February 2013 - openSUSE Security Announce

[security-announce] SUSE-SU-2013:0373-1: critical: Security update for flash-player
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0373-1 Rating: critical References: #806415 Cross-References: CVE-2013-0504 CVE-2013-0643 CVE-2013-0648 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 10 SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. It includes one version update. Description: flash-player has been updated to 11.2.202.273 security update, which fixes several critical security bugs that could have been used by remote attackers to execute code. (CVE-2013-0504, CVE-2013-0643, CVE-2013-0648) More information can be found on: https://www.adobe.com/support/security/bulletins/apsb13-08.h tml <https://www.adobe.com/support/security/bulletins/apsb13-08. html> Security Issue references: * CVE-2013-0504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0504 > * CVE-2013-0643 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0643 > * CVE-2013-0648 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0648 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-flash-player-7431 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 11.2.202.273]: flash-player-11.2.202.273-0.3.1 flash-player-gnome-11.2.202.273-0.3.1 flash-player-kde4-11.2.202.273-0.3.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 11.2.202.273]: flash-player-11.2.202.273-0.5.1 References: http://support.novell.com/security/cve/CVE-2013-0504.html http://support.novell.com/security/cve/CVE-2013-0643.html http://support.novell.com/security/cve/CVE-2013-0648.html https://bugzilla.novell.com/806415 http://download.novell.com/patch/finder/?keywords=3b0ce797a974270691c8512e9… http://download.novell.com/patch/finder/?keywords=a0a5cec2633ced7db377f4730… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0370-1: critical: flash-player: Update to 11.2.202.243
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player: Update to 11.2.202.243 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0370-1 Rating: critical References: #784168 Cross-References: CVE-2012-5252 CVE-2012-5256 CVE-2012-5260 CVE-2012-5264 CVE-2012-5268 CVE-2012-5272 CVE-2012-5248 CVE-2012-5249 CVE-2012-5250 CVE-2012-5251 CVE-2012-5253 CVE-2012-5254 CVE-2012-5255 CVE-2012-5257 CVE-2012-5258 CVE-2012-5259 CVE-2012-5261 CVE-2012-5262 CVE-2012-5263 CVE-2012-5265 CVE-2012-5266 CVE-2012-5267 CVE-2012-5269 CVE-2012-5270 CVE-2012-5271 Affected Products: openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes 25 vulnerabilities is now available. Description: Flash Player was updated to 11.2.202.243 * CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2012-697 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2:NonFree (i586 x86_64): flash-player-11.2.202.243-1.6.1 flash-player-gnome-11.2.202.243-1.6.1 flash-player-kde4-11.2.202.243-1.6.1 References: http://support.novell.com/security/cve/ CVE-2012-5252.html http://support.novell.com/security/cve/ CVE-2012-5256.html http://support.novell.com/security/cve/ CVE-2012-5260.html http://support.novell.com/security/cve/ CVE-2012-5264.html http://support.novell.com/security/cve/ CVE-2012-5268.html http://support.novell.com/security/cve/ CVE-2012-5272.html http://support.novell.com/security/cve/CVE-2012-5248.html http://support.novell.com/security/cve/CVE-2012-5249.html http://support.novell.com/security/cve/CVE-2012-5250.html http://support.novell.com/security/cve/CVE-2012-5251.html http://support.novell.com/security/cve/CVE-2012-5253.html http://support.novell.com/security/cve/CVE-2012-5254.html http://support.novell.com/security/cve/CVE-2012-5255.html http://support.novell.com/security/cve/CVE-2012-5257.html http://support.novell.com/security/cve/CVE-2012-5258.html http://support.novell.com/security/cve/CVE-2012-5259.html http://support.novell.com/security/cve/CVE-2012-5261.html http://support.novell.com/security/cve/CVE-2012-5262.html http://support.novell.com/security/cve/CVE-2012-5263.html http://support.novell.com/security/cve/CVE-2012-5265.html http://support.novell.com/security/cve/CVE-2012-5266.html http://support.novell.com/security/cve/CVE-2012-5267.html http://support.novell.com/security/cve/CVE-2012-5269.html http://support.novell.com/security/cve/CVE-2012-5270.html http://support.novell.com/security/cve/CVE-2012-5271.html https://bugzilla.novell.com/784168 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0368-1: critical: update for flash-player
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: update for flash-player ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0368-1 Rating: critical References: #794062 Cross-References: CVE-2012-5676 CVE-2012-5677 CVE-2012-5678 Affected Products: openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This version upgrade of flash-player fixed multiple unspecified code execution vulnerabiliies. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2012-849 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2:NonFree (i586 x86_64): flash-player-11.2.202.258-1.14.1 flash-player-gnome-11.2.202.258-1.14.1 flash-player-kde4-11.2.202.258-1.14.1 References: http://support.novell.com/security/cve/CVE-2012-5676.html http://support.novell.com/security/cve/CVE-2012-5677.html http://support.novell.com/security/cve/CVE-2012-5678.html https://bugzilla.novell.com/794062 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0279-2: critical: flash-player to 11.2.202.262
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player to 11.2.202.262 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0279-2 Rating: critical References: #802809 Cross-References: CVE-2013-0633 CVE-2013-0634 Affected Products: openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: Adobe Flash Player was updated to 11.2.202.262 to fix various security issues and bugs. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2013-111 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2:NonFree (i586 x86_64): flash-player-11.2.202.262-1.22.1 flash-player-gnome-11.2.202.262-1.22.1 flash-player-kde4-11.2.202.262-1.22.1 References: http://support.novell.com/security/cve/CVE-2013-0633.html http://support.novell.com/security/cve/CVE-2013-0634.html https://bugzilla.novell.com/802809 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0295-2: critical: flash-player: update to 11.2.202.270
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player: update to 11.2.202.270 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0295-2 Rating: critical References: #803485 Cross-References: CVE-2013-0637 CVE-2013-0638 CVE-2013-0639 CVE-2013-0642 CVE-2013-0644 CVE-2013-0645 CVE-2013-0647 CVE-2013-0649 CVE-2013-1365 CVE-2013-1366 CVE-2013-1367 CVE-2013-1368 CVE-2013-1369 CVE-2013-1370 CVE-2013-1372 CVE-2013-1373 CVE-2013-1374 Affected Products: openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: Adobe Flash Player was updated to 11.2.202.270: (bnc#803485) * APSB13-05, CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637 More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-05.ht ml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2013-119 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2:NonFree (i586 x86_64): flash-player-11.2.202.270-1.26.1 flash-player-gnome-11.2.202.270-1.26.1 flash-player-kde4-11.2.202.270-1.26.1 References: http://support.novell.com/security/cve/CVE-2013-0637.html http://support.novell.com/security/cve/CVE-2013-0638.html http://support.novell.com/security/cve/CVE-2013-0639.html http://support.novell.com/security/cve/CVE-2013-0642.html http://support.novell.com/security/cve/CVE-2013-0644.html http://support.novell.com/security/cve/CVE-2013-0645.html http://support.novell.com/security/cve/CVE-2013-0647.html http://support.novell.com/security/cve/CVE-2013-0649.html http://support.novell.com/security/cve/CVE-2013-1365.html http://support.novell.com/security/cve/CVE-2013-1366.html http://support.novell.com/security/cve/CVE-2013-1367.html http://support.novell.com/security/cve/CVE-2013-1368.html http://support.novell.com/security/cve/CVE-2013-1369.html http://support.novell.com/security/cve/CVE-2013-1370.html http://support.novell.com/security/cve/CVE-2013-1372.html http://support.novell.com/security/cve/CVE-2013-1373.html http://support.novell.com/security/cve/CVE-2013-1374.html https://bugzilla.novell.com/803485 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0367-1: important: flash-player: Update to 11.2.202.251
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player: Update to 11.2.202.251 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0367-1 Rating: important References: #788450 Cross-References: CVE-2012-5274 CVE-2012-5275 CVE-2012-5276 CVE-2012-5277 CVE-2012-5278 CVE-2012-5279 CVE-2012-5280 Affected Products: openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: Flash Player was updated to 11.2.202.251 (bnc#788450), fixing severe security issues: * CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2012-776 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2:NonFree (i586 x86_64): flash-player-11.2.202.251-1.10.1 flash-player-gnome-11.2.202.251-1.10.1 flash-player-kde4-11.2.202.251-1.10.1 References: http://support.novell.com/security/cve/CVE-2012-5274.html http://support.novell.com/security/cve/CVE-2012-5275.html http://support.novell.com/security/cve/CVE-2012-5276.html http://support.novell.com/security/cve/CVE-2012-5277.html http://support.novell.com/security/cve/CVE-2012-5278.html http://support.novell.com/security/cve/CVE-2012-5279.html http://support.novell.com/security/cve/CVE-2012-5280.html https://bugzilla.novell.com/788450 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0359-2: critical: flash-player to 11.2.202.273
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player to 11.2.202.273 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0359-2 Rating: critical References: #806415 Cross-References: CVE-2013-0504 CVE-2013-0643 CVE-2013-0648 Affected Products: openSUSE 12.3:NonFree openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: Flash Player was updated to 11.2.202.273 to fix critical security issues: (bnc#806415) * APSB13-08, CVE-2013-0504, CVE-2013-0643, CVE-2013-0648 More information can be found on: https://www.adobe.com/support/security/bulletins/apsb13-08.h tml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3:NonFree: zypper in -t patch openSUSE-2013-162 - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2013-162 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3:NonFree (i586 x86_64): flash-player-11.2.202.273-2.8.1 flash-player-gnome-11.2.202.273-2.8.1 flash-player-kde4-11.2.202.273-2.8.1 - openSUSE 12.2:NonFree (i586 x86_64): flash-player-11.2.202.273-1.30.1 flash-player-gnome-11.2.202.273-1.30.1 flash-player-kde4-11.2.202.273-1.30.1 References: http://support.novell.com/security/cve/CVE-2013-0504.html http://support.novell.com/security/cve/CVE-2013-0643.html http://support.novell.com/security/cve/CVE-2013-0648.html https://bugzilla.novell.com/806415 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0335-2: critical: acroread to 9.5.4
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: acroread to 9.5.4 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0335-2 Rating: critical References: #803939 Cross-References: CVE-2013-0640 CVE-2013-0641 Affected Products: openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: acroread was updated to 9.5.4 to fix remote code execution problems. (CVE-2013-0640, CVE-2013-0641) More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-07.ht ml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2013-151 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2:NonFree (noarch): acroread-cmaps-9.4.1-3.8.1 acroread-fonts-ja-9.4.1-3.8.1 acroread-fonts-ko-9.4.1-3.8.1 acroread-fonts-zh_CN-9.4.1-3.8.1 acroread-fonts-zh_TW-9.4.1-3.8.1 - openSUSE 12.2:NonFree (i586): acroread-9.5.4-3.8.1 acroread-browser-plugin-9.5.4-3.8.1 References: http://support.novell.com/security/cve/CVE-2013-0640.html http://support.novell.com/security/cve/CVE-2013-0641.html https://bugzilla.novell.com/803939 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0362-1: critical: flash-player to 11.2.202.238
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player to 11.2.202.238 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0362-1 Rating: critical References: #775986 Cross-References: CVE-2012-1535 Affected Products: openSUSE 12.2:NonFree ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Adobe Flash Player was updated to 11.2.202.238 fixing various bugs and security issues. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2:NonFree: zypper in -t patch openSUSE-2012-519 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2:NonFree (i586 x86_64): flash-player-11.2.202.238-2.3.1 flash-player-gnome-11.2.202.238-2.3.1 flash-player-kde4-11.2.202.238-2.3.1 References: http://support.novell.com/security/cve/CVE-2012-1535.html https://bugzilla.novell.com/775986 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0360-1: critical: flash-player to 11.2.202.273
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player to 11.2.202.273 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0360-1 Rating: critical References: #806415 Cross-References: CVE-2013-0504 CVE-2013-0643 CVE-2013-0648 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: Flash Player was updated to 11.2.202.273 to fix critical security issues: (bnc#806415) * APSB13-08, CVE-2013-0504, CVE-2013-0643, CVE-2013-0648 More information can be found on: https://www.adobe.com/support/security/bulletins/apsb13-08.h tml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-32 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): flash-player-11.2.202.273-51.1 flash-player-gnome-11.2.202.273-51.1 flash-player-kde4-11.2.202.273-51.1 References: http://support.novell.com/security/cve/CVE-2013-0504.html http://support.novell.com/security/cve/CVE-2013-0643.html http://support.novell.com/security/cve/CVE-2013-0648.html https://bugzilla.novell.com/806415 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0359-1: critical: flash-player to 11.2.202.273
by opensuse-security＠opensuse.org 28 Feb '13

