May 2013 - openSUSE Security Announce - openSUSE Mailing Lists

[security-announce] SUSE-SU-2013:0851-1: important: Security update for icedtea-web
by opensuse-security＠opensuse.org 31 May '13

31 May '13

SUSE Security Update: Security update for icedtea-web ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0851-1 Rating: important References: #818768 Cross-References: CVE-2012-3422 CVE-2012-3423 CVE-2013-1926 CVE-2013-1927 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: This update of icedtea-web fixes several bugs and security issues. Security Issue references: * CVE-2013-1926 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1926 > * CVE-2013-1927 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1927 > * CVE-2012-3422 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422 > * CVE-2012-3423 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-icedtea-web-7742 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 1.4]: icedtea-web-1.4-0.5.1 References: http://support.novell.com/security/cve/CVE-2012-3422.html http://support.novell.com/security/cve/CVE-2012-3423.html http://support.novell.com/security/cve/CVE-2013-1926.html http://support.novell.com/security/cve/CVE-2013-1927.html https://bugzilla.novell.com/818768 http://download.novell.com/patch/finder/?keywords=54cbb275b064b07a56d2e955c… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0850-1: important: Security update for Mozilla Firefox
by opensuse-security＠opensuse.org 31 May '13

31 May '13

SUSE Security Update: Security update for Mozilla Firefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0850-1 Rating: important References: #819204 Affected Products: SUSE Linux Enterprise Server 11 SP1 for VMware LTSS SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes four new package versions. Description: Mozilla Firefox has been updated to the17.0.6ESR security version upgrade as a LTSS roll up release. * MFSA 2013-30: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian Holler, Milan Sreckovic, and Joe Drew reported memory safety problems and crashes that affect Firefox ESR 17, and Firefox 19. (CVE-2013-0788) * MFSA 2013-31 / CVE-2013-0800: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in Cairo graphics library. When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading to a potentially exploitable crash in some instances. * MFSA 2013-32 / CVE-2013-0799: Security researcher Frederic Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control (UAC) prompt. The Mozilla Maintenance Service is configured to allow unprivileged users to start it with arbitrary arguments. By manipulating the data passed in these arguments, an attacker can execute arbitrary code with the system privileges used by the service. This issue requires local file system access to be exploitable. * MFSA 2013-34 / CVE-2013-0797: Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is placed in a specific location on the local system before the Mozilla Updater is run. Local file system access is necessary in order for this issue to be exploitable. * MFSA 2013-35 / CVE-2013-0796: Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. This issue only affects Linux users who have Intel Mesa graphics drivers. The resulting crash could be potentially exploitable. * MFSA 2013-36 / CVE-2013-0795: Security researcher Cody Crews reported a mechanism to use the cloneNode method to bypass System Only Wrappers (SOW) and clone a protected node. This allows violation of the browser's same origin policy and could also lead to privilege escalation and the execution of arbitrary code. * MFSA 2013-37 / CVE-2013-0794: Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter data into a modal prompt dialog on an attacking, site while appearing to be from the displayed site. * MFSA 2013-38 / CVE-2013-0793: Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the browser. This allows for a cross-site scripting (XSS) attack or the theft of data through a phishing attack. * MFSA 2013-39 / CVE-2013-0792: Mozilla community member Tobias Schula reported that if gfx.color_management.enablev4 preference is enabled manually in about:config, some grayscale PNG images will be rendered incorrectly and cause memory corruption during PNG decoding when certain color profiles are in use. A crafted PNG image could use this flaw to leak data through rendered images drawing from random memory. By default, this preference is not enabled. * MFSA 2013-40 / CVE-2013-0791: Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) libary when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS: zypper in -t patch slessp1-firefox-20130516-7755 - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-firefox-20130516-7755 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 17.0.6esr,3.14.3 and 4.9.6]: MozillaFirefox-17.0.6esr-0.4.1 MozillaFirefox-translations-17.0.6esr-0.4.1 libfreebl3-3.14.3-0.4.3.1 mozilla-nspr-4.9.6-0.3.1 mozilla-nss-3.14.3-0.4.3.1 mozilla-nss-tools-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (x86_64) [New Version: 3.14.3 and 4.9.6]: libfreebl3-32bit-3.14.3-0.4.3.1 mozilla-nspr-32bit-4.9.6-0.3.1 mozilla-nss-32bit-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 17.0.6esr,3.14.3,4.9.6 and 7]: MozillaFirefox-17.0.6esr-0.4.1 MozillaFirefox-branding-SLED-7-0.6.9.20 MozillaFirefox-translations-17.0.6esr-0.4.1 libfreebl3-3.14.3-0.4.3.1 mozilla-nspr-4.9.6-0.3.1 mozilla-nss-3.14.3-0.4.3.1 mozilla-nss-tools-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.14.3 and 4.9.6]: libfreebl3-32bit-3.14.3-0.4.3.1 mozilla-nspr-32bit-4.9.6-0.3.1 mozilla-nss-32bit-3.14.3-0.4.3.1 References: https://bugzilla.novell.com/819204 http://download.novell.com/patch/finder/?keywords=237c6316d58c29602f03bb36b… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0847-1: important: kernel: security and bugfix update
by opensuse-security＠opensuse.org 31 May '13

