April 2014 - openSUSE Updates - openSUSE Mailing Lists

openSUSE-SU-2014:0530-1: moderate: update for curl
by opensuse-security＠opensuse.org 15 Apr '14

15 Apr '14

openSUSE Security Update: update for curl ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0530-1 Rating: moderate References: #868627 #868629 Cross-References: CVE-2014-0138 CVE-2014-0139 CVE-2014-138 CVE-2014-139 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: Curl was updated to fix following problems: CVE-2014-0138: libcurl wrong re-use of connections CVE-2014-0139: libcurl IP address wildcard certificate validation Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-47 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): curl-7.21.2-45.1 curl-debuginfo-7.21.2-45.1 libcurl-devel-7.21.2-45.1 libcurl4-7.21.2-45.1 - openSUSE 11.4 (x86_64): libcurl4-32bit-7.21.2-45.1 libcurl4-debuginfo-32bit-7.21.2-45.1 - openSUSE 11.4 (ia64): libcurl4-debuginfo-x86-7.21.2-45.1 libcurl4-x86-7.21.2-45.1 - openSUSE 11.4 (i586): libcurl4-debuginfo-7.21.2-45.1 References: http://support.novell.com/security/cve/CVE-2014-0138.html http://support.novell.com/security/cve/CVE-2014-0139.html http://support.novell.com/security/cve/CVE-2014-138.html http://support.novell.com/security/cve/CVE-2014-139.html https://bugzilla.novell.com/868627 https://bugzilla.novell.com/868629

1 0

openSUSE-SU-2014:0528-1: moderate: update for jakarta-commons-fileupload
by opensuse-security＠opensuse.org 15 Apr '14

15 Apr '14

openSUSE Security Update: update for jakarta-commons-fileupload ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0528-1 Rating: moderate References: #862781 Cross-References: CVE-2014-0050 Affected Products: openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This jakarta-commons-fileupload update fixes the follwoing security and non security issues: - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050). - Removed gcj part and deprecated macros. - Moved from jpackage-utils to javapackage-tools. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2014-297 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (noarch): jakarta-commons-fileupload-1.1.1-114.8.1 jakarta-commons-fileupload-javadoc-1.1.1-114.8.1 References: http://support.novell.com/security/cve/CVE-2014-0050.html https://bugzilla.novell.com/862781

1 0

openSUSE-SU-2014:0527-1: moderate: update for jakarta-commons-fileupload
by opensuse-security＠opensuse.org 15 Apr '14

15 Apr '14

openSUSE Security Update: update for jakarta-commons-fileupload ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0527-1 Rating: moderate References: #862781 Cross-References: CVE-2014-0050 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This jakarta-commons-fileupload update fixes the follwoing security issue: - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-298 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (noarch): jakarta-commons-fileupload-1.1.1-117.121.1 jakarta-commons-fileupload-javadoc-1.1.1-117.121.1 References: http://support.novell.com/security/cve/CVE-2014-0050.html https://bugzilla.novell.com/862781

1 0

openSUSE-SU-2014:0526-1: moderate: update for couchdb
by opensuse-security＠opensuse.org 15 Apr '14

15 Apr '14

openSUSE Security Update: update for couchdb ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0526-1 Rating: moderate References: #871111 Cross-References: CVE-2014-2668 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This couchdb update fixes one security issue: - bnc#871111: Fixed remote denial of service via /_uuids that allowed remote attackers to cause CPU and memory consumption. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-299 - openSUSE 12.3: zypper in -t patch openSUSE-2014-299 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): couchdb-1.3.0-2.4.1 couchdb-debuginfo-1.3.0-2.4.1 couchdb-debugsource-1.3.0-2.4.1 - openSUSE 12.3 (i586 x86_64): couchdb-1.2.0-6.4.1 couchdb-debuginfo-1.2.0-6.4.1 couchdb-debugsource-1.2.0-6.4.1 References: http://support.novell.com/security/cve/CVE-2014-2668.html https://bugzilla.novell.com/871111

1 0

openSUSE-RU-2014:0522-1: logrotate: Fix a bug where empty RUN_UPDATEDB_AS="" caused cron fail with unknown arguments if the compat values were empty
by maintenance＠opensuse.org 14 Apr '14