28 Feb '13

openSUSE Security Update: flash-player to 11.2.202.273 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0359-1 Rating: critical References: #806415 Cross-References: CVE-2013-0504 CVE-2013-0643 CVE-2013-0648 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: Flash Player was updated to 11.2.202.273 to fix critical security issues: (bnc#806415) * APSB13-08, CVE-2013-0504, CVE-2013-0643, CVE-2013-0648 More information can be found on: https://www.adobe.com/support/security/bulletins/apsb13-08.h tml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-162 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): flash-player-11.2.202.273-54.1 flash-player-gnome-11.2.202.273-54.1 flash-player-kde4-11.2.202.273-54.1 References: http://support.novell.com/security/cve/CVE-2013-0504.html http://support.novell.com/security/cve/CVE-2013-0643.html http://support.novell.com/security/cve/CVE-2013-0648.html https://bugzilla.novell.com/806415 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0349-1: important: Security update for acroread
by opensuse-security＠opensuse.org 26 Feb '13

26 Feb '13

SUSE Security Update: Security update for acroread ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0349-1 Rating: important References: #803939 Cross-References: CVE-2013-0640 CVE-2013-0641 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 10 SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. It includes two new package versions. Description: Acrobat Reader has been updated to 9.5.4 which fixes two critical security issues where attackers supplying PDFs could have caused code execution with acrobat. (CVE-2013-0640, CVE-2013-0641) More information can be found on: https://www.adobe.com/support/security/bulletins/apsb13-07.h tml <https://www.adobe.com/support/security/bulletins/apsb13-07. html> Security Issue references: * CVE-2013-0640 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0640 > * CVE-2013-0641 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0641 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-acroread-7397 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP2 (noarch): acroread-cmaps-9.4.6-0.4.3.1 acroread-fonts-ja-9.4.6-0.4.3.1 acroread-fonts-ko-9.4.6-0.4.3.1 acroread-fonts-zh_CN-9.4.6-0.4.3.1 acroread-fonts-zh_TW-9.4.6-0.4.3.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586) [New Version: 9.5.4]: acroread-9.5.4-0.3.1 - SUSE Linux Enterprise Desktop 10 SP4 (noarch) [New Version: 9.4.6]: acroread-cmaps-9.4.6-0.6.60 acroread-fonts-ja-9.4.6-0.6.60 acroread-fonts-ko-9.4.6-0.6.60 acroread-fonts-zh_CN-9.4.6-0.6.60 acroread-fonts-zh_TW-9.4.6-0.6.60 - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 9.5.4]: acroread-9.5.4-0.6.1 References: http://support.novell.com/security/cve/CVE-2013-0640.html http://support.novell.com/security/cve/CVE-2013-0641.html https://bugzilla.novell.com/803939 http://download.novell.com/patch/finder/?keywords=17a0fef06860e9576e12a10f4… http://download.novell.com/patch/finder/?keywords=8900cb8f67a730308586567ea… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0342-1: critical: acroread to 9.5.4
by opensuse-security＠opensuse.org 25 Feb '13

25 Feb '13

openSUSE Security Update: acroread to 9.5.4 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0342-1 Rating: critical References: #803939 Cross-References: CVE-2013-0640 CVE-2013-0641 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: acroread was updated to 9.5.4 to fix remote code execution problems. (CVE-2013-0640, CVE-2013-0641) More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-07.ht ml Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-31 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586): acroread-9.5.4-14.1 acroread-browser-plugin-9.5.4-14.1 References: http://support.novell.com/security/cve/CVE-2013-0640.html http://support.novell.com/security/cve/CVE-2013-0641.html https://bugzilla.novell.com/803939 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0341-1: important: Security update for Linux kernel
by opensuse-security＠opensuse.org 25 Feb '13

25 Feb '13

SUSE Security Update: Security update for Linux kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0341-1 Rating: important References: #779577 #803056 #804154 Cross-References: CVE-2013-0871 Affected Products: SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise High Availability Extension 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 SLE 11 SERVER Unsupported Extras ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. It includes one version update. Description: The SUSE Linux Enterprise 11 SP2 kernel has been updated to fix two issues: One severe security issue: * CVE-2013-0871: A race condition in ptrace(2) could be used by local attackers to crash the kernel and/or execute code in kernel context. One severe regression issue: * A regression in UNIX domain socket credential passing. The default disabling of passing credentials caused regression in some software packages that did not expect this. One major software package affected by this was the Open Enterprise Server stack. Security Issue reference: * CVE-2013-0871 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871 > Indications: Everyone using the Linux Kernel on x86_64 architecture should update. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-kernel-7370 slessp2-kernel-7374 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-kernel-7370 slessp2-kernel-7371 slessp2-kernel-7372 slessp2-kernel-7373 slessp2-kernel-7374 - SUSE Linux Enterprise High Availability Extension 11 SP2: zypper in -t patch sleshasp2-kernel-7370 sleshasp2-kernel-7371 sleshasp2-kernel-7372 sleshasp2-kernel-7373 sleshasp2-kernel-7374 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-kernel-7370 sledsp2-kernel-7374 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 3.0.58]: kernel-default-3.0.58-0.6.6.1 kernel-default-base-3.0.58-0.6.6.1 kernel-default-devel-3.0.58-0.6.6.1 kernel-source-3.0.58-0.6.6.1 kernel-syms-3.0.58-0.6.6.1 kernel-trace-3.0.58-0.6.6.1 kernel-trace-base-3.0.58-0.6.6.1 kernel-trace-devel-3.0.58-0.6.6.1 kernel-xen-devel-3.0.58-0.6.6.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64): xen-kmp-trace-4.1.3_06_3.0.58_0.6.6-0.7.22 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586) [New Version: 3.0.58]: kernel-pae-3.0.58-0.6.6.1 kernel-pae-base-3.0.58-0.6.6.1 kernel-pae-devel-3.0.58-0.6.6.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.0.58]: kernel-default-3.0.58-0.6.6.1 kernel-default-base-3.0.58-0.6.6.1 kernel-default-devel-3.0.58-0.6.6.1 kernel-source-3.0.58-0.6.6.1 kernel-syms-3.0.58-0.6.6.1 kernel-trace-3.0.58-0.6.6.1 kernel-trace-base-3.0.58-0.6.6.1 kernel-trace-devel-3.0.58-0.6.6.1 - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64) [New Version: 3.0.58]: kernel-ec2-3.0.58-0.6.6.1 kernel-ec2-base-3.0.58-0.6.6.1 kernel-ec2-devel-3.0.58-0.6.6.1 kernel-xen-3.0.58-0.6.6.1 kernel-xen-base-3.0.58-0.6.6.1 kernel-xen-devel-3.0.58-0.6.6.1 - SUSE Linux Enterprise Server 11 SP2 (x86_64): xen-kmp-default-4.1.3_06_3.0.58_0.6.6-0.7.22 xen-kmp-trace-4.1.3_06_3.0.58_0.6.6-0.7.22 - SUSE Linux Enterprise Server 11 SP2 (s390x) [New Version: 3.0.58]: kernel-default-man-3.0.58-0.6.6.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64) [New Version: 3.0.58]: kernel-ppc64-3.0.58-0.6.6.1 kernel-ppc64-base-3.0.58-0.6.6.1 kernel-ppc64-devel-3.0.58-0.6.6.1 - SUSE Linux Enterprise Server 11 SP2 (i586) [New Version: 3.0.58]: kernel-pae-3.0.58-0.6.6.1 kernel-pae-base-3.0.58-0.6.6.1 kernel-pae-devel-3.0.58-0.6.6.1 - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 ia64 ppc64 s390x x86_64): cluster-network-kmp-default-1.4_3.0.58_0.6.6-2.18.22 cluster-network-kmp-trace-1.4_3.0.58_0.6.6-2.18.22 gfs2-kmp-default-2_3.0.58_0.6.6-0.7.56 gfs2-kmp-trace-2_3.0.58_0.6.6-0.7.56 ocfs2-kmp-default-1.6_3.0.58_0.6.6-0.11.21 ocfs2-kmp-trace-1.6_3.0.58_0.6.6-0.11.21 - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 x86_64): cluster-network-kmp-xen-1.4_3.0.58_0.6.6-2.18.22 gfs2-kmp-xen-2_3.0.58_0.6.6-0.7.56 ocfs2-kmp-xen-1.6_3.0.58_0.6.6-0.11.21 - SUSE Linux Enterprise High Availability Extension 11 SP2 (ppc64): cluster-network-kmp-ppc64-1.4_3.0.58_0.6.6-2.18.22 gfs2-kmp-ppc64-2_3.0.58_0.6.6-0.7.56 ocfs2-kmp-ppc64-1.6_3.0.58_0.6.6-0.11.21 - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586): cluster-network-kmp-pae-1.4_3.0.58_0.6.6-2.18.22 gfs2-kmp-pae-2_3.0.58_0.6.6-0.7.56 ocfs2-kmp-pae-1.6_3.0.58_0.6.6-0.11.21 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 3.0.58]: kernel-default-3.0.58-0.6.6.1 kernel-default-base-3.0.58-0.6.6.1 kernel-default-devel-3.0.58-0.6.6.1 kernel-default-extra-3.0.58-0.6.6.1 kernel-source-3.0.58-0.6.6.1 kernel-syms-3.0.58-0.6.6.1 kernel-trace-3.0.58-0.6.6.1 kernel-trace-base-3.0.58-0.6.6.1 kernel-trace-devel-3.0.58-0.6.6.1 kernel-trace-extra-3.0.58-0.6.6.1 kernel-xen-3.0.58-0.6.6.1 kernel-xen-base-3.0.58-0.6.6.1 kernel-xen-devel-3.0.58-0.6.6.1 kernel-xen-extra-3.0.58-0.6.6.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): xen-kmp-default-4.1.3_06_3.0.58_0.6.6-0.7.22 xen-kmp-trace-4.1.3_06_3.0.58_0.6.6-0.7.22 - SUSE Linux Enterprise Desktop 11 SP2 (i586) [New Version: 3.0.58]: kernel-pae-3.0.58-0.6.6.1 kernel-pae-base-3.0.58-0.6.6.1 kernel-pae-devel-3.0.58-0.6.6.1 kernel-pae-extra-3.0.58-0.6.6.1 - SLE 11 SERVER Unsupported Extras (i586 ia64 ppc64 s390x x86_64): ext4-writeable-kmp-default-0_3.0.58_0.6.6-0.14.37 ext4-writeable-kmp-trace-0_3.0.58_0.6.6-0.14.37 kernel-default-extra-3.0.58-0.6.6.1 - SLE 11 SERVER Unsupported Extras (i586 x86_64): ext4-writeable-kmp-xen-0_3.0.58_0.6.6-0.14.37 kernel-xen-extra-3.0.58-0.6.6.1 - SLE 11 SERVER Unsupported Extras (ppc64): ext4-writeable-kmp-ppc64-0_3.0.58_0.6.6-0.14.37 kernel-ppc64-extra-3.0.58-0.6.6.1 - SLE 11 SERVER Unsupported Extras (i586): ext4-writeable-kmp-pae-0_3.0.58_0.6.6-0.14.37 kernel-pae-extra-3.0.58-0.6.6.1 References: http://support.novell.com/security/cve/CVE-2013-0871.html https://bugzilla.novell.com/779577 https://bugzilla.novell.com/803056 https://bugzilla.novell.com/804154 http://download.novell.com/patch/finder/?keywords=10037186d0231f1a32ce51a56… http://download.novell.com/patch/finder/?keywords=49bc84a534c4dc27924ba16b7… http://download.novell.com/patch/finder/?keywords=79a6a6374f12b65c28a80b9c0… http://download.novell.com/patch/finder/?keywords=8ef06ed5ef2eb5e3a97dc48a7… http://download.novell.com/patch/finder/?keywords=97d109043a69111836aa0f3a9… http://download.novell.com/patch/finder/?keywords=b76bb20a0aae353c64f4c71f7… http://download.novell.com/patch/finder/?keywords=c0204c021417aeea941406c9d… http://download.novell.com/patch/finder/?keywords=cc29ce8b00fa8115f7ca7a138… http://download.novell.com/patch/finder/?keywords=d4af3accfd03bb3e5b258483f… http://download.novell.com/patch/finder/?keywords=e4b8bfc420a27b3e521d1a76a… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0335-1: critical: acroread to 9.5.4
by opensuse-security＠opensuse.org 25 Feb '13