31 May '13

openSUSE Security Update: kernel: security and bugfix update ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0847-1 Rating: important References: #806138 #806976 #806980 #808829 #809748 #813735 #815745 #819519 #819789 Cross-References: CVE-2013-0913 CVE-2013-1767 CVE-2013-1774 CVE-2013-1796 CVE-2013-1797 CVE-2013-1798 CVE-2013-2094 Affected Products: openSUSE 12.1 ______________________________________________________________________________ An update that solves 7 vulnerabilities and has two fixes is now available. Description: The openSUSE 12.1 kernel was updated to fix a severe secrutiy issue and various bugs. Security issues fixed: CVE-2013-2094: The perf_swevent_init function in kernel/events/core.c in the Linux kernel used an incorrect integer data type, which allowed local users to gain privileges via a crafted perf_event_open system call. CVE-2013-1774: The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. CVE-2013-1796: The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel did not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allowed guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. CVE-2013-1797: Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel allowed guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. CVE-2013-1798: The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel did not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allowed guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. CVE-2013-1767: Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. CVE-2013-0913: Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel allowed local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition. Bugs fixed: - qlge: fix dma map leak when the last chunk is not allocated (bnc#819519). - TTY: fix atime/mtime regression (bnc#815745). - fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check (bnc#813735). - USB: io_ti: Fix NULL dereference in chase_port() (bnc#806976, CVE-2013-1774). - KVM: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache_init (bnc#806980 CVE-2013-1797). - KVM: Fix bounds checking in ioapic indirect register read (bnc#806980 CVE-2013-1798). - KVM: Fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (bnc#806980 CVE-2013-1796). - kabi/severities: Allow kvm module abi changes - modules are self consistent - loopdev: fix a deadlock (bnc#809748). - block: use i_size_write() in bd_set_size() (bnc#809748). - drm/i915: bounds check execbuffer relocation count (bnc#808829,CVE-2013-0913). - tmpfs: fix use-after-free of mempolicy object (bnc#806138, CVE-2013-1767). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.1: zypper in -t patch openSUSE-2013-454 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.1 (i586 x86_64): kernel-debug-3.1.10-1.23.1.g8645a72 kernel-debug-base-3.1.10-1.23.1.g8645a72 kernel-debug-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-debug-debuginfo-3.1.10-1.23.1.g8645a72 kernel-debug-debugsource-3.1.10-1.23.1.g8645a72 kernel-debug-devel-3.1.10-1.23.1.g8645a72 kernel-debug-devel-debuginfo-3.1.10-1.23.1.g8645a72 kernel-default-3.1.10-1.23.1.g8645a72 kernel-default-base-3.1.10-1.23.1.g8645a72 kernel-default-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-default-debuginfo-3.1.10-1.23.1.g8645a72 kernel-default-debugsource-3.1.10-1.23.1.g8645a72 kernel-default-devel-3.1.10-1.23.1.g8645a72 kernel-default-devel-debuginfo-3.1.10-1.23.1.g8645a72 kernel-desktop-3.1.10-1.23.1.g8645a72 kernel-desktop-base-3.1.10-1.23.1.g8645a72 kernel-desktop-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-desktop-debuginfo-3.1.10-1.23.1.g8645a72 kernel-desktop-debugsource-3.1.10-1.23.1.g8645a72 kernel-desktop-devel-3.1.10-1.23.1.g8645a72 kernel-desktop-devel-debuginfo-3.1.10-1.23.1.g8645a72 kernel-ec2-3.1.10-1.23.1.g8645a72 kernel-ec2-base-3.1.10-1.23.1.g8645a72 kernel-ec2-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-ec2-debuginfo-3.1.10-1.23.1.g8645a72 kernel-ec2-debugsource-3.1.10-1.23.1.g8645a72 kernel-ec2-devel-3.1.10-1.23.1.g8645a72 kernel-ec2-devel-debuginfo-3.1.10-1.23.1.g8645a72 kernel-ec2-extra-3.1.10-1.23.1.g8645a72 kernel-ec2-extra-debuginfo-3.1.10-1.23.1.g8645a72 kernel-syms-3.1.10-1.23.1.g8645a72 kernel-trace-3.1.10-1.23.1.g8645a72 kernel-trace-base-3.1.10-1.23.1.g8645a72 kernel-trace-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-trace-debuginfo-3.1.10-1.23.1.g8645a72 kernel-trace-debugsource-3.1.10-1.23.1.g8645a72 kernel-trace-devel-3.1.10-1.23.1.g8645a72 kernel-trace-devel-debuginfo-3.1.10-1.23.1.g8645a72 kernel-vanilla-3.1.10-1.23.1.g8645a72 kernel-vanilla-base-3.1.10-1.23.1.g8645a72 kernel-vanilla-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-vanilla-debuginfo-3.1.10-1.23.1.g8645a72 kernel-vanilla-debugsource-3.1.10-1.23.1.g8645a72 kernel-vanilla-devel-3.1.10-1.23.1.g8645a72 kernel-vanilla-devel-debuginfo-3.1.10-1.23.1.g8645a72 kernel-xen-3.1.10-1.23.1.g8645a72 kernel-xen-base-3.1.10-1.23.1.g8645a72 kernel-xen-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-xen-debuginfo-3.1.10-1.23.1.g8645a72 kernel-xen-debugsource-3.1.10-1.23.1.g8645a72 kernel-xen-devel-3.1.10-1.23.1.g8645a72 kernel-xen-devel-debuginfo-3.1.10-1.23.1.g8645a72 - openSUSE 12.1 (noarch): kernel-devel-3.1.10-1.23.1.g8645a72 kernel-docs-3.1.10-1.23.2.g8645a72 kernel-source-3.1.10-1.23.1.g8645a72 kernel-source-vanilla-3.1.10-1.23.1.g8645a72 - openSUSE 12.1 (i586): kernel-pae-3.1.10-1.23.1.g8645a72 kernel-pae-base-3.1.10-1.23.1.g8645a72 kernel-pae-base-debuginfo-3.1.10-1.23.1.g8645a72 kernel-pae-debuginfo-3.1.10-1.23.1.g8645a72 kernel-pae-debugsource-3.1.10-1.23.1.g8645a72 kernel-pae-devel-3.1.10-1.23.1.g8645a72 kernel-pae-devel-debuginfo-3.1.10-1.23.1.g8645a72 References: http://support.novell.com/security/cve/CVE-2013-0913.html http://support.novell.com/security/cve/CVE-2013-1767.html http://support.novell.com/security/cve/CVE-2013-1774.html http://support.novell.com/security/cve/CVE-2013-1796.html http://support.novell.com/security/cve/CVE-2013-1797.html http://support.novell.com/security/cve/CVE-2013-1798.html http://support.novell.com/security/cve/CVE-2013-2094.html https://bugzilla.novell.com/806138 https://bugzilla.novell.com/806976 https://bugzilla.novell.com/806980 https://bugzilla.novell.com/808829 https://bugzilla.novell.com/809748 https://bugzilla.novell.com/813735 https://bugzilla.novell.com/815745 https://bugzilla.novell.com/819519 https://bugzilla.novell.com/819789 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0845-1: critical: Security update for Linux kernel
by opensuse-security＠opensuse.org 31 May '13

