openSUSE Security Update: Security update for patch
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0199-1
Rating:             moderate
References:         #904519 #913678
Cross-References:   CVE-2015-1196
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update fixes the following security issue:

+ Security fix for a directory traversal flaw when handling git-style
  patches. This could allow an attacker to overwrite arbitrary files by
  applying a specially crafted patch. [boo#913678] [CVE-2015-1196]

This update fixes the following issues:

+ When a file isn't being deleted because the file contents don't match
  the patch, the resulting message is now "Not deleting file ... as
  content differs from patch" instead of "File ... is not empty after
  patch; not deleting".
+ Function names in hunks (from diff -p) are now preserved in reject
  files [boo#904519]

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

  zypper in -t patch openSUSE-2015-98

- openSUSE 13.1:

  zypper in -t patch openSUSE-2015-98

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

  patch-2.7.3-7.4.1
  patch-debuginfo-2.7.3-7.4.1
  patch-debugsource-2.7.3-7.4.1

- openSUSE 13.1 (i586 x86_64):

  patch-2.7.3-4.4.1
  patch-debuginfo-2.7.3-4.4.1
  patch-debugsource-2.7.3-4.4.1

References:

http://support.novell.com/security/cve/CVE-2015-1196.html
https://bugzilla.suse.com/show_bug.cgi?id=904519
https://bugzilla.suse.com/show_bug.cgi?id=913678