openSUSE Security Announce May 2015

security-announce@lists.opensuse.org

1 participants
28 discussions

[security-announce] SUSE-SU-2015:0960-1: important: Security update for MozillaFirefox
by opensuse-security＠opensuse.org 28 May '15

28 May '15

SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0960-1 Rating: important References: #930622 Cross-References: CVE-2015-0797 CVE-2015-2708 CVE-2015-2709 CVE-2015-2710 CVE-2015-2713 CVE-2015-2716 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update to Firefox 31.7.0 ESR (bsc#930622) fixes the following issues: * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 (bmo#1120655, bmo#1143299, bmo#1151139, bmo#1152177, bmo#1111251, bmo#1117977, bmo#1128064, bmo#1135066, bmo#1143194, bmo#1146101, bmo#1149526, bmo#1153688, bmo#1155474) Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) * MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-217=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-217=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-217=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): MozillaFirefox-debuginfo-31.7.0esr-34.1 MozillaFirefox-debugsource-31.7.0esr-34.1 MozillaFirefox-devel-31.7.0esr-34.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): MozillaFirefox-31.7.0esr-34.1 MozillaFirefox-debuginfo-31.7.0esr-34.1 MozillaFirefox-debugsource-31.7.0esr-34.1 MozillaFirefox-translations-31.7.0esr-34.1 - SUSE Linux Enterprise Desktop 12 (x86_64): MozillaFirefox-31.7.0esr-34.1 MozillaFirefox-debuginfo-31.7.0esr-34.1 MozillaFirefox-debugsource-31.7.0esr-34.1 MozillaFirefox-translations-31.7.0esr-34.1 References: https://www.suse.com/security/cve/CVE-2015-0797.html https://www.suse.com/security/cve/CVE-2015-2708.html https://www.suse.com/security/cve/CVE-2015-2709.html https://www.suse.com/security/cve/CVE-2015-2710.html https://www.suse.com/security/cve/CVE-2015-2713.html https://www.suse.com/security/cve/CVE-2015-2716.html https://bugzilla.suse.com/930622 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0946-1: important: Security update for MySQL
by opensuse-security＠opensuse.org 26 May '15

