openSUSE Security Announce February 2015

security-announce@lists.opensuse.org

2 participants
36 discussions

[security-announce] SUSE-SU-2015:0392-1: important: Security update for java-1_6_0-ibm
by opensuse-security＠opensuse.org 27 Feb '15

27 Feb '15

SUSE Security Update: Security update for java-1_6_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0392-1 Rating: important References: #592934 #891700 #901223 #904889 #916265 #916266 Cross-References: CVE-2014-8891 CVE-2014-8892 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has four fixes is now available. Description: java-1_6_0-ibm has been updated to version 1.6.0_sr16.3 to fix 30 security issues: * CVE-2014-8891: Unspecified vulnerability (bnc#916266) * CVE-2014-8892: Unspecified vulnerability (bnc#916265) * CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allowed local users to execute arbitrary code via vectors related to the shared classes cache (bnc#904889). * CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, used nondeterministic CBC padding, which made it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue (bnc#901223). * CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT (bnc#904889). * CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532 (bnc#904889). * CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503 (bnc#904889). * CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532 (bnc#904889). * CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532 (bnc#904889). * CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#904889). * CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allowed local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#904889). * CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allowed local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#904889). * CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#904889). * CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allowed remote attackers to affect integrity via unknown vectors related to Deployment (bnc#904889). * CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bnc#904889). * CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers to affect confidentiality via unknown vectors related to Libraries (bnc#904889). * CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allowed remote attackers to affect integrity via unknown vectors related to Libraries (bnc#904889). * CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allowed remote attackers to affect confidentiality and integrity via vectors related to JSSE (bnc#904889). * CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers to affect integrity via unknown vectors related to Libraries (bnc#904889). * CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allowed remote attackers to affect integrity via unknown vectors related to Security (bnc#904889). * CVE-2014-4227: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#891700). * CVE-2014-4262: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#891700). * CVE-2014-4219: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot (bnc#891700). * CVE-2014-4209: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allowed remote attackers to affect confidentiality and integrity via vectors related to JMX (bnc#891700). * CVE-2014-4268: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allowed remote attackers to affect confidentiality via unknown vectors related to Swing (bnc#891700). * CVE-2014-4218: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allowed remote attackers to affect integrity via unknown vectors related to Libraries (bnc#891700). * CVE-2014-4252: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allowed remote attackers to affect confidentiality via unknown vectors related to Security (bnc#891700). * CVE-2014-4265: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allowed remote attackers to affect integrity via unknown vectors related to Deployment (bnc#891700). * CVE-2014-4263: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allowed remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement (bnc#891700). * CVE-2014-4244: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allowed remote attackers to affect confidentiality and integrity via unknown vectors related to Security (bnc#891700). This non-security bug has also been fixed: * Fix update-alternatives list (bnc#592934) Security Issues: * CVE-2014-8892 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8892> * CVE-2014-8891 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8891> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-java-1_6_0-ibm=10353 - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-java-1_6_0-ibm=10354 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.3-0.4.5 java-1_6_0-ibm-devel-1.6.0_sr16.3-0.4.5 java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.5 java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.5 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.5 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.5 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.3-0.4.5 java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.5 java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.5 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.5 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.5 References: http://support.novell.com/security/cve/CVE-2014-8891.html http://support.novell.com/security/cve/CVE-2014-8892.html https://bugzilla.suse.com/592934 https://bugzilla.suse.com/891700 https://bugzilla.suse.com/901223 https://bugzilla.suse.com/904889 https://bugzilla.suse.com/916265 https://bugzilla.suse.com/916266 http://download.suse.com/patch/finder/?keywords=96da2c614827c23087d5b86b253… http://download.suse.com/patch/finder/?keywords=cfef74a50dd3fd4a378c3d05db3… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0386-1: important: Security update for Samba
by opensuse-security＠opensuse.org 27 Feb '15

27 Feb '15

SUSE Security Update: Security update for Samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0386-1 Rating: important References: #872912 #882356 #883870 #886193 #898031 #899558 #913001 #917376 Cross-References: CVE-2015-0240 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that solves one vulnerability and has 7 fixes is now available. Description: Samba has been updated to fix one security issue: * CVE-2015-0240: Don't call talloc_free on an uninitialized pointer (bnc#917376). Additionally, these non-security issues have been fixed: * Realign the winbind request structure following require_membership_of field expansion (bnc#913001). * Reuse connections derived from DFS referrals (bso#10123, fate#316512). * Set domain/workgroup based on authentication callback value (bso#11059). * Fix spoolss error response marshalling (bso#10984). * Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031). * Fix handling of bad EnumJobs levels (bso#10898). * Fix small memory-leak in the background print process (bnc#899558). * Prune idle or hung connections older than "winbind request timeout" (bso#3204, bnc#872912). * Build: disable mmap on s390 systems (bnc#886193, bnc#882356). * Only update the printer share inventory when needed (bnc#883870). * Avoid double-free in get_print_db_byname (bso#10699). Security Issues: * CVE-2015-0240 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-cifs-mount=10346 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): ldapsmb-1.34b-12.33.43.1 libldb1-3.6.3-0.33.43.1 libsmbclient0-3.6.3-0.33.43.1 libtalloc1-3.4.3-1.54.39 libtalloc2-3.6.3-0.33.43.1 libtdb1-3.6.3-0.33.43.1 libtevent0-3.6.3-0.33.43.1 libwbclient0-3.6.3-0.33.43.1 samba-3.6.3-0.33.43.1 samba-client-3.6.3-0.33.43.1 samba-krb-printing-3.6.3-0.33.43.1 samba-winbind-3.6.3-0.33.43.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64): libsmbclient0-32bit-3.6.3-0.33.43.1 libtalloc1-32bit-3.4.3-1.54.39 libtalloc2-32bit-3.6.3-0.33.43.1 libtdb1-32bit-3.6.3-0.33.43.1 libtevent0-32bit-3.6.3-0.33.43.1 libwbclient0-32bit-3.6.3-0.33.43.1 samba-32bit-3.6.3-0.33.43.1 samba-client-32bit-3.6.3-0.33.43.1 samba-winbind-32bit-3.6.3-0.33.43.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (noarch): samba-doc-3.6.3-0.33.43.1 References: http://support.novell.com/security/cve/CVE-2015-0240.html https://bugzilla.suse.com/872912 https://bugzilla.suse.com/882356 https://bugzilla.suse.com/883870 https://bugzilla.suse.com/886193 https://bugzilla.suse.com/898031 https://bugzilla.suse.com/899558 https://bugzilla.suse.com/913001 https://bugzilla.suse.com/917376 http://download.suse.com/patch/finder/?keywords=d8d66713b0b31cf585ddfd4a751… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2015:0382-1: important: Security update for snack
by opensuse-security＠opensuse.org 26 Feb '15