31 May '13

SUSE Security Update: Security update for Linux kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0845-1 Rating: critical References: #821560 Cross-References: CVE-2013-2850 Affected Products: SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Real Time 11 SP2 SUSE Linux Enterprise High Availability Extension 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 SLE 11 SERVER Unsupported Extras ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes two new package versions. Description: The SUSE Linux Enterprise 11 SP2 Realtime kernel has been updated to fix a critical security issue. * CVE-2013-2850: Incorrect strncpy usage in the network listening part of the iscsi target driver could have been used by remote attackers to crash the kernel or execute code. This required the iscsi target running on the machine and the attacker able to make a network connection to it (aka not filtered by firewalls). Security Issue reference: * CVE-2013-2850 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2850 > Indications: Everyone using the Real Time Linux Kernel on x86_64 architecture should update. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-kernel-7763 slessp2-kernel-7767 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-kernel-7763 slessp2-kernel-7764 slessp2-kernel-7765 slessp2-kernel-7766 slessp2-kernel-7767 - SUSE Linux Enterprise Real Time 11 SP2: zypper in -t patch slertesp2-kernel-7774 - SUSE Linux Enterprise High Availability Extension 11 SP2: zypper in -t patch sleshasp2-kernel-7763 sleshasp2-kernel-7764 sleshasp2-kernel-7765 sleshasp2-kernel-7766 sleshasp2-kernel-7767 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-kernel-7763 sledsp2-kernel-7767 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 3.0.74]: kernel-default-3.0.74-0.6.10.1 kernel-default-base-3.0.74-0.6.10.1 kernel-default-devel-3.0.74-0.6.10.1 kernel-source-3.0.74-0.6.10.1 kernel-syms-3.0.74-0.6.10.1 kernel-trace-3.0.74-0.6.10.1 kernel-trace-base-3.0.74-0.6.10.1 kernel-trace-devel-3.0.74-0.6.10.1 kernel-xen-devel-3.0.74-0.6.10.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64): xen-kmp-trace-4.1.4_02_3.0.74_0.6.10-0.5.32 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586) [New Version: 3.0.74]: kernel-pae-3.0.74-0.6.10.1 kernel-pae-base-3.0.74-0.6.10.1 kernel-pae-devel-3.0.74-0.6.10.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.0.74]: kernel-default-3.0.74-0.6.10.1 kernel-default-base-3.0.74-0.6.10.1 kernel-default-devel-3.0.74-0.6.10.1 kernel-source-3.0.74-0.6.10.1 kernel-syms-3.0.74-0.6.10.1 kernel-trace-3.0.74-0.6.10.1 kernel-trace-base-3.0.74-0.6.10.1 kernel-trace-devel-3.0.74-0.6.10.1 - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64) [New Version: 3.0.74]: kernel-ec2-3.0.74-0.6.10.1 kernel-ec2-base-3.0.74-0.6.10.1 kernel-ec2-devel-3.0.74-0.6.10.1 kernel-xen-3.0.74-0.6.10.1 kernel-xen-base-3.0.74-0.6.10.1 kernel-xen-devel-3.0.74-0.6.10.1 - SUSE Linux Enterprise Server 11 SP2 (x86_64): xen-kmp-default-4.1.4_02_3.0.74_0.6.10-0.5.32 xen-kmp-trace-4.1.4_02_3.0.74_0.6.10-0.5.32 - SUSE Linux Enterprise Server 11 SP2 (s390x) [New Version: 3.0.74]: kernel-default-man-3.0.74-0.6.10.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64) [New Version: 3.0.74]: kernel-ppc64-3.0.74-0.6.10.1 kernel-ppc64-base-3.0.74-0.6.10.1 kernel-ppc64-devel-3.0.74-0.6.10.1 - SUSE Linux Enterprise Server 11 SP2 (i586) [New Version: 3.0.74]: kernel-pae-3.0.74-0.6.10.1 kernel-pae-base-3.0.74-0.6.10.1 kernel-pae-devel-3.0.74-0.6.10.1 - SUSE Linux Enterprise Real Time 11 SP2 (x86_64) [New Version: 3.0.74.rt98]: cluster-network-kmp-rt-1.4_3.0.74_rt98_0.6.6-2.18.42 cluster-network-kmp-rt_trace-1.4_3.0.74_rt98_0.6.6-2.18.42 drbd-kmp-rt-8.4.2_3.0.74_rt98_0.6.6-0.6.6.33 drbd-kmp-rt_trace-8.4.2_3.0.74_rt98_0.6.6-0.6.6.33 iscsitarget-kmp-rt-1.4.20_3.0.74_rt98_0.6.6-0.23.39 iscsitarget-kmp-rt_trace-1.4.20_3.0.74_rt98_0.6.6-0.23.39 kernel-rt-3.0.74.rt98-0.6.6.1 kernel-rt-base-3.0.74.rt98-0.6.6.1 