14 Apr '14

openSUSE Recommended Update: logrotate: Fix a bug where empty RUN_UPDATEDB_AS="" caused cron fail with unknown arguments if the compat values were empty ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0522-1 Rating: low References: Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has 0 recommended fixes can now be installed. Description: This update fixes the following issue with logrotate: - Fix a bug where empty RUN_UPDATEDB_AS="" caused cron fail with unknown arguments if the compat values were empty. Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-296 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): mlocate-0.26-4.13.1 mlocate-debuginfo-0.26-4.13.1 mlocate-debugsource-0.26-4.13.1 - openSUSE 13.1 (noarch): mlocate-lang-0.26-4.13.1 References:

1 0

openSUSE-RU-2014:0521-1: moderate: apache2: fix multiple issues with mod_dav and, by extension, Subversion
by maintenance＠opensuse.org 14 Apr '14

14 Apr '14

openSUSE Recommended Update: apache2: fix multiple issues with mod_dav and, by extension, Subversion ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0521-1 Rating: moderate References: #864308 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes multiple issues with mod_dav and, by extension, Subversion in Apache2 (bnc#864308) Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-295 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): apache2-2.4.6-6.19.2 apache2-debuginfo-2.4.6-6.19.2 apache2-debugsource-2.4.6-6.19.2 apache2-devel-2.4.6-6.19.2 apache2-event-2.4.6-6.19.2 apache2-event-debuginfo-2.4.6-6.19.2 apache2-example-pages-2.4.6-6.19.2 apache2-prefork-2.4.6-6.19.2 apache2-prefork-debuginfo-2.4.6-6.19.2 apache2-utils-2.4.6-6.19.2 apache2-utils-debuginfo-2.4.6-6.19.2 apache2-worker-2.4.6-6.19.2 apache2-worker-debuginfo-2.4.6-6.19.2 - openSUSE 13.1 (noarch): apache2-doc-2.4.6-6.19.2 References: https://bugzilla.novell.com/864308

1 0

openSUSE-SU-2014:0520-1: moderate: update for flash-player
by opensuse-security＠opensuse.org 14 Apr '14

14 Apr '14

openSUSE Security Update: update for flash-player ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0520-1 Rating: moderate References: #872692 Cross-References: CVE-2014-0506 CVE-2014-0507 CVE-2014-0508 CVE-2014-0509 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This flash-player update fixes several security issues: - bnc#872692: Security update to 11.2.202.350: * APSB14-09, CVE-2014-0506, CVE-2014-0507, CVE-2014-0508,CVE-2014-0509 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-46 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): flash-player-11.2.202.350-103.1 flash-player-gnome-11.2.202.350-103.1 flash-player-kde4-11.2.202.350-103.1 References: http://support.novell.com/security/cve/CVE-2014-0506.html http://support.novell.com/security/cve/CVE-2014-0507.html http://support.novell.com/security/cve/CVE-2014-0508.html http://support.novell.com/security/cve/CVE-2014-0509.html https://bugzilla.novell.com/872692

1 0

openSUSE-SU-2014:0518-1: moderate: update for python
by opensuse-security＠opensuse.org 11 Apr '14

11 Apr '14

openSUSE Security Update: update for python ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0518-1 Rating: moderate References: #863741 Cross-References: CVE-2014-1912 Affected Products: openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This python updated fixes the following security issue: - bnc#863741: Fixed potential buffer overflow in socket.recvfrom_into (CVE-2014-1912). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2014-289 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (i586 x86_64): libpython2_7-1_0-2.7.3-10.12.1 libpython2_7-1_0-debuginfo-2.7.3-10.12.1 python-2.7.3-10.12.1 python-base-2.7.3-10.12.1 python-base-debuginfo-2.7.3-10.12.1 python-base-debugsource-2.7.3-10.12.1 python-curses-2.7.3-10.12.1 python-curses-debuginfo-2.7.3-10.12.1 python-debuginfo-2.7.3-10.12.1 python-debugsource-2.7.3-10.12.1 python-demo-2.7.3-10.12.1 python-devel-2.7.3-10.12.1 python-gdbm-2.7.3-10.12.1 python-gdbm-debuginfo-2.7.3-10.12.1 python-idle-2.7.3-10.12.1 python-tk-2.7.3-10.12.1 python-tk-debuginfo-2.7.3-10.12.1 python-xml-2.7.3-10.12.1 python-xml-debuginfo-2.7.3-10.12.1 - openSUSE 12.3 (x86_64): libpython2_7-1_0-32bit-2.7.3-10.12.1 libpython2_7-1_0-debuginfo-32bit-2.7.3-10.12.1 python-32bit-2.7.3-10.12.1 python-base-32bit-2.7.3-10.12.1 python-base-debuginfo-32bit-2.7.3-10.12.1 python-debuginfo-32bit-2.7.3-10.12.1 - openSUSE 12.3 (noarch): python-doc-2.7-10.12.1 python-doc-pdf-2.7-10.12.1 References: http://support.novell.com/security/cve/CVE-2014-1912.html https://bugzilla.novell.com/863741