25 Feb '13

openSUSE Security Update: acroread to 9.5.4 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0335-1 Rating: critical References: #803939 Cross-References: CVE-2013-0640 CVE-2013-0641 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: acroread was updated to 9.5.4 to fix remote code execution problems. (CVE-2013-0640, CVE-2013-0641) More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-07.ht ml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-151 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (noarch): acroread-cmaps-9.4.1-3.17.1 acroread-fonts-ja-9.4.1-3.17.1 acroread-fonts-ko-9.4.1-3.17.1 acroread-fonts-zh_CN-9.4.1-3.17.1 acroread-fonts-zh_TW-9.4.1-3.17.1 - openSUSE 12.1 (i586): acroread-9.5.4-3.17.1 acroread-browser-plugin-9.5.4-3.17.1 References: http://support.novell.com/security/cve/CVE-2013-0640.html http://support.novell.com/security/cve/CVE-2013-0641.html https://bugzilla.novell.com/803939 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0328-1: important: Security update for Java
by opensuse-security＠opensuse.org 22 Feb '13

22 Feb '13

SUSE Security Update: Security update for Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0328-1 Rating: important References: #804654 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: java-1_6_0-openjdk has been updated to IcedTea 1.12.3 (bnc#804654) which contains security and bugfixes: * Security fixes o S8006446: Restrict MBeanServer access (CVE-2013-1486) o S8006777: Improve TLS handling of invalid messages Lucky 13 (CVE-2013-0169) o S8007688: Blacklist known bad certificate (issued by DigiCert) * Backports o S8007393: Possible race condition after JDK-6664509 o S8007611: logging behavior in applet changed * Bug fixes o PR1319: Support GIF lib v5. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-java-1_6_0-openjdk-7385 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): java-1_6_0-openjdk-1.6.0.0_b27.1.12.3-0.2.1 java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.3-0.2.1 java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.3-0.2.1 References: https://bugzilla.novell.com/804654 http://download.novell.com/patch/finder/?keywords=f8727e2d72c81a958750085c7… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0326-1: important: Security update for Samba
by opensuse-security＠opensuse.org 22 Feb '13

22 Feb '13

SUSE Security Update: Security update for Samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0326-1 Rating: important References: #783384 #786677 #791183 #792340 #799641 #800982 Cross-References: CVE-2013-0213 CVE-2013-0214 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that solves two vulnerabilities and has four fixes is now available. Description: The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 4.0.1 was affected by a cross-site request forgery (CVE-2013-0214) and a click-jacking attack (CVE-2013-0213). This has been fixed. Security Issue references: * CVE-2013-0213 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0213 > * CVE-2013-0214 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0214 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-cifs-mount-7292 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-cifs-mount-7292 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-cifs-mount-7292 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-cifs-mount-7292 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): libldb-devel-3.6.3-0.30.1 libnetapi-devel-3.6.3-0.30.1 libnetapi0-3.6.3-0.30.1 libsmbclient-devel-3.6.3-0.30.1 libsmbsharemodes-devel-3.6.3-0.30.1 libsmbsharemodes0-3.6.3-0.30.1 libtalloc-devel-3.6.3-0.30.1 libtdb-devel-3.6.3-0.30.1 libtevent-devel-3.6.3-0.30.1 libwbclient-devel-3.6.3-0.30.1 samba-devel-3.6.3-0.30.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): ldapsmb-1.34b-12.30.1 libldb1-3.6.3-0.30.1 libsmbclient0-3.6.3-0.30.1 libtalloc1-3.4.3-1.42.11 libtalloc2-3.6.3-0.30.1 libtdb1-3.6.3-0.30.1 libtevent0-3.6.3-0.30.1 libwbclient0-3.6.3-0.30.1 samba-3.6.3-0.30.1 samba-client-3.6.3-0.30.1 samba-krb-printing-3.6.3-0.30.1 samba-winbind-3.6.3-0.30.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64): libsmbclient0-32bit-3.6.3-0.30.1 libtalloc1-32bit-3.4.3-1.42.11 libtalloc2-32bit-3.6.3-0.30.1 libtdb1-32bit-3.6.3-0.30.1 libwbclient0-32bit-3.6.3-0.30.1 samba-32bit-3.6.3-0.30.1 samba-client-32bit-3.6.3-0.30.1 samba-winbind-32bit-3.6.3-0.30.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): ldapsmb-1.34b-12.30.1 libldb1-3.6.3-0.30.1 libsmbclient0-3.6.3-0.30.1 libtalloc1-3.4.3-1.42.11 libtalloc2-3.6.3-0.30.1 libtdb1-3.6.3-0.30.1 libtevent0-3.6.3-0.30.1 libwbclient0-3.6.3-0.30.1 samba-3.6.3-0.30.1 samba-client-3.6.3-0.30.1 samba-krb-printing-3.6.3-0.30.1 samba-winbind-3.6.3-0.30.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64): libsmbclient0-32bit-3.6.3-0.30.1 libtalloc1-32bit-3.4.3-1.42.11 libtalloc2-32bit-3.6.3-0.30.1 libtdb1-32bit-3.6.3-0.30.1 libwbclient0-32bit-3.6.3-0.30.1 samba-32bit-3.6.3-0.30.1 samba-client-32bit-3.6.3-0.30.1 samba-winbind-32bit-3.6.3-0.30.1 - SUSE Linux Enterprise Server 11 SP2 (ia64): libsmbclient0-x86-3.6.3-0.30.1 libtalloc1-x86-3.4.3-1.42.11 libtalloc2-x86-3.6.3-0.30.1 libtdb1-x86-3.6.3-0.30.1 libwbclient0-x86-3.6.3-0.30.1 samba-client-x86-3.6.3-0.30.1 samba-winbind-x86-3.6.3-0.30.1 samba-x86-3.6.3-0.30.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): libldb1-3.6.3-0.30.1 libsmbclient0-3.6.3-0.30.1 libtalloc1-3.4.3-1.42.11 libtalloc2-3.6.3-0.30.1 libtdb1-3.6.3-0.30.1 libtevent0-3.6.3-0.30.1 libwbclient0-3.6.3-0.30.1 samba-3.6.3-0.30.1 samba-client-3.6.3-0.30.1 samba-krb-printing-3.6.3-0.30.1 samba-winbind-3.6.3-0.30.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): libldb1-32bit-3.6.3-0.30.1 libsmbclient0-32bit-3.6.3-0.30.1 libtalloc1-32bit-3.4.3-1.42.11 libtalloc2-32bit-3.6.3-0.30.1 libtdb1-32bit-3.6.3-0.30.1 libtevent0-32bit-3.6.3-0.30.1 libwbclient0-32bit-3.6.3-0.30.1 samba-32bit-3.6.3-0.30.1 samba-client-32bit-3.6.3-0.30.1 samba-winbind-32bit-3.6.3-0.30.1 References: http://support.novell.com/security/cve/CVE-2013-0213.html http://support.novell.com/security/cve/CVE-2013-0214.html https://bugzilla.novell.com/783384 https://bugzilla.novell.com/786677 https://bugzilla.novell.com/791183 https://bugzilla.novell.com/792340 https://bugzilla.novell.com/799641 https://bugzilla.novell.com/800982 http://download.novell.com/patch/finder/?keywords=cdf3a69eb9b0ec60da7dfbb42… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0325-1: important: Security update for Samba
by opensuse-security＠opensuse.org 22 Feb '13

22 Feb '13

SUSE Security Update: Security update for Samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0325-1 Rating: important References: #754443 #764577 #783384 #799641 #800982 Cross-References: CVE-2013-0213 CVE-2013-0214 Affected Products: SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. Description: The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 4.0.1 was affected by a cross-site request forgery (CVE-2013-0214) and a click-jacking attack (CVE-2013-0213). This has been fixed. Additionally a bug in mount.cifs has been fixed which could have lead to file disclosure (CVE-2012-1586). Also a uninitialized memory read bug in talloc_free() has been fixed. (bnc#764577). Security Issue references: * CVE-2013-0213 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0213 > * CVE-2013-0214 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0214 > Package List: - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64): cifs-mount-3.0.36-0.13.24.1 ldapsmb-1.34b-25.13.24.1 libmsrpc-3.0.36-0.13.24.1 libmsrpc-devel-3.0.36-0.13.24.1 libsmbclient-3.0.36-0.13.24.1 libsmbclient-devel-3.0.36-0.13.24.1 samba-3.0.36-0.13.24.1 samba-client-3.0.36-0.13.24.1 samba-krb-printing-3.0.36-0.13.24.1 samba-python-3.0.36-0.13.24.1 samba-vscan-0.3.6b-43.13.24.1 samba-winbind-3.0.36-0.13.24.1 - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64): libsmbclient-32bit-3.0.36-0.13.24.1 samba-32bit-3.0.36-0.13.24.1 samba-client-32bit-3.0.36-0.13.24.1 samba-winbind-32bit-3.0.36-0.13.24.1 - SUSE Linux Enterprise Server 10 SP4 (noarch): samba-doc-3.0.36-0.12.24.1 - SUSE Linux Enterprise Server 10 SP4 (ia64): libsmbclient-x86-3.0.36-0.13.24.1 samba-client-x86-3.0.36-0.13.24.1 samba-winbind-x86-3.0.36-0.13.24.1 samba-x86-3.0.36-0.13.24.1 - SUSE Linux Enterprise Server 10 SP4 (ppc): libsmbclient-64bit-3.0.36-0.13.24.1 samba-64bit-3.0.36-0.13.24.1 samba-client-64bit-3.0.36-0.13.24.1 samba-winbind-64bit-3.0.36-0.13.24.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64): cifs-mount-3.0.36-0.13.24.1 ldapsmb-1.34b-25.13.24.1 libsmbclient-3.0.36-0.13.24.1 libsmbclient-devel-3.0.36-0.13.24.1 samba-3.0.36-0.13.24.1 samba-client-3.0.36-0.13.24.1 samba-krb-printing-3.0.36-0.13.24.1 samba-vscan-0.3.6b-43.13.24.1 samba-winbind-3.0.36-0.13.24.1 - SUSE Linux Enterprise Desktop 10 SP4 (x86_64): libsmbclient-32bit-3.0.36-0.13.24.1 samba-32bit-3.0.36-0.13.24.1 samba-client-32bit-3.0.36-0.13.24.1 samba-winbind-32bit-3.0.36-0.13.24.1 - SUSE Linux Enterprise Desktop 10 SP4 (noarch): samba-doc-3.0.36-0.12.24.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64): libmsrpc-3.0.36-0.13.24.1 libmsrpc-devel-3.0.36-0.13.24.1 libsmbclient-devel-3.0.36-0.13.24.1 libsmbsharemodes-3.0.36-0.13.24.1 libsmbsharemodes-devel-3.0.36-0.13.24.1 samba-python-3.0.36-0.13.24.1 References: http://support.novell.com/security/cve/CVE-2013-0213.html http://support.novell.com/security/cve/CVE-2013-0214.html https://bugzilla.novell.com/754443 https://bugzilla.novell.com/764577 https://bugzilla.novell.com/783384 https://bugzilla.novell.com/799641 https://bugzilla.novell.com/800982 http://download.novell.com/patch/finder/?keywords=1d50d01aa74b22f0c8645692c… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0323-1: important: Mozilla: February 2013 update round (Firefox 19)
by opensuse-security＠opensuse.org 22 Feb '13