26 Feb '15

openSUSE Security Update: Security update for snack ______________________________________________________________________________ Announcement ID: openSUSE-SU-2015:0382-1 Rating: important References: #793860 Cross-References: CVE-2012-6303 Affected Products: openSUSE 13.2 openSUSE 13.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: snack was updated to fix one security issue. This security issue was fixed: - CVE-2012-6303: Heap-based buffer overflow in the GetWavHeader function in generic/jkSoundFile.c in the Snack Sound Toolkit, as used in WaveSurfer 1.8.8p4, allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large chunk size in a WAV file (bnc#793860). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2015-183=1 - openSUSE 13.1: zypper in -t patch openSUSE-2015-183=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): snack-2.2.10-212.4.1 snack-debuginfo-2.2.10-212.4.1 snack-debugsource-2.2.10-212.4.1 - openSUSE 13.1 (i586 x86_64): snack-2.2.10-210.4.1 snack-debuginfo-2.2.10-210.4.1 snack-debugsource-2.2.10-210.4.1 References: http://support.novell.com/security/cve/CVE-2012-6303.html https://bugzilla.suse.com/793860 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0376-1: important: Security update for java-1_5_0-ibm
by opensuse-security＠opensuse.org 25 Feb '15

25 Feb '15

SUSE Security Update: Security update for java-1_5_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0376-1 Rating: important References: #891699 #901223 #901239 #904889 #916265 #916266 Cross-References: CVE-2014-8891 CVE-2014-8892 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has four fixes is now available. Description: java-1_5_0-ibm has been updated to fix 19 security issues: * CVE-2014-8891: Unspecified vulnerability (bnc#916266). * CVE-2014-8892: Unspecified vulnerability (bnc#916265). * CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache (bnc#904889). * CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue (bnc#901223). * CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D (bnc#901239). * CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE (bnc#901239). * CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security (bnc#901239). * CVE-2014-4262: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#891699). * CVE-2014-4219: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot (bnc#891699). * CVE-2014-4209: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX (bnc#891699). * CVE-2014-4268: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing (bnc#891699). * CVE-2014-4218: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#891699). * CVE-2014-4252: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security (bnc#891699). * CVE-2014-4263: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement (bnc#891699). * CVE-2014-4244: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security (bnc#891699). Security Issues: * CVE-2014-8892 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8892> * CVE-2014-8891 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8891> Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): java-1_5_0-ibm-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-devel-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-fonts-1.5.0_sr16.9-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): java-1_5_0-ibm-32bit-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-devel-32bit-1.5.0_sr16.9-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64): java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.9-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586): java-1_5_0-ibm-alsa-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-jdbc-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-plugin-1.5.0_sr16.9-0.6.1 References: http://support.novell.com/security/cve/CVE-2014-8891.html http://support.novell.com/security/cve/CVE-2014-8892.html https://bugzilla.suse.com/891699 https://bugzilla.suse.com/901223 https://bugzilla.suse.com/901239 https://bugzilla.suse.com/904889 https://bugzilla.suse.com/916265 https://bugzilla.suse.com/916266 http://download.suse.com/patch/finder/?keywords=2c3b79e944e87fd633df27d6879… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0343-2: important: Security update for java-1_6_0-ibm
by opensuse-security＠opensuse.org 25 Feb '15

25 Feb '15

1 0

[security-announce] openSUSE-SU-2015:0375-1: important: Security update for samba
by opensuse-security＠opensuse.org 25 Feb '15