1 0

openSUSE-SU-2014:0517-1: moderate: xinetd for tcpmux service
by opensuse-security＠opensuse.org 11 Apr '14

11 Apr '14

openSUSE Security Update: xinetd for tcpmux service ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0517-1 Rating: moderate References: #762294 #844230 #855685 Cross-References: CVE-2012-0862 CVE-2013-4342 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: xinetd was updated to receive security fixes and a bug fix. Security issues fixed: * CVE-2013-4342 (bnc#844230) - xinetd ignored user and group directives for tcpmux services * CVE-2012-0862 (bnc#762294) - xinetd enabled all services when tcp multiplexing is used Also added support for setting maximum number of open files (bnc#855685). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-292 - openSUSE 12.3: zypper in -t patch openSUSE-2014-292 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): xinetd-2.3.15-2.8.1 xinetd-debuginfo-2.3.15-2.8.1 xinetd-debugsource-2.3.15-2.8.1 - openSUSE 12.3 (i586 x86_64): xinetd-2.3.14-163.4.1 xinetd-debuginfo-2.3.14-163.4.1 xinetd-debugsource-2.3.14-163.4.1 References: http://support.novell.com/security/cve/CVE-2012-0862.html http://support.novell.com/security/cve/CVE-2013-4342.html https://bugzilla.novell.com/762294 https://bugzilla.novell.com/844230 https://bugzilla.novell.com/855685

1 0

openSUSE-SU-2014:0516-1: moderate: nagios: fixed a buffer overflow
by opensuse-security＠opensuse.org 11 Apr '14

11 Apr '14

openSUSE Security Update: nagios: fixed a buffer overflow ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0516-1 Rating: moderate References: #864843 Cross-References: CVE-2014-1878 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Nagios was updated to fix a stack-based buffer overflow in the cmd_submitf function in the CGI handler. (CVE-2014-1878) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-291 - openSUSE 12.3: zypper in -t patch openSUSE-2014-291 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): nagios-3.5.1-3.9.1 nagios-debugsource-3.5.1-3.9.1 nagios-devel-3.5.1-3.9.1 nagios-www-3.5.1-3.9.1 nagios-www-dch-3.5.1-3.9.1 nagios-www-debuginfo-3.5.1-3.9.1 - openSUSE 12.3 (i586 x86_64): nagios-3.5.0-2.18.1 nagios-debuginfo-3.5.0-2.18.1 nagios-debugsource-3.5.0-2.18.1 nagios-devel-3.5.0-2.18.1 nagios-www-3.5.0-2.18.1 nagios-www-dch-3.5.0-2.18.1 nagios-www-debuginfo-3.5.0-2.18.1 References: http://support.novell.com/security/cve/CVE-2014-1878.html https://bugzilla.novell.com/864843

1 0

openSUSE-SU-2014:0515-1: moderate: update for rubygem-rack-ssl
by opensuse-security＠opensuse.org 11 Apr '14