22 Feb '13

openSUSE Security Update: Mozilla: February 2013 update round (Firefox 19) ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0323-1 Rating: important References: #796895 #804248 Cross-References: CVE-2013-0765 CVE-2013-0772 CVE-2013-0773 CVE-2013-0774 CVE-2013-0775 CVE-2013-0776 CVE-2013-0777 CVE-2013-0778 CVE-2013-0779 CVE-2013-0780 CVE-2013-0781 CVE-2013-0782 CVE-2013-0783 Affected Products: openSUSE 12.2 openSUSE 12.1 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: MozillaFirefox was updated to Firefox 19.0 (bnc#804248) MozillaThunderbird was updated to Thunderbird 17.0.3 (bnc#804248) seamonkey was updated to SeaMonkey 2.16 (bnc#804248) xulrunner was updated to 17.0.3esr (bnc#804248) chmsee was updated to version 2.0. Changes in MozillaFirefox 19.0: * MFSA 2013-21/CVE-2013-0783/2013-0784 Miscellaneous memory safety hazards * MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering * MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - removed obsolete patches * mozilla-webrtc.patch * mozilla-gstreamer-803287.patch - added patch to fix session restore window order (bmo#712763) - update to Firefox 18.0.2 * blocklist and CTP updates * fixes in JS engine - update to Firefox 18.0.1 * blocklist updates * backed out bmo#677092 (removed patch) * fixed problems involving HTTP proxy transactions - Fix WebRTC to build on powerpc Changes in MozillaThunderbird: - update to Thunderbird 17.0.3 (bnc#804248) * MFSA 2013-21/CVE-2013-0783 Miscellaneous memory safety hazards * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - update Enigmail to 1.5.1 * The release fixes the regressions found in the past few weeks Changes in seamonkey: - update to SeaMonkey 2.16 (bnc#804248) * MFSA 2013-21/CVE-2013-0783/2013-0784 Miscellaneous memory safety hazards * MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering * MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - removed obsolete patches * mozilla-webrtc.patch * mozilla-gstreamer-803287.patch - update to SeaMonkey 2.15.2 * Applications could not be removed from the "Application details" dialog under Preferences, Helper Applications (bmo#826771). * View / Message Body As could show menu items out of context (bmo#831348) - update to SeaMonkey 2.15.1 * backed out bmo#677092 (removed patch) * fixed problems involving HTTP proxy transactions - backed out restartless language packs as it broke multi-locale setup (bmo#677092, bmo#818468) Changes in xulrunner: - update to 17.0.3esr (bnc#804248) * MFSA 2013-21/CVE-2013-0783 Miscellaneous memory safety hazards * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-141 - openSUSE 12.1: zypper in -t patch openSUSE-2013-141 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): MozillaFirefox-19.0-2.33.1 MozillaFirefox-branding-upstream-19.0-2.33.1 MozillaFirefox-buildsymbols-19.0-2.33.1 MozillaFirefox-debuginfo-19.0-2.33.1 MozillaFirefox-debugsource-19.0-2.33.1 MozillaFirefox-devel-19.0-2.33.1 MozillaFirefox-translations-common-19.0-2.33.1 MozillaFirefox-translations-other-19.0-2.33.1 MozillaThunderbird-17.0.3-49.31.1 MozillaThunderbird-buildsymbols-17.0.3-49.31.1 MozillaThunderbird-debuginfo-17.0.3-49.31.1 MozillaThunderbird-debugsource-17.0.3-49.31.1 MozillaThunderbird-devel-17.0.3-49.31.1 MozillaThunderbird-devel-debuginfo-17.0.3-49.31.1 MozillaThunderbird-translations-common-17.0.3-49.31.1 MozillaThunderbird-translations-other-17.0.3-49.31.1 chmsee-2.0-2.14.3 chmsee-debuginfo-2.0-2.14.3 chmsee-debugsource-2.0-2.14.3 enigmail-1.5.1+17.0.3-49.31.1 enigmail-debuginfo-1.5.1+17.0.3-49.31.1 mozilla-js-17.0.3-2.30.1 mozilla-js-debuginfo-17.0.3-2.30.1 seamonkey-2.16-2.34.2 seamonkey-debuginfo-2.16-2.34.2 seamonkey-debugsource-2.16-2.34.2 seamonkey-dom-inspector-2.16-2.34.2 seamonkey-irc-2.16-2.34.2 seamonkey-translations-common-2.16-2.34.2 seamonkey-translations-other-2.16-2.34.2 seamonkey-venkman-2.16-2.34.2 xulrunner-17.0.3-2.30.1 xulrunner-buildsymbols-17.0.3-2.30.1 xulrunner-debuginfo-17.0.3-2.30.1 xulrunner-debugsource-17.0.3-2.30.1 xulrunner-devel-17.0.3-2.30.1 xulrunner-devel-debuginfo-17.0.3-2.30.1 - openSUSE 12.2 (x86_64): mozilla-js-32bit-17.0.3-2.30.1 mozilla-js-debuginfo-32bit-17.0.3-2.30.1 xulrunner-32bit-17.0.3-2.30.1 xulrunner-debuginfo-32bit-17.0.3-2.30.1 - openSUSE 12.1 (i586 x86_64): MozillaFirefox-19.0-2.62.1 MozillaFirefox-branding-upstream-19.0-2.62.1 MozillaFirefox-buildsymbols-19.0-2.62.1 MozillaFirefox-debuginfo-19.0-2.62.1 MozillaFirefox-debugsource-19.0-2.62.1 MozillaFirefox-devel-19.0-2.62.1 MozillaFirefox-translations-common-19.0-2.62.1 MozillaFirefox-translations-other-19.0-2.62.1 MozillaThunderbird-17.0.3-33.51.1 MozillaThunderbird-buildsymbols-17.0.3-33.51.1 MozillaThunderbird-debuginfo-17.0.3-33.51.1 MozillaThunderbird-debugsource-17.0.3-33.51.1 MozillaThunderbird-devel-17.0.3-33.51.1 MozillaThunderbird-devel-debuginfo-17.0.3-33.51.1 MozillaThunderbird-translations-common-17.0.3-33.51.1 MozillaThunderbird-translations-other-17.0.3-33.51.1 chmsee-2.0-2.32.3 chmsee-debuginfo-2.0-2.32.3 chmsee-debugsource-2.0-2.32.3 enigmail-1.5.1+17.0.3-33.51.1 enigmail-debuginfo-1.5.1+17.0.3-33.51.1 mozilla-js-17.0.3-2.57.1 mozilla-js-debuginfo-17.0.3-2.57.1 seamonkey-2.16-2.53.1 seamonkey-debuginfo-2.16-2.53.1 seamonkey-debugsource-2.16-2.53.1 seamonkey-dom-inspector-2.16-2.53.1 seamonkey-irc-2.16-2.53.1 seamonkey-translations-common-2.16-2.53.1 seamonkey-translations-other-2.16-2.53.1 seamonkey-venkman-2.16-2.53.1 xulrunner-17.0.3-2.57.1 xulrunner-buildsymbols-17.0.3-2.57.1 xulrunner-debuginfo-17.0.3-2.57.1 xulrunner-debugsource-17.0.3-2.57.1 xulrunner-devel-17.0.3-2.57.1 xulrunner-devel-debuginfo-17.0.3-2.57.1 - openSUSE 12.1 (x86_64): mozilla-js-32bit-17.0.3-2.57.1 mozilla-js-debuginfo-32bit-17.0.3-2.57.1 xulrunner-32bit-17.0.3-2.57.1 xulrunner-debuginfo-32bit-17.0.3-2.57.1 - openSUSE 12.1 (ia64): mozilla-js-debuginfo-x86-17.0.3-2.57.1 mozilla-js-x86-17.0.3-2.57.1 xulrunner-debuginfo-x86-17.0.3-2.57.1 xulrunner-x86-17.0.3-2.57.1 References: http://support.novell.com/security/cve/CVE-2013-0765.html http://support.novell.com/security/cve/CVE-2013-0772.html http://support.novell.com/security/cve/CVE-2013-0773.html http://support.novell.com/security/cve/CVE-2013-0774.html http://support.novell.com/security/cve/CVE-2013-0775.html http://support.novell.com/security/cve/CVE-2013-0776.html http://support.novell.com/security/cve/CVE-2013-0777.html http://support.novell.com/security/cve/CVE-2013-0778.html http://support.novell.com/security/cve/CVE-2013-0779.html http://support.novell.com/security/cve/CVE-2013-0780.html http://support.novell.com/security/cve/CVE-2013-0781.html http://support.novell.com/security/cve/CVE-2013-0782.html http://support.novell.com/security/cve/CVE-2013-0783.html https://bugzilla.novell.com/796895 https://bugzilla.novell.com/804248 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0320-1: important: Security update for libvirt
by opensuse-security＠opensuse.org 21 Feb '13

21 Feb '13

SUSE Security Update: Security update for libvirt ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0320-1 Rating: important References: #782311 #800976 Cross-References: CVE-2013-0170 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: libvirt was updated to fix the following security issue: * A flaw was found in the way message freeing on connection cleanup was handled under certain error conditions. A remote user able to issue commands to libvirt daemon could use this flaw to crash libvirtd or, potentially, escalate their privilages to that of libvirtd process. (CVE-2013-0170) Also following bug has been fixed: * Add managedSave functions to legacy xen driver bnc#782311 Security Issue reference: * CVE-2013-0170 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0170 > Indications: Everyone should install this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-libvirt-7310 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-libvirt-7310 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-libvirt-7310 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): libvirt-devel-0.9.6-0.25.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (x86_64): libvirt-devel-32bit-0.9.6-0.25.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): libvirt-0.9.6-0.25.1 libvirt-client-0.9.6-0.25.1 libvirt-doc-0.9.6-0.25.1 libvirt-python-0.9.6-0.25.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64): libvirt-client-32bit-0.9.6-0.25.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): libvirt-0.9.6-0.25.1 libvirt-client-0.9.6-0.25.1 libvirt-doc-0.9.6-0.25.1 libvirt-python-0.9.6-0.25.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): libvirt-client-32bit-0.9.6-0.25.1 References: http://support.novell.com/security/cve/CVE-2013-0170.html https://bugzilla.novell.com/782311 https://bugzilla.novell.com/800976 http://download.novell.com/patch/finder/?keywords=f032a56a63abda0090da8ca02… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0315-1: important: Security update for Java 1.6.0
by opensuse-security＠opensuse.org 20 Feb '13