kernel-rt-devel-3.0.74.rt98-0.6.6.1 kernel-rt_trace-3.0.74.rt98-0.6.6.1 kernel-rt_trace-base-3.0.74.rt98-0.6.6.1 kernel-rt_trace-devel-3.0.74.rt98-0.6.6.1 kernel-source-rt-3.0.74.rt98-0.6.6.1 kernel-syms-rt-3.0.74.rt98-0.6.6.1 lttng-modules-kmp-rt-2.0.4_3.0.74_rt98_0.6.6-0.7.33 lttng-modules-kmp-rt_trace-2.0.4_3.0.74_rt98_0.6.6-0.7.33 ocfs2-kmp-rt-1.6_3.0.74_rt98_0.6.6-0.11.41 ocfs2-kmp-rt_trace-1.6_3.0.74_rt98_0.6.6-0.11.41 ofed-kmp-rt-1.5.2_3.0.74_rt98_0.6.6-0.28.28.13 ofed-kmp-rt_trace-1.5.2_3.0.74_rt98_0.6.6-0.28.28.13 - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 ia64 ppc64 s390x x86_64): cluster-network-kmp-default-1.4_3.0.74_0.6.10-2.18.41 cluster-network-kmp-trace-1.4_3.0.74_0.6.10-2.18.41 gfs2-kmp-default-2_3.0.74_0.6.10-0.7.73 gfs2-kmp-trace-2_3.0.74_0.6.10-0.7.73 ocfs2-kmp-default-1.6_3.0.74_0.6.10-0.11.40 ocfs2-kmp-trace-1.6_3.0.74_0.6.10-0.11.40 - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 x86_64): cluster-network-kmp-xen-1.4_3.0.74_0.6.10-2.18.41 gfs2-kmp-xen-2_3.0.74_0.6.10-0.7.73 ocfs2-kmp-xen-1.6_3.0.74_0.6.10-0.11.40 - SUSE Linux Enterprise High Availability Extension 11 SP2 (ppc64): cluster-network-kmp-ppc64-1.4_3.0.74_0.6.10-2.18.41 gfs2-kmp-ppc64-2_3.0.74_0.6.10-0.7.73 ocfs2-kmp-ppc64-1.6_3.0.74_0.6.10-0.11.40 - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586): cluster-network-kmp-pae-1.4_3.0.74_0.6.10-2.18.41 gfs2-kmp-pae-2_3.0.74_0.6.10-0.7.73 ocfs2-kmp-pae-1.6_3.0.74_0.6.10-0.11.40 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 3.0.74]: kernel-default-3.0.74-0.6.10.1 kernel-default-base-3.0.74-0.6.10.1 kernel-default-devel-3.0.74-0.6.10.1 kernel-default-extra-3.0.74-0.6.10.1 kernel-source-3.0.74-0.6.10.1 kernel-syms-3.0.74-0.6.10.1 kernel-trace-3.0.74-0.6.10.1 kernel-trace-base-3.0.74-0.6.10.1 kernel-trace-devel-3.0.74-0.6.10.1 kernel-trace-extra-3.0.74-0.6.10.1 kernel-xen-3.0.74-0.6.10.1 kernel-xen-base-3.0.74-0.6.10.1 kernel-xen-devel-3.0.74-0.6.10.1 kernel-xen-extra-3.0.74-0.6.10.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): xen-kmp-default-4.1.4_02_3.0.74_0.6.10-0.5.32 xen-kmp-trace-4.1.4_02_3.0.74_0.6.10-0.5.32 - SUSE Linux Enterprise Desktop 11 SP2 (i586) [New Version: 3.0.74]: kernel-pae-3.0.74-0.6.10.1 kernel-pae-base-3.0.74-0.6.10.1 kernel-pae-devel-3.0.74-0.6.10.1 kernel-pae-extra-3.0.74-0.6.10.1 - SLE 11 SERVER Unsupported Extras (i586 ia64 ppc64 s390x x86_64): ext4-writeable-kmp-default-0_3.0.74_0.6.10-0.14.54 ext4-writeable-kmp-trace-0_3.0.74_0.6.10-0.14.54 kernel-default-extra-3.0.74-0.6.10.1 - SLE 11 SERVER Unsupported Extras (i586 x86_64): ext4-writeable-kmp-xen-0_3.0.74_0.6.10-0.14.54 kernel-xen-extra-3.0.74-0.6.10.1 - SLE 11 SERVER Unsupported Extras (ppc64): ext4-writeable-kmp-ppc64-0_3.0.74_0.6.10-0.14.54 kernel-ppc64-extra-3.0.74-0.6.10.1 - SLE 11 SERVER Unsupported Extras (i586): ext4-writeable-kmp-pae-0_3.0.74_0.6.10-0.14.54 kernel-pae-extra-3.0.74-0.6.10.1 References: http://support.novell.com/security/cve/CVE-2013-2850.html https://bugzilla.novell.com/821560 http://download.novell.com/patch/finder/?keywords=1f8963a7f578dbd3743c6e749… http://download.novell.com/patch/finder/?keywords=1fa05cb548ccbbeeea9efebd4… http://download.novell.com/patch/finder/?keywords=225f7ae7a37b1e0e7bd41b438… http://download.novell.com/patch/finder/?keywords=29e265518fcdbbd0e187fc660… http://download.novell.com/patch/finder/?keywords=365c32bbb93a197470729827f… http://download.novell.com/patch/finder/?keywords=3e5a351af7e06b418ea159423… http://download.novell.com/patch/finder/?keywords=97af1d7309a1c1d5e0b7c4b2c… http://download.novell.com/patch/finder/?keywords=b6673cd99832cf4abdaec62c3… http://download.novell.com/patch/finder/?keywords=e5565b72804c88529236aa3cf… http://download.novell.com/patch/finder/?keywords=ee98822d63fdbce81547edff1… http://download.novell.com/patch/finder/?keywords=f0453d05d3e6fd02abf10b3df… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0843-1: important: Security update for Mozilla Firefox
by opensuse-security＠opensuse.org 28 May '13