11 Apr '14

openSUSE Security Update: update for rubygem-rack-ssl ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0515-1 Rating: moderate References: #869162 Cross-References: CVE-2014-2538 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This rubygem-rack-ssl updated fixes the following security issue: - bnc#869162: Fixed XSS in error page (CVE-2014-2538). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-293 - openSUSE 12.3: zypper in -t patch openSUSE-2014-293 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): rubygem-rack-ssl-1.3.3-2.4.1 rubygem-rack-ssl-doc-1.3.3-2.4.1 - openSUSE 12.3 (i586 x86_64): rubygem-rack-ssl-1.3.2-6.4.1 rubygem-rack-ssl-doc-1.3.2-6.4.1 References: http://support.novell.com/security/cve/CVE-2014-2538.html https://bugzilla.novell.com/869162

1 0

openSUSE-RU-2014:0514-1: moderate: curl
by maintenance＠opensuse.org 11 Apr '14

11 Apr '14

openSUSE Recommended Update: curl ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0514-1 Rating: moderate References: #868627 #868629 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: curl was updated to fix two security issues: * CVE-2014-0138: wrong re-use of connections * CVE-2014-0139: IP address wildcard certificate validation Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-290 - openSUSE 12.3: zypper in -t patch openSUSE-2014-290 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): curl-7.32.0-2.16.1 curl-debuginfo-7.32.0-2.16.1 curl-debugsource-7.32.0-2.16.1 libcurl-devel-7.32.0-2.16.1 libcurl4-7.32.0-2.16.1 libcurl4-debuginfo-7.32.0-2.16.1 - openSUSE 13.1 (x86_64): libcurl4-32bit-7.32.0-2.16.1 libcurl4-debuginfo-32bit-7.32.0-2.16.1 - openSUSE 12.3 (i586 x86_64): curl-7.28.1-4.33.1 curl-debuginfo-7.28.1-4.33.1 curl-debugsource-7.28.1-4.33.1 libcurl-devel-7.28.1-4.33.1 libcurl4-7.28.1-4.33.1 libcurl4-debuginfo-7.28.1-4.33.1 - openSUSE 12.3 (x86_64): libcurl4-32bit-7.28.1-4.33.1 libcurl4-debuginfo-32bit-7.28.1-4.33.1 References: http://support.novell.com/security/cve/CVE-2014-0138.html http://support.novell.com/security/cve/CVE-2014-0139.html https://bugzilla.novell.com/868627 https://bugzilla.novell.com/868629

1 0

openSUSE-SU-2014:0513-1: CVE-2014-0128: squid can crash when SSLBump is used in combination with range requests.
by opensuse-security＠opensuse.org 11 Apr '14

11 Apr '14

openSUSE Security Update: CVE-2014-0128: squid can crash when SSLBump is used in combination with range requests. ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0513-1 Rating: low References: #867533 Cross-References: CVE-2014-0128 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: The SSLBump feature acts as TLS/SSL termination for clients. If this feature is enabled, squid can crash with range requests, leading to a potential Denial of Service condition. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch openSUSE-2014-288 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): squid3-3.1.23-23.1 squid3-debuginfo-3.1.23-23.1 squid3-debugsource-3.1.23-23.1 References: http://support.novell.com/security/cve/CVE-2014-0128.html https://bugzilla.novell.com/867533

1 0

openSUSE-RU-2014:0509-1: important: rubygem-activesupport-3_2: Fixes conflict with the last update
by maintenance＠opensuse.org 10 Apr '14

10 Apr '14

openSUSE Recommended Update: rubygem-activesupport-3_2: Fixes conflict with the last update ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0509-1 Rating: important References: #871017 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issue with rubygem-activesupport-3_2: -bnc#871017: fixes that openSUSE-2014-185 cannot be installed due to wrong dependency on rubygem-activesupport-3_2-3.2.13-3.10.1.x86_64 Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-287 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): rubygem-activesupport-3_2-3.2.13-3.14.1 rubygem-activesupport-3_2-doc-3.2.13-3.14.1 References: https://bugzilla.novell.com/871017

1 0

openSUSE-RU-2014:0508-1: vim: Re-enabled X clipboard support
by maintenance＠opensuse.org 10 Apr '14