20 Feb '13

SUSE Security Update: Security update for Java 1.6.0 ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0315-1 Rating: important References: #494536 #792951 #801972 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: java-1_6_0-openjdk based on Icedtea6-1.12.2 was released, fixing various security issues: New in release 1.12.2 (2012-02-03): * Security fixes o S6563318, CVE-2013-0424: RMI data sanitization o S6664509, CVE-2013-0425: Add logging context o S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time o S6776941: CVE-2013-0427: Improve thread pool shutdown o S7141694, CVE-2013-0429: Improving CORBA internals o S7173145: Improve in-memory representation of splashscreens o S7186945: Unpack200 improvement o S7186946: Refine unpacker resource usage o S7186948: Improve Swing data validation o S7186952, CVE-2013-0432: Improve clipboard access o S7186954: Improve connection performance o S7186957: Improve Pack200 data validation o S7192392, CVE-2013-0443: Better validation of client keys o S7192393, CVE-2013-0440: Better Checking of order of TLS Messages o S7192977, CVE-2013-0442: Issue in toolkit thread o S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies o S7200491: Tighten up JTable layout code o S7200500: Launcher better input validation o S7201064: Better dialogue checking o S7201066, CVE-2013-0441: Change modifiers on unused fields o S7201068, CVE-2013-0435: Better handling of UI elements o S7201070: Serialization to conform to protocol o S7201071, CVE-2013-0433: InetSocketAddress serialization issue o S8000210: Improve JarFile code quality o S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class o S8000540, CVE-2013-1475: Improve IIOP type reuse management o S8000631, CVE-2013-1476: Restrict access to class constructor o S8001235, CVE-2013-0434: Improve JAXP HTTP handling o S8001242: Improve RMI HTTP conformance o S8001307: Modify ACC_SUPER behavior o S8001972, CVE-2013-1478: Improve image processing o S8002325, CVE-2013-1480: Improve management of images * Backports o S7010849: 5/5 Extraneous javac source/target options when building sa-jdi o S8004341: Two JCK tests fails with 7u11 b06 o S8005615: Java Logger fails to load tomcat logger implementation (JULI) * Bug fixes o PR1297: cacao and jamvm parallel unpack failures o PR1301: PR1171 causes builds of Zero to fail Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-java-1_6_0-openjdk-7332 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): java-1_6_0-openjdk-1.6.0.0_b27.1.12.2-0.2.1 java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.2-0.2.1 java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.2-0.2.1 References: https://bugzilla.novell.com/494536 https://bugzilla.novell.com/792951 https://bugzilla.novell.com/801972 http://download.novell.com/patch/finder/?keywords=3d24d3eb8bd24ecde9576c270… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0312-1: important: java-1_6_0-openjdk to 1.12.1
by opensuse-security＠opensuse.org 19 Feb '13

19 Feb '13

openSUSE Security Update: java-1_6_0-openjdk to 1.12.1 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0312-1 Rating: important References: #801972 Cross-References: CVE-2013-0424 CVE-2013-0425 CVE-2013-0426 CVE-2013-0427 CVE-2013-0428 CVE-2013-0429 CVE-2013-0432 CVE-2013-0433 CVE-2013-0434 CVE-2013-0435 CVE-2013-0440 CVE-2013-0441 CVE-2013-0442 CVE-2013-0443 CVE-2013-0450 CVE-2013-1475 CVE-2013-1476 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: OpenJDK (java-1_6_0-openjdk) was updated to 1.12.1 to fix bugs and security issues (bnc#801972) * Security fixes (on top of 1.12.0) - S6563318, CVE-2013-0424: RMI data sanitization - S6664509, CVE-2013-0425: Add logging context - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time - S6776941: CVE-2013-0427: Improve thread pool shutdown - S7141694, CVE-2013-0429: Improving CORBA internals - S7173145: Improve in-memory representation of splashscreens - S7186945: Unpack200 improvement - S7186946: Refine unpacker resource usage - S7186948: Improve Swing data validation - S7186952, CVE-2013-0432: Improve clipboard access - S7186954: Improve connection performance - S7186957: Improve Pack200 data validation - S7192392, CVE-2013-0443: Better validation of client keys - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages - S7192977, CVE-2013-0442: Issue in toolkit thread - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies - S7200491: Tighten up JTable layout code - S7200500: Launcher better input validation - S7201064: Better dialogue checking - S7201066, CVE-2013-0441: Change modifiers on unused fields - S7201068, CVE-2013-0435: Better handling of UI elements - S7201070: Serialization to conform to protocol - S7201071, CVE-2013-0433: InetSocketAddress serialization issue - S8000210: Improve JarFile code quality - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class - S8000540, CVE-2013-1475: Improve IIOP type reuse management - S8000631, CVE-2013-1476: Restrict access to class constructor - S8001235, CVE-2013-0434: Improve JAXP HTTP handling Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-27 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): java-1_6_0-openjdk-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-debuginfo-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-debugsource-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-demo-debuginfo-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-devel-debuginfo-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-javadoc-1.6.0.0_b27.1.12.1-25.1 java-1_6_0-openjdk-src-1.6.0.0_b27.1.12.1-25.1 References: http://support.novell.com/security/cve/CVE-2013-0424.html http://support.novell.com/security/cve/CVE-2013-0425.html http://support.novell.com/security/cve/CVE-2013-0426.html http://support.novell.com/security/cve/CVE-2013-0427.html http://support.novell.com/security/cve/CVE-2013-0428.html http://support.novell.com/security/cve/CVE-2013-0429.html http://support.novell.com/security/cve/CVE-2013-0432.html http://support.novell.com/security/cve/CVE-2013-0433.html http://support.novell.com/security/cve/CVE-2013-0434.html http://support.novell.com/security/cve/CVE-2013-0435.html http://support.novell.com/security/cve/CVE-2013-0440.html http://support.novell.com/security/cve/CVE-2013-0441.html http://support.novell.com/security/cve/CVE-2013-0442.html http://support.novell.com/security/cve/CVE-2013-0443.html http://support.novell.com/security/cve/CVE-2013-0450.html http://support.novell.com/security/cve/CVE-2013-1475.html http://support.novell.com/security/cve/CVE-2013-1476.html https://bugzilla.novell.com/801972 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0308-1: important: java-1_6_0-openjdk to 1.12.2
by opensuse-security＠opensuse.org 19 Feb '13

19 Feb '13

openSUSE Security Update: java-1_6_0-openjdk to 1.12.2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0308-1 Rating: important References: #801972 Cross-References: CVE-2013-0424 CVE-2013-0425 CVE-2013-0426 CVE-2013-0427 CVE-2013-0428 CVE-2013-0429 CVE-2013-0432 CVE-2013-0433 CVE-2013-0434 CVE-2013-0435 CVE-2013-0440 CVE-2013-0441 CVE-2013-0442 CVE-2013-0443 CVE-2013-0450 CVE-2013-1475 CVE-2013-1476 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: OpenJDK (java-1_6_0-openjdk) was updated to 1.12.2 to fix bugs and security issues (bnc#801972) * Security fixes (on top of 1.12.0) - S6563318, CVE-2013-0424: RMI data sanitization - S6664509, CVE-2013-0425: Add logging context - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time - S6776941: CVE-2013-0427: Improve thread pool shutdown - S7141694, CVE-2013-0429: Improving CORBA internals - S7173145: Improve in-memory representation of splashscreens - S7186945: Unpack200 improvement - S7186946: Refine unpacker resource usage - S7186948: Improve Swing data validation - S7186952, CVE-2013-0432: Improve clipboard access - S7186954: Improve connection performance - S7186957: Improve Pack200 data validation - S7192392, CVE-2013-0443: Better validation of client keys - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages - S7192977, CVE-2013-0442: Issue in toolkit thread - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies - S7200491: Tighten up JTable layout code - S7200500: Launcher better input validation - S7201064: Better dialogue checking - S7201066, CVE-2013-0441: Change modifiers on unused fields - S7201068, CVE-2013-0435: Better handling of UI elements - S7201070: Serialization to conform to protocol - S7201071, CVE-2013-0433: InetSocketAddress serialization issue - S8000210: Improve JarFile code quality - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class - S8000540, CVE-2013-1475: Improve IIOP type reuse management - S8000631, CVE-2013-1476: Restrict access to class constructor - S8001235, CVE-2013-0434: Improve JAXP HTTP handling Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-131 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): java-1_6_0-openjdk-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-debuginfo-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-debugsource-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-demo-debuginfo-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-devel-debuginfo-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-javadoc-1.6.0.0_b27.1.12.2-24.1 java-1_6_0-openjdk-src-1.6.0.0_b27.1.12.2-24.1 References: http://support.novell.com/security/cve/CVE-2013-0424.html http://support.novell.com/security/cve/CVE-2013-0425.html http://support.novell.com/security/cve/CVE-2013-0426.html http://support.novell.com/security/cve/CVE-2013-0427.html http://support.novell.com/security/cve/CVE-2013-0428.html http://support.novell.com/security/cve/CVE-2013-0429.html http://support.novell.com/security/cve/CVE-2013-0432.html http://support.novell.com/security/cve/CVE-2013-0433.html http://support.novell.com/security/cve/CVE-2013-0434.html http://support.novell.com/security/cve/CVE-2013-0435.html http://support.novell.com/security/cve/CVE-2013-0440.html http://support.novell.com/security/cve/CVE-2013-0441.html http://support.novell.com/security/cve/CVE-2013-0442.html http://support.novell.com/security/cve/CVE-2013-0443.html http://support.novell.com/security/cve/CVE-2013-0450.html http://support.novell.com/security/cve/CVE-2013-1475.html http://support.novell.com/security/cve/CVE-2013-1476.html https://bugzilla.novell.com/801972 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0306-1: important: Security update for Mozilla Firefox
by opensuse-security＠opensuse.org 18 Feb '13