28 May '13

SUSE Security Update: Security update for Mozilla Firefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0843-1 Rating: important References: #755821 #792432 #819204 Cross-References: CVE-2013-0788 CVE-2013-0791 CVE-2013-0792 CVE-2013-0793 CVE-2013-0794 CVE-2013-0795 CVE-2013-0796 CVE-2013-0797 CVE-2013-0799 CVE-2013-0800 Affected Products: SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. It includes one version update. Description: Mozilla Firefox has been updated to the 17.0.6ESR security release. * MFSA 2013-30: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian Holler, Milan Sreckovic, and Joe Drew reported memory safety problems and crashes that affect Firefox ESR 17, and Firefox 19. (CVE-2013-0788) * MFSA 2013-31 / CVE-2013-0800: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in Cairo graphics library. When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading to a potentially exploitable crash in some instances. * MFSA 2013-32 / CVE-2013-0799: Security researcher Frederic Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control (UAC) prompt. The Mozilla Maintenance Service is configured to allow unprivileged users to start it with arbitrary arguments. By manipulating the data passed in these arguments, an attacker can execute arbitrary code with the system privileges used by the service. This issue requires local file system access to be exploitable. * MFSA 2013-34 / CVE-2013-0797: Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is placed in a specific location on the local system before the Mozilla Updater is run. Local file system access is necessary in order for this issue to be exploitable. * MFSA 2013-35 / CVE-2013-0796: Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. This issue only affects Linux users who have Intel Mesa graphics drivers. The resulting crash could be potentially exploitable. * MFSA 2013-36 / CVE-2013-0795: Security researcher Cody Crews reported a mechanism to use the cloneNode method to bypass System Only Wrappers (SOW) and clone a protected node. This allows violation of the browser's same origin policy and could also lead to privilege escalation and the execution of arbitrary code. * MFSA 2013-37 / CVE-2013-0794: Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter data into a modal prompt dialog on an attacking, site while appearing to be from the displayed site. * MFSA 2013-38 / CVE-2013-0793: Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the browser. This allows for a cross-site scripting (XSS) attack or the theft of data through a phishing attack. * MFSA 2013-39 / CVE-2013-0792: Mozilla community member Tobias Schula reported that if gfx.color_management.enablev4 preference is enabled manually in about:config, some grayscale PNG images will be rendered incorrectly and cause memory corruption during PNG decoding when certain color profiles are in use. A crafted PNG image could use this flaw to leak data through rendered images drawing from random memory. By default, this preference is not enabled. * MFSA 2013-40 / CVE-2013-0791: Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) libary when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash. Security Issue references: * CVE-2013-0788 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788 > * CVE-2013-0791 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791 > * CVE-2013-0792 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792 > * CVE-2013-0793 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793 > * CVE-2013-0794 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0794 > * CVE-2013-0795 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795 > * CVE-2013-0796 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796 > * CVE-2013-0797 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0797 > * CVE-2013-0799 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0799 > * CVE-2013-0800 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800 > Package List: - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 17.0.6esr]: MozillaFirefox-17.0.6esr-0.8.1 MozillaFirefox-translations-17.0.6esr-0.8.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 17.0.6esr]: MozillaFirefox-17.0.6esr-0.8.1 MozillaFirefox-translations-17.0.6esr-0.8.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x): MozillaFirefox-branding-upstream-17.0.6esr-0.8.1 References: http://support.novell.com/security/cve/CVE-2013-0788.html http://support.novell.com/security/cve/CVE-2013-0791.html http://support.novell.com/security/cve/CVE-2013-0792.html http://support.novell.com/security/cve/CVE-2013-0793.html http://support.novell.com/security/cve/CVE-2013-0794.html http://support.novell.com/security/cve/CVE-2013-0795.html http://support.novell.com/security/cve/CVE-2013-0796.html http://support.novell.com/security/cve/CVE-2013-0797.html http://support.novell.com/security/cve/CVE-2013-0799.html http://support.novell.com/security/cve/CVE-2013-0800.html https://bugzilla.novell.com/755821 https://bugzilla.novell.com/792432 https://bugzilla.novell.com/819204 http://download.novell.com/patch/finder/?keywords=e59d3899bcb89883ea3648e8d… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0842-1: important: Security update for Mozilla Firefox
by opensuse-security＠opensuse.org 28 May '13