10 Apr '14

openSUSE Recommended Update: vim: Re-enabled X clipboard support ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0508-1 Rating: low References: #853072 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This Update fixes following issue for vim: -bnc#853072: Re-enabled X clipboard support Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-285 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): gvim-7.4.052-4.1 gvim-debuginfo-7.4.052-4.1 vim-7.4.052-4.1 vim-debuginfo-7.4.052-4.1 vim-debugsource-7.4.052-4.1 - openSUSE 13.1 (noarch): vim-data-7.4.052-4.1 References: https://bugzilla.novell.com/853072

1 0

openSUSE-RU-2014:0507-1: pesign: Fixes restriction of -u option. Has no longer to be in the end of the command
by maintenance＠opensuse.org 10 Apr '14

10 Apr '14

openSUSE Recommended Update: pesign: Fixes restriction of -u option. Has no longer to be in the end of the command ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0507-1 Rating: low References: #871339 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This Update fixes the following issue with pesing: -bnc#871339: Fixes restriction of -u option. Has no longer to be in the end of the command Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-283 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): pesign-0.106-3.4.1 pesign-debuginfo-0.106-3.4.1 pesign-debugsource-0.106-3.4.1 References: https://bugzilla.novell.com/871339

1 0

openSUSE-RU-2014:0506-1: yast2-iscsi-client: Fixes yast2 refusing to use a non-standard iqn
by maintenance＠opensuse.org 10 Apr '14

10 Apr '14

openSUSE Recommended Update: yast2-iscsi-client: Fixes yast2 refusing to use a non-standard iqn ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0506-1 Rating: low References: #868220 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes following issue with yast2-iscsi-client: - bnc#868220: yast2 refuses to use a non-standard iqn Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-282 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (noarch): yast2-iscsi-client-3.0.1-2.4.1 References: https://bugzilla.novell.com/868220

1 0

openSUSE-RU-2014:0505-1: logrotate: Added return error when nomissingok is specified and the log path doesn't exist.
by maintenance＠opensuse.org 10 Apr '14

10 Apr '14

openSUSE Recommended Update: logrotate: Added return error when nomissingok is specified and the log path doesn't exist. ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0505-1 Rating: low References: #871217 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes following issue with logrotate: - bnc#871217: Added return error when nomissingok is specified and the log path doesn't exist Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-286 - openSUSE 12.3: zypper in -t patch openSUSE-2014-286 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): logrotate-3.8.7-4.8.1 logrotate-debuginfo-3.8.7-4.8.1 logrotate-debugsource-3.8.7-4.8.1 - openSUSE 12.3 (i586 x86_64): logrotate-3.8.1-20.12.1 logrotate-debuginfo-3.8.1-20.12.1 logrotate-debugsource-3.8.1-20.12.1 References: https://bugzilla.novell.com/871217

1 0

openSUSE-RU-2014:0504-1: util-linux: Added Patch to identify partitions on which bcache is installed to allow bcache-tools to operate on boot
by maintenance＠opensuse.org 10 Apr '14

10 Apr '14

openSUSE Recommended Update: util-linux: Added Patch to identify partitions on which bcache is installed to allow bcache-tools to operate on boot ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0504-1 Rating: low References: #871606 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes following issue with util-linux - bnc#871606: Added Patch to identify partitions on which bcache is installed to allow bcache-tools to operate on boot Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-284 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): libblkid-devel-2.23.2-10.1 libblkid1-2.23.2-10.1 libblkid1-debuginfo-2.23.2-10.1 libmount-devel-2.23.2-10.1 libmount1-2.23.2-10.1 libmount1-debuginfo-2.23.2-10.1 libuuid-devel-2.23.2-10.1 libuuid1-2.23.2-10.1 libuuid1-debuginfo-2.23.2-10.1 util-linux-2.23.2-10.1 util-linux-debuginfo-2.23.2-10.1 util-linux-debugsource-2.23.2-10.1 uuidd-2.23.2-10.1 uuidd-debuginfo-2.23.2-10.1 - openSUSE 13.1 (x86_64): libblkid-devel-32bit-2.23.2-10.1 libblkid1-32bit-2.23.2-10.1 libblkid1-debuginfo-32bit-2.23.2-10.1 libmount-devel-32bit-2.23.2-10.1 libmount1-32bit-2.23.2-10.1 libmount1-debuginfo-32bit-2.23.2-10.1 libuuid-devel-32bit-2.23.2-10.1 libuuid1-32bit-2.23.2-10.1 libuuid1-debuginfo-32bit-2.23.2-10.1 - openSUSE 13.1 (noarch): util-linux-lang-2.23.2-10.1 References: https://bugzilla.novell.com/871606