26 May '15

SUSE Security Update: Security update for MySQL ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0946-1 Rating: important References: #922043 #927623 Cross-References: CVE-2014-3569 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 CVE-2015-0405 CVE-2015-0423 CVE-2015-0433 CVE-2015-0438 CVE-2015-0439 CVE-2015-0441 CVE-2015-0498 CVE-2015-0499 CVE-2015-0500 CVE-2015-0501 CVE-2015-0503 CVE-2015-0505 CVE-2015-0506 CVE-2015-0507 CVE-2015-0508 CVE-2015-0511 CVE-2015-2305 CVE-2015-2566 CVE-2015-2567 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2576 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 31 vulnerabilities is now available. It includes one version update. Description: MySQL was updated to version 5.5.43 to fix several security and non security issues: * CVEs fixed: CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0405, CVE-2015-0423, CVE-2015-0433, CVE-2015-0438, CVE-2015-0439, CVE-2015-0441, CVE-2015-0498, CVE-2015-0499, CVE-2015-0500, CVE-2015-0501, CVE-2015-0503, CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0508, CVE-2015-0511, CVE-2015-2566, CVE-2015-2567, CVE-2015-2568, CVE-2015-2571, CVE-2015-2573, CVE-2015-2576. * Fix integer overflow in regcomp (Henry Spencer's regex library) for excessively long pattern strings. (bnc#922043, CVE-2015-2305) For a comprehensive list of changes, refer to http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html <http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html> . Security Issues: * CVE-2014-3569 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569> * CVE-2014-3570 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570> * CVE-2014-3571 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571> * CVE-2014-3572 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572> * CVE-2014-8275 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275> * CVE-2015-0204 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204> * CVE-2015-0205 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205> * CVE-2015-0206 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206> * CVE-2015-0405 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0405> * CVE-2015-0423 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0423> * CVE-2015-0433 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0433> * CVE-2015-0438 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0438> * CVE-2015-0439 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0439> * CVE-2015-0441 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0441> * CVE-2015-0498 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0498> * CVE-2015-0499 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0499> * CVE-2015-0500 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0500> * CVE-2015-0501 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0501> * CVE-2015-0503 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0503> * CVE-2015-0505 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0505> * CVE-2015-0506 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0506> * CVE-2015-0507 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0507> * CVE-2015-0508 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0508> * CVE-2015-0511 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0511> * CVE-2015-2566 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2566> * CVE-2015-2567 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2567> * CVE-2015-2568 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2568> * CVE-2015-2571 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2571> * CVE-2015-2573 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2573> * CVE-2015-2576 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2576> * CVE-2015-2305 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-libmysql55client18=10661 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-libmysql55client18=10661 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libmysql55client18=10661 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libmysql55client18=10661 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64): libmysql55client_r18-32bit-5.5.43-0.7.3 libmysqlclient_r15-32bit-5.0.96-0.6.20 - SUSE Linux Enterprise Software Development Kit 11 SP3 (ia64): libmysql55client_r18-x86-5.5.43-0.7.3 libmysqlclient_r15-x86-5.0.96-0.6.20 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 5.5.43]: libmysql55client18-5.5.43-0.7.3 libmysql55client_r18-5.5.43-0.7.3 libmysqlclient15-5.0.96-0.6.20 libmysqlclient_r15-5.0.96-0.6.20 mysql-5.5.43-0.7.3 mysql-client-5.5.43-0.7.3 mysql-tools-5.5.43-0.7.3 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 5.5.43]: libmysql55client18-32bit-5.5.43-0.7.3 libmysqlclient15-32bit-5.0.96-0.6.20 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.5.43]: libmysql55client18-5.5.43-0.7.3 libmysql55client_r18-5.5.43-0.7.3 libmysqlclient15-5.0.96-0.6.20 libmysqlclient_r15-5.0.96-0.6.20 mysql-5.5.43-0.7.3 mysql-client-5.5.43-0.7.3 mysql-tools-5.5.43-0.7.3 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 5.5.43]: libmysql55client18-32bit-5.5.43-0.7.3 libmysqlclient15-32bit-5.0.96-0.6.20 - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 5.5.43]: libmysql55client18-x86-5.5.43-0.7.3 libmysqlclient15-x86-5.0.96-0.6.20 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 5.5.43]: libmysql55client18-5.5.43-0.7.3 libmysql55client_r18-5.5.43-0.7.3 libmysqlclient15-5.0.96-0.6.20 libmysqlclient_r15-5.0.96-0.6.20 mysql-5.5.43-0.7.3 mysql-client-5.5.43-0.7.3 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 5.5.43]: libmysql55client18-32bit-5.5.43-0.7.3 libmysql55client_r18-32bit-5.5.43-0.7.3 libmysqlclient15-32bit-5.0.96-0.6.20 libmysqlclient_r15-32bit-5.0.96-0.6.20 References: https://www.suse.com/security/cve/CVE-2014-3569.html https://www.suse.com/security/cve/CVE-2014-3570.html https://www.suse.com/security/cve/CVE-2014-3571.html https://www.suse.com/security/cve/CVE-2014-3572.html https://www.suse.com/security/cve/CVE-2014-8275.html https://www.suse.com/security/cve/CVE-2015-0204.html https://www.suse.com/security/cve/CVE-2015-0205.html https://www.suse.com/security/cve/CVE-2015-0206.html https://www.suse.com/security/cve/CVE-2015-0405.html https://www.suse.com/security/cve/CVE-2015-0423.html https://www.suse.com/security/cve/CVE-2015-0433.html https://www.suse.com/security/cve/CVE-2015-0438.html https://www.suse.com/security/cve/CVE-2015-0439.html https://www.suse.com/security/cve/CVE-2015-0441.html https://www.suse.com/security/cve/CVE-2015-0498.html https://www.suse.com/security/cve/CVE-2015-0499.html https://www.suse.com/security/cve/CVE-2015-0500.html https://www.suse.com/security/cve/CVE-2015-0501.html https://www.suse.com/security/cve/CVE-2015-0503.html https://www.suse.com/security/cve/CVE-2015-0505.html https://www.suse.com/security/cve/CVE-2015-0506.html https://www.suse.com/security/cve/CVE-2015-0507.html https://www.suse.com/security/cve/CVE-2015-0508.html https://www.suse.com/security/cve/CVE-2015-0511.html https://www.suse.com/security/cve/CVE-2015-2305.html https://www.suse.com/security/cve/CVE-2015-2566.html https://www.suse.com/security/cve/CVE-2015-2567.html https://www.suse.com/security/cve/CVE-2015-2568.html https://www.suse.com/security/cve/CVE-2015-2571.html https://www.suse.com/security/cve/CVE-2015-2573.html https://www.suse.com/security/cve/CVE-2015-2576.html https://bugzilla.suse.com/922043 https://bugzilla.suse.com/927623 https://download.suse.com/patch/finder/?keywords=bf7ed7fc98aa76bac61b9bec76… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0944-1: important: Security update for Xen
by opensuse-security＠opensuse.org 26 May '15