28 May '13

SUSE Security Update: Security update for Mozilla Firefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0842-1 Rating: important References: #792432 #819204 Cross-References: CVE-2013-0788 CVE-2013-0791 CVE-2013-0792 CVE-2013-0793 CVE-2013-0794 CVE-2013-0795 CVE-2013-0796 CVE-2013-0797 CVE-2013-0799 CVE-2013-0800 Affected Products: SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. It includes one version update. Description: Mozilla Firefox has been updated to the17.0.6ESR security release. * MFSA 2013-30: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian Holler, Milan Sreckovic, and Joe Drew reported memory safety problems and crashes that affect Firefox ESR 17, and Firefox 19. (CVE-2013-0788) * MFSA 2013-31 / CVE-2013-0800: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in Cairo graphics library. When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading to a potentially exploitable crash in some instances. * MFSA 2013-32 / CVE-2013-0799: Security researcher Frederic Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control (UAC) prompt. The Mozilla Maintenance Service is configured to allow unprivileged users to start it with arbitrary arguments. By manipulating the data passed in these arguments, an attacker can execute arbitrary code with the system privileges used by the service. This issue requires local file system access to be exploitable. * MFSA 2013-34 / CVE-2013-0797: Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is placed in a specific location on the local system before the Mozilla Updater is run. Local file system access is necessary in order for this issue to be exploitable. * MFSA 2013-35 / CVE-2013-0796: Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. This issue only affects Linux users who have Intel Mesa graphics drivers. The resulting crash could be potentially exploitable. * MFSA 2013-36 / CVE-2013-0795: Security researcher Cody Crews reported a mechanism to use the cloneNode method to bypass System Only Wrappers (SOW) and clone a protected node. This allows violation of the browser's same origin policy and could also lead to privilege escalation and the execution of arbitrary code. * MFSA 2013-37 / CVE-2013-0794: Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter data into a modal prompt dialog on an attacking, site while appearing to be from the displayed site. * MFSA 2013-38 / CVE-2013-0793: Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the browser. This allows for a cross-site scripting (XSS) attack or the theft of data through a phishing attack. * MFSA 2013-39 / CVE-2013-0792: Mozilla community member Tobias Schula reported that if gfx.color_management.enablev4 preference is enabled manually in about:config, some grayscale PNG images will be rendered incorrectly and cause memory corruption during PNG decoding when certain color profiles are in use. A crafted PNG image could use this flaw to leak data through rendered images drawing from random memory. By default, this preference is not enabled. * MFSA 2013-40 / CVE-2013-0791: Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) libary when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash. Security Issue references: * CVE-2013-0788 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788 > * CVE-2013-0791 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791 > * CVE-2013-0792 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792 > * CVE-2013-0793 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793 > * CVE-2013-0794 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0794 > * CVE-2013-0795 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795 > * CVE-2013-0796 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796 > * CVE-2013-0797 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0797 > * CVE-2013-0799 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0799 > * CVE-2013-0800 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-firefox-20130516-7741 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-firefox-20130516-7741 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-firefox-20130516-7741 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 17.0.6esr]: MozillaFirefox-17.0.6esr-0.4.1 MozillaFirefox-translations-17.0.6esr-0.4.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.6esr]: MozillaFirefox-17.0.6esr-0.4.1 MozillaFirefox-translations-17.0.6esr-0.4.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 17.0.6esr]: MozillaFirefox-17.0.6esr-0.4.1 MozillaFirefox-translations-17.0.6esr-0.4.1 References: http://support.novell.com/security/cve/CVE-2013-0788.html http://support.novell.com/security/cve/CVE-2013-0791.html http://support.novell.com/security/cve/CVE-2013-0792.html http://support.novell.com/security/cve/CVE-2013-0793.html http://support.novell.com/security/cve/CVE-2013-0794.html http://support.novell.com/security/cve/CVE-2013-0795.html http://support.novell.com/security/cve/CVE-2013-0796.html http://support.novell.com/security/cve/CVE-2013-0797.html http://support.novell.com/security/cve/CVE-2013-0799.html http://support.novell.com/security/cve/CVE-2013-0800.html https://bugzilla.novell.com/792432 https://bugzilla.novell.com/819204 http://download.novell.com/patch/finder/?keywords=8490ea4a8a40b0f85e4394150… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0841-1: important: Security update for SUSE Manager
by opensuse-security＠opensuse.org 28 May '13

28 May '13

SUSE Security Update: Security update for SUSE Manager ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0841-1 Rating: important References: #819365 Cross-References: CVE-2013-2056 Affected Products: SUSE Manager 1.7 for SLE 11 SP2 SUSE Manager 1.2 for SLE 11 SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes one version update. Description: spacewalk-backend has been updated to fix an authentication checking problem. (bnc#819365, CVE-2013-2056) Security Issue reference: * CVE-2013-2056 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2056 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-spacewalk-backend-7746 - SUSE Manager 1.2 for SLE 11 SP1: zypper in -t patch sleman12sp1-spacewalk-backend-7748 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.7.38.24]: spacewalk-backend-1.7.38.24-0.7.1 spacewalk-backend-app-1.7.38.24-0.7.1 spacewalk-backend-applet-1.7.38.24-0.7.1 spacewalk-backend-config-files-1.7.38.24-0.7.1 spacewalk-backend-config-files-common-1.7.38.24-0.7.1 spacewalk-backend-config-files-tool-1.7.38.24-0.7.1 spacewalk-backend-iss-1.7.38.24-0.7.1 spacewalk-backend-iss-export-1.7.38.24-0.7.1 spacewalk-backend-libs-1.7.38.24-0.7.1 spacewalk-backend-package-push-server-1.7.38.24-0.7.1 spacewalk-backend-server-1.7.38.24-0.7.1 spacewalk-backend-sql-1.7.38.24-0.7.1 spacewalk-backend-sql-oracle-1.7.38.24-0.7.1 spacewalk-backend-sql-postgresql-1.7.38.24-0.7.1 spacewalk-backend-tools-1.7.38.24-0.7.1 spacewalk-backend-xml-export-libs-1.7.38.24-0.7.1 spacewalk-backend-xmlrpc-1.7.38.24-0.7.1 spacewalk-backend-xp-1.7.38.24-0.7.1 - SUSE Manager 1.2 for SLE 11 SP1 (x86_64): spacewalk-backend-1.2.74-0.60.1 spacewalk-backend-app-1.2.74-0.60.1 spacewalk-backend-applet-1.2.74-0.60.1 spacewalk-backend-config-files-1.2.74-0.60.1 spacewalk-backend-config-files-common-1.2.74-0.60.1 spacewalk-backend-config-files-tool-1.2.74-0.60.1 spacewalk-backend-iss-1.2.74-0.60.1 spacewalk-backend-iss-export-1.2.74-0.60.1 spacewalk-backend-libs-1.2.74-0.60.1 spacewalk-backend-package-push-server-1.2.74-0.60.1 spacewalk-backend-server-1.2.74-0.60.1 spacewalk-backend-sql-1.2.74-0.60.1 spacewalk-backend-sql-oracle-1.2.74-0.60.1 spacewalk-backend-tools-1.2.74-0.60.1 spacewalk-backend-xml-export-libs-1.2.74-0.60.1 spacewalk-backend-xmlrpc-1.2.74-0.60.1 spacewalk-backend-xp-1.2.74-0.60.1 References: http://support.novell.com/security/cve/CVE-2013-2056.html https://bugzilla.novell.com/819365 http://download.novell.com/patch/finder/?keywords=26e847ac77c8ff404f27e1077… http://download.novell.com/patch/finder/?keywords=8e4d137510d878e6c1ce78859… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2013:0835-1: important: Security update for IBM Java
by opensuse-security＠opensuse.org 27 May '13