1 0

openSUSE-SU-2014:0501-1: important: chromium to 33.0.1750.152 stable release
by opensuse-security＠opensuse.org 09 Apr '14

09 Apr '14

openSUSE Security Update: chromium to 33.0.1750.152 stable release ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0501-1 Rating: important References: #866959 Cross-References: CVE-2014-1700 CVE-2014-1701 CVE-2014-1702 CVE-2014-1703 CVE-2014-1704 CVE-2014-1705 CVE-2014-1713 CVE-2014-1714 CVE-2014-1715 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: Chromium was updated to the 33.0.1750.152 stable channel uodate: - Security fixes: * CVE-2014-1713: Use-after-free in Blink bindings * CVE-2014-1714: Windows clipboard vulnerability * CVE-2014-1705: Memory corruption in V8 * CVE-2014-1715: Directory traversal issue Previous stable channel update 33.0.1750.149: - Security fixes: * CVE-2014-1700: Use-after-free in speech * CVE-2014-1701: UXSS in events * CVE-2014-1702: Use-after-free in web database * CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets * CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-280 - openSUSE 12.3: zypper in -t patch openSUSE-2014-280 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): chromedriver-33.0.1750.152-25.2 chromedriver-debuginfo-33.0.1750.152-25.2 chromium-33.0.1750.152-25.2 chromium-debuginfo-33.0.1750.152-25.2 chromium-debugsource-33.0.1750.152-25.2 chromium-desktop-gnome-33.0.1750.152-25.2 chromium-desktop-kde-33.0.1750.152-25.2 chromium-ffmpegsumo-33.0.1750.152-25.2 chromium-ffmpegsumo-debuginfo-33.0.1750.152-25.2 chromium-suid-helper-33.0.1750.152-25.2 chromium-suid-helper-debuginfo-33.0.1750.152-25.2 - openSUSE 12.3 (i586 x86_64): chromedriver-33.0.1750.152-1.33.2 chromedriver-debuginfo-33.0.1750.152-1.33.2 chromium-33.0.1750.152-1.33.2 chromium-debuginfo-33.0.1750.152-1.33.2 chromium-debugsource-33.0.1750.152-1.33.2 chromium-desktop-gnome-33.0.1750.152-1.33.2 chromium-desktop-kde-33.0.1750.152-1.33.2 chromium-ffmpegsumo-33.0.1750.152-1.33.2 chromium-ffmpegsumo-debuginfo-33.0.1750.152-1.33.2 chromium-suid-helper-33.0.1750.152-1.33.2 chromium-suid-helper-debuginfo-33.0.1750.152-1.33.2 References: http://support.novell.com/security/cve/CVE-2014-1700.html http://support.novell.com/security/cve/CVE-2014-1701.html http://support.novell.com/security/cve/CVE-2014-1702.html http://support.novell.com/security/cve/CVE-2014-1703.html http://support.novell.com/security/cve/CVE-2014-1704.html http://support.novell.com/security/cve/CVE-2014-1705.html http://support.novell.com/security/cve/CVE-2014-1713.html http://support.novell.com/security/cve/CVE-2014-1714.html http://support.novell.com/security/cve/CVE-2014-1715.html https://bugzilla.novell.com/866959

1 0

openSUSE-SU-2014:0500-1: moderate: libyaml: fixed heap overflow
by opensuse-security＠opensuse.org 09 Apr '14

09 Apr '14

openSUSE Security Update: libyaml: fixed heap overflow ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0500-1 Rating: moderate References: #868944 Cross-References: CVE-2014-2525 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: libyaml was updated to fix a heap overflow during parsing. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-281 - openSUSE 12.3: zypper in -t patch openSUSE-2014-281 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): libyaml-0-2-0.1.4-2.12.1 libyaml-0-2-debuginfo-0.1.4-2.12.1 libyaml-debugsource-0.1.4-2.12.1 libyaml-devel-0.1.4-2.12.1 - openSUSE 12.3 (i586 x86_64): libyaml-0-2-0.1.3-11.12.1 libyaml-0-2-debuginfo-0.1.3-11.12.1 libyaml-debugsource-0.1.3-11.12.1 libyaml-devel-0.1.3-11.12.1 References: http://support.novell.com/security/cve/CVE-2014-2525.html https://bugzilla.novell.com/868944