26 May '15

SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0944-1 Rating: important References: #910441 #927967 #929339 Cross-References: CVE-2015-3340 CVE-2015-3456 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: Xen was updated to fix two security issues and a bug: * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. * CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. * An exception in setCPUAffinity when restoring guests. (bsc#910441) Security Issues: * CVE-2015-3456 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456> * CVE-2015-3340 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3340> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-xen=10685 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64): xen-devel-4.1.6_08-0.11.1 xen-kmp-default-4.1.6_08_3.0.101_0.7.29-0.11.1 xen-kmp-trace-4.1.6_08_3.0.101_0.7.29-0.11.1 xen-libs-4.1.6_08-0.11.1 xen-tools-domU-4.1.6_08-0.11.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64): xen-4.1.6_08-0.11.1 xen-doc-html-4.1.6_08-0.11.1 xen-doc-pdf-4.1.6_08-0.11.1 xen-libs-32bit-4.1.6_08-0.11.1 xen-tools-4.1.6_08-0.11.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586): xen-kmp-pae-4.1.6_08_3.0.101_0.7.29-0.11.1 References: https://www.suse.com/security/cve/CVE-2015-3340.html https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/910441 https://bugzilla.suse.com/927967 https://bugzilla.suse.com/929339 https://download.suse.com/patch/finder/?keywords=8be2bb05e7093a3facd3bc07a9… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0943-1: important: Security update for KVM
by opensuse-security＠opensuse.org 26 May '15

26 May '15

SUSE Security Update: Security update for KVM ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0943-1 Rating: important References: #834196 #929339 Cross-References: CVE-2015-3456 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: KVM was updated to fix the following issues: * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. * Validate VMDK4 version field so we don't process versions we know nothing about. (bsc#834196) Security Issues: * CVE-2015-3456 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-kvm=10682 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64): kvm-0.15.1-0.29.1 References: https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/834196 https://bugzilla.suse.com/929339 https://download.suse.com/patch/finder/?keywords=8fa4cd2e0df2fbbbef8a56f272… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0889-2: important: Security update for Xen
by opensuse-security＠opensuse.org 26 May '15

26 May '15

SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0889-2 Rating: important References: #929339 Cross-References: CVE-2015-3456 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Xen was updated to fix a buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. (CVE-2015-3456) Security Issues: * CVE-2015-3456 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456> Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64): xen-3.2.3_17040_46-0.15.1 xen-devel-3.2.3_17040_46-0.15.1 xen-doc-html-3.2.3_17040_46-0.15.1 xen-doc-pdf-3.2.3_17040_46-0.15.1 xen-doc-ps-3.2.3_17040_46-0.15.1 xen-kmp-debug-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 xen-kmp-default-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 xen-kmp-kdump-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 xen-kmp-smp-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 xen-libs-3.2.3_17040_46-0.15.1 xen-tools-3.2.3_17040_46-0.15.1 xen-tools-domU-3.2.3_17040_46-0.15.1 xen-tools-ioemu-3.2.3_17040_46-0.15.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64): xen-libs-32bit-3.2.3_17040_46-0.15.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586): xen-kmp-bigsmp-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 xen-kmp-kdumppae-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 xen-kmp-vmi-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 xen-kmp-vmipae-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1 References: https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/929339 https://download.suse.com/patch/finder/?keywords=114b7cce479b39879add5cf193… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0940-1: important: Security update for Xen
by opensuse-security＠opensuse.org 26 May '15