18 Feb '13

SUSE Security Update: Security update for Mozilla Firefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0306-1 Rating: important References: #666101 #681836 #684069 #712248 #769762 #796895 Affected Products: SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes three new package versions. Description: Mozilla Firefox is updated to the 10.0.12ESR version. This is a roll-up update for LTSS. It fixes a lot of security issues and bugs. 10.0.12ESR fixes specifically: * MFSA 2013-01: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Christoph Diehl, Christian Holler, Mats Palmgren, and Chiaki Ishikawa reported memory safety problems and crashes that affect Firefox ESR 10, Firefox ESR 17, and Firefox 17. (CVE-2013-0769) Bill Gianopoulos, Benoit Jacob, Christoph Diehl, Christian Holler, Gary Kwong, Robert O'Callahan, and Scoobidiver reported memory safety problems and crashes that affect Firefox ESR 17 and Firefox 17. (CVE-2013-0749) Jesse Ruderman, Christian Holler, Julian Seward, and Scoobidiver reported memory safety problems and crashes that affect Firefox 17. (CVE-2013-0770) * MFSA 2013-02: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series critically rated of use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting three additional user-after-free and out of bounds read flaws introduced during Firefox development that were fixed before general release. The following issue has been fixed in Firefox 18: o Global-buffer-overflow in CharDistributionAnalysis::HandleOneChar (CVE-2013-0760) The following issues has been fixed in Firefox 18, ESR 17.0.1, and ESR 10.0.12: o Heap-use-after-free in imgRequest::OnStopFrame (CVE-2013-0762) o Heap-use-after-free in ~nsHTMLEditRules (CVE-2013-0766) o Out of bounds read in nsSVGPathElement::GetPathLengthScale (CVE-2013-0763) o Heap-buffer-overflow in gfxTextRun::ShrinkToLigatureBoundaries (CVE-2013-0771) The following issue has been fixed in Firefox 18 and in the earlier ESR 10.0.11 release: o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829) * MFSA 2013-03: Security researcher miaubiz used the Address Sanitizer tool to discover a buffer overflow in Canvas when specific bad height and width values were given through HTML. This could lead to a potentially exploitable crash. (CVE-2013-0768) Miaubiz also found a potentially exploitable crash when 2D and 3D content was mixed which was introduced during Firefox development and fixed before general release. * MFSA 2013-04: Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identify of another site. (CVE-2013-0759) * MFSA 2013-05: Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a user-after-free causing a potentially exploitable crash. (CVE-2013-0744) * MFSA 2013-06: Mozilla developer Wesley Johnston reported that when there are two or more iframes on the same HTML page, an iframe is able to see the touch events and their targets that occur within the other iframes on the page. If the iframes are from the same origin, they can also access the properties and methods of the targets of other iframes but same-origin policy (SOP) restricts access across domains. This allows for information leakage and possibilities for cross-site scripting (XSS) if another vulnerability can be used to get around SOP restrictions. (CVE-2013-0751) * MFSA 2013-07: Mozilla community member Jerry Baker reported a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. This was caused by a bug in the networking code assuming that secure connections were entirely handled on the socket transport thread when they can occur on a variety of threads. The resulting crash was potentially exploitable. (CVE-2013-0764) * MFSA 2013-08: Mozilla developer Olli Pettay discovered that the AutoWrapperChanger class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution. (CVE-2013-0745) * MFSA 2013-09: Mozilla developer Boris Zbarsky reported reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash. (CVE-2013-0746) * MFSA 2013-10: Mozilla security researcher Jesse Ruderman reported that events in the plugin handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for clickjacking on malicious web pages. (CVE-2013-0747) * MFSA 2013-11: Mozilla security researcher Jesse Ruderman discovered that using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections. (CVE-2013-0748) * MFSA 2013-12: Security researcher pa_kt reported a flaw via TippingPoint's Zero Day Initiative that an integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable memory corruption. (CVE-2013-0750) * MFSA 2013-13: Security researcher Sviatoslav Chagaev reported that when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash. (CVE-2013-0752) * MFSA 2013-14: Security researcher Mariusz Mlynski reported that it is possible to change the prototype of an object and bypass Chrome Object Wrappers (COW) to gain access to chrome privileged functions. This could allow for arbitrary code execution. (CVE-2013-0757) * MFSA 2013-15: Security researcher Mariusz Mlynski reported that it is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution. (CVE-2013-0758) * MFSA 2013-16: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free in XMLSerializer by the exposing of serializeToStream to web content. This can lead to arbitrary code execution when exploited. (CVE-2013-0753) * MFSA 2013-17: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary code execution. (CVE-2013-0754) * MFSA 2013-18: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free using the domDoc pointer within Vibrate library. This can lead to arbitrary code execution when exploited. (CVE-2013-0755) * MFSA 2013-19: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a garbage collection flaw in Javascript Proxy objects. This can lead to a use-after-free leading to arbitrary code execution. (CVE-2013-0756) * MFSA 2013-20: Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates. (CVE-2013-0743) Indications: Everyone using Firefox should update. Package List: - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.14.1 and 4.9.4]: firefox3-cairo-1.2.4-0.8.5 firefox3-gtk2-2.10.6-0.12.21 firefox3-pango-1.14.5-0.12.178 mozilla-nspr-4.9.4-0.6.1 mozilla-nspr-devel-4.9.4-0.6.1 mozilla-nss-3.14.1-0.6.1 mozilla-nss-devel-3.14.1-0.6.1 mozilla-nss-tools-3.14.1-0.6.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.14.1 and 4.9.4]: firefox3-cairo-32bit-1.2.4-0.8.5 firefox3-gtk2-32bit-2.10.6-0.12.21 firefox3-pango-32bit-1.14.5-0.12.178 mozilla-nspr-32bit-4.9.4-0.6.1 mozilla-nss-32bit-3.14.1-0.6.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x) [New Version: 7]: MozillaFirefox-10.0.12-0.6.3 MozillaFirefox-branding-SLED-7-0.8.46 MozillaFirefox-translations-10.0.12-0.6.3 References: https://bugzilla.novell.com/666101 https://bugzilla.novell.com/681836 https://bugzilla.novell.com/684069 https://bugzilla.novell.com/712248 https://bugzilla.novell.com/769762 https://bugzilla.novell.com/796895 http://download.novell.com/patch/finder/?keywords=8d645904d43fff2d5195e42ae… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0298-1: critical: flash-player: update to 11.2.202.270
by opensuse-security＠opensuse.org 14 Feb '13

14 Feb '13

openSUSE Security Update: flash-player: update to 11.2.202.270 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0298-1 Rating: critical References: #803485 Cross-References: CVE-2013-0637 CVE-2013-0638 CVE-2013-0639 CVE-2013-0642 CVE-2013-0644 CVE-2013-0645 CVE-2013-0647 CVE-2013-0649 CVE-2013-1365 CVE-2013-1366 CVE-2013-1367 CVE-2013-1368 CVE-2013-1369 CVE-2013-1370 CVE-2013-1372 CVE-2013-1373 CVE-2013-1374 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: Adobe Flash Player was updated to 11.2.202.270: (bnc#803485) * APSB13-05, CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637 More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-05.ht ml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-25 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): flash-player-11.2.202.270-47.1 flash-player-gnome-11.2.202.270-47.1 flash-player-kde4-11.2.202.270-47.1 References: http://support.novell.com/security/cve/CVE-2013-0637.html http://support.novell.com/security/cve/CVE-2013-0638.html http://support.novell.com/security/cve/CVE-2013-0639.html http://support.novell.com/security/cve/CVE-2013-0642.html http://support.novell.com/security/cve/CVE-2013-0644.html http://support.novell.com/security/cve/CVE-2013-0645.html http://support.novell.com/security/cve/CVE-2013-0647.html http://support.novell.com/security/cve/CVE-2013-0649.html http://support.novell.com/security/cve/CVE-2013-1365.html http://support.novell.com/security/cve/CVE-2013-1366.html http://support.novell.com/security/cve/CVE-2013-1367.html http://support.novell.com/security/cve/CVE-2013-1368.html http://support.novell.com/security/cve/CVE-2013-1369.html http://support.novell.com/security/cve/CVE-2013-1370.html http://support.novell.com/security/cve/CVE-2013-1372.html http://support.novell.com/security/cve/CVE-2013-1373.html http://support.novell.com/security/cve/CVE-2013-1374.html https://bugzilla.novell.com/803485 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0296-1: critical: Security update for flash-player
by opensuse-security＠opensuse.org 14 Feb '13

14 Feb '13

SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0296-1 Rating: critical References: #803485 Cross-References: CVE-2013-0637 CVE-2013-0638 CVE-2013-0639 CVE-2013-0642 CVE-2013-0644 CVE-2013-0645 CVE-2013-0647 CVE-2013-0649 CVE-2013-1365 CVE-2013-1366 CVE-2013-1367 CVE-2013-1368 CVE-2013-1369 CVE-2013-1370 CVE-2013-1372 CVE-2013-1373 CVE-2013-1374 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 10 SP4 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. It includes one version update. Description: This update for flash-player to version 11.2.202.270, tracked as ABSP13-05 <ttp://www.adobe.com/support/security/bulletins/apsb13-05.ht ml> , contains fixes for the following security issues: * Several buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-0642 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0642 > , CVE-2013-0645 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0645 > , CVE-2013-1365 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1365 > , CVE-2013-1366 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1366 > , CVE-2013-1367 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1367 > , CVE-2013-1368 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1368 > , CVE-2013-1369 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1369 > , CVE-2013-1370 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1370 > , CVE-2013-1372 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1372 > , CVE-2013-1373 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1373 > ) * Use-after-free vulnerabilities that could lead to code execution. ( CVE-2013-0644 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0644 > , CVE-2013-0649 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0649 > , CVE-2013-1374 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1374 > ) * An integer overflow vulnerability that could lead to code execution. ( CVE-2013-0639 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0639 > ) * Two memory corruption vulnerabilities that could lead to code execution. (CVE-2013-0638 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0638 > , CVE-2013-0647 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0647 > ) * An information disclosure vulnerability. (CVE-2013-0637 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0637 > ) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-flash-player-7338 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 11.2.202.270]: flash-player-11.2.202.270-0.3.1 flash-player-gnome-11.2.202.270-0.3.1 flash-player-kde4-11.2.202.270-0.3.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 11.2.202.270]: flash-player-11.2.202.270-0.5.1 References: http://support.novell.com/security/cve/CVE-2013-0637.html http://support.novell.com/security/cve/CVE-2013-0638.html http://support.novell.com/security/cve/CVE-2013-0639.html http://support.novell.com/security/cve/CVE-2013-0642.html http://support.novell.com/security/cve/CVE-2013-0644.html http://support.novell.com/security/cve/CVE-2013-0645.html http://support.novell.com/security/cve/CVE-2013-0647.html http://support.novell.com/security/cve/CVE-2013-0649.html http://support.novell.com/security/cve/CVE-2013-1365.html http://support.novell.com/security/cve/CVE-2013-1366.html http://support.novell.com/security/cve/CVE-2013-1367.html http://support.novell.com/security/cve/CVE-2013-1368.html http://support.novell.com/security/cve/CVE-2013-1369.html http://support.novell.com/security/cve/CVE-2013-1370.html http://support.novell.com/security/cve/CVE-2013-1372.html http://support.novell.com/security/cve/CVE-2013-1373.html http://support.novell.com/security/cve/CVE-2013-1374.html https://bugzilla.novell.com/803485 http://download.novell.com/patch/finder/?keywords=3c1e2d8109d0393f30c137f2f… http://download.novell.com/patch/finder/?keywords=bd904e708bb0e01638db2f0e3… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0295-1: critical: flash-player: update to 11.2.202.270
by opensuse-security＠opensuse.org 14 Feb '13

14 Feb '13

openSUSE Security Update: flash-player: update to 11.2.202.270 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0295-1 Rating: critical References: #803485 Cross-References: CVE-2013-0637 CVE-2013-0638 CVE-2013-0639 CVE-2013-0642 CVE-2013-0644 CVE-2013-0645 CVE-2013-0647 CVE-2013-0649 CVE-2013-1365 CVE-2013-1366 CVE-2013-1367 CVE-2013-1368 CVE-2013-1369 CVE-2013-1370 CVE-2013-1372 CVE-2013-1373 CVE-2013-1374 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: Adobe Flash Player was updated to 11.2.202.270: (bnc#803485) * APSB13-05, CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637 More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-05.ht ml Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-119 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): flash-player-11.2.202.270-50.1 flash-player-gnome-11.2.202.270-50.1 flash-player-kde4-11.2.202.270-50.1 References: http://support.novell.com/security/cve/CVE-2013-0637.html http://support.novell.com/security/cve/CVE-2013-0638.html http://support.novell.com/security/cve/CVE-2013-0639.html http://support.novell.com/security/cve/CVE-2013-0642.html http://support.novell.com/security/cve/CVE-2013-0644.html http://support.novell.com/security/cve/CVE-2013-0645.html http://support.novell.com/security/cve/CVE-2013-0647.html http://support.novell.com/security/cve/CVE-2013-0649.html http://support.novell.com/security/cve/CVE-2013-1365.html http://support.novell.com/security/cve/CVE-2013-1366.html http://support.novell.com/security/cve/CVE-2013-1367.html http://support.novell.com/security/cve/CVE-2013-1368.html http://support.novell.com/security/cve/CVE-2013-1369.html http://support.novell.com/security/cve/CVE-2013-1370.html http://support.novell.com/security/cve/CVE-2013-1372.html http://support.novell.com/security/cve/CVE-2013-1373.html http://support.novell.com/security/cve/CVE-2013-1374.html https://bugzilla.novell.com/803485 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0292-1: important: Security update for MozillaFirefox
by opensuse-security＠opensuse.org 13 Feb '13

