February 2013 - openSUSE Security Announce

[security-announce] openSUSE-SU-2013:0280-1: important: ruby on rails to 2.3.16
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: ruby on rails to 2.3.16 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0280-1 Rating: important References: #766792 #775649 #775653 #796712 #797449 #797452 #798452 #798458 #800320 Cross-References: CVE-2012-2695 CVE-2012-5664 CVE-2013-0155 CVE-2013-0156 CVE-2013-0333 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has four fixes is now available. Description: This update updates the RubyOnRails 2.3 stack to 2.3.16. Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed. CVE-2012-5664: options hashes should only be extracted if there are extra parameters CVE-2012-2695: Fix SQL injection via nested hashes in conditions CVE-2013-0156: Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XM Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-21 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): rubygem-actionmailer-2_3-2.3.16-0.16.1 rubygem-actionmailer-2_3-doc-2.3.16-0.16.1 rubygem-actionmailer-2_3-testsuite-2.3.16-0.16.1 rubygem-actionpack-2_3-2.3.16-0.23.1 rubygem-actionpack-2_3-doc-2.3.16-0.23.1 rubygem-actionpack-2_3-testsuite-2.3.16-0.23.1 rubygem-activerecord-2_3-2.3.16-0.19.1 rubygem-activerecord-2_3-doc-2.3.16-0.19.1 rubygem-activerecord-2_3-testsuite-2.3.16-0.19.1 rubygem-activeresource-2_3-2.3.16-0.16.1 rubygem-activeresource-2_3-doc-2.3.16-0.16.1 rubygem-activeresource-2_3-testsuite-2.3.16-0.16.1 rubygem-activesupport-2_3-2.3.16-0.16.1 rubygem-activesupport-2_3-doc-2.3.16-0.16.1 rubygem-rack-1.1.5-0.8.1 rubygem-rails-2_3-2.3.16-0.12.1 rubygem-rails-2_3-doc-2.3.16-0.12.1 - openSUSE 11.4 (noarch): rubygem-actionmailer-2.3.16-0.6.1 rubygem-actionpack-2.3.16-0.6.1 rubygem-activerecord-2.3.16-0.6.1 rubygem-activeresource-2.3.16-0.6.1 rubygem-activesupport-2.3.16-0.6.1 rubygem-rails-2.3.16-0.6.1 References: http://support.novell.com/security/cve/CVE-2012-2695.html http://support.novell.com/security/cve/CVE-2012-5664.html http://support.novell.com/security/cve/CVE-2013-0155.html http://support.novell.com/security/cve/CVE-2013-0156.html http://support.novell.com/security/cve/CVE-2013-0333.html https://bugzilla.novell.com/766792 https://bugzilla.novell.com/775649 https://bugzilla.novell.com/775653 https://bugzilla.novell.com/796712 https://bugzilla.novell.com/797449 https://bugzilla.novell.com/797452 https://bugzilla.novell.com/798452 https://bugzilla.novell.com/798458 https://bugzilla.novell.com/800320 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0279-1: critical: flash-player to 11.2.202.262
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: flash-player to 11.2.202.262 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0279-1 Rating: critical References: #802809 Cross-References: CVE-2013-0633 CVE-2013-0634 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: Adobe Flash Player was updated to 11.2.202.262 to fix various security issues and bugs. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-111 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): flash-player-11.2.202.262-46.1 flash-player-gnome-11.2.202.262-46.1 flash-player-kde4-11.2.202.262-46.1 References: http://support.novell.com/security/cve/CVE-2013-0633.html http://support.novell.com/security/cve/CVE-2013-0634.html https://bugzilla.novell.com/802809 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0278-1: important: ruby on rails to 2.3.16