25 Feb '15

openSUSE Security Update: Security update for samba ______________________________________________________________________________ Announcement ID: openSUSE-SU-2015:0375-1 Rating: important References: #914279 #917376 Cross-References: CVE-2014-8143 CVE-2015-0240 Affected Products: openSUSE 13.2 openSUSE 13.1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: samba was updated to fix two security issues. These security issues were fixed: - CVE-2015-0240: Ensure we don't call talloc_free on an uninitialized pointer (bnc#917376). - CVE-2014-8143: Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allowed remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation (bnc#914279). Several non-security issues were fixed, please refer to the changes file. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2015-179=1 - openSUSE 13.1: zypper in -t patch openSUSE-2015-179=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): libdcerpc-atsvc-devel-4.1.17-5.1 libdcerpc-atsvc0-4.1.17-5.1 libdcerpc-atsvc0-debuginfo-4.1.17-5.1 libdcerpc-binding0-4.1.17-5.1 libdcerpc-binding0-debuginfo-4.1.17-5.1 libdcerpc-devel-4.1.17-5.1 libdcerpc-samr-devel-4.1.17-5.1 libdcerpc-samr0-4.1.17-5.1 libdcerpc-samr0-debuginfo-4.1.17-5.1 libdcerpc0-4.1.17-5.1 libdcerpc0-debuginfo-4.1.17-5.1 libgensec-devel-4.1.17-5.1 libgensec0-4.1.17-5.1 libgensec0-debuginfo-4.1.17-5.1 libndr-devel-4.1.17-5.1 libndr-krb5pac-devel-4.1.17-5.1 libndr-krb5pac0-4.1.17-5.1 libndr-krb5pac0-debuginfo-4.1.17-5.1 libndr-nbt-devel-4.1.17-5.1 libndr-nbt0-4.1.17-5.1 libndr-nbt0-debuginfo-4.1.17-5.1 libndr-standard-devel-4.1.17-5.1 libndr-standard0-4.1.17-5.1 libndr-standard0-debuginfo-4.1.17-5.1 libndr0-4.1.17-5.1 libndr0-debuginfo-4.1.17-5.1 libnetapi-devel-4.1.17-5.1 libnetapi0-4.1.17-5.1 libnetapi0-debuginfo-4.1.17-5.1 libpdb-devel-4.1.17-5.1 libpdb0-4.1.17-5.1 libpdb0-debuginfo-4.1.17-5.1 libregistry-devel-4.1.17-5.1 libregistry0-4.1.17-5.1 libregistry0-debuginfo-4.1.17-5.1 libsamba-credentials-devel-4.1.17-5.1 libsamba-credentials0-4.1.17-5.1 libsamba-credentials0-debuginfo-4.1.17-5.1 libsamba-hostconfig-devel-4.1.17-5.1 libsamba-hostconfig0-4.1.17-5.1 libsamba-hostconfig0-debuginfo-4.1.17-5.1 libsamba-policy-devel-4.1.17-5.1 libsamba-policy0-4.1.17-5.1 libsamba-policy0-debuginfo-4.1.17-5.1 libsamba-util-devel-4.1.17-5.1 libsamba-util0-4.1.17-5.1 libsamba-util0-debuginfo-4.1.17-5.1 libsamdb-devel-4.1.17-5.1 libsamdb0-4.1.17-5.1 libsamdb0-debuginfo-4.1.17-5.1 libsmbclient-devel-4.1.17-5.1 libsmbclient-raw-devel-4.1.17-5.1 libsmbclient-raw0-4.1.17-5.1 libsmbclient-raw0-debuginfo-4.1.17-5.1 libsmbclient0-4.1.17-5.1 libsmbclient0-debuginfo-4.1.17-5.1 libsmbconf-devel-4.1.17-5.1 libsmbconf0-4.1.17-5.1 libsmbconf0-debuginfo-4.1.17-5.1 libsmbldap-devel-4.1.17-5.1 libsmbldap0-4.1.17-5.1 libsmbldap0-debuginfo-4.1.17-5.1 libsmbsharemodes-devel-4.1.17-5.1 libsmbsharemodes0-4.1.17-5.1 libsmbsharemodes0-debuginfo-4.1.17-5.1 libtevent-util-devel-4.1.17-5.1 libtevent-util0-4.1.17-5.1 libtevent-util0-debuginfo-4.1.17-5.1 libwbclient-devel-4.1.17-5.1 libwbclient0-4.1.17-5.1 libwbclient0-debuginfo-4.1.17-5.1 samba-4.1.17-5.1 samba-client-4.1.17-5.1 samba-client-debuginfo-4.1.17-5.1 samba-core-devel-4.1.17-5.1 samba-debuginfo-4.1.17-5.1 samba-debugsource-4.1.17-5.1 samba-libs-4.1.17-5.1 samba-libs-debuginfo-4.1.17-5.1 samba-pidl-4.1.17-5.1 samba-python-4.1.17-5.1 samba-python-debuginfo-4.1.17-5.1 samba-test-4.1.17-5.1 samba-test-debuginfo-4.1.17-5.1 samba-test-devel-4.1.17-5.1 samba-winbind-4.1.17-5.1 samba-winbind-debuginfo-4.1.17-5.1 - openSUSE 13.2 (x86_64): libdcerpc-atsvc0-32bit-4.1.17-5.1 libdcerpc-atsvc0-debuginfo-32bit-4.1.17-5.1 libdcerpc-binding0-32bit-4.1.17-5.1 libdcerpc-binding0-debuginfo-32bit-4.1.17-5.1 libdcerpc-samr0-32bit-4.1.17-5.1 libdcerpc-samr0-debuginfo-32bit-4.1.17-5.1 libdcerpc0-32bit-4.1.17-5.1 libdcerpc0-debuginfo-32bit-4.1.17-5.1 libgensec0-32bit-4.1.17-5.1 libgensec0-debuginfo-32bit-4.1.17-5.1 libndr-krb5pac0-32bit-4.1.17-5.1 libndr-krb5pac0-debuginfo-32bit-4.1.17-5.1 libndr-nbt0-32bit-4.1.17-5.1 libndr-nbt0-debuginfo-32bit-4.1.17-5.1 libndr-standard0-32bit-4.1.17-5.1 libndr-standard0-debuginfo-32bit-4.1.17-5.1 libndr0-32bit-4.1.17-5.1 libndr0-debuginfo-32bit-4.1.17-5.1 libnetapi0-32bit-4.1.17-5.1 libnetapi0-debuginfo-32bit-4.1.17-5.1 libpdb0-32bit-4.1.17-5.1 libpdb0-debuginfo-32bit-4.1.17-5.1 libregistry0-32bit-4.1.17-5.1 libregistry0-debuginfo-32bit-4.1.17-5.1 libsamba-credentials0-32bit-4.1.17-5.1 libsamba-credentials0-debuginfo-32bit-4.1.17-5.1 libsamba-hostconfig0-32bit-4.1.17-5.1 libsamba-hostconfig0-debuginfo-32bit-4.1.17-5.1 libsamba-policy0-32bit-4.1.17-5.1 libsamba-policy0-debuginfo-32bit-4.1.17-5.1 libsamba-util0-32bit-4.1.17-5.1 libsamba-util0-debuginfo-32bit-4.1.17-5.1 libsamdb0-32bit-4.1.17-5.1 libsamdb0-debuginfo-32bit-4.1.17-5.1 libsmbclient-raw0-32bit-4.1.17-5.1 libsmbclient-raw0-debuginfo-32bit-4.1.17-5.1 libsmbclient0-32bit-4.1.17-5.1 libsmbclient0-debuginfo-32bit-4.1.17-5.1 libsmbconf0-32bit-4.1.17-5.1 libsmbconf0-debuginfo-32bit-4.1.17-5.1 libsmbldap0-32bit-4.1.17-5.1 libsmbldap0-debuginfo-32bit-4.1.17-5.1 libtevent-util0-32bit-4.1.17-5.1 libtevent-util0-debuginfo-32bit-4.1.17-5.1 libwbclient0-32bit-4.1.17-5.1 libwbclient0-debuginfo-32bit-4.1.17-5.1 samba-32bit-4.1.17-5.1 samba-client-32bit-4.1.17-5.1 samba-client-debuginfo-32bit-4.1.17-5.1 samba-debuginfo-32bit-4.1.17-5.1 samba-libs-32bit-4.1.17-5.1 samba-libs-debuginfo-32bit-4.1.17-5.1 samba-winbind-32bit-4.1.17-5.1 