13 Feb '13

SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0292-1 Rating: important References: #796895 Affected Products: SUSE Linux Enterprise Server 11 SP1 for VMware LTSS SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes four new package versions. Description: Mozilla Firefox was updated to the 10.0.12ESR release for LTSS. * MFSA 2013-01: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. o Christoph Diehl, Christian Holler, Mats Palmgren, and Chiaki Ishikawa reported memory safety problems and crashes that affect Firefox ESR 10, Firefox ESR 17, and Firefox 17. ( CVE-2013-0769 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769 > ) o Bill Gianopoulos, Benoit Jacob, Christoph Diehl, Christian Holler, Gary Kwong, Robert O'Callahan, and Scoobidiver reported memory safety problems and crashes that affect Firefox ESR 17 and Firefox 17. (CVE-2013-0749 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0749 > ) o Jesse Ruderman, Christian Holler, Julian Seward, and Scoobidiver reported memory safety problems and crashes that affect Firefox 17. (CVE-2013-0770 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0770 > ) * MFSA 2013-02: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series critically rated of use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting three additional user-after-free and out of bounds read flaws introduced during Firefox development that were fixed before general release. The following issue was fixed in Firefox 18: o Global-buffer-overflow in CharDistributionAnalysis::HandleOneChar (CVE-2013-0760 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0760 > ) The following issues were fixed in Firefox 18, ESR 17.0.1, and ESR 10.0.12: o Heap-use-after-free in imgRequest::OnStopFrame (CVE-2013-0762 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762 > ) o Heap-use-after-free in ~nsHTMLEditRules (CVE-2013-0766 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766 > ) o Out of bounds read in nsSVGPathElement::GetPathLengthScale ( CVE-2013-0767 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767 > ) The following issues were fixed in Firefox 18 and ESR 17.0.1: o Heap-use-after-free in mozilla::TrackUnionStream::EndTrack ( CVE-2013-0761 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0761 > ) o Heap-use-after-free in Mesa, triggerable by resizing a WebGL canvas (CVE-2013-0763 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0763 > ) o Heap-buffer-overflow in gfxTextRun::ShrinkToLigatureBoundaries (CVE-2013-0771 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0771 > ) The following issue was fixed in Firefox 18 and in the earlier ESR 10.0.11 release: o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5829 > ) * MFSA 2013-03: Security researcher miaubiz used the Address Sanitizer tool to discover a buffer overflow in Canvas when specific bad height and width values were given through HTML. This could lead to a potentially exploitable crash. (CVE-2013-0768 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0768 > ) Miaubiz also found a potentially exploitable crash when 2D and 3D content was mixed which was introduced during Firefox development and fixed before general release. * MFSA 2013-04: Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identify of another site. ( CVE-2013-0759 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759 > ) * MFSA 2013-05: Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a user-after-free causing a potentially exploitable crash. ( CVE-2013-0744 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744 > ) * MFSA 2013-06: Mozilla developer Wesley Johnston reported that when there are two or more iframes on the same HTML page, an iframe is able to see the touch events and their targets that occur within the other iframes on the page. If the iframes are from the same origin, they can also access the properties and methods of the targets of other iframes but same-origin policy (SOP) restricts access across domains. This allows for information leakage and possibilities for cross-site scripting (XSS) if another vulnerability can be used to get around SOP restrictions. (CVE-2013-0751 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0751 > ) * MFSA 2013-07: Mozilla community member Jerry Baker reported a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. This was caused by a bug in the networking code assuming that secure connections were entirely handled on the socket transport thread when they can occur on a variety of threads. The resulting crash was potentially exploitable. (CVE-2013-0764 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0764 > ) * MFSA 2013-08: Mozilla developer Olli Pettay discovered that the AutoWrapperChanger class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution. (CVE-2013-0745 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0745 > ) * MFSA 2013-09: Mozilla developer Boris Zbarsky reported reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash. (CVE-2013-0746 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746 > ) * MFSA 2013-10: Mozilla security researcher Jesse Ruderman reported that events in the plugin handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for clickjacking on malicious web pages. (CVE-2013-0747 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0747 > ) * MFSA 2013-11: Mozilla security researcher Jesse Ruderman discovered that using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections. (CVE-2013-0748 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748 > ) * MFSA 2013-12: Security researcher pa_kt reported a flaw via TippingPoint's Zero Day Initiative that an integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable memory corruption. (CVE-2013-0750 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750 > ) * MFSA 2013-13: Security researcher Sviatoslav Chagaev reported that when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash. (CVE-2013-0752 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0752 > ) * MFSA 2013-14: Security researcher Mariusz Mlynski reported that it is possible to change the prototype of an object and bypass Chrome Object Wrappers (COW) to gain access to chrome privileged functions. This could allow for arbitrary code execution. (CVE-2013-0757 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0757 > ) * MFSA 2013-15: Security researcher Mariusz Mlynski reported that it is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution. (CVE-2013-0758 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758 > ) * MFSA 2013-16: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free in XMLSerializer by the exposing of serializeToStream to web content. This can lead to arbitrary code execution when exploited. (CVE-2013-0753 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753 > ) * MFSA 2013-17: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary code execution. (CVE-2013-0754 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754 > ) * MFSA 2013-18: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free using the domDoc pointer within Vibrate library. This can lead to arbitrary code execution when exploited. (CVE-2013-0755 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0755 > ) * MFSA 2013-19: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a garbage collection flaw in Javascript Proxy objects. This can lead to a use-after-free leading to arbitrary code execution. (CVE-2013-0756 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0756 > ) * MFSA 2013-20: Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates. (CVE-2013-0743 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743 > ) Indications: Everyone should install this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS: zypper in -t patch slessp1-firefox-201302-7318 - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-firefox-201302-7318 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 10.0.12,3.14.1,4.9.4 and 7]: MozillaFirefox-10.0.12-0.4.3 MozillaFirefox-branding-SLES-for-VMware-7-0.4.2.102 MozillaFirefox-translations-10.0.12-0.4.3 libfreebl3-3.14.1-0.3.1 mozilla-nspr-4.9.4-0.3.1 mozilla-nss-3.14.1-0.3.1 mozilla-nss-tools-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (x86_64) [New Version: 3.14.1 and 4.9.4]: libfreebl3-32bit-3.14.1-0.3.1 mozilla-nspr-32bit-4.9.4-0.3.1 mozilla-nss-32bit-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 10.0.12,3.14.1,4.9.4 and 7]: MozillaFirefox-10.0.12-0.4.3 MozillaFirefox-branding-SLED-7-0.6.7.103 MozillaFirefox-translations-10.0.12-0.4.3 libfreebl3-3.14.1-0.3.1 mozilla-nspr-4.9.4-0.3.1 mozilla-nss-3.14.1-0.3.1 mozilla-nss-tools-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.14.1 and 4.9.4]: libfreebl3-32bit-3.14.1-0.3.1 mozilla-nspr-32bit-4.9.4-0.3.1 mozilla-nss-32bit-3.14.1-0.3.1 References: https://bugzilla.novell.com/796895 http://download.novell.com/patch/finder/?keywords=b16b31709d6161048a780e6c9… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0288-1: critical: Security update for flash-player
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0288-1 Rating: critical References: #802809 Cross-References: CVE-2013-0633 CVE-2013-0634 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 10 SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. It includes one version update. Description: Adobe Flash Player was updated to release 11.2.202.262, fixing bugs and security issues. (CVE-2013-0633 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0633 > , CVE-2013-0634 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0634 > ) More information can be found at http://www.adobe.com/support/security/bulletins/apsb13-04.ht ml <http://www.adobe.com/support/security/bulletins/apsb13-04.h tml> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-flash-player-7326 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 11.2.202.262]: flash-player-11.2.202.262-0.3.1 flash-player-gnome-11.2.202.262-0.3.1 flash-player-kde4-11.2.202.262-0.3.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 11.2.202.262]: flash-player-11.2.202.262-0.5.1 References: http://support.novell.com/security/cve/CVE-2013-0633.html http://support.novell.com/security/cve/CVE-2013-0634.html https://bugzilla.novell.com/802809 http://download.novell.com/patch/finder/?keywords=048b4e48a8d9af16008045b1c… http://download.novell.com/patch/finder/?keywords=e0f14c54bb47715b016d8d14c… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0284-1: critical: flash-player to 11.2.202.262
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: flash-player to 11.2.202.262 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0284-1 Rating: critical References: #802809 Cross-References: CVE-2013-0633 CVE-2013-0634 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: Adobe Flash Player was updated to 11.2.202.262 to fix various security issues and bugs. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-22 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): flash-player-11.2.202.262-43.1 flash-player-gnome-11.2.202.262-43.1 flash-player-kde4-11.2.202.262-43.1 References: http://support.novell.com/security/cve/CVE-2013-0633.html http://support.novell.com/security/cve/CVE-2013-0634.html https://bugzilla.novell.com/802809 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0280-1: important: ruby on rails to 2.3.16
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: ruby on rails to 2.3.16 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0280-1 Rating: important References: #766792 #775649 #775653 #796712 #797449 #797452 #798452 #798458 #800320 Cross-References: CVE-2012-2695 CVE-2012-5664 CVE-2013-0155 CVE-2013-0156 CVE-2013-0333 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has four fixes is now available. Description: This update updates the RubyOnRails 2.3 stack to 2.3.16. Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed. CVE-2012-5664: options hashes should only be extracted if there are extra parameters CVE-2012-2695: Fix SQL injection via nested hashes in conditions CVE-2013-0156: Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XM Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-21 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): rubygem-actionmailer-2_3-2.3.16-0.16.1 rubygem-actionmailer-2_3-doc-2.3.16-0.16.1 rubygem-actionmailer-2_3-testsuite-2.3.16-0.16.1 rubygem-actionpack-2_3-2.3.16-0.23.1 rubygem-actionpack-2_3-doc-2.3.16-0.23.1 rubygem-actionpack-2_3-testsuite-2.3.16-0.23.1 rubygem-activerecord-2_3-2.3.16-0.19.1 rubygem-activerecord-2_3-doc-2.3.16-0.19.1 rubygem-activerecord-2_3-testsuite-2.3.16-0.19.1 rubygem-activeresource-2_3-2.3.16-0.16.1 rubygem-activeresource-2_3-doc-2.3.16-0.16.1 rubygem-activeresource-2_3-testsuite-2.3.16-0.16.1 rubygem-activesupport-2_3-2.3.16-0.16.1 rubygem-activesupport-2_3-doc-2.3.16-0.16.1 rubygem-rack-1.1.5-0.8.1 rubygem-rails-2_3-2.3.16-0.12.1 rubygem-rails-2_3-doc-2.3.16-0.12.1 - openSUSE 11.4 (noarch): rubygem-actionmailer-2.3.16-0.6.1 rubygem-actionpack-2.3.16-0.6.1 rubygem-activerecord-2.3.16-0.6.1 rubygem-activeresource-2.3.16-0.6.1 rubygem-activesupport-2.3.16-0.6.1 rubygem-rails-2.3.16-0.6.1 References: http://support.novell.com/security/cve/CVE-2012-2695.html http://support.novell.com/security/cve/CVE-2012-5664.html http://support.novell.com/security/cve/CVE-2013-0155.html http://support.novell.com/security/cve/CVE-2013-0156.html http://support.novell.com/security/cve/CVE-2013-0333.html https://bugzilla.novell.com/766792 https://bugzilla.novell.com/775649 https://bugzilla.novell.com/775653 https://bugzilla.novell.com/796712 https://bugzilla.novell.com/797449 https://bugzilla.novell.com/797452 https://bugzilla.novell.com/798452 https://bugzilla.novell.com/798458 https://bugzilla.novell.com/800320 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0279-1: critical: flash-player to 11.2.202.262
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: flash-player to 11.2.202.262 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0279-1 Rating: critical References: #802809 Cross-References: CVE-2013-0633 CVE-2013-0634 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: Adobe Flash Player was updated to 11.2.202.262 to fix various security issues and bugs. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-111 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): flash-player-11.2.202.262-46.1 flash-player-gnome-11.2.202.262-46.1 flash-player-kde4-11.2.202.262-46.1 References: http://support.novell.com/security/cve/CVE-2013-0633.html http://support.novell.com/security/cve/CVE-2013-0634.html https://bugzilla.novell.com/802809 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0278-1: important: ruby on rails to 2.3.16
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: ruby on rails to 2.3.16 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0278-1 Rating: important References: #766792 #775649 #775653 #796712 #797449 #797452 #798452 #798458 #800320 Cross-References: CVE-2012-2695 CVE-2012-5664 CVE-2013-0155 CVE-2013-0156 CVE-2013-0333 Affected Products: openSUSE 12.2 openSUSE 12.1 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has four fixes is now available. Description: This update updates the RubyOnRails 2.3 stack to 2.3.16, also this update updates the RubyOnRails 3.2 stack to 3.2.11. Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-106 - openSUSE 12.1: zypper in -t patch openSUSE-2013-106 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): rubygem-actionmailer-2_3-2.3.16-2.5.3 rubygem-actionmailer-2_3-doc-2.3.16-2.5.3 rubygem-actionmailer-2_3-testsuite-2.3.16-2.5.3 rubygem-actionmailer-3_2-3.2.11-2.9.5 rubygem-actionmailer-3_2-doc-3.2.11-2.9.5 rubygem-actionpack-2_3-2.3.16-2.13.3 rubygem-actionpack-2_3-doc-2.3.16-2.13.3 rubygem-actionpack-2_3-testsuite-2.3.16-2.13.3 rubygem-actionpack-3_2-3.2.11-3.9.4 rubygem-actionpack-3_2-doc-3.2.11-3.9.4 rubygem-activemodel-3_2-3.2.11-2.9.2 rubygem-activemodel-3_2-doc-3.2.11-2.9.2 rubygem-activerecord-2_3-2.3.16-2.9.2 rubygem-activerecord-2_3-doc-2.3.16-2.9.2 rubygem-activerecord-2_3-testsuite-2.3.16-2.9.2 rubygem-activerecord-3_2-3.2.11-2.9.1 rubygem-activerecord-3_2-doc-3.2.11-2.9.1 rubygem-activeresource-2_3-2.3.16-2.5.2 rubygem-activeresource-2_3-doc-2.3.16-2.5.2 rubygem-activeresource-2_3-testsuite-2.3.16-2.5.2 rubygem-activeresource-3_2-3.2.11-2.9.1 rubygem-activeresource-3_2-doc-3.2.11-2.9.1 rubygem-activesupport-2_3-2.3.16-3.9.1 rubygem-activesupport-2_3-doc-2.3.16-3.9.1 rubygem-activesupport-3_2-3.2.11-2.9.1 rubygem-activesupport-3_2-doc-3.2.11-2.9.1 rubygem-rack-1_1-1.1.5-6.5.1 rubygem-rack-1_1-doc-1.1.5-6.5.1 rubygem-rack-1_1-testsuite-1.1.5-6.5.1 rubygem-rack-1_2-1.2.7-2.5.1 rubygem-rack-1_2-doc-1.2.7-2.5.1 rubygem-rack-1_2-testsuite-1.2.7-2.5.1 rubygem-rack-1_3-1.3.9-2.5.1 rubygem-rack-1_3-doc-1.3.9-2.5.1 rubygem-rack-1_3-testsuite-1.3.9-2.5.1 rubygem-rack-1_4-1.4.1-2.5.1 rubygem-rack-1_4-doc-1.4.1-2.5.1 rubygem-rack-1_4-testsuite-1.4.1-2.5.1 rubygem-rails-2_3-2.3.16-3.5.1 rubygem-rails-2_3-doc-2.3.16-3.5.1 rubygem-rails-3_2-3.2.11-2.9.1 rubygem-rails-3_2-doc-3.2.11-2.9.1 rubygem-railties-3_2-3.2.11-2.9.1 rubygem-railties-3_2-doc-3.2.11-2.9.1 rubygem-sprockets-2_2-2.2.2-2.2 rubygem-sprockets-2_2-doc-2.2.2-2.2 - openSUSE 12.2 (noarch): rubygem-actionmailer-2.3.16-2.5.1 rubygem-actionpack-2.3.16-2.5.1 rubygem-activerecord-2.3.16-3.5.1 rubygem-activeresource-2.3.16-3.5.1 rubygem-activesupport-2.3.16-3.5.1 rubygem-rails-2.3.16-3.5.1 - openSUSE 12.1 (i586 x86_64): rubygem-actionmailer-2_3-2.3.16-3.9.3 rubygem-actionmailer-2_3-doc-2.3.16-3.9.3 rubygem-actionmailer-2_3-testsuite-2.3.16-3.9.3 rubygem-actionpack-2_3-2.3.16-3.16.2 rubygem-actionpack-2_3-doc-2.3.16-3.16.2 rubygem-actionpack-2_3-testsuite-2.3.16-3.16.2 rubygem-activerecord-2_3-2.3.16-3.12.2 rubygem-activerecord-2_3-doc-2.3.16-3.12.2 rubygem-activerecord-2_3-testsuite-2.3.16-3.12.2 rubygem-activeresource-2_3-2.3.16-3.9.2 rubygem-activeresource-2_3-doc-2.3.16-3.9.2 rubygem-activeresource-2_3-testsuite-2.3.16-3.9.2 rubygem-activesupport-2_3-2.3.16-3.13.1 rubygem-activesupport-2_3-doc-2.3.16-3.13.1 rubygem-rack-1_1-1.1.5-3.5.1 rubygem-rack-1_1-doc-1.1.5-3.5.1 rubygem-rack-1_1-testsuite-1.1.5-3.5.1 rubygem-rails-2_3-2.3.16-3.9.1 rubygem-rails-2_3-doc-2.3.16-3.9.1 - openSUSE 12.1 (noarch): rubygem-actionmailer-2.3.16-2.7.1 rubygem-actionpack-2.3.16-2.7.1 rubygem-activerecord-2.3.16-2.7.1 rubygem-activeresource-2.3.16-2.7.1 rubygem-activesupport-2.3.16-2.7.1 rubygem-rails-2.3.16-2.7.1 References: http://support.novell.com/security/cve/CVE-2012-2695.html http://support.novell.com/security/cve/CVE-2012-5664.html http://support.novell.com/security/cve/CVE-2013-0155.html http://support.novell.com/security/cve/CVE-2013-0156.html http://support.novell.com/security/cve/CVE-2013-0333.html https://bugzilla.novell.com/766792 https://bugzilla.novell.com/775649 https://bugzilla.novell.com/775653 https://bugzilla.novell.com/796712 https://bugzilla.novell.com/797449 https://bugzilla.novell.com/797452 https://bugzilla.novell.com/798452 https://bugzilla.novell.com/798458 https://bugzilla.novell.com/800320 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0275-1: important: update for libvirt
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: update for libvirt ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0275-1 Rating: important References: #793900 #800976 Cross-References: CVE-2013-0170 Affected Products: openSUSE 12.2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: - Update to libvirt 0.9.11.9 stable release - Fixes CVE-2013-0170 by including cherry picked master commit 46532e3e, bnc#800976 - Fix starting lxc VM e.g from OpenStack bnc#793900 and rh#858104 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-108 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): libvirt-0.9.11.9-1.9.1 libvirt-client-0.9.11.9-1.9.1 libvirt-client-debuginfo-0.9.11.9-1.9.1 libvirt-debuginfo-0.9.11.9-1.9.1 libvirt-debugsource-0.9.11.9-1.9.1 libvirt-devel-0.9.11.9-1.9.1 libvirt-doc-0.9.11.9-1.9.1 libvirt-lock-sanlock-0.9.11.9-1.9.1 libvirt-lock-sanlock-debuginfo-0.9.11.9-1.9.1 libvirt-python-0.9.11.9-1.9.1 libvirt-python-debuginfo-0.9.11.9-1.9.1 - openSUSE 12.2 (x86_64): libvirt-client-32bit-0.9.11.9-1.9.1 libvirt-client-debuginfo-32bit-0.9.11.9-1.9.1 libvirt-devel-32bit-0.9.11.9-1.9.1 References: http://support.novell.com/security/cve/CVE-2013-0170.html https://bugzilla.novell.com/793900 https://bugzilla.novell.com/800976 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0274-1: important: libvirt to fix use-after-free in virNetMessageFree()
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: libvirt to fix use-after-free in virNetMessageFree() ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0274-1 Rating: important References: #772586 #773621 #773626 #780432 #800976 Cross-References: CVE-2012-4423 CVE-2013-0170 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. Description: libvirt was updated to fix some bugs and security issues: Security issues fixed: - Fix crash on error paths of message dispatching, CVE-2013-0170 bnc#800976 - security: Fix libvirtd crash possibility CVE-2012-4423 bnc#780432 Also bugs were fixed: - qemu: Fix probing for guest capabilities bnc#772586 - xen-xm: Generate UUID if not specified bnc#773626 - xenParseXM: don't dereference NULL pointer when script is empty bnc#773621 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-105 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): libvirt-0.9.6-3.13.1 libvirt-client-0.9.6-3.13.1 libvirt-client-debuginfo-0.9.6-3.13.1 libvirt-debuginfo-0.9.6-3.13.1 libvirt-debugsource-0.9.6-3.13.1 libvirt-devel-0.9.6-3.13.1 libvirt-doc-0.9.6-3.13.1 libvirt-python-0.9.6-3.13.1 libvirt-python-debuginfo-0.9.6-3.13.1 - openSUSE 12.1 (x86_64): libvirt-client-32bit-0.9.6-3.13.1 libvirt-client-debuginfo-32bit-0.9.6-3.13.1 libvirt-devel-32bit-0.9.6-3.13.1 - openSUSE 12.1 (ia64): libvirt-client-debuginfo-x86-0.9.6-3.13.1 libvirt-client-x86-0.9.6-3.13.1 References: http://support.novell.com/security/cve/CVE-2012-4423.html http://support.novell.com/security/cve/CVE-2013-0170.html https://bugzilla.novell.com/772586 https://bugzilla.novell.com/773621 https://bugzilla.novell.com/773626 https://bugzilla.novell.com/780432 https://bugzilla.novell.com/800976 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0262-1: important: Security update for MySQL
by opensuse-security＠opensuse.org 09 Feb '13