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: ruby on rails to 2.3.16 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0278-1 Rating: important References: #766792 #775649 #775653 #796712 #797449 #797452 #798452 #798458 #800320 Cross-References: CVE-2012-2695 CVE-2012-5664 CVE-2013-0155 CVE-2013-0156 CVE-2013-0333 Affected Products: openSUSE 12.2 openSUSE 12.1 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has four fixes is now available. Description: This update updates the RubyOnRails 2.3 stack to 2.3.16, also this update updates the RubyOnRails 3.2 stack to 3.2.11. Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-106 - openSUSE 12.1: zypper in -t patch openSUSE-2013-106 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): rubygem-actionmailer-2_3-2.3.16-2.5.3 rubygem-actionmailer-2_3-doc-2.3.16-2.5.3 rubygem-actionmailer-2_3-testsuite-2.3.16-2.5.3 rubygem-actionmailer-3_2-3.2.11-2.9.5 rubygem-actionmailer-3_2-doc-3.2.11-2.9.5 rubygem-actionpack-2_3-2.3.16-2.13.3 rubygem-actionpack-2_3-doc-2.3.16-2.13.3 rubygem-actionpack-2_3-testsuite-2.3.16-2.13.3 rubygem-actionpack-3_2-3.2.11-3.9.4 rubygem-actionpack-3_2-doc-3.2.11-3.9.4 rubygem-activemodel-3_2-3.2.11-2.9.2 rubygem-activemodel-3_2-doc-3.2.11-2.9.2 rubygem-activerecord-2_3-2.3.16-2.9.2 rubygem-activerecord-2_3-doc-2.3.16-2.9.2 rubygem-activerecord-2_3-testsuite-2.3.16-2.9.2 rubygem-activerecord-3_2-3.2.11-2.9.1 rubygem-activerecord-3_2-doc-3.2.11-2.9.1 rubygem-activeresource-2_3-2.3.16-2.5.2 rubygem-activeresource-2_3-doc-2.3.16-2.5.2 rubygem-activeresource-2_3-testsuite-2.3.16-2.5.2 rubygem-activeresource-3_2-3.2.11-2.9.1 rubygem-activeresource-3_2-doc-3.2.11-2.9.1 rubygem-activesupport-2_3-2.3.16-3.9.1 rubygem-activesupport-2_3-doc-2.3.16-3.9.1 rubygem-activesupport-3_2-3.2.11-2.9.1 rubygem-activesupport-3_2-doc-3.2.11-2.9.1 rubygem-rack-1_1-1.1.5-6.5.1 rubygem-rack-1_1-doc-1.1.5-6.5.1 rubygem-rack-1_1-testsuite-1.1.5-6.5.1 rubygem-rack-1_2-1.2.7-2.5.1 rubygem-rack-1_2-doc-1.2.7-2.5.1 rubygem-rack-1_2-testsuite-1.2.7-2.5.1 rubygem-rack-1_3-1.3.9-2.5.1 rubygem-rack-1_3-doc-1.3.9-2.5.1 rubygem-rack-1_3-testsuite-1.3.9-2.5.1 rubygem-rack-1_4-1.4.1-2.5.1 rubygem-rack-1_4-doc-1.4.1-2.5.1 rubygem-rack-1_4-testsuite-1.4.1-2.5.1 rubygem-rails-2_3-2.3.16-3.5.1 rubygem-rails-2_3-doc-2.3.16-3.5.1 rubygem-rails-3_2-3.2.11-2.9.1 rubygem-rails-3_2-doc-3.2.11-2.9.1 rubygem-railties-3_2-3.2.11-2.9.1 rubygem-railties-3_2-doc-3.2.11-2.9.1 rubygem-sprockets-2_2-2.2.2-2.2 rubygem-sprockets-2_2-doc-2.2.2-2.2 - openSUSE 12.2 (noarch): rubygem-actionmailer-2.3.16-2.5.1 rubygem-actionpack-2.3.16-2.5.1 rubygem-activerecord-2.3.16-3.5.1 rubygem-activeresource-2.3.16-3.5.1 rubygem-activesupport-2.3.16-3.5.1 rubygem-rails-2.3.16-3.5.1 - openSUSE 12.1 (i586 x86_64): rubygem-actionmailer-2_3-2.3.16-3.9.3 rubygem-actionmailer-2_3-doc-2.3.16-3.9.3 rubygem-actionmailer-2_3-testsuite-2.3.16-3.9.3 rubygem-actionpack-2_3-2.3.16-3.16.2 rubygem-actionpack-2_3-doc-2.3.16-3.16.2 rubygem-actionpack-2_3-testsuite-2.3.16-3.16.2 rubygem-activerecord-2_3-2.3.16-3.12.2 rubygem-activerecord-2_3-doc-2.3.16-3.12.2 rubygem-activerecord-2_3-testsuite-2.3.16-3.12.2 rubygem-activeresource-2_3-2.3.16-3.9.2 rubygem-activeresource-2_3-doc-2.3.16-3.9.2 rubygem-activeresource-2_3-testsuite-2.3.16-3.9.2 rubygem-activesupport-2_3-2.3.16-3.13.1 rubygem-activesupport-2_3-doc-2.3.16-3.13.1 rubygem-rack-1_1-1.1.5-3.5.1 rubygem-rack-1_1-doc-1.1.5-3.5.1 rubygem-rack-1_1-testsuite-1.1.5-3.5.1 rubygem-rails-2_3-2.3.16-3.9.1 