1 0

openSUSE-SU-2014:0499-1: moderate: a2ps: fixed commandinjection in fixps
by opensuse-security＠opensuse.org 09 Apr '14

09 Apr '14

openSUSE Security Update: a2ps: fixed commandinjection in fixps ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0499-1 Rating: moderate References: #871097 Cross-References: CVE-2014-0466 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: a2ps was updated to fix a security issue: fixps called ghostscript without -dSAFER, enabling postscript files processed by fixps to execute code on the system. (CVE-2014-0466) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-279 - openSUSE 12.3: zypper in -t patch openSUSE-2014-279 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): a2ps-4.13-1356.4.1 a2ps-debuginfo-4.13-1356.4.1 a2ps-debugsource-4.13-1356.4.1 a2ps-devel-4.13-1356.4.1 - openSUSE 12.3 (i586 x86_64): a2ps-4.13-1353.4.1 a2ps-debuginfo-4.13-1353.4.1 a2ps-debugsource-4.13-1353.4.1 a2ps-devel-4.13-1353.4.1 References: http://support.novell.com/security/cve/CVE-2014-0466.html https://bugzilla.novell.com/871097

1 0

openSUSE-SU-2014:0498-1: moderate: python3: security and bugfix update to 3.3.5
by opensuse-security＠opensuse.org 09 Apr '14

09 Apr '14

openSUSE Security Update: python3: security and bugfix update to 3.3.5 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0498-1 Rating: moderate References: #856835 #856836 #863741 #869222 Cross-References: CVE-2013-1752 CVE-2013-1753 CVE-2013-4238 CVE-2013-7338 CVE-2014-1912 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: Python was updated to 3.3.5 fixing bugs and security issues: * bugfix-only release, closes several security bugs * CVE-2013-1752 (bnc#856836) - DoS flaws with unbounded reads from network * disable SSLv2 by default * DoS on maliciously crafted zip files (CVE-2013-7338, bnc#869222) * CGIHttpRequestHandler directory traversal * gzip decompression bomb in xmlrpc client (CVE-2013-1753, bnc#856835) xmlrpc_gzip_33.patch * potential buffer overflow in recvfrom_into (CVE-2014-1912, bnc#863741) * hundreds of non-security-related bugfixes Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-278 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): libpython3_3m1_0-3.3.5-5.4.1 libpython3_3m1_0-debuginfo-3.3.5-5.4.1 python3-3.3.5-5.4.1 python3-base-3.3.5-5.4.1 python3-base-debuginfo-3.3.5-5.4.1 python3-base-debugsource-3.3.5-5.4.1 python3-curses-3.3.5-5.4.1 python3-curses-debuginfo-3.3.5-5.4.1 python3-dbm-3.3.5-5.4.1 python3-dbm-debuginfo-3.3.5-5.4.1 python3-debuginfo-3.3.5-5.4.1 python3-debugsource-3.3.5-5.4.1 python3-devel-3.3.5-5.4.1 python3-devel-debuginfo-3.3.5-5.4.1 python3-idle-3.3.5-5.4.1 python3-testsuite-3.3.5-5.4.1 python3-testsuite-debuginfo-3.3.5-5.4.1 python3-tk-3.3.5-5.4.1 python3-tk-debuginfo-3.3.5-5.4.1 python3-tools-3.3.5-5.4.1 - openSUSE 13.1 (x86_64): libpython3_3m1_0-32bit-3.3.5-5.4.1 libpython3_3m1_0-debuginfo-32bit-3.3.5-5.4.1 python3-32bit-3.3.5-5.4.1 python3-base-32bit-3.3.5-5.4.1 python3-base-debuginfo-32bit-3.3.5-5.4.1 python3-debuginfo-32bit-3.3.5-5.4.1 - openSUSE 13.1 (noarch): python3-doc-3.3.5-5.4.1 python3-doc-pdf-3.3.5-5.4.1 References: http://support.novell.com/security/cve/CVE-2013-1752.html http://support.novell.com/security/cve/CVE-2013-1753.html http://support.novell.com/security/cve/CVE-2013-4238.html http://support.novell.com/security/cve/CVE-2013-7338.html http://support.novell.com/security/cve/CVE-2014-1912.html https://bugzilla.novell.com/856835 https://bugzilla.novell.com/856836 https://bugzilla.novell.com/863741 https://bugzilla.novell.com/869222