samba-winbind-debuginfo-32bit-4.1.17-5.1 - openSUSE 13.2 (noarch): samba-doc-4.1.17-5.1 - openSUSE 13.1 (i586 x86_64): libdcerpc-atsvc-devel-4.1.17-3.30.1 libdcerpc-atsvc0-4.1.17-3.30.1 libdcerpc-atsvc0-debuginfo-4.1.17-3.30.1 libdcerpc-binding0-4.1.17-3.30.1 libdcerpc-binding0-debuginfo-4.1.17-3.30.1 libdcerpc-devel-4.1.17-3.30.1 libdcerpc-samr-devel-4.1.17-3.30.1 libdcerpc-samr0-4.1.17-3.30.1 libdcerpc-samr0-debuginfo-4.1.17-3.30.1 libdcerpc0-4.1.17-3.30.1 libdcerpc0-debuginfo-4.1.17-3.30.1 libgensec-devel-4.1.17-3.30.1 libgensec0-4.1.17-3.30.1 libgensec0-debuginfo-4.1.17-3.30.1 libndr-devel-4.1.17-3.30.1 libndr-krb5pac-devel-4.1.17-3.30.1 libndr-krb5pac0-4.1.17-3.30.1 libndr-krb5pac0-debuginfo-4.1.17-3.30.1 libndr-nbt-devel-4.1.17-3.30.1 libndr-nbt0-4.1.17-3.30.1 libndr-nbt0-debuginfo-4.1.17-3.30.1 libndr-standard-devel-4.1.17-3.30.1 libndr-standard0-4.1.17-3.30.1 libndr-standard0-debuginfo-4.1.17-3.30.1 libndr0-4.1.17-3.30.1 libndr0-debuginfo-4.1.17-3.30.1 libnetapi-devel-4.1.17-3.30.1 libnetapi0-4.1.17-3.30.1 libnetapi0-debuginfo-4.1.17-3.30.1 libpdb-devel-4.1.17-3.30.1 libpdb0-4.1.17-3.30.1 libpdb0-debuginfo-4.1.17-3.30.1 libregistry-devel-4.1.17-3.30.1 libregistry0-4.1.17-3.30.1 libregistry0-debuginfo-4.1.17-3.30.1 libsamba-credentials-devel-4.1.17-3.30.1 libsamba-credentials0-4.1.17-3.30.1 libsamba-credentials0-debuginfo-4.1.17-3.30.1 libsamba-hostconfig-devel-4.1.17-3.30.1 libsamba-hostconfig0-4.1.17-3.30.1 libsamba-hostconfig0-debuginfo-4.1.17-3.30.1 libsamba-policy-devel-4.1.17-3.30.1 libsamba-policy0-4.1.17-3.30.1 libsamba-policy0-debuginfo-4.1.17-3.30.1 libsamba-util-devel-4.1.17-3.30.1 libsamba-util0-4.1.17-3.30.1 libsamba-util0-debuginfo-4.1.17-3.30.1 libsamdb-devel-4.1.17-3.30.1 libsamdb0-4.1.17-3.30.1 libsamdb0-debuginfo-4.1.17-3.30.1 libsmbclient-devel-4.1.17-3.30.1 libsmbclient-raw-devel-4.1.17-3.30.1 libsmbclient-raw0-4.1.17-3.30.1 libsmbclient-raw0-debuginfo-4.1.17-3.30.1 libsmbclient0-4.1.17-3.30.1 libsmbclient0-debuginfo-4.1.17-3.30.1 libsmbconf-devel-4.1.17-3.30.1 libsmbconf0-4.1.17-3.30.1 libsmbconf0-debuginfo-4.1.17-3.30.1 libsmbldap-devel-4.1.17-3.30.1 libsmbldap0-4.1.17-3.30.1 libsmbldap0-debuginfo-4.1.17-3.30.1 libsmbsharemodes-devel-4.1.17-3.30.1 libsmbsharemodes0-4.1.17-3.30.1 libsmbsharemodes0-debuginfo-4.1.17-3.30.1 libtevent-util-devel-4.1.17-3.30.1 libtevent-util0-4.1.17-3.30.1 libtevent-util0-debuginfo-4.1.17-3.30.1 libwbclient-devel-4.1.17-3.30.1 libwbclient0-4.1.17-3.30.1 libwbclient0-debuginfo-4.1.17-3.30.1 samba-4.1.17-3.30.1 samba-client-4.1.17-3.30.1 samba-client-debuginfo-4.1.17-3.30.1 samba-core-devel-4.1.17-3.30.1 samba-debuginfo-4.1.17-3.30.1 samba-debugsource-4.1.17-3.30.1 samba-libs-4.1.17-3.30.1 samba-libs-debuginfo-4.1.17-3.30.1 samba-pidl-4.1.17-3.30.1 samba-python-4.1.17-3.30.1 samba-python-debuginfo-4.1.17-3.30.1 samba-test-4.1.17-3.30.1 samba-test-debuginfo-4.1.17-3.30.1 samba-test-devel-4.1.17-3.30.1 samba-winbind-4.1.17-3.30.1 samba-winbind-debuginfo-4.1.17-3.30.1 - openSUSE 13.1 (x86_64): libdcerpc-atsvc0-32bit-4.1.17-3.30.1 libdcerpc-atsvc0-debuginfo-32bit-4.1.17-3.30.1 libdcerpc-binding0-32bit-4.1.17-3.30.1 libdcerpc-binding0-debuginfo-32bit-4.1.17-3.30.1 libdcerpc-samr0-32bit-4.1.17-3.30.1 libdcerpc-samr0-debuginfo-32bit-4.1.17-3.30.1 libdcerpc0-32bit-4.1.17-3.30.1 libdcerpc0-debuginfo-32bit-4.1.17-3.30.1 libgensec0-32bit-4.1.17-3.30.1 libgensec0-debuginfo-32bit-4.1.17-3.30.1 libndr-krb5pac0-32bit-4.1.17-3.30.1 libndr-krb5pac0-debuginfo-32bit-4.1.17-3.30.1 libndr-nbt0-32bit-4.1.17-3.30.1 libndr-nbt0-debuginfo-32bit-4.1.17-3.30.1 libndr-standard0-32bit-4.1.17-3.30.1 libndr-standard0-debuginfo-32bit-4.1.17-3.30.1 libndr0-32bit-4.1.17-3.30.1 libndr0-debuginfo-32bit-4.1.17-3.30.1 libnetapi0-32bit-4.1.17-3.30.1 libnetapi0-debuginfo-32bit-4.1.17-3.30.1 libpdb0-32bit-4.1.17-3.30.1 libpdb0-debuginfo-32bit-4.1.17-3.30.1 libregistry0-32bit-4.1.17-3.30.1 libregistry0-debuginfo-32bit-4.1.17-3.30.1 libsamba-credentials0-32bit-4.1.17-3.30.1 libsamba-credentials0-debuginfo-32bit-4.1.17-3.30.1 libsamba-hostconfig0-32bit-4.1.17-3.30.1 libsamba-hostconfig0-debuginfo-32bit-4.1.17-3.30.1 libsamba-policy0-32bit-4.1.17-3.30.1 libsamba-policy0-debuginfo-32bit-4.1.17-3.30.1 libsamba-util0-32bit-4.1.17-3.30.1 libsamba-util0-debuginfo-32bit-4.1.17-3.30.1 libsamdb0-32bit-4.1.17-3.30.1 libsamdb0-debuginfo-32bit-4.1.17-3.30.1 libsmbclient-raw0-32bit-4.1.17-3.30.1 libsmbclient-raw0-debuginfo-32bit-4.1.17-3.30.1 libsmbclient0-32bit-4.1.17-3.30.1 libsmbclient0-debuginfo-32bit-4.1.17-3.30.1 libsmbconf0-32bit-4.1.17-3.30.1 libsmbconf0-debuginfo-32bit-4.1.17-3.30.1 libsmbldap0-32bit-4.1.17-3.30.1 libsmbldap0-debuginfo-32bit-4.1.17-3.30.1 libtevent-util0-32bit-4.1.17-3.30.1 libtevent-util0-debuginfo-32bit-4.1.17-3.30.1 libwbclient0-32bit-4.1.17-3.30.1 libwbclient0-debuginfo-32bit-4.1.17-3.30.1 samba-32bit-4.1.17-3.30.1 samba-client-32bit-4.1.17-3.30.1 samba-client-debuginfo-32bit-4.1.17-3.30.1 samba-debuginfo-32bit-4.1.17-3.30.1 samba-libs-32bit-4.1.17-3.30.1 samba-libs-debuginfo-32bit-4.1.17-3.30.1 samba-winbind-32bit-4.1.17-3.30.1 samba-winbind-debuginfo-32bit-4.1.17-3.30.1 - openSUSE 13.1 (noarch): samba-doc-4.1.17-3.30.1 References: http://support.novell.com/security/cve/CVE-2014-8143.html http://support.novell.com/security/cve/CVE-2015-0240.html https://bugzilla.suse.com/914279 https://bugzilla.suse.com/917376 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0371-1: important: Security update for Samba
by opensuse-security＠opensuse.org 25 Feb '15