rubygem-rails-2_3-doc-2.3.16-3.9.1 - openSUSE 12.1 (noarch): rubygem-actionmailer-2.3.16-2.7.1 rubygem-actionpack-2.3.16-2.7.1 rubygem-activerecord-2.3.16-2.7.1 rubygem-activeresource-2.3.16-2.7.1 rubygem-activesupport-2.3.16-2.7.1 rubygem-rails-2.3.16-2.7.1 References: http://support.novell.com/security/cve/CVE-2012-2695.html http://support.novell.com/security/cve/CVE-2012-5664.html http://support.novell.com/security/cve/CVE-2013-0155.html http://support.novell.com/security/cve/CVE-2013-0156.html http://support.novell.com/security/cve/CVE-2013-0333.html https://bugzilla.novell.com/766792 https://bugzilla.novell.com/775649 https://bugzilla.novell.com/775653 https://bugzilla.novell.com/796712 https://bugzilla.novell.com/797449 https://bugzilla.novell.com/797452 https://bugzilla.novell.com/798452 https://bugzilla.novell.com/798458 https://bugzilla.novell.com/800320 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0275-1: important: update for libvirt
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: update for libvirt ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0275-1 Rating: important References: #793900 #800976 Cross-References: CVE-2013-0170 Affected Products: openSUSE 12.2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: - Update to libvirt 0.9.11.9 stable release - Fixes CVE-2013-0170 by including cherry picked master commit 46532e3e, bnc#800976 - Fix starting lxc VM e.g from OpenStack bnc#793900 and rh#858104 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-108 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): libvirt-0.9.11.9-1.9.1 libvirt-client-0.9.11.9-1.9.1 libvirt-client-debuginfo-0.9.11.9-1.9.1 libvirt-debuginfo-0.9.11.9-1.9.1 libvirt-debugsource-0.9.11.9-1.9.1 libvirt-devel-0.9.11.9-1.9.1 libvirt-doc-0.9.11.9-1.9.1 libvirt-lock-sanlock-0.9.11.9-1.9.1 libvirt-lock-sanlock-debuginfo-0.9.11.9-1.9.1 libvirt-python-0.9.11.9-1.9.1 libvirt-python-debuginfo-0.9.11.9-1.9.1 - openSUSE 12.2 (x86_64): libvirt-client-32bit-0.9.11.9-1.9.1 libvirt-client-debuginfo-32bit-0.9.11.9-1.9.1 libvirt-devel-32bit-0.9.11.9-1.9.1 References: http://support.novell.com/security/cve/CVE-2013-0170.html https://bugzilla.novell.com/793900 https://bugzilla.novell.com/800976 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0274-1: important: libvirt to fix use-after-free in virNetMessageFree()
by opensuse-security＠opensuse.org 12 Feb '13

12 Feb '13

openSUSE Security Update: libvirt to fix use-after-free in virNetMessageFree() ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0274-1 Rating: important References: #772586 #773621 #773626 #780432 #800976 Cross-References: CVE-2012-4423 CVE-2013-0170 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. Description: libvirt was updated to fix some bugs and security issues: Security issues fixed: - Fix crash on error paths of message dispatching, CVE-2013-0170 bnc#800976 - security: Fix libvirtd crash possibility CVE-2012-4423 bnc#780432 Also bugs were fixed: - qemu: Fix probing for guest capabilities bnc#772586 - xen-xm: Generate UUID if not specified bnc#773626 - xenParseXM: don't dereference NULL pointer when script is empty bnc#773621 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-105 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): libvirt-0.9.6-3.13.1 libvirt-client-0.9.6-3.13.1 libvirt-client-debuginfo-0.9.6-3.13.1 libvirt-debuginfo-0.9.6-3.13.1 libvirt-debugsource-0.9.6-3.13.1 libvirt-devel-0.9.6-3.13.1 libvirt-doc-0.9.6-3.13.1 libvirt-python-0.9.6-3.13.1 