1 0

openSUSE-SU-2014:0496-1: important: lighttpd to 1.4.35
by opensuse-security＠opensuse.org 08 Apr '14

08 Apr '14

openSUSE Security Update: lighttpd to 1.4.35 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0496-1 Rating: important References: #867350 Cross-References: CVE-2014-2323 CVE-2014-2324 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: lighttpd was updated to version 1.4.35, fixing bugs and security issues: CVE-2014-2323: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd allowed remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. CVE-2014-2323: Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd allowed remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. More information can be found on the lighttpd advisory page: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2 014_01.txt Other changes: * [network/ssl] fix build error if TLSEXT is disabled * [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active) * [mod_rrdtool] fix invalid read (string not null terminated) * [mod_dirlisting] fix memory leak if pcre fails * [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends * [mod_magnet] fix memory leak * add comments for switch fall throughs * remove logical dead code * [buffer] fix length check in buffer_is_equal_right_len * fix resource leaks in error cases on config parsing and other initializations * add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546) * [mod_cml_lua] fix null pointer dereference * force assertion: setting FD_CLOEXEC must work (if available) * [network] check return value of lseek() * fix unchecked return values from stream_open/stat_cache_get_entry * [mod_webdav] fix logic error in handling file creation error * check length of unix domain socket filenames * fix SQL injection / host name validation (thx Jann Horn)for all the changes see /usr/share/doc/packages/lighttpd/NEWS Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-44 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): lighttpd-1.4.35-41.1 lighttpd-debuginfo-1.4.35-41.1 lighttpd-debugsource-1.4.35-41.1 lighttpd-mod_cml-1.4.35-41.1 lighttpd-mod_cml-debuginfo-1.4.35-41.1 lighttpd-mod_geoip-1.4.35-41.1 lighttpd-mod_geoip-debuginfo-1.4.35-41.1 lighttpd-mod_magnet-1.4.35-41.1 lighttpd-mod_magnet-debuginfo-1.4.35-41.1 lighttpd-mod_mysql_vhost-1.4.35-41.1 lighttpd-mod_mysql_vhost-debuginfo-1.4.35-41.1 lighttpd-mod_rrdtool-1.4.35-41.1 lighttpd-mod_rrdtool-debuginfo-1.4.35-41.1 lighttpd-mod_trigger_b4_dl-1.4.35-41.1 lighttpd-mod_trigger_b4_dl-debuginfo-1.4.35-41.1 lighttpd-mod_webdav-1.4.35-41.1 lighttpd-mod_webdav-debuginfo-1.4.35-41.1 References: http://support.novell.com/security/cve/CVE-2014-2323.html http://support.novell.com/security/cve/CVE-2014-2324.html https://bugzilla.novell.com/867350

1 0

openSUSE-SU-2014:0495-1: moderate: file: fixed off-by-one errors
by opensuse-security＠opensuse.org 08 Apr '14

08 Apr '14

openSUSE Security Update: file: fixed off-by-one errors ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0495-1 Rating: moderate References: #866750 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: The file magic scanning tool/library was updated to fix a off-by-one error in the last security fixes. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-45 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): file-5.04-20.1 file-debuginfo-5.04-20.1 file-debugsource-5.04-20.1 file-devel-5.04-20.1 python-magic-5.04-20.1 python-magic-debuginfo-5.04-20.1 python-magic-debugsource-5.04-20.1 - openSUSE 11.4 (x86_64): file-32bit-5.04-20.1 file-debuginfo-32bit-5.04-20.1 - openSUSE 11.4 (ia64): file-debuginfo-x86-5.04-20.1 file-x86-5.04-20.1 References: https://bugzilla.novell.com/866750

1 0