27 May '13

SUSE Security Update: Security update for IBM Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0835-1 Rating: important References: #592934 #819288 Cross-References: CVE-2013-0401 CVE-2013-1491 CVE-2013-1537 CVE-2013-1540 CVE-2013-1557 CVE-2013-1563 CVE-2013-1569 CVE-2013-2383 CVE-2013-2384 CVE-2013-2394 CVE-2013-2417 CVE-2013-2418 CVE-2013-2419 CVE-2013-2420 CVE-2013-2422 CVE-2013-2424 CVE-2013-2429 CVE-2013-2430 CVE-2013-2432 CVE-2013-2433 CVE-2013-2435 CVE-2013-2440 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Java 11 SP2 SUSE Linux Enterprise Java 10 SP4 ______________________________________________________________________________ An update that fixes 22 vulnerabilities is now available. Description: IBM Java 1.6.0 has been updated to SR13-FP2 fixing bugs and security issues. [http://www.ibm.com/developerworks/java/jdk/alerts/)(http:// www.ibm.com/developerworks/java/jdk/alerts/) Security Issue references: * CVE-2013-2422 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422 > * CVE-2013-1491 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1491 > * CVE-2013-2435 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2435 > * CVE-2013-2420 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420 > * CVE-2013-2432 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2432 > * CVE-2013-1569 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569 > * CVE-2013-2384 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384 > * CVE-2013-2383 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383 > * CVE-2013-1557 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557 > * CVE-2013-1537 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537 > * CVE-2013-2440 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2440 > * CVE-2013-2429 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429 > * CVE-2013-2430 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430 > * CVE-2013-1563 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1563 > * CVE-2013-2394 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2394 > * CVE-2013-0401 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401 > * CVE-2013-2424 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424 > * CVE-2013-2419 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419 > * CVE-2013-2417 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417 > * CVE-2013-2418 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2418 > * CVE-2013-1540 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1540 > * CVE-2013-2433 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2433 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-java-1_6_0-ibm-7744 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-java-1_6_0-ibm-7744 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-java-1_6_0-ibm-7744 - SUSE Linux Enterprise Java 11 SP2: zypper in -t patch slejsp2-java-1_6_0-ibm-7744 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ppc64 s390x x86_64): java-1_6_0-ibm-devel-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64): java-1_6_0-ibm-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): java-1_6_0-ibm-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-plugin-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586): java-1_6_0-ibm-alsa-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ppc64 s390x x86_64): java-1_6_0-ibm-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (i586): java-1_6_0-ibm-alsa-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Server 10 SP4 (i586 ppc s390x x86_64): java-1_6_0-ibm-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-devel-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-fonts-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-jdbc-1.6.0_sr13.2-0.8.1 - SUSE Linux Enterprise Server 10 SP4 (i586 ppc x86_64): java-1_6_0-ibm-plugin-1.6.0_sr13.2-0.8.1 - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64): java-1_6_0-ibm-32bit-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-devel-32bit-1.6.0_sr13.2-0.8.1 - SUSE Linux Enterprise Server 10 SP4 (x86_64): java-1_6_0-ibm-alsa-32bit-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-plugin-32bit-1.6.0_sr13.2-0.8.1 - SUSE Linux Enterprise Server 10 SP4 (i586): java-1_6_0-ibm-alsa-1.6.0_sr13.2-0.8.1 - SUSE Linux Enterprise Server 10 SP4 (ppc): java-1_6_0-ibm-64bit-1.6.0_sr13.2-0.8.1 - SUSE Linux Enterprise Java 11 SP2 (i586 ppc64 s390x x86_64): java-1_6_0-ibm-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-devel-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr13.2-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Java 11 SP2 (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Java 11 SP2 (i586): java-1_6_0-ibm-alsa-1.6.0_sr13.2-0.3.1 - SUSE Linux Enterprise Java 10 SP4 (x86_64): java-1_6_0-ibm-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-devel-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-fonts-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-jdbc-1.6.0_sr13.2-0.8.1 java-1_6_0-ibm-plugin-1.6.0_sr13.2-0.8.1 References: http://support.novell.com/security/cve/CVE-2013-0401.html http://support.novell.com/security/cve/CVE-2013-1491.html http://support.novell.com/security/cve/CVE-2013-1537.html http://support.novell.com/security/cve/CVE-2013-1540.html http://support.novell.com/security/cve/CVE-2013-1557.html http://support.novell.com/security/cve/CVE-2013-1563.html http://support.novell.com/security/cve/CVE-2013-1569.html http://support.novell.com/security/cve/CVE-2013-2383.html http://support.novell.com/security/cve/CVE-2013-2384.html http://support.novell.com/security/cve/CVE-2013-2394.html http://support.novell.com/security/cve/CVE-2013-2417.html http://support.novell.com/security/cve/CVE-2013-2418.html http://support.novell.com/security/cve/CVE-2013-2419.html http://support.novell.com/security/cve/CVE-2013-2420.html http://support.novell.com/security/cve/CVE-2013-2422.html http://support.novell.com/security/cve/CVE-2013-2424.html http://support.novell.com/security/cve/CVE-2013-2429.html http://support.novell.com/security/cve/CVE-2013-2430.html http://support.novell.com/security/cve/CVE-2013-2432.html http://support.novell.com/security/cve/CVE-2013-2433.html http://support.novell.com/security/cve/CVE-2013-2435.html http://support.novell.com/security/cve/CVE-2013-2440.html https://bugzilla.novell.com/592934 https://bugzilla.novell.com/819288 http://download.novell.com/patch/finder/?keywords=123f16c9260c506ce9b108372… http://download.novell.com/patch/finder/?keywords=518ce3eb76af52a81202b66ab… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0834-1: important: MozillaThunderbird: update to 17.0.6
by opensuse-security＠opensuse.org 27 May '13