26 May '15

SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0940-1 Rating: important References: #927967 #929339 Cross-References: CVE-2015-3340 CVE-2015-3456 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: Xen was updated to fix two security issues: * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. * CVE-2015-3340: An information leak through XEN_DOMCTL_gettscinfo(). (XSA-132) Security Issues: * CVE-2015-3456 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456> * CVE-2015-3340 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3340> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-xen=10684 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64): xen-4.0.3_21548_18-0.21.1 xen-doc-html-4.0.3_21548_18-0.21.1 xen-doc-pdf-4.0.3_21548_18-0.21.1 xen-kmp-default-4.0.3_21548_18_2.6.32.59_0.19-0.21.1 xen-kmp-trace-4.0.3_21548_18_2.6.32.59_0.19-0.21.1 xen-libs-4.0.3_21548_18-0.21.1 xen-tools-4.0.3_21548_18-0.21.1 xen-tools-domU-4.0.3_21548_18-0.21.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586): xen-kmp-pae-4.0.3_21548_18_2.6.32.59_0.19-0.21.1 References: https://www.suse.com/security/cve/CVE-2015-3340.html https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/927967 https://bugzilla.suse.com/929339 https://download.suse.com/patch/finder/?keywords=aee7c643a4c4513e4350b80ada… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0929-1: important: Security update for KVM
by opensuse-security＠opensuse.org 22 May '15

22 May '15

SUSE Security Update: Security update for KVM ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0929-1 Rating: important References: #877642 #877645 #929339 Cross-References: CVE-2014-0222 CVE-2014-0223 CVE-2015-3456 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. It includes one version update. Description: KVM was updated to fix the following security issues: * CVE-2015-3456: Buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. * CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. * CVE-2014-0223: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. Security Issues: * CVE-2015-3456 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456> * CVE-2014-0222 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222> * CVE-2014-0223 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223> Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-kvm=10683 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64) [New Version: 0.12.5]: kvm-0.12.5-1.26.1 References: https://www.suse.com/security/cve/CVE-2014-0222.html https://www.suse.com/security/cve/CVE-2014-0223.html https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/877642 https://bugzilla.suse.com/877645 https://bugzilla.suse.com/929339 https://download.suse.com/patch/finder/?keywords=a793805e5c8b31d54aefde0380… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0928-1: important: Security update for SUSE Manager Server 1.7
by opensuse-security＠opensuse.org 22 May '15