09 Feb '13

SUSE Security Update: Security update for MySQL ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0262-1 Rating: important References: #792444 Cross-References: CVE-2012-5611 CVE-2012-5612 CVE-2012-5613 CVE-2012-5615 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: A stack-based buffer overflow in MySQL has been fixed that could have caused a Denial of Service or potentially allowed the execution of arbitrary code (CVE-2012-5611). Security Issue references: * CVE-2012-5615 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615 > * CVE-2012-5615 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615 > * CVE-2012-5613 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5613 > * CVE-2012-5612 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5612 > * CVE-2012-5611 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-libmysqlclient-devel-7251 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-libmysqlclient-devel-7251 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-libmysqlclient-devel-7251 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-libmysqlclient-devel-7251 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient-devel-5.0.96-0.6.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient_r15-32bit-5.0.96-0.6.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ia64) [New Version: 5.0.96]: libmysqlclient_r15-x86-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 5.0.96]: libmysqlclient15-5.0.96-0.6.1 libmysqlclient_r15-5.0.96-0.6.1 mysql-5.0.96-0.6.1 mysql-Max-5.0.96-0.6.1 mysql-client-5.0.96-0.6.1 mysql-tools-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 5.0.96]: libmysqlclient15-32bit-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient15-5.0.96-0.6.1 libmysqlclient_r15-5.0.96-0.6.1 mysql-5.0.96-0.6.1 mysql-Max-5.0.96-0.6.1 mysql-client-5.0.96-0.6.1 mysql-tools-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient15-32bit-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 5.0.96]: libmysqlclient15-x86-5.0.96-0.6.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 5.0.96]: libmysqlclient15-5.0.96-0.6.1 libmysqlclient_r15-5.0.96-0.6.1 mysql-5.0.96-0.6.1 mysql-client-5.0.96-0.6.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 5.0.96]: libmysqlclient15-32bit-5.0.96-0.6.1 libmysqlclient_r15-32bit-5.0.96-0.6.1 References: http://support.novell.com/security/cve/CVE-2012-5611.html http://support.novell.com/security/cve/CVE-2012-5612.html http://support.novell.com/security/cve/CVE-2012-5613.html http://support.novell.com/security/cve/CVE-2012-5615.html https://bugzilla.novell.com/792444 http://download.novell.com/patch/finder/?keywords=2bcc2cee7b87c19c04bc8cce8… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0