96: * new: ACCVRAIZ1.pem (Spain) (all trusts) * new: SG_TRUST_SERVICES_RACINE.pem (Singapore) (email signing only) * new: TWCA_Global_Root_CA.pem (Taiwanese) (all trusts) * removed: Wells_Fargo_Root_CA.pem Changes done in 1.95: * new: CA_Disig_Root_R1:2.9.0.195.3.154.238.80.144.110.40.crt server auth, code signing, email signing * new: CA_Disig_Root_R2:2.9.0.146.184.136.219.176.138.193.99.crt server auth, code signing, email signing * new: China_Internet_Network_Information_Center_EV_Certificates_Ro ot:2.4.72.159.0.1.crt server auth * changed: Digital_Signature_Trust_Co._Global_CA_1:2.4.54.112.21.150.cr t removed code signing and server auth abilities * changed: Digital_Signature_Trust_Co._Global_CA_3:2.4.54.110.211.206.c rt removed code signing and server auth abilities * new: D-TRUST_Root_Class_3_CA_2_2009:2.3.9.131.243.crt server auth * new: D-TRUST_Root_Class_3_CA_2_EV_2009:2.3.9.131.244.crt server auth * removed: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.185.102. crt * new: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.222.248. crt I think the missing flags were adjusted. * removed: Equifax_Secure_eBusiness_CA_2:2.4.55.112.207.181.crt * new: PSCProcert:2.1.11.crt server auth, code signing, email signing * new: Swisscom_Root_CA_2:2.16.30.158.40.232.72.242.229.239.195.124 .74.30.90.24.103.182.crt server auth, code signing, email signing * new: Swisscom_Root_EV_CA_2:2.17.0.242.250.100.226.116.99.211.141. 
253.16.29.4.31.118.202.88.crt server auth, code signing * changed: TC_TrustCenter_Universal_CA_III:2.14.99.37.0.1.0.2.20.141.51 .21.2.228.108.244.crt removed all abilities * new: TURKTRUST_Certificate_Services_Provider_Root_2007:2.1.1.crt server auth, code signing * changed: TWCA_Root_Certification_Authority:2.1.1.crt added code signing ability * new "EE Certification Centre Root CA" * new "T-TeleSec GlobalRoot Class 3" * revoke mis-issued intermediate CAs from TURKTRUST Package List: - SUSE Linux Enterprise Server 10 SP3 LTSS (noarch) [New Version: 1.96]: openssl-certs-1.96-0.6.1 References: https://bugzilla.novell.com/854367 https://bugzilla.novell.com/865080 http://download.novell.com/patch/finder/?keywords=f0610a9486969ce5d9a86b8f225d4c83 From sle-updates at lists.suse.com Thu Mar 6 11:04:59 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Mar 2014 19:04:59 +0100 (CET) Subject: SUSE-RU-2014:0336-1: Recommended update for sg3_utils Message-ID: <20140306180459.DFA463213E@maintenance.suse.de> SUSE Recommended Update: Recommended update for sg3_utils ______________________________________________________________________________ Announcement ID: SUSE-RU-2014:0336-1 Rating: low References: #829642 #846660 #852420 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for sg3_utils provides the following fixes and enhancements: * Update to rescan-scsi-bus.sh to improve scanning of DMMP devices. (bnc#846660) * Update sg_xcopy to version 0.39 for invoking XCOPY on NetApp FAS LUs. (bnc#852420) Patch Instructions: To install this SUSE Recommended Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-sg3_utils-8854 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-sg3_utils-8854 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-sg3_utils-8854 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-sg3_utils-8854 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): sg3_utils-devel-1.35-0.13.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): sg3_utils-1.35-0.13.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): sg3_utils-1.35-0.13.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): sg3_utils-1.35-0.13.1 References: https://bugzilla.novell.com/829642 https://bugzilla.novell.com/846660 https://bugzilla.novell.com/852420 http://download.novell.com/patch/finder/?keywords=52da74655ffe299b6e0ced20412aa44a From sle-updates at lists.suse.com Fri Mar 7 00:04:11 2014 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Mar 2014 08:04:11 +0100 (CET) Subject: SUSE-SU-2014:0337-1: moderate: Security update for python Message-ID: <20140307070411.197F63213E@maintenance.suse.de> SUSE Security Update: Security update for python ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0337-1 Rating: moderate References: #834601 #847135 #856836 #859068 Cross-References: CVE-2013-4073 CVE-2013-4238 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves two vulnerabilities and has two fixes is now available. 
It includes one version update.

Description:

This update for Python fixes the following security issues:

  * bnc#834601: SSL module does not handle certificates that contain hostnames with NULL bytes. (CVE-2013-4238)
  * bnc#856836: Various stdlib read flaws. (CVE-2013-1752)

Additionally, the following non-security issues have been fixed:

  * bnc#859068: Turn off OpenSSL's aggressive optimizations that conflict with Python's GC.
  * bnc#847135: Setting fips=1 at boot time causes problems with Python due to MD5 usage.

Security Issue references:

  * CVE-2013-4073
  * CVE-2013-4238

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

    zypper in -t patch sdksp3-python-201402-8892

- SUSE Linux Enterprise Server 11 SP3 for VMware:

    zypper in -t patch slessp3-python-201402-8892

- SUSE Linux Enterprise Server 11 SP3:

    zypper in -t patch slessp3-python-201402-8892

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-python-201402-8892

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.9]:

    python-devel-2.6.9-0.25.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64) [New Version: 2.6.9]:

    python-demo-2.6.9-0.25.1
    python-gdbm-2.6.9-0.25.1
    python-idle-2.6.9-0.25.1
    python-tk-2.6.9-0.25.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64) [New Version: 2.6.9]:

    python-32bit-2.6.9-0.25.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch):

    python-doc-2.6-8.25.1
    python-doc-pdf-2.6-8.25.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 2.6.9]:

    libpython2_6-1_0-2.6.9-0.25.1
    python-2.6.9-0.25.1
    python-base-2.6.9-0.25.1
    python-curses-2.6.9-0.25.1
    python-demo-2.6.9-0.25.1
    python-gdbm-2.6.9-0.25.1
    python-idle-2.6.9-0.25.1
    python-tk-2.6.9-0.25.1
    python-xml-2.6.9-0.25.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 2.6.9]:

    libpython2_6-1_0-32bit-2.6.9-0.25.1
    python-32bit-2.6.9-0.25.1
    python-base-32bit-2.6.9-0.25.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (noarch):

    python-doc-2.6-8.25.1
    python-doc-pdf-2.6-8.25.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.9]:

    libpython2_6-1_0-2.6.9-0.25.1
    python-2.6.9-0.25.1
    python-base-2.6.9-0.25.1
    python-curses-2.6.9-0.25.1
    python-demo-2.6.9-0.25.1
    python-gdbm-2.6.9-0.25.1
    python-idle-2.6.9-0.25.1
    python-tk-2.6.9-0.25.1
    python-xml-2.6.9-0.25.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 2.6.9]:

    libpython2_6-1_0-32bit-2.6.9-0.25.1
    python-32bit-2.6.9-0.25.1
    python-base-32bit-2.6.9-0.25.1

- SUSE Linux Enterprise Server 11 SP3 (noarch):

    python-doc-2.6-8.25.1
    python-doc-pdf-2.6-8.25.1

- SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 2.6.9]:

    libpython2_6-1_0-x86-2.6.9-0.25.1
    python-base-x86-2.6.9-0.25.1
    python-x86-2.6.9-0.25.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 2.6.9]:

    libpython2_6-1_0-2.6.9-0.25.1
    python-2.6.9-0.25.1
    python-base-2.6.9-0.25.1
    python-curses-2.6.9-0.25.1
    python-devel-2.6.9-0.25.1
    python-tk-2.6.9-0.25.1
    python-xml-2.6.9-0.25.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 2.6.9]:

    libpython2_6-1_0-32bit-2.6.9-0.25.1
    python-base-32bit-2.6.9-0.25.1

References:

    http://support.novell.com/security/cve/CVE-2013-4073.html
    http://support.novell.com/security/cve/CVE-2013-4238.html
    https://bugzilla.novell.com/834601
    https://bugzilla.novell.com/847135
    https://bugzilla.novell.com/856836
    https://bugzilla.novell.com/859068
    http://download.novell.com/patch/finder/?keywords=42ff793a6c97cf815ab3c182277c671e

From sle-updates at lists.suse.com Fri Mar 7 12:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 7 Mar 2014 20:04:11 +0100 (CET)
Subject: SUSE-SU-2014:0331-3: moderate: Security update for openssl-certs
Message-ID: <20140307190411.6E5033213E@maintenance.suse.de>

SUSE Security Update: Security update for openssl-certs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0331-3
Rating:             moderate
References:         #860581 #865080
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes one version update.

Description:

The openssl-certs package was updated to match the certificates contained in the Mozilla NSS 3.15.4 release.

The following changes were made to the list of root CAs:

  * Added: ACCVRAIZ1.pem (Spain) (all trusts)
  * Added: SG_TRUST_SERVICES_RACINE.pem (Singapore) (email signing only)
  * Added: TWCA_Global_Root_CA.pem (Taiwanese) (all trusts)
  * Removed: Wells_Fargo_Root_CA.pem.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:

    zypper in -t patch slessp2-openssl-certs-8926

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (noarch) [New Version: 1.96]:

    openssl-certs-1.96-0.4.1

References:

    https://bugzilla.novell.com/860581
    https://bugzilla.novell.com/865080
    http://download.suse.com/patch/finder/?keywords=184f2d261c544ca20c7d42188da346bf

From sle-updates at lists.suse.com Fri Mar 7 16:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 8 Mar 2014 00:04:11 +0100 (CET)
Subject: SUSE-SU-2014:0342-1: moderate: Security update for openssl-certs
Message-ID: <20140307230411.BBE2C3213E@maintenance.suse.de>

SUSE Security Update: Security update for openssl-certs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0342-1
Rating:             moderate
References:         #796628 #854367 #865080
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes one version update.

Description:

The openssl-certs package was updated to match the certificates contained in the Mozilla NSS 3.15.4 release.

The following changes were made to the list of root CAs:

  * Distrust a sub-CA ("AC DG Tresor SSL") that issued google.com certificates. (bnc#854367)

Many CA updates from Mozilla:

Changes from upstream version 1.96:

  * Added: ACCVRAIZ1.pem (Spain) (all trusts)
  * Added: SG_TRUST_SERVICES_RACINE.pem (Singapore) (email signing only)
  * Added: TWCA_Global_Root_CA.pem (Taiwanese) (all trusts)
  * Removed: Wells_Fargo_Root_CA.pem.
Changes from upstream version 1.95:

  * Added: CA_Disig_Root_R1:2.9.0.195.3.154.238.80.144.110.40.crt (server auth, code signing, email signing)
  * Added: CA_Disig_Root_R2:2.9.0.146.184.136.219.176.138.193.99.crt (server auth, code signing, email signing)
  * Added: China_Internet_Network_Information_Center_EV_Certificates_Root:2.4.72.159.0.1.crt (server auth)
  * Changed: Digital_Signature_Trust_Co._Global_CA_1:2.4.54.112.21.150.crt (removed code signing and server auth abilities)
  * Changed: Digital_Signature_Trust_Co._Global_CA_3:2.4.54.110.211.206.crt (removed code signing and server auth abilities)
  * Added: D-TRUST_Root_Class_3_CA_2_2009:2.3.9.131.243.crt (server auth)
  * Added: D-TRUST_Root_Class_3_CA_2_EV_2009:2.3.9.131.244.crt (server auth)
  * Removed: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.185.102.crt
  * Added: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.222.248.crt
  * Removed: Equifax_Secure_eBusiness_CA_2:2.4.55.112.207.181.crt
  * Added: PSCProcert:2.1.11.crt (server auth, code signing, email signing)
  * Added: Swisscom_Root_CA_2:2.16.30.158.40.232.72.242.229.239.195.124.74.30.90.24.103.182.crt (server auth, code signing, email signing)
  * Added: Swisscom_Root_EV_CA_2:2.17.0.242.250.100.226.116.99.211.141.253.16.29.4.31.118.202.88.crt (server auth, code signing)
  * Changed: TC_TrustCenter_Universal_CA_III:2.14.99.37.0.1.0.2.20.141.51.21.2.228.108.244.crt (removed all abilities)
  * Added: TURKTRUST_Certificate_Services_Provider_Root_2007:2.1.1.crt (server auth, code signing)
  * Changed: TWCA_Root_Certification_Authority:2.1.1.crt (added code signing ability)
  * Added: "EE Certification Centre Root CA"
  * Added: "T-TeleSec GlobalRoot Class 3"
  * Revoked mis-issued intermediate CAs from TURKTRUST.
Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (noarch) [New Version: 1.96]:

    openssl-certs-1.96-0.18.1

References:

    https://bugzilla.novell.com/796628
    https://bugzilla.novell.com/854367
    https://bugzilla.novell.com/865080
    http://download.suse.com/patch/finder/?keywords=f7c987a3f49ff0257e2766cd50e3a0ca

From sle-updates at lists.suse.com Tue Mar 11 11:04:13 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 11 Mar 2014 18:04:13 +0100 (CET)
Subject: SUSE-RU-2014:0355-1: moderate: Recommended update for pidgin-otr
Message-ID: <20140311170413.A437532159@maintenance.suse.de>

SUSE Recommended Update: Recommended update for pidgin-otr
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0355-1
Rating:             moderate
References:         #809052
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for pidgin-otr fixes authentication of OTR messaging when using the Groupwise Instant Messaging protocol.

Patch Instructions:

To install this SUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-pidgin-otr-8960

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

    pidgin-otr-3.2.0-1.42.2

References:

    https://bugzilla.novell.com/809052
    http://download.suse.com/patch/finder/?keywords=95d74f1c3053bd5d55da460f61f612d7

From sle-updates at lists.suse.com Tue Mar 11 17:04:14 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 12 Mar 2014 00:04:14 +0100 (CET)
Subject: SUSE-RU-2014:0356-1: Recommended update for microcode_ctl
Message-ID: <20140311230414.99A0732159@maintenance.suse.de>

SUSE Recommended Update: Recommended update for microcode_ctl
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0356-1
Rating:             low
References:         #865828
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update provides Intel's CPU microcode version 20140122.

Patch Instructions:

To install this SUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:

    zypper in -t patch slessp3-microcode_ctl-8954

- SUSE Linux Enterprise Server 11 SP3:

    zypper in -t patch slessp3-microcode_ctl-8954

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-microcode_ctl-8954

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

    microcode_ctl-1.17-102.70.1

- SUSE Linux Enterprise Server 11 SP3 (i586 x86_64):

    microcode_ctl-1.17-102.70.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

    microcode_ctl-1.17-102.70.1

References:

    https://bugzilla.novell.com/865828
    http://download.suse.com/patch/finder/?keywords=aa1b2d4b61b1720a5e25609a3fee6474

From sle-updates at lists.suse.com Wed Mar 12 19:04:12 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 13 Mar 2014 02:04:12 +0100 (CET)
Subject: SUSE-SU-2014:0359-1: moderate: Security update for ImageMagick
Message-ID: <20140313010412.BEC683213C@maintenance.suse.de>

SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0359-1
Rating:             moderate
References:         #863838
Cross-References:   CVE-2014-1947
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The image converter program and library set of ImageMagick received an update that fixes a buffer overflow when handling PSD images.

Security Issue reference:

  * CVE-2014-1947

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

    zypper in -t patch sdksp3-ImageMagick-8978

- SUSE Linux Enterprise Server 11 SP3 for VMware:

    zypper in -t patch slessp3-ImageMagick-8978

- SUSE Linux Enterprise Server 11 SP3:

    zypper in -t patch slessp3-ImageMagick-8978

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-ImageMagick-8978

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

    ImageMagick-6.4.3.6-7.28.1
    ImageMagick-devel-6.4.3.6-7.28.1
    libMagick++-devel-6.4.3.6-7.28.1
    libMagick++1-6.4.3.6-7.28.1
    libMagickWand1-6.4.3.6-7.28.1
    perl-PerlMagick-6.4.3.6-7.28.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

    libMagickWand1-32bit-6.4.3.6-7.28.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

    libMagickCore1-6.4.3.6-7.28.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

    libMagickCore1-32bit-6.4.3.6-7.28.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

    libMagickCore1-6.4.3.6-7.28.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

    libMagickCore1-32bit-6.4.3.6-7.28.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

    ImageMagick-6.4.3.6-7.28.1
    libMagick++1-6.4.3.6-7.28.1
    libMagickCore1-6.4.3.6-7.28.1
    libMagickWand1-6.4.3.6-7.28.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

    libMagickCore1-32bit-6.4.3.6-7.28.1

References:

    http://support.novell.com/security/cve/CVE-2014-1947.html
    https://bugzilla.novell.com/863838
    http://download.suse.com/patch/finder/?keywords=6fc80c29f232e8bde0a66206d3bae9d6

From sle-updates at lists.suse.com Thu Mar 13 16:04:13 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 13 Mar 2014 23:04:13 +0100 (CET)
Subject: SUSE-OU-2014:0371-1: Optional update for java-1_6_0-ibm-devel, java-1_7_0-ibm-devel, mozilla-nss-devel
Message-ID: <20140313220413.A285B3215C@maintenance.suse.de>

SUSE Optional Update: Optional update for java-1_6_0-ibm-devel, java-1_7_0-ibm-devel, mozilla-nss-devel
______________________________________________________________________________

Announcement ID:    SUSE-OU-2014:0371-1
Rating:             low
References:         #865618
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

An update that has one optional fix can now be installed.

Description:

This update provides the following development packages to satisfy dependencies of updates released for SLES 11-SP2 LTSS on systems that have the Software Development Kit (SDK) add-on installed: mozilla-nss-devel, java-1_6_0-ibm-devel and java-1_7_0-ibm-devel.

Indications:

Any user can apply this update.

Patch Instructions:

To install this SUSE Optional Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:

    zypper in -t patch slessp2-devel-ltss-201403-8965

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

    java-1_6_0-ibm-devel-1.6.0_sr15.1-0.6.1
    java-1_7_0-ibm-devel-1.7.0_sr6.1-0.8.1
    mozilla-nss-devel-3.15.4-0.4.2.1

References:

    https://bugzilla.novell.com/865618
    http://download.suse.com/patch/finder/?keywords=f73df9cc9d47c76f6506fae80e58576f

From sle-updates at lists.suse.com Thu Mar 13 17:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 14 Mar 2014 00:04:10 +0100 (CET)
Subject: SUSE-SU-2014:0372-1: important: Security update for Xen
Message-ID: <20140313230410.957193215C@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0372-1
Rating:             important
References:         #831120 #833483 #842417 #846849 #848014 #849667 #849668 #853049 #860163 #860302 #861256
Cross-References:   CVE-2013-2212 CVE-2013-4553 CVE-2013-4554 CVE-2013-6885 CVE-2014-1666 CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894 CVE-2014-1950
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

An update that solves 10 vulnerabilities and has one errata is now available.

Description:

The SUSE Linux Enterprise Server 11 Service Pack 2 LTSS Xen hypervisor and toolset has been updated to fix various security issues and several bugs.

The following security issues have been addressed:

  * XSA-88: CVE-2014-1950: Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x: when using a multithreaded toolstack, it does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors.
    (bnc#861256)
  * XSA-87: CVE-2014-1666: The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors. (bnc#860302)
  * XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems, with the overflow issue being present for more than just the suboperations listed above. (bnc#860163)
  * XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163)
  * XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and are therefore vulnerable to integer overflow and an attempt to allocate and then access a zero-byte buffer. (bnc#860163)
  * XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049)
  * XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2.
    (bnc#849668)
  * XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667)
  * XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120)

Also the following non-security bugs have been fixed:

  * Boot failure with the Xen kernel in UEFI mode with error "No memory for trampoline". (bnc#833483)
  * Fixed Xen hypervisor panic on 8-blade nPar with 46-bit memory addressing. (bnc#848014)
  * On HP's UEFI x86_64 platform running SLES 11 SP3 in a Xen environment, dom0 would soft-lockup on multi-blade nPar. (bnc#842417)
  * Soft lockup with PCI passthrough and many VCPUs. (bnc#846849)

Security Issue references:

  * CVE-2013-2212
  * CVE-2013-4553
  * CVE-2013-4554
  * CVE-2013-6885
  * CVE-2014-1666
  * CVE-2014-1891
  * CVE-2014-1892
  * CVE-2014-1893
  * CVE-2014-1894
  * CVE-2014-1950

Indications:

Everyone using the Xen hypervisor should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:

    zypper in -t patch slessp2-xen-201402-8964

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):

    xen-devel-4.1.6_06-0.5.1
    xen-kmp-default-4.1.6_06_3.0.101_0.7.17-0.5.1
    xen-kmp-trace-4.1.6_06_3.0.101_0.7.17-0.5.1
    xen-libs-4.1.6_06-0.5.1
    xen-tools-domU-4.1.6_06-0.5.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64):

    xen-4.1.6_06-0.5.1
    xen-doc-html-4.1.6_06-0.5.1
    xen-doc-pdf-4.1.6_06-0.5.1
    xen-libs-32bit-4.1.6_06-0.5.1
    xen-tools-4.1.6_06-0.5.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586):

    xen-kmp-pae-4.1.6_06_3.0.101_0.7.17-0.5.1

References:

    http://support.novell.com/security/cve/CVE-2013-2212.html
    http://support.novell.com/security/cve/CVE-2013-4553.html
    http://support.novell.com/security/cve/CVE-2013-4554.html
    http://support.novell.com/security/cve/CVE-2013-6885.html
    http://support.novell.com/security/cve/CVE-2014-1666.html
    http://support.novell.com/security/cve/CVE-2014-1891.html
    http://support.novell.com/security/cve/CVE-2014-1892.html
    http://support.novell.com/security/cve/CVE-2014-1893.html
    http://support.novell.com/security/cve/CVE-2014-1894.html
    http://support.novell.com/security/cve/CVE-2014-1950.html
    https://bugzilla.novell.com/831120
    https://bugzilla.novell.com/833483
    https://bugzilla.novell.com/842417
    https://bugzilla.novell.com/846849
    https://bugzilla.novell.com/848014
    https://bugzilla.novell.com/849667
    https://bugzilla.novell.com/849668
    https://bugzilla.novell.com/853049
    https://bugzilla.novell.com/860163
    https://bugzilla.novell.com/860302
    https://bugzilla.novell.com/861256
    http://download.suse.com/patch/finder/?keywords=39ca3113e56362a1b6ff0a74f08124b2

From sle-updates at lists.suse.com Thu Mar 13 17:06:37 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 14 Mar 2014 00:06:37 +0100 (CET)
Subject: SUSE-SU-2014:0373-1: important: Security update for Xen
Message-ID: <20140313230637.0A9983215E@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________
Announcement ID:    SUSE-SU-2014:0373-1
Rating:             important
References:         #831120 #833251 #848014 #853048 #853049 #858311 #860092 #860163 #860165 #860300 #860302 #861256 #863297
Cross-References:   CVE-2013-2212 CVE-2013-6400 CVE-2013-6885 CVE-2014-1642 CVE-2014-1666 CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894 CVE-2014-1895 CVE-2014-1896 CVE-2014-1950
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves 12 vulnerabilities and has one errata is now available.

Description:

The SUSE Linux Enterprise Server 11 Service Pack 3 Xen hypervisor and toolset has been updated to 4.2.4 to fix various bugs and security issues.

The following security issues have been addressed:

  * XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120)
  * XSA-80: CVE-2013-6400: Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB flushes when unspecified errors occur, which causes the TLB entries to not be flushed and allows local guest administrators to cause a denial of service (host crash) or gain privileges via unspecified vectors. (bnc#853048)
  * XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue.
    (bnc#853049)
  * XSA-83: CVE-2014-1642: The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free. (bnc#860092)
  * XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and are therefore vulnerable to integer overflow and an attempt to allocate and then access a zero-byte buffer. (bnc#860163)
  * XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163)
  * XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems, with the overflow issue being present for more than just the suboperations listed above. (bnc#860163)
  * XSA-85: CVE-2014-1895: The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu statistics on the Flask security policy, incorrectly validates the CPU for which statistics are being requested. (bnc#860165)
  * XSA-86: CVE-2014-1896: libvchan (a library for inter-domain communication) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause a libvchan-using facility to read or write past the end of the ring.
    (bnc#860300)
  * XSA-87: CVE-2014-1666: The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors. (bnc#860302)
  * XSA-88: CVE-2014-1950: Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x: when using a multithreaded toolstack, it does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors. (bnc#861256)

Also the following non-security bugs have been fixed:

  * Fixed boot problems with the Xen kernel: "(XEN) setup 0000:00:18.0 for d0 failed (-19)". (bnc#858311)
  * Fixed Xen hypervisor panic on 8-blade nPar with 46-bit memory addressing. (bnc#848014)
  * Fixed Xen hypervisor panic during boot on HP's UEFI x86_64 platform in a Xen environment. (bnc#833251)
  * xend/pvscsi: also recognize SCSI CDROM devices. (bnc#863297)
  * pygrub: Support (/dev/xvda) style disk specifications.

Security Issue references:

  * CVE-2013-2212
  * CVE-2013-6400
  * CVE-2013-6885
  * CVE-2014-1642
  * CVE-2014-1666
  * CVE-2014-1891
  * CVE-2014-1892
  * CVE-2014-1893
  * CVE-2014-1894
  * CVE-2014-1895
  * CVE-2014-1896
  * CVE-2014-1950

Indications:

Everyone using the Xen hypervisor should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
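The XSA-84 (CVE-2014-1891) size check described in both Xen advisories above, modelled as an added C example that is not Xen's own code: the unchecked form computes size + 1 in the same 32-bit type as the caller-supplied size, so 0xFFFFFFFF wraps to a zero-byte allocation while the terminator is still written at index size; the checked form bounds the size before any arithmetic. FLASK_ARG_MAX, the function names and the context string are assumptions of this example.

```c
/* Added example, not Xen's code: the allocation-size pattern behind XSA-84.
 * A hypercall receives a caller-controlled 32-bit size and wants size + 1
 * bytes (room for a NUL terminator). Computed in uint32_t, 0xFFFFFFFF + 1
 * wraps to 0: the allocator hands back a zero-byte buffer and the terminator
 * write at index `size` lands far outside it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on a FLASK string argument (an assumption of
 * this example; the advisory does not state Xen's real limit). */
#define FLASK_ARG_MAX 4096u

/* Vulnerable pattern: returns the length the allocator would be asked for. */
uint32_t flask_len_unchecked(uint32_t size)
{
    return size + 1;              /* 0xFFFFFFFF + 1 == 0 in uint32_t */
}

/* Hardened pattern: 0 means "reject", otherwise the safe length.
 * Because size <= FLASK_ARG_MAX here, (size_t)size + 1 cannot wrap. */
size_t flask_len_checked(uint32_t size)
{
    if (size > FLASK_ARG_MAX)
        return 0;
    return (size_t)size + 1;
}

/* Hardened copy-in: NULL when the size is rejected or allocation fails;
 * otherwise a NUL-terminated heap copy of the first `size` bytes of arg.
 * The caller frees the result. */
char *flask_copy_in(const char *arg, uint32_t size)
{
    size_t len = flask_len_checked(size);
    if (len == 0)
        return NULL;
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, size);
    buf[size] = '\0';             /* size < len, so in bounds by construction */
    return buf;
}

int main(void)
{
    /* Constructed inputs: a plausible security context string and the
     * boundary size that wraps the unchecked computation. */
    const char *ctx = "system_u:system_r:domU_t";
    uint32_t normal = (uint32_t)strlen(ctx);

    printf("unchecked: size=%u -> alloc %u bytes\n",
           (unsigned)normal, (unsigned)flask_len_unchecked(normal));
    printf("unchecked: size=0x%x -> alloc %u bytes (wrapped)\n",
           (unsigned)UINT32_MAX, (unsigned)flask_len_unchecked(UINT32_MAX));
    printf("checked:   size=0x%x -> %s\n", (unsigned)UINT32_MAX,
           flask_len_checked(UINT32_MAX) ? "accepted" : "rejected");

    char *copy = flask_copy_in(ctx, normal);
    if (copy != NULL) {
        printf("checked:   copy-in ok: \"%s\"\n", copy);
        free(copy);
    }
    return 0;
}
```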
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

    zypper in -t patch sdksp3-xen-201402-8973

- SUSE Linux Enterprise Server 11 SP3:

    zypper in -t patch slessp3-xen-201402-8973

- SUSE Linux Enterprise Desktop 11 SP3:

    zypper in -t patch sledsp3-xen-201402-8973

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

    xen-devel-4.2.4_02-0.7.1

- SUSE Linux Enterprise Server 11 SP3 (i586 x86_64):

    xen-kmp-default-4.2.4_02_3.0.101_0.15-0.7.1
    xen-libs-4.2.4_02-0.7.1
    xen-tools-domU-4.2.4_02-0.7.1

- SUSE Linux Enterprise Server 11 SP3 (x86_64):

    xen-4.2.4_02-0.7.1
    xen-doc-html-4.2.4_02-0.7.1
    xen-doc-pdf-4.2.4_02-0.7.1
    xen-libs-32bit-4.2.4_02-0.7.1
    xen-tools-4.2.4_02-0.7.1

- SUSE Linux Enterprise Server 11 SP3 (i586):

    xen-kmp-pae-4.2.4_02_3.0.101_0.15-0.7.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

    xen-kmp-default-4.2.4_02_3.0.101_0.15-0.7.1
    xen-libs-4.2.4_02-0.7.1
    xen-tools-domU-4.2.4_02-0.7.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

    xen-4.2.4_02-0.7.1
    xen-doc-html-4.2.4_02-0.7.1
    xen-doc-pdf-4.2.4_02-0.7.1
    xen-libs-32bit-4.2.4_02-0.7.1
    xen-tools-4.2.4_02-0.7.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586):

    xen-kmp-pae-4.2.4_02_3.0.101_0.15-0.7.1

References:

    http://support.novell.com/security/cve/CVE-2013-2212.html
    http://support.novell.com/security/cve/CVE-2013-6400.html
    http://support.novell.com/security/cve/CVE-2013-6885.html
    http://support.novell.com/security/cve/CVE-2014-1642.html
    http://support.novell.com/security/cve/CVE-2014-1666.html
    http://support.novell.com/security/cve/CVE-2014-1891.html
    http://support.novell.com/security/cve/CVE-2014-1892.html
    http://support.novell.com/security/cve/CVE-2014-1893.html
    http://support.novell.com/security/cve/CVE-2014-1894.html
    http://support.novell.com/security/cve/CVE-2014-1895.html
    http://support.novell.com/security/cve/CVE-2014-1896.html
    http://support.novell.com/security/cve/CVE-2014-1950.html
    https://bugzilla.novell.com/831120
    https://bugzilla.novell.com/833251
    https://bugzilla.novell.com/848014
    https://bugzilla.novell.com/853048
    https://bugzilla.novell.com/853049
    https://bugzilla.novell.com/858311
    https://bugzilla.novell.com/860092
    https://bugzilla.novell.com/860163
    https://bugzilla.novell.com/860165
    https://bugzilla.novell.com/860300
    https://bugzilla.novell.com/860302
    https://bugzilla.novell.com/861256
    https://bugzilla.novell.com/863297
    http://download.suse.com/patch/finder/?keywords=5a8bffedb3efaf6c22dfa94d3dbd6a2a

From sle-updates at lists.suse.com Thu Mar 13 17:09:00 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 14 Mar 2014 00:09:00 +0100 (CET)
Subject: SUSE-RU-2014:0374-1: Recommended update for ctags
Message-ID: <20140313230900.2961D3215C@maintenance.suse.de>

SUSE Recommended Update: Recommended update for ctags
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0374-1
Rating:             low
References:         #843674
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that has one recommended fix can now be installed. It includes one version update.

Description:

This update for ctags fixes an issue that could result in the creation of corrupted TAGS files when running etags(1) on large source repositories.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-ctags-8942
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-ctags-8942
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-ctags-8942

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 2013.10.2]:
      ctags-2013.10.2-0.3.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 2013.10.2]:
      ctags-2013.10.2-0.3.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 2013.10.2]:
      ctags-2013.10.2-0.3.1

References:

   https://bugzilla.novell.com/843674
   http://download.suse.com/patch/finder/?keywords=37917aa51cabb8fbe022f844f4f49cdb

From sle-updates at lists.suse.com Thu Mar 13 19:04:12 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 14 Mar 2014 02:04:12 +0100 (CET)
Subject: SUSE-RU-2014:0375-1: Recommended update for multipath-tools
Message-ID: <20140314010412.8B9BC3213E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for multipath-tools
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0375-1
Rating:             low
References:         #830511 #831608 #834871 #839593 #845987 #846575 #846662
                    #854025 #854243 #854244 #855379 #860850 #861534 #862250
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that has 14 recommended fixes can now be installed.

Description:

   This collective update for multipath-tools provides the following fixes
   and enhancements:

   * Blacklist HP Virtual devices. (bnc#862250)
   * Save 'root_mpath' variable in mkinitrd. (bnc#854243)
   * Remove trailing spaces from sysfs attributes. (bnc#839593)
   * Allow whitespaces in CLI commands. (bnc#846575)
   * Set priority to '0' for PATH_BLOCKED or PATH_DOWN. (bnc#831608)
   * Update multipathd man page. (bnc#834871)
   * Do not issue a table reload on every check. (bnc#854244)
   * Use RTPG data in RDAC checker. (bnc#854244)
   * Reset timezone information on reconfigure. (bnc#830511)
   * Double uevent stacksize yet again. (bnc#855379)
   * Do not fail discovery on individual devices. (bnc#860850)
   * Filter for missing property in get_refwwid. (bnc#862250)
   * Do not flush multipath tables on shutdown. (bnc#854025)
   * Prefer deprecated 'getuid' callout. (bnc#861534)
   * Skip paths with empty wwid. (bnc#861534)
   * Correctly terminate string in strlcpy(). (bnc#861534)
   * Include defaults for HP P6300. (bnc#845987)
   * Update NetApp defaults. (bnc#846662)

Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-kpartx-8921
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-kpartx-8921
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-kpartx-8921

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      kpartx-0.4.9-0.95.1
      multipath-tools-0.4.9-0.95.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      kpartx-0.4.9-0.95.1
      multipath-tools-0.4.9-0.95.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      kpartx-0.4.9-0.95.1
      multipath-tools-0.4.9-0.95.1

References:

   https://bugzilla.novell.com/830511
   https://bugzilla.novell.com/831608
   https://bugzilla.novell.com/834871
   https://bugzilla.novell.com/839593
   https://bugzilla.novell.com/845987
   https://bugzilla.novell.com/846575
   https://bugzilla.novell.com/846662
   https://bugzilla.novell.com/854025
   https://bugzilla.novell.com/854243
   https://bugzilla.novell.com/854244
   https://bugzilla.novell.com/855379
   https://bugzilla.novell.com/860850
   https://bugzilla.novell.com/861534
   https://bugzilla.novell.com/862250
   http://download.suse.com/patch/finder/?keywords=93f2659b352cf34d5cd04688c3e34135

From sle-updates at lists.suse.com Fri Mar 14 15:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 14 Mar 2014 22:04:10 +0100 (CET)
Subject: SUSE-YU-2014:0378-1: YOU update for libzypp, yast2-pkg-bindings, zypper
Message-ID: <20140314210410.98D483207C@maintenance.suse.de>

SUSE YOU Update: YOU update for libzypp, yast2-pkg-bindings, zypper
______________________________________________________________________________

Announcement ID:    SUSE-YU-2014:0378-1
Rating:             low
References:         #852943 #855845 #859160 #862471
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that has four YOU fixes can now be installed. It includes
   three new package versions.
Description:

   This update for the Software Update Stack provides the following fixes
   and enhancements:

   libzypp:
   * Remove license text from test data. (bnc#862471)
   * Fix missing priority in RepoInfo::dumpAsXML. (bnc#855845)

   yast2-pkg-bindings:
   * Fix package disk usage computation. (bnc#852943)

   zypper:
   * Remove license text from test data. (bnc#862471)
   * Zypper must refresh CD/DVD if no raw metadata is present. (bnc#859160)
   * Don't read metadata from CD/DVD repo if --no-check was used. (bnc#859160)
   * Fix missing priority in RepoInfo::dumpAsXML. (bnc#855845)

Special Instructions and Notes:

   This update triggers a restart of the software management stack. More
   updates will be available for installation after applying this update
   and restarting the application.

Patch Instructions:

   To install this SUSE YOU Update use YaST online_update. Alternatively
   you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-softwaremgmt-201403-8940
   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-softwaremgmt-201403-8940
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-softwaremgmt-201403-8940
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-softwaremgmt-201403-8940

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.37.6]:
      libzypp-devel-9.37.6-0.7.1
   - SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch) [New Version: 2.17.59.1]:
      yast2-pkg-bindings-devel-doc-2.17.59.1-0.7.1
   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 1.6.314, 2.17.59.1 and 9.37.6]:
      libzypp-9.37.6-0.7.1
      yast2-pkg-bindings-2.17.59.1-0.7.1
      zypper-1.6.314-0.7.2
      zypper-log-1.6.314-0.7.2
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.6.314, 2.17.59.1 and 9.37.6]:
      libzypp-9.37.6-0.7.1
      yast2-pkg-bindings-2.17.59.1-0.7.1
      zypper-1.6.314-0.7.2
      zypper-log-1.6.314-0.7.2
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.6.314, 2.17.59.1 and 9.37.6]:
      libzypp-9.37.6-0.7.1
      yast2-pkg-bindings-2.17.59.1-0.7.1
      zypper-1.6.314-0.7.2
      zypper-log-1.6.314-0.7.2

References:

   https://bugzilla.novell.com/852943
   https://bugzilla.novell.com/855845
   https://bugzilla.novell.com/859160
   https://bugzilla.novell.com/862471
   http://download.suse.com/patch/finder/?keywords=c5eb22b1a592a90d7aa81142acb2343c

From sle-updates at lists.suse.com Mon Mar 17 17:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 18 Mar 2014 00:04:11 +0100 (CET)
Subject: SUSE-SU-2014:0387-1: important: Security update for flash-player
Message-ID: <20140317230411.C1EBC32085@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0387-1
Rating:             important
References:         #867808
Cross-References:   CVE-2014-0503 CVE-2014-0504
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available. It includes
   one version update.
Description:

   Adobe Flash Player was updated to version 11.2.202.346 to fix security
   issues:

   * CVE-2014-0503: A vulnerability that could be used to bypass the same
     origin policy was fixed.
   * CVE-2014-0504: A vulnerability that could be used to read the
     contents of the clipboard was fixed.

   More information can be found on:
   http://helpx.adobe.com/security/products/flash-player/apsb14-08.html

Security Issues references:

   * CVE-2014-0503
   * CVE-2014-0504

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-flash-player-9012

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.346]:
      flash-player-11.2.202.346-0.3.1
      flash-player-gnome-11.2.202.346-0.3.1
      flash-player-kde4-11.2.202.346-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2014-0503.html
   http://support.novell.com/security/cve/CVE-2014-0504.html
   https://bugzilla.novell.com/867808
   http://download.suse.com/patch/finder/?keywords=7b22f7ea669840f4d56e82cfb975440d

From sle-updates at lists.suse.com Wed Mar 19 10:04:12 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 19 Mar 2014 17:04:12 +0100 (CET)
Subject: SUSE-SU-2014:0397-1: Security update for icedtea-web
Message-ID: <20140319160412.174EA3209B@maintenance.suse.de>

SUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0397-1
Rating:             low
References:         #864364
Cross-References:   CVE-2013-6493
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes
   one version update.

Description:

   The OpenJDK Java Plugin IcedTea Web was updated to fix a temporary
   file access problem.

   Changes:

   * Dialogs center on screen before becoming visible.
   * Support for u45 new manifest attributes (Application-Name).
   * Custom applet permission policies panel in itweb-settings control
     panel.
   * Plugin fixes:
     o PR1271: icedtea-web does not handle 'javascript:'-protocol URLs
     o RH976833: Multiple applets on one page cause deadlock
     o Enabled javaconsole.
   * Security fixes:
     o CVE-2013-6493/RH1010958: Insecure temporary file use flaw in
       LiveConnect implementation.
   * Additional fixes and changes:
     o Christmas splashscreen extension
     o Fixed classloading deadlocks
     o Cleaned code from warnings
     o Pipes moved to XDG runtime dir.

Security Issue references:

   * CVE-2013-6493

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-icedtea-web-8974

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4.2]:
      icedtea-web-1.4.2-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2013-6493.html
   https://bugzilla.novell.com/864364
   http://download.suse.com/patch/finder/?keywords=6aa1fad869d16e905d455574f086e576

From sle-updates at lists.suse.com Wed Mar 19 15:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 19 Mar 2014 22:04:11 +0100 (CET)
Subject: SUSE-RU-2014:0400-1: Recommended update for tcsh
Message-ID: <20140319210411.DF44932089@maintenance.suse.de>

SUSE Recommended Update: Recommended update for tcsh
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0400-1
Rating:             low
References:         #844752
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for tcsh includes enhancements to speed up loading and
   saving the history file.

Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-tcsh-8938
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-tcsh-8938
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-tcsh-8938

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      tcsh-6.15.00-93.37.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      tcsh-6.15.00-93.37.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      tcsh-6.15.00-93.37.1

References:

   https://bugzilla.novell.com/844752
   http://download.suse.com/patch/finder/?keywords=4d7f385bf13e4ec0efd07bc1657a7bc0

From sle-updates at lists.suse.com Wed Mar 19 16:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 19 Mar 2014 23:04:10 +0100 (CET)
Subject: SUSE-RU-2014:0401-1: Recommended update for star
Message-ID: <20140319220410.D700632089@maintenance.suse.de>

SUSE Recommended Update: Recommended update for star
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0401-1
Rating:             low
References:         #858660
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update fixes detection of gzip failures in star(1).

Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-star-9019
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-star-9019
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-star-9019

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      star-1.5final-28.23.25.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      star-1.5final-28.23.25.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      star-1.5final-28.23.25.1

References:

   https://bugzilla.novell.com/858660
   http://download.suse.com/patch/finder/?keywords=a622f615548fdc02e9b3749fecd04023

From sle-updates at lists.suse.com Wed Mar 19 17:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 20 Mar 2014 00:04:11 +0100 (CET)
Subject: SUSE-RU-2014:0402-1: moderate: Recommended update for augeas
Message-ID: <20140319230411.9289F32089@maintenance.suse.de>

SUSE Recommended Update: Recommended update for augeas
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0402-1
Rating:             moderate
References:         #849252
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for augeas fixes a memory corruption issue in libaugeas
   that could be triggered by rubygem-ruby-augeas and puppet.

Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-augeas-8979
   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-augeas-8979
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-augeas-8979
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-augeas-8979

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      augeas-devel-0.9.0-3.11.1
   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      augeas-0.9.0-3.11.1
      augeas-lenses-0.9.0-3.11.1
      libaugeas0-0.9.0-3.11.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      augeas-0.9.0-3.11.1
      augeas-lenses-0.9.0-3.11.1
      libaugeas0-0.9.0-3.11.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      libaugeas0-0.9.0-3.11.1

References:

   https://bugzilla.novell.com/849252
   http://download.suse.com/patch/finder/?keywords=716a8da183eca7e8a4caeaeed2a6b34a

From sle-updates at lists.suse.com Wed Mar 19 17:04:27 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 20 Mar 2014 00:04:27 +0100 (CET)
Subject: SUSE-SU-2014:0403-1: moderate: Security update for libyaml
Message-ID: <20140319230427.AC70632089@maintenance.suse.de>

SUSE Security Update: Security update for libyaml
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0403-1
Rating:             moderate
References:         #860617
Cross-References:   CVE-2013-6393
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libyaml fixes a heap based buffer overflow due to
   integer misuse. (CVE-2013-6393)

Security Issue reference:

   * CVE-2013-6393

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:
      zypper in -t patch slestso13-libyaml-0-2-8990
   - SUSE Manager 1.7 for SLE 11 SP2:
      zypper in -t patch sleman17sp2-libyaml-0-2-8990

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Studio Onsite 1.3 (x86_64):
      libyaml-0-2-0.1.3-0.10.10.1
   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):
      libyaml-0-2-0.1.3-0.10.10.1

References:

   http://support.novell.com/security/cve/CVE-2013-6393.html
   https://bugzilla.novell.com/860617
   http://download.suse.com/patch/finder/?keywords=bddbea1b68cee145c6af1518d58b29b2

From sle-updates at lists.suse.com Thu Mar 20 06:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 20 Mar 2014 13:04:10 +0100 (CET)
Subject: SUSE-SU-2014:0411-1: important: Security update for Xen
Message-ID: <20140320120410.72C8A3209B@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0411-1
Rating:             important
References:         #787163 #813673 #813677 #823011 #840592 #842511 #848657
                    #849668 #853049
Cross-References:   CVE-2012-4544 CVE-2013-1917 CVE-2013-1920 CVE-2013-2194
                    CVE-2013-2195 CVE-2013-2196 CVE-2013-4355 CVE-2013-4368
                    CVE-2013-4494 CVE-2013-4554 CVE-2013-6885
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS Xen hypervisor
   and toolset have been updated to fix various security issues.

   The following security issues have been addressed:

   * XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh
     processors does not properly handle the interaction between locked
     instructions and write-combined memory types, which allows local
     users to cause a denial of service (system hang) via a crafted
     application, aka the errata 793 issue. (bnc#853049)
   * XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1),
     4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly
     prevent access to hypercalls, which allows local guest users to gain
     privileges via a crafted application running in ring 1 or 2.
     (bnc#849668)
   * XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not
     take the page_alloc_lock and grant_table.lock in the same order,
     which allows local guest administrators with access to multiple
     vcpus to cause a denial of service (host deadlock) via unspecified
     vectors. (bnc#848657)
   * XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x,
     4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override,
     uses an uninitialized variable as a segment base, which allows local
     64-bit PV guests to obtain sensitive information (hypervisor stack
     content) via unspecified vectors related to stale data in a segment
     register. (bnc#842511)
   * XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly
     handle certain errors, which allows local HVM guests to obtain
     hypervisor stack memory via a (1) port or (2) memory mapped I/O write
     or (3) other unspecified operations related to addresses without
     associated memory. (bnc#840592)
   * XSA-55: CVE-2013-2196: Multiple unspecified vulnerabilities in the
     Elf parser (libelf) in Xen 4.2.x and earlier allow local guest
     administrators with certain permissions to have an unspecified impact
     via a crafted kernel, related to "other problems" that are not
     CVE-2013-2194 or CVE-2013-2195. (bnc#823011)
   * XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen 4.2.x and
     earlier allows local guest administrators with certain permissions
     to have an unspecified impact via a crafted kernel, related to
     "pointer dereferences" involving unexpected calculations.
     (bnc#823011)
   * XSA-55: CVE-2013-2194: Multiple integer overflows in the Elf parser
     (libelf) in Xen 4.2.x and earlier allow local guest administrators
     with certain permissions to have an unspecified impact via a crafted
     kernel. (bnc#823011)
   * XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier, when the
     hypervisor is running "under memory pressure" and the Xen Security
     Module (XSM) is enabled, uses the wrong ordering of operations when
     extending the per-domain event channel tracking table, which causes
     a use-after-free and allows local guest kernels to inject arbitrary
     events and gain privileges via unspecified vectors. (bnc#813677)
   * XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when running 64-bit
     hosts on Intel CPUs, does not clear the NT flag when using an IRET
     after a SYSENTER instruction, which allows PV guest users to cause a
     denial of service (hypervisor crash) by triggering a #GP fault, which
     is not properly handled by another IRET instruction. (bnc#813673)
   * XSA-25: CVE-2012-4544: The PV domain builder in Xen 4.2 and earlier
     does not validate the size of the kernel or ramdisk (1) before or
     (2) after decompression, which allows local guest administrators to
     cause a denial of service (domain 0 memory consumption) via a
     crafted (a) kernel or (b) ramdisk. (bnc#787163)

Security Issue references:

   * CVE-2012-4544
   * CVE-2013-1917
   * CVE-2013-1920
   * CVE-2013-2194
   * CVE-2013-2195
   * CVE-2013-2196
   * CVE-2013-4355
   * CVE-2013-4368
   * CVE-2013-4494
   * CVE-2013-4554
   * CVE-2013-6885

Indications:

   Everyone using the Xen hypervisor should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.
Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):
      xen-3.2.3_17040_46-0.7.1
      xen-devel-3.2.3_17040_46-0.7.1
      xen-doc-html-3.2.3_17040_46-0.7.1
      xen-doc-pdf-3.2.3_17040_46-0.7.1
      xen-doc-ps-3.2.3_17040_46-0.7.1
      xen-kmp-debug-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1
      xen-kmp-default-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1
      xen-kmp-kdump-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1
      xen-kmp-smp-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1
      xen-libs-3.2.3_17040_46-0.7.1
      xen-tools-3.2.3_17040_46-0.7.1
      xen-tools-domU-3.2.3_17040_46-0.7.1
      xen-tools-ioemu-3.2.3_17040_46-0.7.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):
      xen-libs-32bit-3.2.3_17040_46-0.7.1
   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586):
      xen-kmp-bigsmp-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1
      xen-kmp-kdumppae-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1
      xen-kmp-vmi-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1
      xen-kmp-vmipae-3.2.3_17040_46_2.6.16.60_0.103.13-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2012-4544.html
   http://support.novell.com/security/cve/CVE-2013-1917.html
   http://support.novell.com/security/cve/CVE-2013-1920.html
   http://support.novell.com/security/cve/CVE-2013-2194.html
   http://support.novell.com/security/cve/CVE-2013-2195.html
   http://support.novell.com/security/cve/CVE-2013-2196.html
   http://support.novell.com/security/cve/CVE-2013-4355.html
   http://support.novell.com/security/cve/CVE-2013-4368.html
   http://support.novell.com/security/cve/CVE-2013-4494.html
   http://support.novell.com/security/cve/CVE-2013-4554.html
   http://support.novell.com/security/cve/CVE-2013-6885.html
   https://bugzilla.novell.com/787163
   https://bugzilla.novell.com/813673
   https://bugzilla.novell.com/813677
   https://bugzilla.novell.com/823011
   https://bugzilla.novell.com/840592
   https://bugzilla.novell.com/842511
   https://bugzilla.novell.com/848657
   https://bugzilla.novell.com/849668
   https://bugzilla.novell.com/853049
   http://download.suse.com/patch/finder/?keywords=5877b583cb5aa03d08203d887cc47ee3

From sle-updates at lists.suse.com Thu Mar 20 17:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 21 Mar 2014 00:04:11 +0100 (CET)
Subject: SUSE-RU-2014:0412-1: important: Recommended update for OpenSSL
Message-ID: <20140320230411.109003209B@maintenance.suse.de>

SUSE Recommended Update: Recommended update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0412-1
Rating:             important
References:         #866916
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   The TLS/SSL library OpenSSL was updated to provide support for SSL
   X.509 certificate hashes sha256, sha384 and sha512, which are becoming
   more common. The Novell Update servers that host updates for SUSE Linux
   Enterprise will switch to these certificates in the near future.

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
      openssl-0.9.8a-18.78.5
      openssl-devel-0.9.8a-18.78.5
      openssl-doc-0.9.8a-18.78.5
   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
      openssl-32bit-0.9.8a-18.78.5
      openssl-devel-32bit-0.9.8a-18.78.5

References:

   https://bugzilla.novell.com/866916
   http://download.suse.com/patch/finder/?keywords=03510a150b792af79ef9dfda303697e1

From sle-updates at lists.suse.com Thu Mar 20 23:04:08 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 21 Mar 2014 06:04:08 +0100 (CET)
Subject: SUSE-SU-2014:0413-1: moderate: Security update for libssh2
Message-ID: <20140321050408.CB5FE3209E@maintenance.suse.de>

SUSE Security Update: Security update for libssh2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0413-1
Rating:             moderate
References:         #866278
Cross-References:   CVE-2014-0017
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update of libssh fixes the following security issue:

   * When libssh operates in server mode, the randomness pool was not
     switched on fork, so two pools could operate on the same randomness
     and could generate the same keys.

Security Issue references:

   * CVE-2014-0017

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-libssh2-8982
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-libssh2-8982

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      libssh2-0.2-5.20.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
      libssh2-0.2-5.20.1

References:

   http://support.novell.com/security/cve/CVE-2014-0017.html
   https://bugzilla.novell.com/866278
   http://download.suse.com/patch/finder/?keywords=c5defdb274ad752516b657c99cbfbe26

From sle-updates at lists.suse.com Thu Mar 20 23:04:23 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 21 Mar 2014 06:04:23 +0100 (CET)
Subject: SUSE-SU-2014:0414-1: moderate: Security update for clamav
Message-ID: <20140321050423.9411F3209E@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0414-1
Rating:             moderate
References:         #841815 #865883
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that contains security fixes can now be installed.
   It includes one version update.

Description:

   The antivirus scanner ClamAV has been updated to version 0.98.1, which
   includes the following fixes:

   * Code quality fixes in libclamav, clamd, sigtool, clamav-milter,
     clamconf, and clamdtop.
   * Code quality fixes in libclamav, libclamunrar and freshclam.
   * bb #8385: a PDF ASCII85Decode zero-length fix.
   * bb #7436: elf64 header early exit.
   * libclamav: SCAN_ALL mode fixes.
   * iso9660: iso_scan_file rewrite.

   Version 0.98.1 also adds support for new file types and quality
   improvements, including extraction, decompression and scanning of
   files within the Extensible Archive (XAR) and Apple Disk Image (DMG)
   formats, and support for decompression and scanning of files in the
   "Xz" compression format. Additionally, improvements and fixes were done
   to extraction and scanning of OLE formats. An option to force all
   scanned data to disk was added. Various improvements to ClamAV
   configuration, support of third party libraries, and unit tests were
   done.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-clamav-9036
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-clamav-9036
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-clamav-9036

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 0.98.1]:
      clamav-0.98.1-0.10.1
   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.98.1]:
      clamav-0.98.1-0.10.1
   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 0.98.1]:
      clamav-0.98.1-0.10.1

References:

   https://bugzilla.novell.com/841815
   https://bugzilla.novell.com/865883
   http://download.suse.com/patch/finder/?keywords=1cf7396cf9fd4d3bd7faa89fe18c7661

From sle-updates at lists.suse.com Fri Mar 21 15:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 21 Mar 2014 22:04:10 +0100 (CET)
Subject: SUSE-RU-2014:0417-1: Recommended update for checkmedia
Message-ID: <20140321210410.71FB03209B@maintenance.suse.de>

SUSE Recommended Update: Recommended update for checkmedia
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0417-1
Rating:             low
References:         #848535
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update fixes checkmedia on big endian platforms such as IBM Power
   and s390x.

Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-checkmedia-8944
   - SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-checkmedia-8944
   - SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-checkmedia-8944

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      checkmedia-3.0-0.9.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      checkmedia-3.0-0.9.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      checkmedia-3.0-0.9.1

References:

   https://bugzilla.novell.com/848535
   http://download.suse.com/patch/finder/?keywords=d8e240f266c9f02c17ed92b208f193a4

From sle-updates at lists.suse.com Fri Mar 21 16:04:14 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 21 Mar 2014 23:04:14 +0100 (CET)
Subject: SUSE-SU-2014:0418-1: important: Security update for MozillaFirefox
Message-ID: <20140321220414.53D313209E@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0418-1
Rating:             important
References:         #868603
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that contains security fixes can now be installed. It includes
   two new package versions.

Description:

   Mozilla Firefox was updated to the 24.4.0ESR release, fixing various
   security issues and bugs:

   * MFSA 2014-15: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
     * Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan Gohman, and Christoph Diehl reported memory safety problems and crashes that affect Firefox ESR 24.3 and Firefox 27. (CVE-2014-1493)
     * Gregor Wagner, Olli Pettay, Gary Kwong, Jesse Ruderman, Luke Wagner, Rob Fletcher, and Makoto Kato reported memory safety problems and crashes that affect Firefox 27. (CVE-2014-1494)
   * MFSA 2014-16 / CVE-2014-1496: Security researcher Ash reported an issue where the extracted files for updates to existing files are not read-only during the update process. This allows for the potential replacement or modification of these files during the update process if a malicious application is present on the local system.
   * MFSA 2014-17 / CVE-2014-1497: Security researcher Atte Kettunen from OUSPG reported an out-of-bounds read during the decoding of WAV format audio files for playback. This could allow web content access to heap data as well as causing a crash.
   * MFSA 2014-18 / CVE-2014-1498: Mozilla developer David Keeler reported that the crypto.generateCRMFRequest method did not correctly validate the key type of the KeyParams argument when generating ec-dual-use requests. This could lead to a crash and a denial of service (DOS) attack.
   * MFSA 2014-19 / CVE-2014-1499: Mozilla developer Ehsan Akhgari reported a spoofing attack where the permission prompt for a WebRTC session can appear to be from a different site than its actual originating site if a timed navigation occurs during the prompt generation. This allows an attacker to potentially gain access to the webcam or microphone by masquerading as another site and gaining user permission through spoofing.
   * MFSA 2014-20 / CVE-2014-1500: Security researchers Tim Philipp Schaefers and Sebastian Neef, the team of Internetwache.org, reported a mechanism using JavaScript onbeforeunload events with page navigation to prevent users from closing a malicious page's tab and causing the browser to become unresponsive. This allows for a denial of service (DOS) attack due to resource consumption and blocks the ability of users to exit the application.
   * MFSA 2014-21 / CVE-2014-1501: Security researcher Alex Infuehr reported that on Firefox for Android it is possible to open links to local files from web content by selecting "Open Link in New Tab" from the context menu using the file: protocol. The web content would have to know the precise location of a malicious local file in order to exploit this issue. This issue does not affect Firefox on non-Android systems.
   * MFSA 2014-22 / CVE-2014-1502: Mozilla developer Jeff Gilbert discovered a mechanism where a malicious site with WebGL content could inject content from its context into that of another site's WebGL context, causing the second site to replace textures and similar content. This cannot be used to steal data but could be used to render arbitrary content in these limited circumstances.
   * MFSA 2014-23 / CVE-2014-1504: Security researcher Nicolas Golubovic reported that the Content Security Policy (CSP) of data: documents was not saved as part of session restore. If an attacker convinced a victim to open a document from a data: URL injected onto a page, this can lead to a Cross-Site Scripting (XSS) attack. The target page may have a strict CSP that protects against this XSS attack, but if the attacker induces a browser crash with another bug, an XSS attack would occur during session restoration, bypassing the CSP on the site.
   * MFSA 2014-26 / CVE-2014-1508: Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover an out-of-bounds read during polygon rendering in MathML. This can allow web content to potentially read protected memory addresses. In combination with previous techniques used for SVG timing attacks, this could allow for text values to be read across domains, leading to information disclosure.
   * MFSA 2014-27 / CVE-2014-1509: Security researcher John Thomson discovered a memory corruption in the Cairo graphics library during font rendering of a PDF file for display. This memory corruption leads to a potentially exploitable crash and to a denial of service (DOS). This issue cannot be triggered in a default configuration and would require a malicious extension to be installed.
   * MFSA 2014-28 / CVE-2014-1505: Mozilla developer Robert O'Callahan reported a mechanism for timing attacks involving SVG filters and displacements input to feDisplacementMap. This allows displacements to potentially be correlated with values derived from content. This is similar to the previously reported techniques used for SVG timing attacks and could allow for text values to be read across domains, leading to information disclosure.
   * MFSA 2014-29 / CVE-2014-1510 / CVE-2014-1511: Security researcher Mariusz Mlynski, via TippingPoint's Pwn2Own contest, reported that it is possible for untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call window.open(). A second bug allowed the bypassing of the popup-blocker without user interaction. Combined, these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution.
   * MFSA 2014-30 / CVE-2014-1512: Security research firm VUPEN, via TippingPoint's Pwn2Own contest, reported that memory pressure during Garbage Collection could lead to memory corruption of TypeObjects in the JS engine, resulting in an exploitable use-after-free condition.
   * MFSA 2014-31 / CVE-2014-1513: Security researcher Jueri Aedla, via TippingPoint's Pwn2Own contest, reported that TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.
   * MFSA 2014-32 / CVE-2014-1514: Security researcher George Hotz, via TippingPoint's Pwn2Own contest, discovered an issue where values are copied from an array into a second, neutered array. This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-firefox-201403-9049

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-firefox-201403-9049

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-firefox-201403-9049

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-firefox-201403-9049

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.10.4]:

      MozillaFirefox-devel-24.4.0esr-0.8.1
      mozilla-nspr-devel-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.4.0esr and 4.10.4]:

      MozillaFirefox-24.4.0esr-0.8.1
      MozillaFirefox-translations-24.4.0esr-0.8.1
      mozilla-nspr-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 4.10.4]:

      mozilla-nspr-32bit-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.4.0esr and 4.10.4]:

      MozillaFirefox-24.4.0esr-0.8.1
      MozillaFirefox-branding-SLED-24-0.7.23
      MozillaFirefox-translations-24.4.0esr-0.8.1
      mozilla-nspr-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 4.10.4]:

      mozilla-nspr-32bit-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 4.10.4]:

      mozilla-nspr-x86-4.10.4-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.4.0esr and 4.10.4]:

      MozillaFirefox-24.4.0esr-0.8.1
      MozillaFirefox-branding-SLED-24-0.7.23
      MozillaFirefox-translations-24.4.0esr-0.8.1
      mozilla-nspr-4.10.4-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 4.10.4]:

      mozilla-nspr-32bit-4.10.4-0.3.1

References:

   https://bugzilla.novell.com/868603
   http://download.suse.com/patch/finder/?keywords=459a5273e5dbc348d118a48052078601

From sle-updates at lists.suse.com Mon Mar 24 17:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Mar 2014 00:04:11 +0100 (CET)
Subject: SUSE-SU-2014:0430-1: Security update for rubygem-activerecord-2_3, rubygem-activesupport-2_3
Message-ID: <20140324230411.6B64E32063@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-activerecord-2_3, rubygem-activesupport-2_3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0430-1
Rating:             low
References:         #864873
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   Various Ruby gems were released where the unpacked tree was patched for
   the current security issues, but the included gem file (gem archive) was
   not adjusted. This update re-releases the current updates so that the
   fixes are also included in the .gem files.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-rails-fixgem-201402-8994

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Cloud 3 (x86_64):

      rubygem-activerecord-2_3-2.3.17-0.13.1
      rubygem-activesupport-2_3-2.3.17-0.13.1

References:

   https://bugzilla.novell.com/864873
   http://download.suse.com/patch/finder/?keywords=ecf51c02031e4d9b4d1d23dff1a4d2bf

From sle-updates at lists.suse.com Mon Mar 24 19:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Mar 2014 02:04:11 +0100 (CET)
Subject: SUSE-SU-2014:0431-1: moderate: Security update for wireshark
Message-ID: <20140325010411.DD4E832063@maintenance.suse.de>

SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0431-1
Rating:             moderate
References:         #856495
Cross-References:   CVE-2013-7113
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   This update fixes a security problem in the BSSGP network protocol
   dissector that could crash wireshark.

   Security Issue reference:

   * CVE-2013-7113

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-wireshark-8977

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-wireshark-8977

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-wireshark-8977

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-wireshark-8977

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.8.12]:

      wireshark-devel-1.8.12-0.4.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64) [New Version: 1.8.12]:

      wireshark-1.8.12-0.4.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 1.8.12]:

      wireshark-1.8.12-0.4.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.8.12]:

      wireshark-1.8.12-0.4.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.8.12]:

      wireshark-1.8.12-0.4.1

References:

   http://support.novell.com/security/cve/CVE-2013-7113.html
   https://bugzilla.novell.com/856495
   http://download.suse.com/patch/finder/?keywords=dcc02410601eb1f37235341710a9a9cc

From sle-updates at lists.suse.com Mon Mar 24 23:04:09 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Mar 2014 06:04:09 +0100 (CET)
Subject: SUSE-RU-2014:0432-1: moderate: Recommended update for timezone
Message-ID: <20140325050409.0CA573209E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for timezone
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0432-1
Rating:             moderate
References:         #867679
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP4 LTSS
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that has one recommended fix can now be installed. It includes
   one version update.

Description:

   This update provides the latest timezone information for your system.

   The changes in detail are:

   * Turkey begins DST on 2014-03-31, not 2014-03-30
   * Misc changes affecting past time stamps
   * An uninitialized-storage bug in 'localtime' has been fixed.

Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-timezone-2014a-9006

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-timezone-2014a-9006

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-timezone-2014a-9006

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-timezone-2014a-9007

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-timezone-2014a-9008

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-timezone-2014a-9008

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-timezone-2014a-9006

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch) [New Version: 2014a]:

      timezone-java-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 2014a]:

      timezone-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (noarch) [New Version: 2014a]:

      timezone-java-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 2014a]:

      timezone-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (noarch) [New Version: 2014a]:

      timezone-java-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 2014a]:

      timezone-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (noarch) [New Version: 2014a]:

      timezone-java-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 2014a]:

      timezone-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (noarch) [New Version: 2014a]:

      timezone-java-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2014a]:

      timezone-2014a-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (noarch) [New Version: 2014a]:

      timezone-java-2014a-0.7.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 2014a]:

      timezone-2014a-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 2014a]:

      timezone-2014a-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (noarch) [New Version: 2014a]:

      timezone-java-2014a-0.7.1

References:

   https://bugzilla.novell.com/867679
   http://download.suse.com/patch/finder/?keywords=0b18383533f2a0cf32433f23f9ae2211
   http://download.suse.com/patch/finder/?keywords=76c7915a3d3329273399537f6aa6d235
   http://download.suse.com/patch/finder/?keywords=96ed50db5616f77a991be5e0e0126740
   http://download.suse.com/patch/finder/?keywords=b46dad3485cf0b58c3cc3ccdf227e133

From sle-updates at lists.suse.com Tue Mar 25 12:04:09 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Mar 2014 19:04:09 +0100 (CET)
Subject: SUSE-SU-2014:0444-1: important: Security update for openssl-certs
Message-ID: <20140325180409.A8C173209E@maintenance.suse.de>

SUSE Security Update: Security update for openssl-certs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0444-1
Rating:             important
References:         #860581 #865080
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   The openssl-certs package was updated to match the certificates contained
   in the Mozilla NSS 3.15.4 release.

   The following changes were made to the list of root CAs:

   * Added: ACCVRAIZ1.pem (Spain) (all trusts)
   * Added: SG_TRUST_SERVICES_RACINE.pem (Singapore) (email signing only)
   * Added: TWCA_Global_Root_CA.pem (Taiwanese) (all trusts)
   * Removed: Wells_Fargo_Root_CA.pem.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-openssl-certs-9027

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (noarch):

      openssl-certs-1.96-0.4.1

References:

   https://bugzilla.novell.com/860581
   https://bugzilla.novell.com/865080
   http://download.suse.com/patch/finder/?keywords=0fc080682c8b3aec82c1b6479ab84b28

From sle-updates at lists.suse.com Tue Mar 25 12:04:35 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Mar 2014 19:04:35 +0100 (CET)
Subject: SUSE-SU-2014:0445-1: important: Security update for gnutls
Message-ID: <20140325180435.5775D320A0@maintenance.suse.de>

SUSE Security Update: Security update for gnutls
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0445-1
Rating:             important
References:         #835760 #865804 #865993
Cross-References:   CVE-2009-5138 CVE-2014-0092
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   The GNUTLS library received a critical security fix and other updates:

   * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates being marked as valid.
   * CVE-2009-5138: A verification problem in the handling of V1 certificates could also lead to V1 certificates being handled incorrectly.

   Additionally, a memory leak in PSK authentication was fixed. (bnc#835760)

   Security Issue references:

   * CVE-2014-0092
   * CVE-2009-5138

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-gnutls-9028

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      gnutls-2.4.1-24.39.49.1
      libgnutls-extra26-2.4.1-24.39.49.1
      libgnutls26-2.4.1-24.39.49.1
      libgnutls26-32bit-2.4.1-24.39.49.1

References:

   http://support.novell.com/security/cve/CVE-2009-5138.html
   http://support.novell.com/security/cve/CVE-2014-0092.html
   https://bugzilla.novell.com/835760
   https://bugzilla.novell.com/865804
   https://bugzilla.novell.com/865993
   http://download.suse.com/patch/finder/?keywords=3b773e3f5ab3d47e4e64a79e947269b4

From sle-updates at lists.suse.com Tue Mar 25 16:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Mar 2014 23:04:11 +0100 (CET)
Subject: SUSE-SU-2014:0446-1: important: Security update for Xen
Message-ID: <20140325220411.82003320A0@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0446-1
Rating:             important
References:         #777628 #777890 #779212 #786516 #786517 #786519 #786520
                    #787163 #789944 #789945 #789948 #789950 #789951 #794316
                    #797031 #797523 #800275 #805094 #813673 #813675 #813677
                    #816156 #816159 #816163 #819416 #820917 #820919 #823011
                    #823608 #826882 #831120 #839596 #839618 #840592 #841766
                    #842511 #848657 #849667 #849668 #853049 #860163
Cross-References:   CVE-2006-1056 CVE-2007-0998 CVE-2012-3497 CVE-2012-4411
                    CVE-2012-4535 CVE-2012-4537 CVE-2012-4538 CVE-2012-4539
                    CVE-2012-4544 CVE-2012-5510 CVE-2012-5511 CVE-2012-5513
                    CVE-2012-5514 CVE-2012-5515 CVE-2012-5634 CVE-2012-6075
                    CVE-2012-6333 CVE-2013-0153 CVE-2013-0154 CVE-2013-1432
                    CVE-2013-1442 CVE-2013-1917 CVE-2013-1918 CVE-2013-1919
                    CVE-2013-1920 CVE-2013-1952 CVE-2013-1964 CVE-2013-2072
                    CVE-2013-2076 CVE-2013-2077 CVE-2013-2194 CVE-2013-2195
                    CVE-2013-2196 CVE-2013-2211 CVE-2013-2212 CVE-2013-4329
                    CVE-2013-4355 CVE-2013-4361 CVE-2013-4368 CVE-2013-4494
                    CVE-2013-4553 CVE-2013-4554 CVE-2013-6885 CVE-2014-1891
                    CVE-2014-1892 CVE-2014-1893 CVE-2014-1894
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes 47 vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise Server 11 Service Pack 1 LTSS Xen hypervisor
   and toolset have been updated to fix various security issues and some
   bugs.

   The following security issues have been addressed:

   * XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibits both problems, with the overflow issue being present for more than just the suboperations listed under CVE-2014-1891. (bnc#860163)
   * XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163)
   * XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and are therefore vulnerable to integer overflow and an attempt to allocate and then access a zero byte buffer. (bnc#860163)
   * XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049)
   * XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2.
     (bnc#849668)
   * XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667)
   * XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657)
   * XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511)
   * XSA-66: CVE-2013-4361: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (bnc#841766)
   * XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (bnc#840592)
   * XSA-62: CVE-2013-1442: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. (bnc#839596)
   * XSA-61: CVE-2013-4329: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. (bnc#839618)
   * XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120)
   * XSA-58: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to "deep page table traversal." (bnc#826882)
   * XSA-58: CVE-2013-1432: Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possibly gain privileges via unspecified vectors. (bnc#826882)
   * XSA-57: CVE-2013-2211: The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors. (bnc#823608)
   * XSA-56: CVE-2013-2072: Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap. (bnc#819416)
   * XSA-55: CVE-2013-2196: Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "other problems" that are not CVE-2013-2194 or CVE-2013-2195. (bnc#823011)
   * XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen 4.2.x and earlier allows local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "pointer dereferences" involving unexpected calculations. (bnc#823011)
   * XSA-55: CVE-2013-2194: Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel. (bnc#823011)
   * XSA-53: CVE-2013-2077: Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors. (bnc#820919)
   * XSA-52: CVE-2013-2076: Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one domain to determine portions of the state of floating point instructions of other domains, which can be leveraged to obtain sensitive information such as cryptographic keys, a similar vulnerability to CVE-2006-1056. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. (bnc#820917)
   * XSA-50: CVE-2013-1964: Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releasing a non-v1, non-transitive grant, which allows local guest administrators to cause a denial of service (host crash), obtain sensitive information, or possibly have other impacts via unspecified vectors. (bnc#816156)
   * XSA-49: CVE-2013-1952: Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors. (bnc#816163)
   * XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors. (bnc#813677)
   * XSA-46: CVE-2013-1919: Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to "passed-through IRQs or PCI devices." (bnc#813675)
   * XSA-45: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to "deep page table traversal." (bnc#816159)
   * XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. (bnc#813673)
   * XSA-41: CVE-2012-6075: Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet. (bnc#797523)
   * XSA-37: CVE-2013-0154: The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall. (bnc#797031)
   * XSA-36: CVE-2013-0153: The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests. (bnc#800275)
   * XSA-33: CVE-2012-5634: Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, does not properly configure VT-d when supporting a device that is behind a legacy PCI Bridge, which allows local guests to cause a denial of service to other guests by injecting an interrupt. (bnc#794316)
   * XSA-31: CVE-2012-5515: The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. (bnc#789950)
   * XSA-30: CVE-2012-5514: The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors. (bnc#789948)
   * XSA-29: CVE-2012-5513: The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. (bnc#789951)
   * XSA-27: CVE-2012-6333: Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input.
(bnc#789944) * XSA-27: CVE-2012-5511: Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image. (bnc#789944) * XSA-26: CVE-2012-5510: Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing the page, which allows local guest OS administrators to cause a denial of service (hypervisor crash) via unspecified vectors. (bnc#789945) * XSA-25: CVE-2012-4544: The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk. (bnc#787163) * XSA-24: CVE-2012-4539: Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka "Grant table hypercall infinite loop DoS vulnerability." (bnc#786520) * XSA-23: CVE-2012-4538: The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service (hypervisor crash) via unspecified vectors. (bnc#786519) * XSA-22: CVE-2012-4537: Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability." 
(bnc#786517) * XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an "inappropriate deadline." (bnc#786516) * XSA-19: CVE-2012-4411: The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor. NOTE: this might be a duplicate of CVE-2007-0998. (bnc#779212) * XSA-15: CVE-2012-3497: (1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (NULL pointer dereference or memory corruption and host crash) or possibly have other unspecified impacts via a NULL client id. (bnc#777890) Also the following non-security bugs have been fixed: * xen hot plug attach/detach fails modified blktap-pv-cdrom.patch. (bnc#805094) * guest "disappears" after live migration Updated block-dmmd script. (bnc#777628) Security Issues references: * CVE-2006-1056 * CVE-2007-0998 * CVE-2012-3497 * CVE-2012-4411 * CVE-2012-4535 * CVE-2012-4537 * CVE-2012-4538 * CVE-2012-4539 * CVE-2012-4544 * CVE-2012-5510 * CVE-2012-5511 * CVE-2012-5513 * CVE-2012-5514 * CVE-2012-5515 * CVE-2012-5634 * CVE-2012-6075 * CVE-2012-6333 * CVE-2013-0153 * CVE-2013-0154 * CVE-2013-1432 * CVE-2013-1442 * CVE-2013-1917 * CVE-2013-1918 * CVE-2013-1919 * CVE-2013-1920 * CVE-2013-1952 * CVE-2013-1964 * CVE-2013-2072 * CVE-2013-2076 * CVE-2013-2077 * CVE-2013-2194 * CVE-2013-2195 * CVE-2013-2196 * CVE-2013-2211 * CVE-2013-2212 * CVE-2013-4329 * CVE-2013-4355 * CVE-2013-4361 * CVE-2013-4368 * CVE-2013-4494 * CVE-2013-4553 * CVE-2013-4554 * CVE-2013-6885 * CVE-2014-1891 * CVE-2014-1892 * CVE-2014-1893 * CVE-2014-1894 Indications: Everyone using the Xen hypervisor should update. 
Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-xen-201402-8963

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64):

      xen-4.0.3_21548_16-0.5.1
      xen-doc-html-4.0.3_21548_16-0.5.1
      xen-doc-pdf-4.0.3_21548_16-0.5.1
      xen-kmp-default-4.0.3_21548_16_2.6.32.59_0.9-0.5.1
      xen-kmp-trace-4.0.3_21548_16_2.6.32.59_0.9-0.5.1
      xen-libs-4.0.3_21548_16-0.5.1
      xen-tools-4.0.3_21548_16-0.5.1
      xen-tools-domU-4.0.3_21548_16-0.5.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

      xen-kmp-pae-4.0.3_21548_16_2.6.32.59_0.9-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2006-1056.html
   http://support.novell.com/security/cve/CVE-2007-0998.html
   http://support.novell.com/security/cve/CVE-2012-3497.html
   http://support.novell.com/security/cve/CVE-2012-4411.html
   http://support.novell.com/security/cve/CVE-2012-4535.html
   http://support.novell.com/security/cve/CVE-2012-4537.html
   http://support.novell.com/security/cve/CVE-2012-4538.html
   http://support.novell.com/security/cve/CVE-2012-4539.html
   http://support.novell.com/security/cve/CVE-2012-4544.html
   http://support.novell.com/security/cve/CVE-2012-5510.html
   http://support.novell.com/security/cve/CVE-2012-5511.html
   http://support.novell.com/security/cve/CVE-2012-5513.html
   http://support.novell.com/security/cve/CVE-2012-5514.html
   http://support.novell.com/security/cve/CVE-2012-5515.html
   http://support.novell.com/security/cve/CVE-2012-5634.html
   http://support.novell.com/security/cve/CVE-2012-6075.html
   http://support.novell.com/security/cve/CVE-2012-6333.html
   http://support.novell.com/security/cve/CVE-2013-0153.html
   http://support.novell.com/security/cve/CVE-2013-0154.html
   http://support.novell.com/security/cve/CVE-2013-1432.html
   http://support.novell.com/security/cve/CVE-2013-1442.html
   http://support.novell.com/security/cve/CVE-2013-1917.html
   http://support.novell.com/security/cve/CVE-2013-1918.html
   http://support.novell.com/security/cve/CVE-2013-1919.html
   http://support.novell.com/security/cve/CVE-2013-1920.html
   http://support.novell.com/security/cve/CVE-2013-1952.html
   http://support.novell.com/security/cve/CVE-2013-1964.html
   http://support.novell.com/security/cve/CVE-2013-2072.html
   http://support.novell.com/security/cve/CVE-2013-2076.html
   http://support.novell.com/security/cve/CVE-2013-2077.html
   http://support.novell.com/security/cve/CVE-2013-2194.html
   http://support.novell.com/security/cve/CVE-2013-2195.html
   http://support.novell.com/security/cve/CVE-2013-2196.html
   http://support.novell.com/security/cve/CVE-2013-2211.html
   http://support.novell.com/security/cve/CVE-2013-2212.html
   http://support.novell.com/security/cve/CVE-2013-4329.html
   http://support.novell.com/security/cve/CVE-2013-4355.html
   http://support.novell.com/security/cve/CVE-2013-4361.html
   http://support.novell.com/security/cve/CVE-2013-4368.html
   http://support.novell.com/security/cve/CVE-2013-4494.html
   http://support.novell.com/security/cve/CVE-2013-4553.html
   http://support.novell.com/security/cve/CVE-2013-4554.html
   http://support.novell.com/security/cve/CVE-2013-6885.html
   http://support.novell.com/security/cve/CVE-2014-1891.html
   http://support.novell.com/security/cve/CVE-2014-1892.html
   http://support.novell.com/security/cve/CVE-2014-1893.html
   http://support.novell.com/security/cve/CVE-2014-1894.html
   https://bugzilla.novell.com/777628
   https://bugzilla.novell.com/777890
   https://bugzilla.novell.com/779212
   https://bugzilla.novell.com/786516
   https://bugzilla.novell.com/786517
   https://bugzilla.novell.com/786519
   https://bugzilla.novell.com/786520
   https://bugzilla.novell.com/787163
   https://bugzilla.novell.com/789944
   https://bugzilla.novell.com/789945
   https://bugzilla.novell.com/789948
   https://bugzilla.novell.com/789950
   https://bugzilla.novell.com/789951
   https://bugzilla.novell.com/794316
   https://bugzilla.novell.com/797031
   https://bugzilla.novell.com/797523
   https://bugzilla.novell.com/800275
   https://bugzilla.novell.com/805094
   https://bugzilla.novell.com/813673
   https://bugzilla.novell.com/813675
   https://bugzilla.novell.com/813677
   https://bugzilla.novell.com/816156
   https://bugzilla.novell.com/816159
   https://bugzilla.novell.com/816163
   https://bugzilla.novell.com/819416
   https://bugzilla.novell.com/820917
   https://bugzilla.novell.com/820919
   https://bugzilla.novell.com/823011
   https://bugzilla.novell.com/823608
   https://bugzilla.novell.com/826882
   https://bugzilla.novell.com/831120
   https://bugzilla.novell.com/839596
   https://bugzilla.novell.com/839618
   https://bugzilla.novell.com/840592
   https://bugzilla.novell.com/841766
   https://bugzilla.novell.com/842511
   https://bugzilla.novell.com/848657
   https://bugzilla.novell.com/849667
   https://bugzilla.novell.com/849668
   https://bugzilla.novell.com/853049
   https://bugzilla.novell.com/860163
   http://download.suse.com/patch/finder/?keywords=d46197780129fa94fee1eb1708143171

From sle-updates at lists.suse.com Tue Mar 25 17:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 26 Mar 2014 00:04:10 +0100 (CET)
Subject: SUSE-RU-2014:0447-1: Recommended update for studio-help
Message-ID: <20140325230410.DB8F13209E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for studio-help
______________________________________________________________________________

Announcement ID:    SUSE-RU-2014:0447-1
Rating:             low
References:         #808381
Affected Products:
                    SUSE Studio Onsite 1.3
______________________________________________________________________________

   An update that has one recommended fix can now be installed. It
   includes one version update.

Description:

   This update provides the latest version of SUSE Studio Onsite
   documentation.
   The changes in detail are:

   * #808381: Fix outdated image types list in API documentation.

Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-studio-help-8943

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Studio Onsite 1.3 (noarch) [New Version: 1.3.16]:

      studio-help-1.3.16-0.5.1

References:

   https://bugzilla.novell.com/808381
   http://download.suse.com/patch/finder/?keywords=4a29d9563497d8e81a4cfe8d69a1b5a2

From sle-updates at lists.suse.com Wed Mar 26 11:04:09 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 26 Mar 2014 18:04:09 +0100 (CET)
Subject: SUSE-SU-2014:0451-1: important: Security update for IBM Java 6
Message-ID: <20140326170409.2D33F320A0@maintenance.suse.de>

SUSE Security Update: Security update for IBM Java 6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0451-1
Rating:             important
References:         #862064
Cross-References:   CVE-2013-5878 CVE-2013-5884 CVE-2013-5887 CVE-2013-5888
                    CVE-2013-5889 CVE-2013-5896 CVE-2013-5898 CVE-2013-5899
                    CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373
                    CVE-2014-0375 CVE-2014-0376 CVE-2014-0387 CVE-2014-0403
                    CVE-2014-0410 CVE-2014-0411 CVE-2014-0415 CVE-2014-0416
                    CVE-2014-0417 CVE-2014-0422 CVE-2014-0423 CVE-2014-0424
                    CVE-2014-0428
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available.

Description:

   IBM Java 6 was updated to version SR15-FP1 which received security and
   bug fixes.

   More information at:
   http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2014_CPU

Security Issue references:

   * CVE-2014-0428
   * CVE-2014-0422
   * CVE-2013-5907
   * CVE-2014-0417
   * CVE-2014-0373
   * CVE-2014-0423
   * CVE-2014-0376
   * CVE-2014-0416
   * CVE-2014-0368
   * CVE-2014-0411
   * CVE-2014-0415
   * CVE-2014-0410
   * CVE-2013-5889
   * CVE-2014-0387
   * CVE-2014-0424
   * CVE-2013-5878
   * CVE-2014-0375
   * CVE-2014-0403
   * CVE-2013-5910
   * CVE-2013-5884
   * CVE-2013-5896
   * CVE-2013-5899
   * CVE-2013-5887
   * CVE-2013-5888
   * CVE-2013-5898

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-java-1_6_0-ibm-9026

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      java-1_6_0-ibm-1.6.0_sr15.1-0.6.1
      java-1_6_0-ibm-devel-1.6.0_sr15.1-0.6.1
      java-1_6_0-ibm-fonts-1.6.0_sr15.1-0.6.1
      java-1_6_0-ibm-jdbc-1.6.0_sr15.1-0.6.1
      java-1_6_0-ibm-plugin-1.6.0_sr15.1-0.6.1

References:

   http://support.novell.com/security/cve/CVE-2013-5878.html
   http://support.novell.com/security/cve/CVE-2013-5884.html
   http://support.novell.com/security/cve/CVE-2013-5887.html
   http://support.novell.com/security/cve/CVE-2013-5888.html
   http://support.novell.com/security/cve/CVE-2013-5889.html
   http://support.novell.com/security/cve/CVE-2013-5896.html
   http://support.novell.com/security/cve/CVE-2013-5898.html
   http://support.novell.com/security/cve/CVE-2013-5899.html
   http://support.novell.com/security/cve/CVE-2013-5907.html
   http://support.novell.com/security/cve/CVE-2013-5910.html
   http://support.novell.com/security/cve/CVE-2014-0368.html
   http://support.novell.com/security/cve/CVE-2014-0373.html
   http://support.novell.com/security/cve/CVE-2014-0375.html
   http://support.novell.com/security/cve/CVE-2014-0376.html
   http://support.novell.com/security/cve/CVE-2014-0387.html
   http://support.novell.com/security/cve/CVE-2014-0403.html
   http://support.novell.com/security/cve/CVE-2014-0410.html
   http://support.novell.com/security/cve/CVE-2014-0411.html
   http://support.novell.com/security/cve/CVE-2014-0415.html
   http://support.novell.com/security/cve/CVE-2014-0416.html
   http://support.novell.com/security/cve/CVE-2014-0417.html
   http://support.novell.com/security/cve/CVE-2014-0422.html
   http://support.novell.com/security/cve/CVE-2014-0423.html
   http://support.novell.com/security/cve/CVE-2014-0424.html
   http://support.novell.com/security/cve/CVE-2014-0428.html
   https://bugzilla.novell.com/862064
   http://download.suse.com/patch/finder/?keywords=30eb44893c8b38fb40f812d2cb00792d

From sle-updates at lists.suse.com Wed Mar 26 17:04:09 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 27 Mar 2014 00:04:09 +0100 (CET)
Subject: SUSE-SU-2014:0452-1: important: Security update for crowbar-barclamp-network
Message-ID: <20140326230409.381873209E@maintenance.suse.de>

SUSE Security Update: Security update for crowbar-barclamp-network
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0452-1
Rating:             important
References:         #864183
Cross-References:   CVE-2014-0592
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for crowbar-barclamp-network fixes handling of security
   groups where new instances with floating IPs would not be protected by
   the firewall and could end up reachable from the outside.

Security Issue reference:

   * CVE-2014-0592

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-crowbar-barclamp-network-8957

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Cloud 3 (noarch):

      crowbar-barclamp-network-1.7+git.1392820032.ebfa91f-0.7.2

References:

   http://support.novell.com/security/cve/CVE-2014-0592.html
   https://bugzilla.novell.com/864183
   http://download.suse.com/patch/finder/?keywords=7418b173a70ef35b0ea76128c0d94033

From sle-updates at lists.suse.com Wed Mar 26 17:04:24 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 27 Mar 2014 00:04:24 +0100 (CET)
Subject: SUSE-SU-2014:0453-1: moderate: Security update for openstack-glance
Message-ID: <20140326230424.23B04320A0@maintenance.suse.de>

SUSE Security Update: Security update for openstack-glance
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0453-1
Rating:             moderate
References:         #863484
Cross-References:   CVE-2014-1948
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes
   one version update.

Description:

   OpenStack Image Registry and Delivery Service (Glance) in SUSE Cloud 3
   logged a URL containing the Swift store backend password when
   authentication fails and WARNING level logging is enabled, which
   allowed local users to obtain sensitive information by reading the log.

Security Issue references:

   * CVE-2014-1948

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-openstack-glance-8955

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 3 (x86_64) [New Version: 2013.2.3.dev1.g9d89b8e]:

      openstack-glance-2013.2.3.dev1.g9d89b8e-0.7.3
      python-glance-2013.2.3.dev1.g9d89b8e-0.7.3

   - SUSE Cloud 3 (noarch) [New Version: 2013.2.3.dev1.g9d89b8e]:

      openstack-glance-doc-2013.2.3.dev1.g9d89b8e-0.7.3

References:

   http://support.novell.com/security/cve/CVE-2014-1948.html
   https://bugzilla.novell.com/863484
   http://download.suse.com/patch/finder/?keywords=021078b483b4a044adf82d968bd623e7

From sle-updates at lists.suse.com Thu Mar 27 06:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 27 Mar 2014 13:04:11 +0100 (CET)
Subject: SUSE-SU-2014:0456-1: moderate: Security update for libyaml
Message-ID: <20140327120411.B2A5A3209E@maintenance.suse.de>

SUSE Security Update: Security update for libyaml
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0456-1
Rating:             moderate
References:         #860617 #868944
Cross-References:   CVE-2013-6393 CVE-2014-2525
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE Manager 1.7 for SLE 11 SP2
                    SUSE Cloud 3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for libyaml fixes two security issues.

   * A heap based buffer overflow due to integer misuse was fixed.
     (CVE-2013-6393)
   * A heap based overflow during XML parsing was fixed. (CVE-2014-2525)

Security Issues references:

   * CVE-2013-6393
   * CVE-2014-2525

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-libyaml-9042

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-libyaml-9042

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-libyaml-9041

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Studio Onsite 1.3 (x86_64):

      libyaml-0-2-0.1.3-0.10.12.1

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      libyaml-0-2-0.1.3-0.10.12.1

   - SUSE Cloud 3 (x86_64):

      libyaml-0-2-0.1.3-0.10.12.1

References:

   http://support.novell.com/security/cve/CVE-2013-6393.html
   http://support.novell.com/security/cve/CVE-2014-2525.html
   https://bugzilla.novell.com/860617
   https://bugzilla.novell.com/868944
   http://download.suse.com/patch/finder/?keywords=2718f1a58434090cde78d28c18a8cf43
   http://download.suse.com/patch/finder/?keywords=e0ee402380bd691c0e7efeca142a821b

From sle-updates at lists.suse.com Thu Mar 27 12:04:12 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 27 Mar 2014 19:04:12 +0100 (CET)
Subject: SUSE-SU-2014:0457-1: moderate: Security update for rubygem-actionpack-2_3
Message-ID: <20140327180412.1D68D3209F@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-actionpack-2_3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0457-1
Rating:             moderate
References:         #864433 #864873
Cross-References:   CVE-2014-0081
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   Rubygem Actionpack was updated to fix an XSS vulnerability:

   * CVE-2014-0081: XSS vulnerability in number_to_currency,
     number_to_percentage and number_to_human.

Security Issue references:

   * CVE-2014-0081

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-rubygem-actionpack-2_3-8992

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 3 (x86_64):

      rubygem-actionpack-2_3-2.3.17-0.15.2

References:

   http://support.novell.com/security/cve/CVE-2014-0081.html
   https://bugzilla.novell.com/864433
   https://bugzilla.novell.com/864873
   http://download.suse.com/patch/finder/?keywords=9b9011921df3adb378f95a881be52dc5

From sle-updates at lists.suse.com Thu Mar 27 17:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 28 Mar 2014 00:04:10 +0100 (CET)
Subject: SUSE-SU-2014:0458-1: moderate: Security update for rubygem-i18n-0_6
Message-ID: <20140327230410.F0BE33209F@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-i18n-0_6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0458-1
Rating:             moderate
References:         #854166 #855139 #864873
Cross-References:   CVE-2013-4492
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now
   available.

Description:

   rubygem-i18n-0_6 was updated to fix a security issue:

   * Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n
     gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary
     web script or HTML via a crafted I18n::MissingTranslationData.new
     call.

   Additionally the package now requires ruby directly, and also applies
   the security patch to the bundled .gem file.

Security Issues references:

   * CVE-2013-4492

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-rubygem-i18n-0_6-8937

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      rubygem-i18n-0_6-0.6.0-0.8.1

References:

   http://support.novell.com/security/cve/CVE-2013-4492.html
   https://bugzilla.novell.com/854166
   https://bugzilla.novell.com/855139
   https://bugzilla.novell.com/864873
   http://download.suse.com/patch/finder/?keywords=890278b13a143713a36b9a9424992d47

From sle-updates at lists.suse.com Thu Mar 27 19:04:12 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 28 Mar 2014 02:04:12 +0100 (CET)
Subject: SUSE-SU-2014:0459-1: important: Security update for Linux Kernel
Message-ID: <20140328010412.7515732072@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0459-1
Rating:             important
References:         #599263 #827670 #833968 #844513 #846790 #847672 #852488
                    #852967 #853162 #853166 #853455 #854025 #854445 #855825
                    #855885 #856848 #857358 #857643 #858604 #859225 #859342
                    #861093 #862796 #862957 #863178 #863526 #864025 #864058
                    #864833 #864880 #865342 #865783 #866253 #866428
Cross-References:   CVE-2013-4470 CVE-2013-6885 CVE-2013-7263 CVE-2013-7264
                    CVE-2013-7265 CVE-2014-0069
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise High Availability Extension 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
                    SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 28 fixes is now
   available. It includes one version update.

Description:

   The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix
   various bugs and security issues.
------------------------------------------------------------ ------------ WARNING: If you are running KVM with PCI pass-through on a system with one of the following Intel chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or X58 (revisions 0x12, 0x13, 0x22), please make sure to read the following support document before installing this update: https://www.suse.com/support/kb/doc.php?id=7014344 . You will have to update your KVM setup to no longer make use of PCI pass-through before rebooting to the updated kernel. ------------------------------------------------------------ ------------ The following security bugs were fixed: * CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) * CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#852967) * CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. 
(bnc#857643) * CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643) * CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643) * CVE-2014-0069: The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (bnc#864025) The following non-security bugs were fixed: * kabi: protect symbols modified by bnc#864833 fix (bnc#864833). * mm: mempolicy: fix mbind_range() && vma_adjust() interaction (VM Functionality (bnc#866428)). * mm: merging memory blocks resets mempolicy (VM Functionality (bnc#866428)). * mm/page-writeback.c: do not count anon pages as dirtyable memory (High memory utilisation performance (bnc#859225)). * mm: vmscan: Do not force reclaim file pages until it exceeds anon (High memory utilisation performance (bnc#859225)). * mm: vmscan: fix endless loop in kswapd balancing (High memory utilisation performance (bnc#859225)). * mm: vmscan: Update rotated and scanned when force reclaimed (High memory utilisation performance (bnc#859225)). * mm: exclude memory less nodes from zone_reclaim (bnc#863526). 
* mm: fix return type for functions nr_free_*_pages kabi fixup (bnc#864058). * mm: fix return type for functions nr_free_*_pages (bnc#864058). * mm: swap: Use swapfiles in priority order (Use swap files in priority order (bnc#862957)). * x86: Save cr2 in NMI in case NMIs take a page fault (follow-up for patches.fixes/x86-Add-workaround-to-NMI-iret-woes.patch). * powerpc: Add VDSO version of getcpu (fate#316816, bnc#854445). * vmscan: change type of vm_total_pages to unsigned long (bnc#864058). * audit: dynamically allocate audit_names when not enough space is in the names array (bnc#857358). * audit: make filetype matching consistent with other filters (bnc#857358). * arch/x86/mm/srat: Skip NUMA_NO_NODE while parsing SLIT (bnc#863178). * hwmon: (coretemp) Fix truncated name of alarm attributes. * privcmd: allow preempting long running user-mode originating hypercalls (bnc#861093). * nohz: Check for nohz active instead of nohz enabled (bnc#846790). * nohz: Fix another inconsistency between CONFIG_NO_HZ=n and nohz=off (bnc#846790). * iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets (bnc#844513) * balloon: do not crash in HVM-with-PoD guests. * crypto: s390 - fix des and des3_ede ctr concurrency issue (bnc#862796, LTC#103744). * crypto: s390 - fix des and des3_ede cbc concurrency issue (bnc#862796, LTC#103743). * kernel: oops due to linkage stack instructions (bnc#862796, LTC#103860). * crypto: s390 - fix concurrency issue in aes-ctr mode (bnc#862796, LTC#103742). * dump: Fix dump memory detection (bnc#862796,LTC#103575). * net: change type of virtio_chan->p9_max_pages (bnc#864058). * inet: Avoid potential NULL peer dereference (bnc#864833). * inet: Hide route peer accesses behind helpers (bnc#864833). * inet: Pass inetpeer root into inet_getpeer*() interfaces (bnc#864833). * tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968). * tcp: syncookies: reduce mss table to four values (bnc#833968). 
* ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support, warn about missing CREATE flag (bnc#865783).
* ipv6: send router reachability probe if route has an unreachable gateway (bnc#853162).
* sctp: Implement quick failover draft from tsvwg (bnc#827670).
* ipvs: fix AF assignment in ip_vs_conn_new() (bnc#856848).
* NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure (bnc#853455).
* btrfs: bugfix collection
* fs/nfsd: change type of max_delegations, nfsd_drc_max_mem and nfsd_drc_mem_used (bnc#864058).
* fs/buffer.c: change type of max_buffer_heads to unsigned long (bnc#864058).
* ncpfs: fix rmdir returns Device or resource busy (bnc#864880).
* fs/fscache: Handle removal of unadded object to the fscache_object_list rb tree (bnc#855885).
* scsi_dh_alua: fixup RTPG retry delay miscalculation (bnc#854025).
* scsi_dh_alua: Simplify state machine (bnc#854025).
* xhci: Fix resume issues on Renesas chips in Samsung laptops (bnc#866253).
* bonding: disallow enslaving a bond to itself (bnc#599263).
* USB: hub: handle -ETIMEDOUT during enumeration (bnc#855825).
* dm-multipath: Do not stall on invalid ioctls (bnc#865342).
* scsi_dh_alua: endless STPG retries for a failed LUN (bnc#865342).
* net/mlx4_en: Fix pages never dma unmapped on rx (bnc#858604).
* dlm: remove get_comm (bnc#827670).
* dlm: Avoid LVB truncation (bnc#827670).
* dlm: disable nagle for SCTP (bnc#827670).
* dlm: retry failed SCTP sends (bnc#827670).
* dlm: try other IPs when sctp init assoc fails (bnc#827670).
* dlm: clear correct bit during sctp init failure handling (bnc#827670).
* dlm: set sctp assoc id during setup (bnc#827670).
* dlm: clear correct init bit during sctp setup (bnc#827670).
* dlm: fix deadlock between dlm_send and dlm_controld (bnc#827670).
* dlm: Fix return value from lockspace_busy() (bnc#827670).
* Avoid occasional hang with NFS (bnc#852488).
* mpt2sas: Fix unsafe using smp_processor_id() in preemptible (bnc#853166).
* lockd: send correct lock when granting a delayed lock (bnc#859342).

Security Issues references:

* CVE-2013-4470
* CVE-2013-6885
* CVE-2013-7263
* CVE-2013-7264
* CVE-2013-7265
* CVE-2014-0069

Indications:

Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-kernel-9050 slessp3-kernel-9051
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-kernel-9045 slessp3-kernel-9046 slessp3-kernel-9047 slessp3-kernel-9050 slessp3-kernel-9051
- SUSE Linux Enterprise High Availability Extension 11 SP3:
    zypper in -t patch slehasp3-kernel-9045 slehasp3-kernel-9046 slehasp3-kernel-9047 slehasp3-kernel-9050 slehasp3-kernel-9051
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-kernel-9050 sledsp3-kernel-9051

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 3.0.101]:
    kernel-default-3.0.101-0.18.1
    kernel-default-base-3.0.101-0.18.1
    kernel-default-devel-3.0.101-0.18.1
    kernel-source-3.0.101-0.18.1
    kernel-syms-3.0.101-0.18.1
    kernel-trace-3.0.101-0.18.1
    kernel-trace-base-3.0.101-0.18.1
    kernel-trace-devel-3.0.101-0.18.1
    kernel-xen-devel-3.0.101-0.18.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586) [New Version: 3.0.101]:
    kernel-pae-3.0.101-0.18.1
    kernel-pae-base-3.0.101-0.18.1
    kernel-pae-devel-3.0.101-0.18.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.0.101]:
    kernel-default-3.0.101-0.18.1
    kernel-default-base-3.0.101-0.18.1
    kernel-default-devel-3.0.101-0.18.1
    kernel-source-3.0.101-0.18.1
    kernel-syms-3.0.101-0.18.1
    kernel-trace-3.0.101-0.18.1
    kernel-trace-base-3.0.101-0.18.1
    kernel-trace-devel-3.0.101-0.18.1
- SUSE Linux Enterprise Server 11 SP3 (i586 x86_64) [New Version: 3.0.101]:
    kernel-ec2-3.0.101-0.18.1
    kernel-ec2-base-3.0.101-0.18.1
    kernel-ec2-devel-3.0.101-0.18.1
    kernel-xen-3.0.101-0.18.1
    kernel-xen-base-3.0.101-0.18.1
    kernel-xen-devel-3.0.101-0.18.1
    xen-kmp-default-4.2.4_02_3.0.101_0.18-0.7.5
- SUSE Linux Enterprise Server 11 SP3 (s390x) [New Version: 3.0.101]:
    kernel-default-man-3.0.101-0.18.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64) [New Version: 3.0.101]:
    kernel-ppc64-3.0.101-0.18.1
    kernel-ppc64-base-3.0.101-0.18.1
    kernel-ppc64-devel-3.0.101-0.18.1
- SUSE Linux Enterprise Server 11 SP3 (i586) [New Version: 3.0.101]:
    kernel-pae-3.0.101-0.18.1
    kernel-pae-base-3.0.101-0.18.1
    kernel-pae-devel-3.0.101-0.18.1
    xen-kmp-pae-4.2.4_02_3.0.101_0.18-0.7.5
- SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    cluster-network-kmp-default-1.4_3.0.101_0.18-2.27.49
    cluster-network-kmp-trace-1.4_3.0.101_0.18-2.27.49
    gfs2-kmp-default-2_3.0.101_0.18-0.16.55
    gfs2-kmp-trace-2_3.0.101_0.18-0.16.55
    ocfs2-kmp-default-1.6_3.0.101_0.18-0.20.49
    ocfs2-kmp-trace-1.6_3.0.101_0.18-0.20.49
- SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 x86_64):
    cluster-network-kmp-xen-1.4_3.0.101_0.18-2.27.49
    gfs2-kmp-xen-2_3.0.101_0.18-0.16.55
    ocfs2-kmp-xen-1.6_3.0.101_0.18-0.20.49
- SUSE Linux Enterprise High Availability Extension 11 SP3 (ppc64):
    cluster-network-kmp-ppc64-1.4_3.0.101_0.18-2.27.49
    gfs2-kmp-ppc64-2_3.0.101_0.18-0.16.55
    ocfs2-kmp-ppc64-1.6_3.0.101_0.18-0.20.49
- SUSE Linux Enterprise High Availability Extension 11 SP3 (i586):
    cluster-network-kmp-pae-1.4_3.0.101_0.18-2.27.49
    gfs2-kmp-pae-2_3.0.101_0.18-0.16.55
    ocfs2-kmp-pae-1.6_3.0.101_0.18-0.20.49
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 3.0.101]:
    kernel-default-3.0.101-0.18.1
    kernel-default-base-3.0.101-0.18.1
    kernel-default-devel-3.0.101-0.18.1
    kernel-default-extra-3.0.101-0.18.1
    kernel-source-3.0.101-0.18.1
    kernel-syms-3.0.101-0.18.1
    kernel-trace-devel-3.0.101-0.18.1
    kernel-xen-3.0.101-0.18.1
    kernel-xen-base-3.0.101-0.18.1
    kernel-xen-devel-3.0.101-0.18.1
    kernel-xen-extra-3.0.101-0.18.1
    xen-kmp-default-4.2.4_02_3.0.101_0.18-0.7.5
- SUSE Linux Enterprise Desktop 11 SP3 (i586) [New Version: 3.0.101]:
    kernel-pae-3.0.101-0.18.1
    kernel-pae-base-3.0.101-0.18.1
    kernel-pae-devel-3.0.101-0.18.1
    kernel-pae-extra-3.0.101-0.18.1
    xen-kmp-pae-4.2.4_02_3.0.101_0.18-0.7.5
- SLE 11 SERVER Unsupported Extras (i586 ia64 ppc64 s390x x86_64):
    kernel-default-extra-3.0.101-0.18.1
- SLE 11 SERVER Unsupported Extras (i586 x86_64):
    kernel-xen-extra-3.0.101-0.18.1
- SLE 11 SERVER Unsupported Extras (ppc64):
    kernel-ppc64-extra-3.0.101-0.18.1
- SLE 11 SERVER Unsupported Extras (i586):
    kernel-pae-extra-3.0.101-0.18.1

References:

http://support.novell.com/security/cve/CVE-2013-4470.html
http://support.novell.com/security/cve/CVE-2013-6885.html
http://support.novell.com/security/cve/CVE-2013-7263.html
http://support.novell.com/security/cve/CVE-2013-7264.html
http://support.novell.com/security/cve/CVE-2013-7265.html
http://support.novell.com/security/cve/CVE-2014-0069.html
https://bugzilla.novell.com/599263
https://bugzilla.novell.com/827670
https://bugzilla.novell.com/833968
https://bugzilla.novell.com/844513
https://bugzilla.novell.com/846790
https://bugzilla.novell.com/847672
https://bugzilla.novell.com/852488
https://bugzilla.novell.com/852967
https://bugzilla.novell.com/853162
https://bugzilla.novell.com/853166
https://bugzilla.novell.com/853455
https://bugzilla.novell.com/854025
https://bugzilla.novell.com/854445
https://bugzilla.novell.com/855825
https://bugzilla.novell.com/855885
https://bugzilla.novell.com/856848
https://bugzilla.novell.com/857358
https://bugzilla.novell.com/857643
https://bugzilla.novell.com/858604
https://bugzilla.novell.com/859225
https://bugzilla.novell.com/859342
https://bugzilla.novell.com/861093
https://bugzilla.novell.com/862796
https://bugzilla.novell.com/862957
https://bugzilla.novell.com/863178
https://bugzilla.novell.com/863526
https://bugzilla.novell.com/864025
https://bugzilla.novell.com/864058
https://bugzilla.novell.com/864833
https://bugzilla.novell.com/864880
https://bugzilla.novell.com/865342
https://bugzilla.novell.com/865783
https://bugzilla.novell.com/866253
https://bugzilla.novell.com/866428
http://download.suse.com/patch/finder/?keywords=0e36f5897fccb20ea48f7e58e74b2647
http://download.suse.com/patch/finder/?keywords=2bba527d042fa2524206bfe310bbd09d
http://download.suse.com/patch/finder/?keywords=486aa2eada02c76d1cac74b15b7bc069
http://download.suse.com/patch/finder/?keywords=50402d33a8c1451b2166727adc144f74
http://download.suse.com/patch/finder/?keywords=7129036742186e61dc9c40e8d6898c51
http://download.suse.com/patch/finder/?keywords=7186c0ca1717924a99aab4250b1b0389
http://download.suse.com/patch/finder/?keywords=7ab3c7cf9fa1047f360fd862740f9f62
http://download.suse.com/patch/finder/?keywords=828b5201cfab14cc87d2e941056208ee
http://download.suse.com/patch/finder/?keywords=aacac5b010d7cf23355177e902b2480a
http://download.suse.com/patch/finder/?keywords=bf8427bba89958884290889fb5022f2b

From sle-updates at lists.suse.com Fri Mar 28 11:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 28 Mar 2014 18:04:10 +0100 (CET)
Subject: SUSE-RU-2014:0460-1: Recommended update for mokutil
Message-ID: <20140328170410.B32D4320A4@maintenance.suse.de>

SUSE Recommended Update: Recommended update for mokutil
______________________________________________________________________________

Announcement ID: SUSE-RU-2014:0460-1
Rating: low
References: #862797
Affected Products:
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update fixes an issue with logouts or reboots on UEFI systems. The cause was that mokutil used the wrong UEFI Globally Unique Identifier (GUID), which is needed to access the UEFI db variable for checking the enrolled certificates.

Indications:

Everyone using UEFI should update.

Patch Instructions:

To install this SUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-mokutil-9057
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-mokutil-9057
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-mokutil-9057

To bring your system up-to-date, use "zypper patch".
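As an added illustration of the mokutil fix above (example code written here, not part of mokutil or this advisory): on Linux the UEFI db variable is addressed through efivarfs by name plus vendor GUID, so a lookup under the wrong GUID simply finds no variable, and whatever is found must then be parsed as a chain of EFI_SIGNATURE_LIST structures before any enrolled certificate can be checked. The efivarfs mount point, the helper names and the sample data are assumptions; the GUIDs are the UEFI specification's standard values.

```python
import struct
import uuid
from pathlib import Path

# Vendor GUID under which the db and dbx signature databases are stored.
# PK and KEK live under EFI_GLOBAL_VARIABLE_GUID instead; looking db up under
# the wrong vendor GUID makes the variable appear to be absent.
IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")

# Signature types that can appear inside an EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed Linux efivarfs mount point


def efivar_path(name: str, vendor: uuid.UUID) -> Path:
    """efivarfs exposes every variable as '<Name>-<vendor GUID>'."""
    return EFIVARS / f"{name}-{vendor}"


def read_efivar(name: str, vendor: uuid.UUID) -> bytes:
    """Return the variable payload; efivarfs prefixes 4 bytes of attributes."""
    return efivar_path(name, vendor).read_bytes()[4:]


def parse_signature_lists(blob: bytes):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a db/dbx payload.

    Each list: SignatureType (16-byte GUID), SignatureListSize,
    SignatureHeaderSize, SignatureSize (uint32 each), optional header,
    then entries of SignatureSize bytes: a 16-byte SignatureOwner GUID
    followed by the signature data. Returns (type_name, owner, data) tuples.
    """
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                            owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")
    return entries


def enrolled_summary(blob: bytes) -> dict:
    """Count enrolled entries per signature type, e.g. {'X509': 1, 'SHA256': 2}."""
    summary = {}
    for type_name, _owner, _data in parse_signature_lists(blob):
        summary[type_name] = summary.get(type_name, 0) + 1
    return summary


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs) -> bytes:
    """Encode one header-less EFI_SIGNATURE_LIST; used to construct sample data."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


if __name__ == "__main__":
    p = efivar_path("db", IMAGE_SECURITY_DATABASE_GUID)
    if p.exists():
        print(p, enrolled_summary(read_efivar("db", IMAGE_SECURITY_DATABASE_GUID)))
    else:
        print(p, "not present (no UEFI/efivarfs); parsing a constructed sample instead")
        sample = build_signature_list(EFI_CERT_SHA256_GUID, EFI_GLOBAL_VARIABLE_GUID,
                                      [b"\x01" * 32, b"\x02" * 32])
        print(enrolled_summary(sample))
```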
Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
    mokutil-0.1.0-0.21.1
- SUSE Linux Enterprise Server 11 SP3 (x86_64):
    mokutil-0.1.0-0.21.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
    mokutil-0.1.0-0.21.1

References:

https://bugzilla.novell.com/862797
http://download.suse.com/patch/finder/?keywords=70a1f4d6dfb50979c919f3488d6dad75

From sle-updates at lists.suse.com Fri Mar 28 13:04:10 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 28 Mar 2014 20:04:10 +0100 (CET)
Subject: SUSE-SU-2014:0461-1: moderate: Security update for PostgreSQL 9.1
Message-ID: <20140328190410.B28E5320A4@maintenance.suse.de>

SUSE Security Update: Security update for PostgreSQL 9.1
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0461-1
Rating: moderate
References: #864845 #864846 #864847 #864850 #864851 #864852 #864853
Cross-References: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available. It includes one version update.

Description:

The PostgreSQL database server was updated to version 9.1.12 to fix various security issues:

* Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor.
Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060)
* The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061)
* If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062)
* The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063)
* Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064)
* Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun.
Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065)
* There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)
* Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067)

The complete list of bugs and more information can be found at:
http://www.postgresql.org/docs/9.1/static/release-9-1-12.html

Security Issues references:

* CVE-2014-0060
* CVE-2014-0061
* CVE-2014-0062
* CVE-2014-0063
* CVE-2014-0064
* CVE-2014-0065
* CVE-2014-0066

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-libecpg6-8970
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-libecpg6-8970
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-libecpg6-8970
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-libecpg6-8970

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.12]:
    postgresql91-devel-9.1.12-0.3.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 9.1.12]:
    libecpg6-9.1.12-0.3.1
    libpq5-9.1.12-0.3.1
    postgresql91-9.1.12-0.3.1
    postgresql91-contrib-9.1.12-0.3.1
    postgresql91-docs-9.1.12-0.3.1
    postgresql91-server-9.1.12-0.3.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 9.1.12]:
    libpq5-32bit-9.1.12-0.3.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.12]:
    libecpg6-9.1.12-0.3.1
    libpq5-9.1.12-0.3.1
    postgresql91-9.1.12-0.3.1
    postgresql91-contrib-9.1.12-0.3.1
    postgresql91-docs-9.1.12-0.3.1
    postgresql91-server-9.1.12-0.3.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 9.1.12]:
    libpq5-32bit-9.1.12-0.3.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 9.1.12]:
    libecpg6-9.1.12-0.3.1
    libpq5-9.1.12-0.3.1
    postgresql91-9.1.12-0.3.1
    postgresql91-docs-9.1.12-0.3.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 9.1.12]:
    libpq5-32bit-9.1.12-0.3.1

References:

http://support.novell.com/security/cve/CVE-2014-0060.html
http://support.novell.com/security/cve/CVE-2014-0061.html
http://support.novell.com/security/cve/CVE-2014-0062.html
http://support.novell.com/security/cve/CVE-2014-0063.html
http://support.novell.com/security/cve/CVE-2014-0064.html
http://support.novell.com/security/cve/CVE-2014-0065.html
http://support.novell.com/security/cve/CVE-2014-0066.html
https://bugzilla.novell.com/864845
https://bugzilla.novell.com/864846
https://bugzilla.novell.com/864847
https://bugzilla.novell.com/864850
https://bugzilla.novell.com/864851
https://bugzilla.novell.com/864852
https://bugzilla.novell.com/864853
http://download.suse.com/patch/finder/?keywords=e9bf55125376b211617f7b7eb984b251

From sle-updates at lists.suse.com Mon Mar 31 13:04:11 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 31 Mar 2014 21:04:11 +0200 (CEST)
Subject: SUSE-SU-2014:0466-1: moderate: Security update for xinetd
Message-ID: <20140331190411.5CCCD320A6@maintenance.suse.de>

SUSE Security Update: Security update for xinetd
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0466-1
Rating: moderate
References: #762294 #844230 #855685
Cross-References: CVE-2012-0862 CVE-2013-4342
Affected Products:
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

The multiplexing system xinetd was updated to fix security issues and a bug.

Security issues fixed:

* CVE-2013-4342: xinetd ignores user and group directives for tcpmux services.
* CVE-2012-0862: xinetd enables all services when tcp multiplexing is used.

Bug fixed:

* Services started by xinetd were limited to 1024 open file descriptors. (bnc#855685)

Security Issues references:

* CVE-2012-0862
* CVE-2013-4342

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-xinetd-9021
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-xinetd-9021
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-xinetd-9021

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    xinetd-2.3.14-130.133.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    xinetd-2.3.14-130.133.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    xinetd-2.3.14-130.133.1

References:

http://support.novell.com/security/cve/CVE-2012-0862.html
http://support.novell.com/security/cve/CVE-2013-4342.html
https://bugzilla.novell.com/762294
https://bugzilla.novell.com/844230
https://bugzilla.novell.com/855685
http://download.suse.com/patch/finder/?keywords=82ad1668f5a536fb415b95faf253f10d

From sle-updates at lists.suse.com Mon Mar 31 17:04:12 2014
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 1 Apr 2014 01:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:0467-1: moderate: Security update for libjansson
Message-ID: <20140331230412.3AD94320A0@maintenance.suse.de>

SUSE Security Update: Security update for libjansson
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0467-1
Rating: moderate
References: #863301
Cross-References: CVE-2013-6401
Affected Products:
    SUSE Studio Onsite 1.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The JSON library libjansson was updated to fix a potential hash denial of service where remote attackers supplying JSON files to the library could exhaust compute resources.

Security Issue references:

* CVE-2013-6401

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Studio Onsite 1.3:
    zypper in -t patch slestso13-libjansson4-9005

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Studio Onsite 1.3 (x86_64):
    libjansson4-2.2.1-0.9.10.1

References:

http://support.novell.com/security/cve/CVE-2013-6401.html
https://bugzilla.novell.com/863301
http://download.suse.com/patch/finder/?keywords=987269c5067d9e87b3ad04d9df2da54c