22 May '15

SUSE Security Update: Security update for SUSE Manager Server 1.7 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0928-1 Rating: important References: #799068 #809927 #814954 #864246 #870159 #879904 #881111 #896238 #896244 #898426 #900956 #901108 #902915 #903723 #906850 #912886 #922525 Cross-References: CVE-2014-7811 CVE-2014-7812 CVE-2014-8162 Affected Products: SUSE Manager 1.7 for SLE 11 SP2 ______________________________________________________________________________ An update that solves three vulnerabilities and has 14 fixes is now available. It includes 9 new package versions. Description: This collective update for SUSE Manager 1.7 provides several fixes and enhancements. smdba: * Space reclamation caused ORA-00942 (table or view does not exist). (bsc#906850) * Optimized space reclamation for Oracle. * Implement fully hot operations for PostgreSQL. * System check breaks backup and other configuration. * Implement rotating PostgreSQL backup feature. (bsc#896244) * Set PostgreSQL max connections to the same value as for Oracle. sm-ncc-sync-data: * Add ATI and nVidia channels for SLED11-SP3. (bsc#901108) spacecmd: * Fix call to setCustomOptions(). (bsc#879904) spacewalk-backend: * Fix encoding of submit message. * Trigger generation of metadata if the repository contains no packages. (bsc#870159) spacewalk-branding: * Update default Spacewalk entitlement certificate. spacewalk-java: * Introduce improved parser for xmlrpc. (CVE-2014-8162, bsc#922525) * Fix more cross-site scripting bugs. (CVE-2014-7811, bsc#902915) * Ffix CVE audit in case of multiversion package installed and patch in multi channels. (bsc#903723) * Fix automatic configuration file deployment via snippet. (bsc#898426) * Download CSV button does not export all columns ("Base Channel" missing). (bsc#896238) * Fix cross-site scripting in system-group. (CVE-2014-7812, bsc#912886) spacewalk-setup: * Fix XML RPC API External Entities file disclosure. (CVE-2014-8162, bsc#922525) * No activation if db population should be skipped. (bsc#900956) susemanager-schema: * Fix evr_t schema upgrade. (bsc#881111) susemanager: * Add tool to update the spacewalk public cert in the DB. * Fix the test for the mirror credentials. (bsc#864246) How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema with spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service start Security Issues: * CVE-2014-7811 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7811> * CVE-2014-7812 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7812> * CVE-2014-8162 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8162> Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-sm-ncc-sync-data=10671 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.5,1.7.1.13,1.7.30,1.7.38.34 and 1.7.7.12]: smdba-1.5-0.6.2.1 spacecmd-1.7.7.12-0.5.1 spacewalk-backend-1.7.38.34-0.5.1 spacewalk-backend-app-1.7.38.34-0.5.1 spacewalk-backend-applet-1.7.38.34-0.5.1 spacewalk-backend-config-files-1.7.38.34-0.5.1 spacewalk-backend-config-files-common-1.7.38.34-0.5.1 spacewalk-backend-config-files-tool-1.7.38.34-0.5.1 spacewalk-backend-iss-1.7.38.34-0.5.1 spacewalk-backend-iss-export-1.7.38.34-0.5.1 spacewalk-backend-libs-1.7.38.34-0.5.1 spacewalk-backend-package-push-server-1.7.38.34-0.5.1 spacewalk-backend-server-1.7.38.34-0.5.1 spacewalk-backend-sql-1.7.38.34-0.5.1 spacewalk-backend-sql-oracle-1.7.38.34-0.5.1 spacewalk-backend-sql-postgresql-1.7.38.34-0.5.1 spacewalk-backend-tools-1.7.38.34-0.5.1 spacewalk-backend-xml-export-libs-1.7.38.34-0.5.1 spacewalk-backend-xmlrpc-1.7.38.34-0.5.1 spacewalk-backend-xp-1.7.38.34-0.5.1 spacewalk-branding-1.7.1.13-0.5.1 susemanager-1.7.30-0.5.2 susemanager-tools-1.7.30-0.5.2 - SUSE Manager 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.21,1.7.54.34,1.7.56.24 and 1.7.9.12]: sm-ncc-sync-data-1.7.21-0.5.1 spacewalk-java-1.7.54.34-0.5.1 spacewalk-java-config-1.7.54.34-0.5.1 spacewalk-java-lib-1.7.54.34-0.5.1 spacewalk-java-oracle-1.7.54.34-0.5.1 spacewalk-java-postgresql-1.7.54.34-0.5.1 spacewalk-setup-1.7.9.12-0.5.1 spacewalk-taskomatic-1.7.54.34-0.5.1 susemanager-schema-1.7.56.24-0.7.1 References: https://www.suse.com/security/cve/CVE-2014-7811.html https://www.suse.com/security/cve/CVE-2014-7812.html https://www.suse.com/security/cve/CVE-2014-8162.html https://bugzilla.suse.com/799068 https://bugzilla.suse.com/809927 https://bugzilla.suse.com/814954 https://bugzilla.suse.com/864246 https://bugzilla.suse.com/870159 https://bugzilla.suse.com/879904 https://bugzilla.suse.com/881111 https://bugzilla.suse.com/896238 https://bugzilla.suse.com/896244 https://bugzilla.suse.com/898426 https://bugzilla.suse.com/900956 https://bugzilla.suse.com/901108 https://bugzilla.suse.com/902915 https://bugzilla.suse.com/903723 https://bugzilla.suse.com/906850 https://bugzilla.suse.com/912886 https://bugzilla.suse.com/922525 https://download.suse.com/patch/finder/?keywords=8028a25587947641ad45132e49… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0927-1: important: Security update for Xen
by opensuse-security＠opensuse.org 22 May '15