25 Feb '15

SUSE Security Update: Security update for Samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0371-1 Rating: important References: #872912 #898031 #899558 #913001 #917376 Cross-References: CVE-2015-0240 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves one vulnerability and has four fixes is now available. Description: Samba has been updated to fix one security issue: * CVE-2015-0240: Don't call talloc_free on an uninitialized pointer (bnc#917376). Additionally, these non-security issues have been fixed: * Realign the winbind request structure following require_membership_of field expansion (bnc#913001). * Reuse connections derived from DFS referrals (bso#10123, fate#316512). * Set domain/workgroup based on authentication callback value (bso#11059). * Fix spoolss error response marshalling (bso#10984). * Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031). * Fix handling of bad EnumJobs levels (bso#10898). * Fix small memory-leak in the background print process; (bnc#899558). * Prune idle or hung connections older than "winbind request timeout" (bso#3204, bnc#872912). Security Issues: * CVE-2015-0240 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-samba-20150217=10321 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-samba-20150217=10321 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-samba-20150217=10321 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-samba-20150217=10321 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libldb-devel-3.6.3-0.56.1 libnetapi-devel-3.6.3-0.56.1 libnetapi0-3.6.3-0.56.1 libsmbclient-devel-3.6.3-0.56.1 libsmbsharemodes-devel-3.6.3-0.56.1 libsmbsharemodes0-3.6.3-0.56.1 libtalloc-devel-3.6.3-0.56.1 libtdb-devel-3.6.3-0.56.1 libtevent-devel-3.6.3-0.56.1 libwbclient-devel-3.6.3-0.56.1 samba-devel-3.6.3-0.56.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): ldapsmb-1.34b-12.56.1 libldb1-3.6.3-0.56.1 libsmbclient0-3.6.3-0.56.1 libtalloc2-3.6.3-0.56.1 libtdb1-3.6.3-0.56.1 libtevent0-3.6.3-0.56.1 libwbclient0-3.6.3-0.56.1 samba-3.6.3-0.56.1 samba-client-3.6.3-0.56.1 samba-krb-printing-3.6.3-0.56.1 samba-winbind-3.6.3-0.56.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libsmbclient0-32bit-3.6.3-0.56.1 libtalloc2-32bit-3.6.3-0.56.1 libtdb1-32bit-3.6.3-0.56.1 libtevent0-32bit-3.6.3-0.56.1 libwbclient0-32bit-3.6.3-0.56.1 samba-32bit-3.6.3-0.56.1 samba-client-32bit-3.6.3-0.56.1 samba-winbind-32bit-3.6.3-0.56.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (noarch): samba-doc-3.6.3-0.56.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): ldapsmb-1.34b-12.56.1 libldb1-3.6.3-0.56.1 libsmbclient0-3.6.3-0.56.1 libtalloc2-3.6.3-0.56.1 libtdb1-3.6.3-0.56.1 libtevent0-3.6.3-0.56.1 libwbclient0-3.6.3-0.56.1 samba-3.6.3-0.56.1 samba-client-3.6.3-0.56.1 samba-krb-printing-3.6.3-0.56.1 samba-winbind-3.6.3-0.56.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libsmbclient0-32bit-3.6.3-0.56.1 libtalloc2-32bit-3.6.3-0.56.1 libtdb1-32bit-3.6.3-0.56.1 libtevent0-32bit-3.6.3-0.56.1 libwbclient0-32bit-3.6.3-0.56.1 samba-32bit-3.6.3-0.56.1 samba-client-32bit-3.6.3-0.56.1 samba-winbind-32bit-3.6.3-0.56.1 - SUSE Linux Enterprise Server 11 SP3 (noarch): samba-doc-3.6.3-0.56.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libsmbclient0-x86-3.6.3-0.56.1 libtalloc2-x86-3.6.3-0.56.1 libtdb1-x86-3.6.3-0.56.1 libwbclient0-x86-3.6.3-0.56.1 samba-client-x86-3.6.3-0.56.1 samba-winbind-x86-3.6.3-0.56.1 samba-x86-3.6.3-0.56.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): libldb1-3.6.3-0.56.1 libsmbclient0-3.6.3-0.56.1 libtalloc2-3.6.3-0.56.1 libtdb1-3.6.3-0.56.1 libtevent0-3.6.3-0.56.1 libwbclient0-3.6.3-0.56.1 samba-3.6.3-0.56.1 samba-client-3.6.3-0.56.1 samba-krb-printing-3.6.3-0.56.1 samba-winbind-3.6.3-0.56.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libldb1-32bit-3.6.3-0.56.1 libsmbclient0-32bit-3.6.3-0.56.1 libtalloc2-32bit-3.6.3-0.56.1 libtdb1-32bit-3.6.3-0.56.1 libtevent0-32bit-3.6.3-0.56.1 libwbclient0-32bit-3.6.3-0.56.1 samba-32bit-3.6.3-0.56.1 samba-client-32bit-3.6.3-0.56.1 samba-winbind-32bit-3.6.3-0.56.1 - SUSE Linux Enterprise Desktop 11 SP3 (noarch): samba-doc-3.6.3-0.56.1 References: http://support.novell.com/security/cve/CVE-2015-0240.html https://bugzilla.suse.com/872912 https://bugzilla.suse.com/898031 https://bugzilla.suse.com/899558 https://bugzilla.suse.com/913001 https://bugzilla.suse.com/917376 http://download.suse.com/patch/finder/?keywords=ef17b59d6389957b18b3a77d2e9… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0365-1: important: Security update for php5
by opensuse-security＠opensuse.org 24 Feb '15