27 May '13

openSUSE Security Update: MozillaThunderbird: update to 17.0.6 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0834-1 Rating: important References: #819204 Cross-References: CVE-2013-0801 CVE-2013-1669 CVE-2013-1670 CVE-2013-1674 CVE-2013-1675 CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679 CVE-2013-1680 CVE-2013-1681 Affected Products: openSUSE 12.2 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: MozillaThunderbird was updated to security update Thunderbird 17.0.6 (bnc#819204): * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669 Miscellaneous memory safety hazards * MFSA 2013-42/CVE-2013-1670 (bmo#853709) Privileged access for content level constructor * MFSA 2013-46/CVE-2013-1674 (bmo#860971) Use-after-free with video and onresize event * MFSA 2013-47/CVE-2013-1675 (bmo#866825) Uninitialized functions in DOMSVGZoomEvent * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/ CVE-2013-1679/CVE-2013-1680/CVE-2013-1681 Memory corruption found using Address Sanitizer Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-447 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): MozillaThunderbird-17.0.6-49.43.1 MozillaThunderbird-buildsymbols-17.0.6-49.43.1 MozillaThunderbird-debuginfo-17.0.6-49.43.1 MozillaThunderbird-debugsource-17.0.6-49.43.1 MozillaThunderbird-devel-17.0.6-49.43.1 MozillaThunderbird-devel-debuginfo-17.0.6-49.43.1 MozillaThunderbird-translations-common-17.0.6-49.43.1 MozillaThunderbird-translations-other-17.0.6-49.43.1 enigmail-1.5.1+17.0.6-49.43.1 enigmail-debuginfo-1.5.1+17.0.6-49.43.1 References: http://support.novell.com/security/cve/CVE-2013-0801.html http://support.novell.com/security/cve/CVE-2013-1669.html http://support.novell.com/security/cve/CVE-2013-1670.html http://support.novell.com/security/cve/CVE-2013-1674.html http://support.novell.com/security/cve/CVE-2013-1675.html http://support.novell.com/security/cve/CVE-2013-1676.html http://support.novell.com/security/cve/CVE-2013-1677.html http://support.novell.com/security/cve/CVE-2013-1678.html http://support.novell.com/security/cve/CVE-2013-1679.html http://support.novell.com/security/cve/CVE-2013-1680.html http://support.novell.com/security/cve/CVE-2013-1681.html https://bugzilla.novell.com/819204 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2013:0831-1: important: xulrunner to 17.0.6esr
by opensuse-security＠opensuse.org 27 May '13

27 May '13

openSUSE Security Update: xulrunner to 17.0.6esr ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0831-1 Rating: important References: #819204 Cross-References: CVE-2013-0801 CVE-2013-1669 CVE-2013-1670 CVE-2013-1674 CVE-2013-1675 CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679 CVE-2013-1680 CVE-2013-1681 Affected Products: openSUSE 12.2 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: Mozilla xulrunner was updated to 17.0.6esr (bnc#819204) * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669 Miscellaneous memory safety hazards * MFSA 2013-42/CVE-2013-1670 (bmo#853709) Privileged access for content level constructor * MFSA 2013-46/CVE-2013-1674 (bmo#860971) Use-after-free with video and onresize event * MFSA 2013-47/CVE-2013-1675 (bmo#866825) Uninitialized functions in DOMSVGZoomEvent * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/ CVE-2013-1679/CVE-2013-1680/CVE-2013-1681 Memory corruption found using Address Sanitizer Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-448 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): mozilla-js-17.0.6-2.42.1 mozilla-js-debuginfo-17.0.6-2.42.1 xulrunner-17.0.6-2.42.1 xulrunner-buildsymbols-17.0.6-2.42.1 xulrunner-debuginfo-17.0.6-2.42.1 xulrunner-debugsource-17.0.6-2.42.1 xulrunner-devel-17.0.6-2.42.1 xulrunner-devel-debuginfo-17.0.6-2.42.1 - openSUSE 12.2 (x86_64): mozilla-js-32bit-17.0.6-2.42.1 mozilla-js-debuginfo-32bit-17.0.6-2.42.1 xulrunner-32bit-17.0.6-2.42.1 xulrunner-debuginfo-32bit-17.0.6-2.42.1 References: http://support.novell.com/security/cve/CVE-2013-0801.html http://support.novell.com/security/cve/CVE-2013-1669.html http://support.novell.com/security/cve/CVE-2013-1670.html http://support.novell.com/security/cve/CVE-2013-1674.html http://support.novell.com/security/cve/CVE-2013-1675.html http://support.novell.com/security/cve/CVE-2013-1676.html http://support.novell.com/security/cve/CVE-2013-1677.html http://support.novell.com/security/cve/CVE-2013-1678.html http://support.novell.com/security/cve/CVE-2013-1679.html http://support.novell.com/security/cve/CVE-2013-1680.html http://support.novell.com/security/cve/CVE-2013-1681.html https://bugzilla.novell.com/819204 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0