22 May '15

SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0927-1 Rating: important References: #910441 #927967 #929339 Cross-References: CVE-2015-3456 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: Xen was updated to fix two security issues and a bug: * CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. * CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. * An exception in setCPUAffinity when restoring guests. (bsc#910441) Security Issues: * CVE-2015-3456 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456> * CVE-2015-3340 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3340> Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-xen=10673 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-xen=10673 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-xen=10673 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): xen-devel-4.2.5_06-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64): xen-kmp-default-4.2.5_06_3.0.101_0.47.52-0.7.1 xen-libs-4.2.5_06-0.7.1 xen-tools-domU-4.2.5_06-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (x86_64): xen-4.2.5_06-0.7.1 xen-doc-html-4.2.5_06-0.7.1 xen-doc-pdf-4.2.5_06-0.7.1 xen-libs-32bit-4.2.5_06-0.7.1 xen-tools-4.2.5_06-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586): xen-kmp-pae-4.2.5_06_3.0.101_0.47.52-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): xen-kmp-default-4.2.5_06_3.0.101_0.47.52-0.7.1 xen-libs-4.2.5_06-0.7.1 xen-tools-domU-4.2.5_06-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): xen-4.2.5_06-0.7.1 xen-doc-html-4.2.5_06-0.7.1 xen-doc-pdf-4.2.5_06-0.7.1 xen-libs-32bit-4.2.5_06-0.7.1 xen-tools-4.2.5_06-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586): xen-kmp-pae-4.2.5_06_3.0.101_0.47.52-0.7.1 References: https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/910441 https://bugzilla.suse.com/927967 https://bugzilla.suse.com/929339 https://download.suse.com/patch/finder/?keywords=beaa1b0c2d4c1d543469208fc4… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2015:0923-1: important: Security update for xen
by opensuse-security＠opensuse.org 21 May '15

21 May '15

SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0923-1 Rating: important References: #922705 #922709 #927967 #929339 Cross-References: CVE-2015-2751 CVE-2015-2752 CVE-2015-3340 CVE-2015-3456 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: XEN was updated to fix two security issues and bugs. Security issues fixed: * CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. * CVE-2015-2751: Xen, when using toolstack disaggregation, allowed remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. * CVE-2015-2752: The XEN_DOMCTL_memory_mapping hypercall in Xen, when using a PCI passthrough device, was not preemptable, which allowed local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). * CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. Bugs fixed: - xentop: Fix memory leak on read failure Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-206=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-206=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-206=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (x86_64): xen-debugsource-4.4.2_04-18.1 xen-devel-4.4.2_04-18.1 - SUSE Linux Enterprise Server 12 (x86_64): xen-4.4.2_04-18.1 xen-debugsource-4.4.2_04-18.1 xen-doc-html-4.4.2_04-18.1 xen-kmp-default-4.4.2_04_k3.12.39_47-18.1 xen-kmp-default-debuginfo-4.4.2_04_k3.12.39_47-18.1 xen-libs-32bit-4.4.2_04-18.1 xen-libs-4.4.2_04-18.1 xen-libs-debuginfo-32bit-4.4.2_04-18.1 xen-libs-debuginfo-4.4.2_04-18.1 xen-tools-4.4.2_04-18.1 xen-tools-debuginfo-4.4.2_04-18.1 xen-tools-domU-4.4.2_04-18.1 xen-tools-domU-debuginfo-4.4.2_04-18.1 - SUSE Linux Enterprise Desktop 12 (x86_64): xen-4.4.2_04-18.1 xen-debugsource-4.4.2_04-18.1 xen-kmp-default-4.4.2_04_k3.12.39_47-18.1 xen-kmp-default-debuginfo-4.4.2_04_k3.12.39_47-18.1 xen-libs-32bit-4.4.2_04-18.1 xen-libs-4.4.2_04-18.1 xen-libs-debuginfo-32bit-4.4.2_04-18.1 xen-libs-debuginfo-4.4.2_04-18.1 References: https://www.suse.com/security/cve/CVE-2015-2751.html https://www.suse.com/security/cve/CVE-2015-2752.html https://www.suse.com/security/cve/CVE-2015-3340.html https://www.suse.com/security/cve/CVE-2015-3456.html https://bugzilla.suse.com/922705 https://bugzilla.suse.com/922709 https://bugzilla.suse.com/927967 https://bugzilla.suse.com/929339 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

openSUSE Security Announce May 2015