24 Feb '15

SUSE Security Update: Security update for php5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0365-1 Rating: important References: #907519 #910659 #911664 #914690 Cross-References: CVE-2014-8142 CVE-2014-9427 CVE-2015-0231 CVE-2015-0232 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: php5 was updated to fix four security issues. These security issues were fixed: - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (bnc#910659). - CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, did not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which caused an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (bnc#911664). - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (bnc#914690). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bnc#910659). Additionally a fix was included that protects against a possible NULL pointer use (bnc#910659). This non-security issue was fixed: - php53 ignored default_socket_timeout on outgoing SSL connection (bnc#907519). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-94=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2015-94=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): php5-debuginfo-5.5.14-11.3 php5-debugsource-5.5.14-11.3 php5-devel-5.5.14-11.3 - SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64): apache2-mod_php5-5.5.14-11.3 apache2-mod_php5-debuginfo-5.5.14-11.3 php5-5.5.14-11.3 php5-bcmath-5.5.14-11.3 php5-bcmath-debuginfo-5.5.14-11.3 php5-bz2-5.5.14-11.3 php5-bz2-debuginfo-5.5.14-11.3 php5-calendar-5.5.14-11.3 php5-calendar-debuginfo-5.5.14-11.3 php5-ctype-5.5.14-11.3 php5-ctype-debuginfo-5.5.14-11.3 php5-curl-5.5.14-11.3 php5-curl-debuginfo-5.5.14-11.3 php5-dba-5.5.14-11.3 php5-dba-debuginfo-5.5.14-11.3 php5-debuginfo-5.5.14-11.3 php5-debugsource-5.5.14-11.3 php5-dom-5.5.14-11.3 php5-dom-debuginfo-5.5.14-11.3 php5-enchant-5.5.14-11.3 php5-enchant-debuginfo-5.5.14-11.3 php5-exif-5.5.14-11.3 php5-exif-debuginfo-5.5.14-11.3 php5-fastcgi-5.5.14-11.3 php5-fastcgi-debuginfo-5.5.14-11.3 php5-fileinfo-5.5.14-11.3 php5-fileinfo-debuginfo-5.5.14-11.3 php5-fpm-5.5.14-11.3 php5-fpm-debuginfo-5.5.14-11.3 php5-ftp-5.5.14-11.3 php5-ftp-debuginfo-5.5.14-11.3 php5-gd-5.5.14-11.3 php5-gd-debuginfo-5.5.14-11.3 php5-gettext-5.5.14-11.3 php5-gettext-debuginfo-5.5.14-11.3 php5-gmp-5.5.14-11.3 php5-gmp-debuginfo-5.5.14-11.3 php5-iconv-5.5.14-11.3 php5-iconv-debuginfo-5.5.14-11.3 php5-intl-5.5.14-11.3 php5-intl-debuginfo-5.5.14-11.3 php5-json-5.5.14-11.3 php5-json-debuginfo-5.5.14-11.3 php5-ldap-5.5.14-11.3 php5-ldap-debuginfo-5.5.14-11.3 php5-mbstring-5.5.14-11.3 php5-mbstring-debuginfo-5.5.14-11.3 php5-mcrypt-5.5.14-11.3 php5-mcrypt-debuginfo-5.5.14-11.3 php5-mysql-5.5.14-11.3 php5-mysql-debuginfo-5.5.14-11.3 php5-odbc-5.5.14-11.3 php5-odbc-debuginfo-5.5.14-11.3 php5-openssl-5.5.14-11.3 php5-openssl-debuginfo-5.5.14-11.3 php5-pcntl-5.5.14-11.3 php5-pcntl-debuginfo-5.5.14-11.3 php5-pdo-5.5.14-11.3 php5-pdo-debuginfo-5.5.14-11.3 php5-pgsql-5.5.14-11.3 php5-pgsql-debuginfo-5.5.14-11.3 php5-pspell-5.5.14-11.3 php5-pspell-debuginfo-5.5.14-11.3 php5-shmop-5.5.14-11.3 php5-shmop-debuginfo-5.5.14-11.3 php5-snmp-5.5.14-11.3 php5-snmp-debuginfo-5.5.14-11.3 php5-soap-5.5.14-11.3 php5-soap-debuginfo-5.5.14-11.3 php5-sockets-5.5.14-11.3 php5-sockets-debuginfo-5.5.14-11.3 php5-sqlite-5.5.14-11.3 php5-sqlite-debuginfo-5.5.14-11.3 php5-suhosin-5.5.14-11.3 php5-suhosin-debuginfo-5.5.14-11.3 php5-sysvmsg-5.5.14-11.3 php5-sysvmsg-debuginfo-5.5.14-11.3 php5-sysvsem-5.5.14-11.3 php5-sysvsem-debuginfo-5.5.14-11.3 php5-sysvshm-5.5.14-11.3 php5-sysvshm-debuginfo-5.5.14-11.3 php5-tokenizer-5.5.14-11.3 php5-tokenizer-debuginfo-5.5.14-11.3 php5-wddx-5.5.14-11.3 php5-wddx-debuginfo-5.5.14-11.3 php5-xmlreader-5.5.14-11.3 php5-xmlreader-debuginfo-5.5.14-11.3 php5-xmlrpc-5.5.14-11.3 php5-xmlrpc-debuginfo-5.5.14-11.3 php5-xmlwriter-5.5.14-11.3 php5-xmlwriter-debuginfo-5.5.14-11.3 php5-xsl-5.5.14-11.3 php5-xsl-debuginfo-5.5.14-11.3 php5-zip-5.5.14-11.3 php5-zip-debuginfo-5.5.14-11.3 php5-zlib-5.5.14-11.3 php5-zlib-debuginfo-5.5.14-11.3 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php5-pear-5.5.14-11.3 References: http://support.novell.com/security/cve/CVE-2014-8142.html http://support.novell.com/security/cve/CVE-2014-9427.html http://support.novell.com/security/cve/CVE-2015-0231.html http://support.novell.com/security/cve/CVE-2015-0232.html https://bugzilla.suse.com/907519 https://bugzilla.suse.com/910659 https://bugzilla.suse.com/911664 https://bugzilla.suse.com/914690 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0353-1: important: Security update for samba
by opensuse-security＠opensuse.org 23 Feb '15