libvirt-python-debuginfo-0.9.6-3.13.1 - openSUSE 12.1 (x86_64): libvirt-client-32bit-0.9.6-3.13.1 libvirt-client-debuginfo-32bit-0.9.6-3.13.1 libvirt-devel-32bit-0.9.6-3.13.1 - openSUSE 12.1 (ia64): libvirt-client-debuginfo-x86-0.9.6-3.13.1 libvirt-client-x86-0.9.6-3.13.1 References: http://support.novell.com/security/cve/CVE-2012-4423.html http://support.novell.com/security/cve/CVE-2013-0170.html https://bugzilla.novell.com/772586 https://bugzilla.novell.com/773621 https://bugzilla.novell.com/773626 https://bugzilla.novell.com/780432 https://bugzilla.novell.com/800976 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0262-1: important: Security update for MySQL
by opensuse-security＠opensuse.org 09 Feb '13

09 Feb '13

SUSE Security Update: Security update for MySQL ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0262-1 Rating: important References: #792444 Cross-References: CVE-2012-5611 CVE-2012-5612 CVE-2012-5613 CVE-2012-5615 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: A stack-based buffer overflow in MySQL has been fixed that could have caused a Denial of Service or potentially allowed the execution of arbitrary code (CVE-2012-5611). Security Issue references: * CVE-2012-5615 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615 > * CVE-2012-5615 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615 > * CVE-2012-5613 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5613 > * CVE-2012-5612 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5612 > * CVE-2012-5611 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-libmysqlclient-devel-7251 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-libmysqlclient-devel-7251 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-libmysqlclient-devel-7251 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-libmysqlclient-devel-7251 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient-devel-5.0.96-0.6.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient_r15-32bit-5.0.96-0.6.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ia64) [New Version: 5.0.96]: libmysqlclient_r15-x86-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 5.0.96]: libmysqlclient15-5.0.96-0.6.1 libmysqlclient_r15-5.0.96-0.6.1 mysql-5.0.96-0.6.1 mysql-Max-5.0.96-0.6.1 mysql-client-5.0.96-0.6.1 mysql-tools-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 5.0.96]: libmysqlclient15-32bit-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient15-5.0.96-0.6.1 libmysqlclient_r15-5.0.96-0.6.1 mysql-5.0.96-0.6.1 mysql-Max-5.0.96-0.6.1 mysql-client-5.0.96-0.6.1 mysql-tools-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 5.0.96]: libmysqlclient15-32bit-5.0.96-0.6.1 - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 5.0.96]: libmysqlclient15-x86-5.0.96-0.6.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 5.0.96]: libmysqlclient15-5.0.96-0.6.1 libmysqlclient_r15-5.0.96-0.6.1 mysql-5.0.96-0.6.1 mysql-client-5.0.96-0.6.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 5.0.96]: libmysqlclient15-32bit-5.0.96-0.6.1 libmysqlclient_r15-32bit-5.0.96-0.6.1 References: http://support.novell.com/security/cve/CVE-2012-5611.html http://support.novell.com/security/cve/CVE-2012-5612.html http://support.novell.com/security/cve/CVE-2012-5613.html http://support.novell.com/security/cve/CVE-2012-5615.html https://bugzilla.novell.com/792444 http://download.novell.com/patch/finder/?keywords=2bcc2cee7b87c19c04bc8cce8… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0