23 Feb '15

SUSE Security Update: Security update for samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0353-1 Rating: important References: #872912 #873922 #876312 #889175 #898031 #908627 #913238 #917376 Cross-References: CVE-2015-0240 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves one vulnerability and has 7 fixes is now available. Description: samba was updated to fix one security issue. This security issue was fixed: - CVE-2015-0240: Don't call talloc_free on an uninitialized pointer (bnc#917376). These non-security issues were fixed: - Fix vfs_snapper DBus string handling (bso#11055, bnc#913238). - Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals (bso#10123). + Set domain/workgroup based on authentication callback value (bso#11059). - pam_winbind: Fix warn_pwd_expire implementation (bso#9056). - nsswitch: Fix soname of linux nss_*.so.2 modules (bso#9299). - Fix profiles tool (bso#9629). - s3-lib: Do not require a password with --use-ccache (bso#10279). - s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control (bso#10949). - s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses (bso#10952). - s3:smb2_server: Allow reauthentication without signing (bso#10958). - s3-smbclient: Return success if we listed the shares (bso#10960). - s3-smbstatus: Fix exit code of profile output (bso#10961). - libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does (bso#10966). - s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention (bso#10982). - Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions' (bso#11006). - idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo (bso#11006). - winbind: Retry LogonControl RPC in ping-dc after session expiration (bso#11034). - yast2-samba-client should be able to specify osName and osVer on AD domain join (bnc#873922). - Lookup FSRVP share snums at runtime rather than storing them persistently (bnc#908627). - Specify soft dependency for network-online.target in Winbind systemd service file (bnc#889175). - Fix spoolss error response marshalling; (bso#10984). - pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state (bso#10472). - s4-dns: Add support for BIND 9.10 (bso#10620). - nmbd fails to accept "--piddir" option; (bso#10711). - S3: source3/smbd/process.c::srv_send_smb() returns true on the error path (bso#10880). - vfs_glusterfs: Remove "integer fd" code and store the glfs pointers (bso#10889). - s3-nmbd: Fix netbios name truncation (bso#10896). - spoolss: Fix handling of bad EnumJobs levels (bso#10898). - spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). - s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). - s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). - pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). - s3-keytab: Fix keytab array NULL termination; (bso#10933). - Cleanup add_string_to_array and usage; (bso#10942). - Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312). - Use the upstream tar ball, as signature verification is now able to handle compressed archives. - Fix leak when closing file descriptor returned from dirfd; (bso#10918). - Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898). - Remove dependency on gpg-offline as signature checking is implemented in the source validator. - s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). - s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). - s3-libads: Add all machine account principals to the keytab; (bso#9985). - s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). - Fix unstrcpy; (bso#10735). - pthreadpool: Slightly serialize jobs; (bso#10779). - s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). - s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). - vfs_media_harmony: Fix a crash bug; (bso#10813). - docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). - nmbd: Send waiting status to systemd; (bso#10816). - libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). - nsswitch: Skip groups we were not able to map; (bso#10824). - s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). - s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). - s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). - idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). - s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). - s3: smb2cli: Query info return length check was reversed; (bso#10848). - registry: Don't leave dangling transactions; (bso#10860). - Prune idle or hung connections older than "winbind request timeout"; (bso#3204); (bnc#872912). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-91=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-91=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-91=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): libdcerpc-atsvc-devel-4.1.12-16.1 libdcerpc-atsvc0-4.1.12-16.1 libdcerpc-atsvc0-debuginfo-4.1.12-16.1 libdcerpc-devel-4.1.12-16.1 libdcerpc-samr-devel-4.1.12-16.1 libdcerpc-samr0-4.1.12-16.1 libdcerpc-samr0-debuginfo-4.1.12-16.1 libgensec-devel-4.1.12-16.1 libndr-devel-4.1.12-16.1 libndr-krb5pac-devel-4.1.12-16.1 libndr-nbt-devel-4.1.12-16.1 libndr-standard-devel-4.1.12-16.1 libnetapi-devel-4.1.12-16.1 libpdb-devel-4.1.12-16.1 libregistry-devel-4.1.12-16.1 libsamba-credentials-devel-4.1.12-16.1 libsamba-hostconfig-devel-4.1.12-16.1 libsamba-policy-devel-4.1.12-16.1 libsamba-policy0-4.1.12-16.1 libsamba-policy0-debuginfo-4.1.12-16.1 libsamba-util-devel-4.1.12-16.1 libsamdb-devel-4.1.12-16.1 libsmbclient-devel-4.1.12-16.1 libsmbclient-raw-devel-4.1.12-16.1 libsmbconf-devel-4.1.12-16.1 libsmbldap-devel-4.1.12-16.1 libsmbsharemodes-devel-4.1.12-16.1 libsmbsharemodes0-4.1.12-16.1 libsmbsharemodes0-debuginfo-4.1.12-16.1 libtevent-util-devel-4.1.12-16.1 libwbclient-devel-4.1.12-16.1 samba-core-devel-4.1.12-16.1 samba-debuginfo-4.1.12-16.1 samba-debugsource-4.1.12-16.1 samba-test-devel-4.1.12-16.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): libdcerpc-binding0-4.1.12-16.1 libdcerpc-binding0-debuginfo-4.1.12-16.1 libdcerpc0-4.1.12-16.1 libdcerpc0-debuginfo-4.1.12-16.1 libgensec0-4.1.12-16.1 libgensec0-debuginfo-4.1.12-16.1 libndr-krb5pac0-4.1.12-16.1 libndr-krb5pac0-debuginfo-4.1.12-16.1 libndr-nbt0-4.1.12-16.1 libndr-nbt0-debuginfo-4.1.12-16.1 libndr-standard0-4.1.12-16.1 libndr-standard0-debuginfo-4.1.12-16.1 libndr0-4.1.12-16.1 libndr0-debuginfo-4.1.12-16.1 libnetapi0-4.1.12-16.1 libnetapi0-debuginfo-4.1.12-16.1 libpdb0-4.1.12-16.1 libpdb0-debuginfo-4.1.12-16.1 libregistry0-4.1.12-16.1 libregistry0-debuginfo-4.1.12-16.1 libsamba-credentials0-4.1.12-16.1 libsamba-credentials0-debuginfo-4.1.12-16.1 libsamba-hostconfig0-4.1.12-16.1 libsamba-hostconfig0-debuginfo-4.1.12-16.1 libsamba-util0-4.1.12-16.1 libsamba-util0-debuginfo-4.1.12-16.1 libsamdb0-4.1.12-16.1 libsamdb0-debuginfo-4.1.12-16.1 libsmbclient-raw0-4.1.12-16.1 libsmbclient-raw0-debuginfo-4.1.12-16.1 libsmbclient0-4.1.12-16.1 libsmbclient0-debuginfo-4.1.12-16.1 libsmbconf0-4.1.12-16.1 libsmbconf0-debuginfo-4.1.12-16.1 libsmbldap0-4.1.12-16.1 libsmbldap0-debuginfo-4.1.12-16.1 libtevent-util0-4.1.12-16.1 libtevent-util0-debuginfo-4.1.12-16.1 libwbclient0-4.1.12-16.1 libwbclient0-debuginfo-4.1.12-16.1 samba-4.1.12-16.1 samba-client-4.1.12-16.1 samba-client-debuginfo-4.1.12-16.1 samba-debuginfo-4.1.12-16.1 samba-debugsource-4.1.12-16.1 samba-libs-4.1.12-16.1 samba-libs-debuginfo-4.1.12-16.1 samba-winbind-4.1.12-16.1 samba-winbind-debuginfo-4.1.12-16.1 - SUSE Linux Enterprise Server 12 (s390x x86_64): libdcerpc-binding0-32bit-4.1.12-16.1 libdcerpc-binding0-debuginfo-32bit-4.1.12-16.1 libdcerpc0-32bit-4.1.12-16.1 libdcerpc0-debuginfo-32bit-4.1.12-16.1 libgensec0-32bit-4.1.12-16.1 libgensec0-debuginfo-32bit-4.1.12-16.1 libndr-krb5pac0-32bit-4.1.12-16.1 libndr-krb5pac0-debuginfo-32bit-4.1.12-16.1 libndr-nbt0-32bit-4.1.12-16.1 libndr-nbt0-debuginfo-32bit-4.1.12-16.1 libndr-standard0-32bit-4.1.12-16.1 libndr-standard0-debuginfo-32bit-4.1.12-16.1 libndr0-32bit-4.1.12-16.1 libndr0-debuginfo-32bit-4.1.12-16.1 libnetapi0-32bit-4.1.12-16.1 libnetapi0-debuginfo-32bit-4.1.12-16.1 libpdb0-32bit-4.1.12-16.1 libpdb0-debuginfo-32bit-4.1.12-16.1 libsamba-credentials0-32bit-4.1.12-16.1 libsamba-credentials0-debuginfo-32bit-4.1.12-16.1 libsamba-hostconfig0-32bit-4.1.12-16.1 libsamba-hostconfig0-debuginfo-32bit-4.1.12-16.1 libsamba-util0-32bit-4.1.12-16.1 libsamba-util0-debuginfo-32bit-4.1.12-16.1 libsamdb0-32bit-4.1.12-16.1 libsamdb0-debuginfo-32bit-4.1.12-16.1 libsmbclient-raw0-32bit-4.1.12-16.1 libsmbclient-raw0-debuginfo-32bit-4.1.12-16.1 libsmbclient0-32bit-4.1.12-16.1 libsmbclient0-debuginfo-32bit-4.1.12-16.1 libsmbconf0-32bit-4.1.12-16.1 libsmbconf0-debuginfo-32bit-4.1.12-16.1 libsmbldap0-32bit-4.1.12-16.1 libsmbldap0-debuginfo-32bit-4.1.12-16.1 libtevent-util0-32bit-4.1.12-16.1 libtevent-util0-debuginfo-32bit-4.1.12-16.1 libwbclient0-32bit-4.1.12-16.1 libwbclient0-debuginfo-32bit-4.1.12-16.1 samba-32bit-4.1.12-16.1 samba-client-32bit-4.1.12-16.1 samba-client-debuginfo-32bit-4.1.12-16.1 samba-debuginfo-32bit-4.1.12-16.1 samba-libs-32bit-4.1.12-16.1 samba-libs-debuginfo-32bit-4.1.12-16.1 samba-winbind-32bit-4.1.12-16.1 samba-winbind-debuginfo-32bit-4.1.12-16.1 - SUSE Linux Enterprise Server 12 (noarch): samba-doc-4.1.12-16.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libdcerpc-binding0-32bit-4.1.12-16.1 libdcerpc-binding0-4.1.12-16.1 libdcerpc-binding0-debuginfo-32bit-4.1.12-16.1 libdcerpc-binding0-debuginfo-4.1.12-16.1 libdcerpc0-32bit-4.1.12-16.1 libdcerpc0-4.1.12-16.1 libdcerpc0-debuginfo-32bit-4.1.12-16.1 libdcerpc0-debuginfo-4.1.12-16.1 libgensec0-32bit-4.1.12-16.1 libgensec0-4.1.12-16.1 libgensec0-debuginfo-32bit-4.1.12-16.1 libgensec0-debuginfo-4.1.12-16.1 libndr-krb5pac0-32bit-4.1.12-16.1 libndr-krb5pac0-4.1.12-16.1 libndr-krb5pac0-debuginfo-32bit-4.1.12-16.1 libndr-krb5pac0-debuginfo-4.1.12-16.1 libndr-nbt0-32bit-4.1.12-16.1 libndr-nbt0-4.1.12-16.1 libndr-nbt0-debuginfo-32bit-4.1.12-16.1 libndr-nbt0-debuginfo-4.1.12-16.1 libndr-standard0-32bit-4.1.12-16.1 libndr-standard0-4.1.12-16.1 libndr-standard0-debuginfo-32bit-4.1.12-16.1 libndr-standard0-debuginfo-4.1.12-16.1 libndr0-32bit-4.1.12-16.1 libndr0-4.1.12-16.1 libndr0-debuginfo-32bit-4.1.12-16.1 libndr0-debuginfo-4.1.12-16.1 libnetapi0-32bit-4.1.12-16.1 libnetapi0-4.1.12-16.1 libnetapi0-debuginfo-32bit-4.1.12-16.1 libnetapi0-debuginfo-4.1.12-16.1 libpdb0-32bit-4.1.12-16.1 libpdb0-4.1.12-16.1 libpdb0-debuginfo-32bit-4.1.12-16.1 libpdb0-debuginfo-4.1.12-16.1 libregistry0-4.1.12-16.1 libregistry0-debuginfo-4.1.12-16.1 libsamba-credentials0-32bit-4.1.12-16.1 libsamba-credentials0-4.1.12-16.1 libsamba-credentials0-debuginfo-32bit-4.1.12-16.1 libsamba-credentials0-debuginfo-4.1.12-16.1 libsamba-hostconfig0-32bit-4.1.12-16.1 libsamba-hostconfig0-4.1.12-16.1 libsamba-hostconfig0-debuginfo-32bit-4.1.12-16.1 libsamba-hostconfig0-debuginfo-4.1.12-16.1 libsamba-util0-32bit-4.1.12-16.1 libsamba-util0-4.1.12-16.1 libsamba-util0-debuginfo-32bit-4.1.12-16.1 libsamba-util0-debuginfo-4.1.12-16.1 libsamdb0-32bit-4.1.12-16.1 libsamdb0-4.1.12-16.1 libsamdb0-debuginfo-32bit-4.1.12-16.1 libsamdb0-debuginfo-4.1.12-16.1 libsmbclient-raw0-32bit-4.1.12-16.1 libsmbclient-raw0-4.1.12-16.1 libsmbclient-raw0-debuginfo-32bit-4.1.12-16.1 libsmbclient-raw0-debuginfo-4.1.12-16.1 libsmbclient0-32bit-4.1.12-16.1 libsmbclient0-4.1.12-16.1 libsmbclient0-debuginfo-32bit-4.1.12-16.1 libsmbclient0-debuginfo-4.1.12-16.1 libsmbconf0-32bit-4.1.12-16.1 libsmbconf0-4.1.12-16.1 libsmbconf0-debuginfo-32bit-4.1.12-16.1 libsmbconf0-debuginfo-4.1.12-16.1 libsmbldap0-32bit-4.1.12-16.1 libsmbldap0-4.1.12-16.1 libsmbldap0-debuginfo-32bit-4.1.12-16.1 libsmbldap0-debuginfo-4.1.12-16.1 libtevent-util0-32bit-4.1.12-16.1 libtevent-util0-4.1.12-16.1 libtevent-util0-debuginfo-32bit-4.1.12-16.1 libtevent-util0-debuginfo-4.1.12-16.1 libwbclient0-32bit-4.1.12-16.1 libwbclient0-4.1.12-16.1 libwbclient0-debuginfo-32bit-4.1.12-16.1 libwbclient0-debuginfo-4.1.12-16.1 samba-32bit-4.1.12-16.1 samba-4.1.12-16.1 samba-client-32bit-4.1.12-16.1 samba-client-4.1.12-16.1 samba-client-debuginfo-32bit-4.1.12-16.1 samba-client-debuginfo-4.1.12-16.1 samba-debuginfo-32bit-4.1.12-16.1 samba-debuginfo-4.1.12-16.1 samba-debugsource-4.1.12-16.1 samba-libs-32bit-4.1.12-16.1 samba-libs-4.1.12-16.1 samba-libs-debuginfo-32bit-4.1.12-16.1 samba-libs-debuginfo-4.1.12-16.1 samba-winbind-32bit-4.1.12-16.1 samba-winbind-4.1.12-16.1 samba-winbind-debuginfo-32bit-4.1.12-16.1 samba-winbind-debuginfo-4.1.12-16.1 - SUSE Linux Enterprise Desktop 12 (noarch): samba-doc-4.1.12-16.1 References: http://support.novell.com/security/cve/CVE-2015-0240.html https://bugzilla.suse.com/872912 https://bugzilla.suse.com/873922 https://bugzilla.suse.com/876312 https://bugzilla.suse.com/889175 https://bugzilla.suse.com/898031 https://bugzilla.suse.com/908627 https://bugzilla.suse.com/913238 https://bugzilla.suse.com/917376 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0345-1: important: Security update for java-1_6_0-ibm
by opensuse-security＠opensuse.org 21 Feb '15

21 Feb '15

SUSE Security Update: Security update for java-1_6_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0345-1 Rating: important References: #901223 #901239 #904889 #916265 #916266 Cross-References: CVE-2014-8891 CVE-2014-8892 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. Description: java-1_6_0-ibm was updated to version 1.6.0_sr16.3 to fix 20 security issues: * CVE-2014-8891: Unspecified vulnerability (bnc#916266) * CVE-2014-8892: Unspecified vulnerability (bnc#916265) * CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache (bnc#904889). * CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue (bnc#901223). * CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT (bnc#901239). * CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532 (bnc#901239). * CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503 (bnc#901239). * CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532 (bnc#901239). * CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532 (bnc#901239). * CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#901239). * CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#901239). * CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bnc#901239). * CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment (bnc#901239). * CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D (bnc#901239). * CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE (bnc#901239). * CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security (bnc#901239). Security Issues: * CVE-2014-8892 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8892> * CVE-2014-8891 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8891> Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.3-0.9.1 java-1_6_0-ibm-devel-1.6.0_sr16.3-0.9.1 java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.9.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.9.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): java-1_6_0-ibm-32bit-1.6.0_sr16.3-0.9.1 java-1_6_0-ibm-devel-32bit-1.6.0_sr16.3-0.9.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.9.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64): java-1_6_0-ibm-alsa-32bit-1.6.0_sr16.3-0.9.1 java-1_6_0-ibm-plugin-32bit-1.6.0_sr16.3-0.9.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.9.1 References: http://support.novell.com/security/cve/CVE-2014-8891.html http://support.novell.com/security/cve/CVE-2014-8892.html https://bugzilla.suse.com/901223 https://bugzilla.suse.com/901239 https://bugzilla.suse.com/904889 https://bugzilla.suse.com/916265 https://bugzilla.suse.com/916266 http://download.suse.com/patch/finder/?keywords=a992e300008dd2cf884e0b1fa92… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

openSUSE Security Announce February 2015