SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0960-1
Rating: important
References: #930622
Cross-References: CVE-2015-0797 CVE-2015-2708 CVE-2015-2709
CVE-2015-2710 CVE-2015-2713 CVE-2015-2716
Affected Products:
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that fixes 6 vulnerabilities is now available.
Description:
This update to Firefox 31.7.0 ESR (bsc#930622) fixes the following issues:
* MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 (bmo#1120655, bmo#1143299,
bmo#1151139, bmo#1152177, bmo#1111251, bmo#1117977, bmo#1128064,
bmo#1135066, bmo#1143194, bmo#1146101, bmo#1149526, bmo#1153688,
bmo#1155474) Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
* MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264
video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG
content and CSS
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text
processing with vertical text enabled
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing
compressed XML
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2015-217=1
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-217=1
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-217=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
MozillaFirefox-debuginfo-31.7.0esr-34.1
MozillaFirefox-debugsource-31.7.0esr-34.1
MozillaFirefox-devel-31.7.0esr-34.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
MozillaFirefox-31.7.0esr-34.1
MozillaFirefox-debuginfo-31.7.0esr-34.1
MozillaFirefox-debugsource-31.7.0esr-34.1
MozillaFirefox-translations-31.7.0esr-34.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
MozillaFirefox-31.7.0esr-34.1
MozillaFirefox-debuginfo-31.7.0esr-34.1
MozillaFirefox-debugsource-31.7.0esr-34.1
MozillaFirefox-translations-31.7.0esr-34.1
References:
https://www.suse.com/security/cve/CVE-2015-0797.html
https://www.suse.com/security/cve/CVE-2015-2708.html
https://www.suse.com/security/cve/CVE-2015-2709.html
https://www.suse.com/security/cve/CVE-2015-2710.html
https://www.suse.com/security/cve/CVE-2015-2713.html
https://www.suse.com/security/cve/CVE-2015-2716.html
https://bugzilla.suse.com/930622
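Operators often want to confirm that a host actually carries the fixed package versions listed in an advisory's Package List rather than trusting that the patch was applied. The following Python script is an added example, not SUSE tooling and not part of the advisory: it parses the plain-text advisory format used above (announcement ID, cross-referenced CVEs, per-product package list), splits each package name into name, version and release, and compares a host's installed packages against the fixed versions with a simplified rpm-style version comparison. The advisory excerpt and the rpm -qa style inventory embedded in it are constructed samples, and the product name passed to `check_host` is an assumption.

```python
"""Check a host's installed packages against a SUSE advisory's Package List.

Added example, not SUSE tooling. The advisory text and the inventory below are
constructed samples so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NVR = Tuple[str, str, str]  # (name, version, release)

# Constructed excerpt in the advisory's plain-text format (package list trimmed).
SAMPLE_ADVISORY = """\
SUSE Security Update: Security update for MozillaFirefox
Announcement ID: SUSE-SU-2015:0960-1
Rating: important
Cross-References: CVE-2015-0797 CVE-2015-2708 CVE-2015-2709
CVE-2015-2710 CVE-2015-2713 CVE-2015-2716
Package List:
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
MozillaFirefox-31.7.0esr-34.1
MozillaFirefox-translations-31.7.0esr-34.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
MozillaFirefox-31.7.0esr-34.1
References:
"""

# Constructed `rpm -qa`-style inventory of one host (name-version-release).
SAMPLE_INVENTORY = [
    "MozillaFirefox-31.6.0esr-28.1",               # older than the fix
    "MozillaFirefox-translations-31.7.0esr-34.1",  # already at the fixed version
    "bash-4.2-75.4",                               # not covered by the advisory
]

# Product header, e.g. "- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64) [New Version: 0.12.5]:"
_HDR = re.compile(r"^- (?P<product>.+?) \((?P<arches>[^)]*)\)(?: \[[^\]]*\])?:$")
_SEG = re.compile(r"(\d+|[A-Za-z]+)")  # alternating numeric / alphabetic segments


@dataclass
class Advisory:
    announcement_id: str = ""
    cves: List[str] = field(default_factory=list)
    packages: Dict[str, List[NVR]] = field(default_factory=dict)  # product -> fixed NVRs


def split_nvr(pkg: str) -> NVR:
    """'xen-kmp-default-4.1.6_08-0.11.1' -> ('xen-kmp-default', '4.1.6_08', '0.11.1').
    The last two '-' separated fields are version and release; the rest is the name."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: digit runs compare numerically, letter runs lexically,
    a numeric segment outranks an alphabetic one, and leftover segments win.
    Tilde/caret handling of real rpm is omitted."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a: NVR, b: NVR) -> int:
    """Compare version, then release, of two same-named packages."""
    return rpm_vercmp(a[1], b[1]) or rpm_vercmp(a[2], b[2])


def parse_advisory(text: str) -> Advisory:
    """Pull the announcement ID, CVE list and per-product package list out of the text."""
    adv, product, in_packages = Advisory(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Announcement ID:"):
            adv.announcement_id = line.split(":", 1)[1].strip()
        elif line.startswith("Cross-References:") or (line.startswith("CVE-") and not in_packages):
            adv.cves += re.findall(r"CVE-\d{4}-\d+", line)  # header and its wrapped continuation
        elif line == "Package List:":
            in_packages = True
        elif in_packages:
            if line == "References:":
                break
            m = _HDR.match(line)
            if m:
                product = m.group("product")
                adv.packages.setdefault(product, [])
            elif line and product:
                adv.packages[product].append(split_nvr(line))
    adv.cves = list(dict.fromkeys(adv.cves))  # dedupe, keep order
    return adv


def check_host(adv: Advisory, product: str, inventory: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed_evr, fixed_evr) for installed packages older than the fix."""
    installed = {n: (n, v, r) for n, v, r in map(split_nvr, inventory)}
    findings = []
    for fixed in adv.packages.get(product, []):
        have = installed.get(fixed[0])
        if have is not None and evr_cmp(have, fixed) < 0:
            findings.append((fixed[0], f"{have[1]}-{have[2]}", f"{fixed[1]}-{fixed[2]}"))
    return findings


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print(adv.announcement_id, ", ".join(adv.cves))
    for name, have, want in check_host(adv, "SUSE Linux Enterprise Server 12", SAMPLE_INVENTORY):
        print(f"UNPATCHED {name}: installed {have}, fixed in {want}")
```

On a real host, replace SAMPLE_INVENTORY with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; the check only reports state, and the supported remediation remains the `zypper in -t patch ...` command given for the product.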
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
SUSE Security Update: Security update for Xen
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0944-1
Rating: important
References: #910441 #927967 #929339
Cross-References: CVE-2015-3340 CVE-2015-3456
Affected Products:
SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
Xen was updated to fix two security issues and a bug:
* CVE-2015-3456: A buffer overflow in the floppy drive emulation,
which could be used to carry out denial of service attacks or
potential code execution against the host. This vulnerability is
also known as VENOM.
* CVE-2015-3340: Xen did not initialize certain fields, which allowed
certain remote service domains to obtain sensitive information from
memory via a (1) XEN_DOMCTL_gettscinfo or (2)
XEN_SYSCTL_getdomaininfolist request.
* An exception in setCPUAffinity when restoring guests. (bsc#910441)
Security Issues:
* CVE-2015-3456
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456>
* CVE-2015-3340
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3340>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP2 LTSS:
zypper in -t patch slessp2-xen=10685
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):
xen-devel-4.1.6_08-0.11.1
xen-kmp-default-4.1.6_08_3.0.101_0.7.29-0.11.1
xen-kmp-trace-4.1.6_08_3.0.101_0.7.29-0.11.1
xen-libs-4.1.6_08-0.11.1
xen-tools-domU-4.1.6_08-0.11.1
- SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64):
xen-4.1.6_08-0.11.1
xen-doc-html-4.1.6_08-0.11.1
xen-doc-pdf-4.1.6_08-0.11.1
xen-libs-32bit-4.1.6_08-0.11.1
xen-tools-4.1.6_08-0.11.1
- SUSE Linux Enterprise Server 11 SP2 LTSS (i586):
xen-kmp-pae-4.1.6_08_3.0.101_0.7.29-0.11.1
References:
https://www.suse.com/security/cve/CVE-2015-3340.html
https://www.suse.com/security/cve/CVE-2015-3456.html
https://bugzilla.suse.com/910441
https://bugzilla.suse.com/927967
https://bugzilla.suse.com/929339
https://download.suse.com/patch/finder/?keywords=8be2bb05e7093a3facd3bc07a9…
SUSE Security Update: Security update for KVM
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0943-1
Rating: important
References: #834196 #929339
Cross-References: CVE-2015-3456
Affected Products:
SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
KVM was updated to fix the following issues:
* CVE-2015-3456: A buffer overflow in the floppy drive emulation,
which could be used to carry out denial of service attacks or
potential code execution against the host. This vulnerability is
also known as VENOM.
* Validate VMDK4 version field so we don't process versions we know
nothing about. (bsc#834196)
Security Issues:
* CVE-2015-3456
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP2 LTSS:
zypper in -t patch slessp2-kvm=10682
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):
kvm-0.15.1-0.29.1
References:
https://www.suse.com/security/cve/CVE-2015-3456.html
https://bugzilla.suse.com/834196
https://bugzilla.suse.com/929339
https://download.suse.com/patch/finder/?keywords=8fa4cd2e0df2fbbbef8a56f272…
SUSE Security Update: Security update for Xen
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0889-2
Rating: important
References: #929339
Cross-References: CVE-2015-3456
Affected Products:
SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
Xen was updated to fix a buffer overflow in the floppy drive emulation,
which could be used to carry out denial of service attacks or potential
code execution against the host. This vulnerability is also known as
VENOM. (CVE-2015-3456)
Security Issues:
* CVE-2015-3456
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456>
Package List:
- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):
xen-3.2.3_17040_46-0.15.1
xen-devel-3.2.3_17040_46-0.15.1
xen-doc-html-3.2.3_17040_46-0.15.1
xen-doc-pdf-3.2.3_17040_46-0.15.1
xen-doc-ps-3.2.3_17040_46-0.15.1
xen-kmp-debug-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
xen-kmp-default-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
xen-kmp-kdump-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
xen-kmp-smp-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
xen-libs-3.2.3_17040_46-0.15.1
xen-tools-3.2.3_17040_46-0.15.1
xen-tools-domU-3.2.3_17040_46-0.15.1
xen-tools-ioemu-3.2.3_17040_46-0.15.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):
xen-libs-32bit-3.2.3_17040_46-0.15.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (i586):
xen-kmp-bigsmp-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
xen-kmp-kdumppae-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
xen-kmp-vmi-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
xen-kmp-vmipae-3.2.3_17040_46_2.6.16.60_0.132.1-0.15.1
References:
https://www.suse.com/security/cve/CVE-2015-3456.html
https://bugzilla.suse.com/929339
https://download.suse.com/patch/finder/?keywords=114b7cce479b39879add5cf193…
SUSE Security Update: Security update for Xen
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0940-1
Rating: important
References: #927967 #929339
Cross-References: CVE-2015-3340 CVE-2015-3456
Affected Products:
SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
Xen was updated to fix two security issues:
* CVE-2015-3456: A buffer overflow in the floppy drive emulation,
which could be used to carry out denial of service attacks or
potential code execution against the host. This vulnerability is
also known as VENOM.
* CVE-2015-3340: An information leak through XEN_DOMCTL_gettscinfo().
(XSA-132)
Security Issues:
* CVE-2015-3456
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456>
* CVE-2015-3340
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3340>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-xen=10684
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64):
xen-4.0.3_21548_18-0.21.1
xen-doc-html-4.0.3_21548_18-0.21.1
xen-doc-pdf-4.0.3_21548_18-0.21.1
xen-kmp-default-4.0.3_21548_18_2.6.32.59_0.19-0.21.1
xen-kmp-trace-4.0.3_21548_18_2.6.32.59_0.19-0.21.1
xen-libs-4.0.3_21548_18-0.21.1
xen-tools-4.0.3_21548_18-0.21.1
xen-tools-domU-4.0.3_21548_18-0.21.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586):
xen-kmp-pae-4.0.3_21548_18_2.6.32.59_0.19-0.21.1
References:
https://www.suse.com/security/cve/CVE-2015-3340.html
https://www.suse.com/security/cve/CVE-2015-3456.html
https://bugzilla.suse.com/927967
https://bugzilla.suse.com/929339
https://download.suse.com/patch/finder/?keywords=aee7c643a4c4513e4350b80ada…
SUSE Security Update: Security update for KVM
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0929-1
Rating: important
References: #877642 #877645 #929339
Cross-References: CVE-2014-0222 CVE-2014-0223 CVE-2015-3456
Affected Products:
SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________
An update that fixes three vulnerabilities is now
available. It includes one version update.
Description:
KVM was updated to fix the following security issues:
* CVE-2015-3456: Buffer overflow in the floppy drive emulation, which
could be used to carry out denial of service attacks or potential
code execution against the host. This vulnerability is also known as
VENOM.
* CVE-2014-0222: Integer overflow in the qcow_open function in
block/qcow.c in QEMU allowed remote attackers to cause a denial of
service (crash) via a large L2 table in a QCOW version 1 image.
* CVE-2014-0223: Integer overflow in the qcow_open function in
block/qcow.c in QEMU allowed local users to cause a denial of
service (crash) and possibly execute arbitrary code via a large
image size, which triggers a buffer overflow or out-of-bounds read.
Security Issues:
* CVE-2015-3456
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456>
* CVE-2014-0222
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222>
* CVE-2014-0223
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223>
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-kvm=10683
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64) [New Version: 0.12.5]:
kvm-0.12.5-1.26.1
References:
https://www.suse.com/security/cve/CVE-2014-0222.html
https://www.suse.com/security/cve/CVE-2014-0223.html
https://www.suse.com/security/cve/CVE-2015-3456.html
https://bugzilla.suse.com/877642
https://bugzilla.suse.com/877645
https://bugzilla.suse.com/929339
https://download.suse.com/patch/finder/?keywords=a793805e5c8b31d54aefde0380…
SUSE Security Update: Security update for SUSE Manager Server 1.7
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0928-1
Rating: important
References: #799068 #809927 #814954 #864246 #870159 #879904
#881111 #896238 #896244 #898426 #900956 #901108
#902915 #903723 #906850 #912886 #922525
Cross-References: CVE-2014-7811 CVE-2014-7812 CVE-2014-8162
Affected Products:
SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________
An update that solves three vulnerabilities and has 14
fixes is now available. It includes 9 new package versions.
Description:
This collective update for SUSE Manager 1.7 provides several fixes and
enhancements.
smdba:
* Space reclamation caused ORA-00942 (table or view does not exist).
(bsc#906850)
* Optimized space reclamation for Oracle.
* Implement fully hot operations for PostgreSQL.
* System check breaks backup and other configuration.
* Implement rotating PostgreSQL backup feature. (bsc#896244)
* Set PostgreSQL max connections to the same value as for Oracle.
sm-ncc-sync-data:
* Add ATI and nVidia channels for SLED11-SP3. (bsc#901108)
spacecmd:
* Fix call to setCustomOptions(). (bsc#879904)
spacewalk-backend:
* Fix encoding of submit message.
* Trigger generation of metadata if the repository contains no
packages. (bsc#870159)
spacewalk-branding:
* Update default Spacewalk entitlement certificate.
spacewalk-java:
* Introduce improved parser for xmlrpc. (CVE-2014-8162, bsc#922525)
* Fix more cross-site scripting bugs. (CVE-2014-7811, bsc#902915)
* Fix CVE audit in case of multiversion package installed and patch
in multi channels. (bsc#903723)
* Fix automatic configuration file deployment via snippet. (bsc#898426)
* Download CSV button does not export all columns ("Base Channel"
missing). (bsc#896238)
* Fix cross-site scripting in system-group. (CVE-2014-7812, bsc#912886)
spacewalk-setup:
* Fix XML RPC API External Entities file disclosure. (CVE-2014-8162,
bsc#922525)
* No activation if db population should be skipped. (bsc#900956)
susemanager-schema:
* Fix evr_t schema upgrade. (bsc#881111)
susemanager:
* Add tool to update the spacewalk public cert in the DB.
* Fix the test for the mirror credentials. (bsc#864246)
How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema with spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start
Security Issues:
* CVE-2014-7811
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7811>
* CVE-2014-7812
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7812>
* CVE-2014-8162
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8162>
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager 1.7 for SLE 11 SP2:
zypper in -t patch sleman17sp2-sm-ncc-sync-data=10671
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.5,1.7.1.13,1.7.30,1.7.38.34 and 1.7.7.12]:
smdba-1.5-0.6.2.1
spacecmd-1.7.7.12-0.5.1
spacewalk-backend-1.7.38.34-0.5.1
spacewalk-backend-app-1.7.38.34-0.5.1
spacewalk-backend-applet-1.7.38.34-0.5.1
spacewalk-backend-config-files-1.7.38.34-0.5.1
spacewalk-backend-config-files-common-1.7.38.34-0.5.1
spacewalk-backend-config-files-tool-1.7.38.34-0.5.1
spacewalk-backend-iss-1.7.38.34-0.5.1
spacewalk-backend-iss-export-1.7.38.34-0.5.1
spacewalk-backend-libs-1.7.38.34-0.5.1
spacewalk-backend-package-push-server-1.7.38.34-0.5.1
spacewalk-backend-server-1.7.38.34-0.5.1
spacewalk-backend-sql-1.7.38.34-0.5.1
spacewalk-backend-sql-oracle-1.7.38.34-0.5.1
spacewalk-backend-sql-postgresql-1.7.38.34-0.5.1
spacewalk-backend-tools-1.7.38.34-0.5.1
spacewalk-backend-xml-export-libs-1.7.38.34-0.5.1
spacewalk-backend-xmlrpc-1.7.38.34-0.5.1
spacewalk-backend-xp-1.7.38.34-0.5.1
spacewalk-branding-1.7.1.13-0.5.1
susemanager-1.7.30-0.5.2
susemanager-tools-1.7.30-0.5.2
- SUSE Manager 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.21,1.7.54.34,1.7.56.24 and 1.7.9.12]:
sm-ncc-sync-data-1.7.21-0.5.1
spacewalk-java-1.7.54.34-0.5.1
spacewalk-java-config-1.7.54.34-0.5.1
spacewalk-java-lib-1.7.54.34-0.5.1
spacewalk-java-oracle-1.7.54.34-0.5.1
spacewalk-java-postgresql-1.7.54.34-0.5.1
spacewalk-setup-1.7.9.12-0.5.1
spacewalk-taskomatic-1.7.54.34-0.5.1
susemanager-schema-1.7.56.24-0.7.1
References:
https://www.suse.com/security/cve/CVE-2014-7811.html
https://www.suse.com/security/cve/CVE-2014-7812.html
https://www.suse.com/security/cve/CVE-2014-8162.html
https://bugzilla.suse.com/799068
https://bugzilla.suse.com/809927
https://bugzilla.suse.com/814954
https://bugzilla.suse.com/864246
https://bugzilla.suse.com/870159
https://bugzilla.suse.com/879904
https://bugzilla.suse.com/881111
https://bugzilla.suse.com/896238
https://bugzilla.suse.com/896244
https://bugzilla.suse.com/898426
https://bugzilla.suse.com/900956
https://bugzilla.suse.com/901108
https://bugzilla.suse.com/902915
https://bugzilla.suse.com/903723
https://bugzilla.suse.com/906850
https://bugzilla.suse.com/912886
https://bugzilla.suse.com/922525
https://download.suse.com/patch/finder/?keywords=8028a25587947641ad45132e49…
SUSE Security Update: Security update for Xen
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0927-1
Rating: important
References: #910441 #927967 #929339
Cross-References: CVE-2015-3456
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available.
Description:
Xen was updated to fix two security issues and a bug:
* CVE-2015-3456: A buffer overflow in the floppy drive emulation,
which could be used to carry out denial of service attacks or
potential code execution against the host. This vulnerability is
also known as VENOM.
* CVE-2015-3340: Xen did not initialize certain fields, which allowed
certain remote service domains to obtain sensitive information from
memory via a (1) XEN_DOMCTL_gettscinfo or (2)
XEN_SYSCTL_getdomaininfolist request.
* An exception in setCPUAffinity when restoring guests. (bsc#910441)
Security Issues:
* CVE-2015-3456
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456>
* CVE-2015-3340
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3340>
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP3:
zypper in -t patch sdksp3-xen=10673
- SUSE Linux Enterprise Server 11 SP3:
zypper in -t patch slessp3-xen=10673
- SUSE Linux Enterprise Desktop 11 SP3:
zypper in -t patch sledsp3-xen=10673
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
xen-devel-4.2.5_06-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (i586 x86_64):
xen-kmp-default-4.2.5_06_3.0.101_0.47.52-0.7.1
xen-libs-4.2.5_06-0.7.1
xen-tools-domU-4.2.5_06-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (x86_64):
xen-4.2.5_06-0.7.1
xen-doc-html-4.2.5_06-0.7.1
xen-doc-pdf-4.2.5_06-0.7.1
xen-libs-32bit-4.2.5_06-0.7.1
xen-tools-4.2.5_06-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (i586):
xen-kmp-pae-4.2.5_06_3.0.101_0.47.52-0.7.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
xen-kmp-default-4.2.5_06_3.0.101_0.47.52-0.7.1
xen-libs-4.2.5_06-0.7.1
xen-tools-domU-4.2.5_06-0.7.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
xen-4.2.5_06-0.7.1
xen-doc-html-4.2.5_06-0.7.1
xen-doc-pdf-4.2.5_06-0.7.1
xen-libs-32bit-4.2.5_06-0.7.1
xen-tools-4.2.5_06-0.7.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586):
xen-kmp-pae-4.2.5_06_3.0.101_0.47.52-0.7.1
References:
https://www.suse.com/security/cve/CVE-2015-3456.html
https://bugzilla.suse.com/910441
https://bugzilla.suse.com/927967
https://bugzilla.suse.com/929339
https://download.suse.com/patch/finder/?keywords=beaa1b0c2d4c1d543469208fc4…
SUSE Security Update: Security update for xen
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0923-1
Rating: important
References: #922705 #922709 #927967 #929339
Cross-References: CVE-2015-2751 CVE-2015-2752 CVE-2015-3340
CVE-2015-3456
Affected Products:
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
XEN was updated to fix two security issues and bugs.
Security issues fixed:
* CVE-2015-3340: Xen did not initialize certain fields, which allowed
certain remote service domains to obtain sensitive information from
memory via a (1) XEN_DOMCTL_gettscinfo or (2)
XEN_SYSCTL_getdomaininfolist request.
* CVE-2015-2751: Xen, when using toolstack disaggregation, allowed remote
domains with partial management control to cause a denial of service
(host lock) via unspecified domctl operations.
* CVE-2015-2752: The XEN_DOMCTL_memory_mapping hypercall in Xen, when
using a PCI passthrough device, was not preemptable, which allowed local
x86 HVM domain users to cause a denial of service (host CPU consumption)
via a crafted request to the device model (qemu-dm).
* CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation,
which could be used to carry out denial of service attacks or potential
code execution against the host.
Bugs fixed:
- xentop: Fix memory leak on read failure
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2015-206=1
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-206=1
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-206=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (x86_64):
xen-debugsource-4.4.2_04-18.1
xen-devel-4.4.2_04-18.1
- SUSE Linux Enterprise Server 12 (x86_64):
xen-4.4.2_04-18.1
xen-debugsource-4.4.2_04-18.1
xen-doc-html-4.4.2_04-18.1
xen-kmp-default-4.4.2_04_k3.12.39_47-18.1
xen-kmp-default-debuginfo-4.4.2_04_k3.12.39_47-18.1
xen-libs-32bit-4.4.2_04-18.1
xen-libs-4.4.2_04-18.1
xen-libs-debuginfo-32bit-4.4.2_04-18.1
xen-libs-debuginfo-4.4.2_04-18.1
xen-tools-4.4.2_04-18.1
xen-tools-debuginfo-4.4.2_04-18.1
xen-tools-domU-4.4.2_04-18.1
xen-tools-domU-debuginfo-4.4.2_04-18.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
xen-4.4.2_04-18.1
xen-debugsource-4.4.2_04-18.1
xen-kmp-default-4.4.2_04_k3.12.39_47-18.1
xen-kmp-default-debuginfo-4.4.2_04_k3.12.39_47-18.1
xen-libs-32bit-4.4.2_04-18.1
xen-libs-4.4.2_04-18.1
xen-libs-debuginfo-32bit-4.4.2_04-18.1
xen-libs-debuginfo-4.4.2_04-18.1
References:
https://www.suse.com/security/cve/CVE-2015-2751.html
https://www.suse.com/security/cve/CVE-2015-2752.html
https://www.suse.com/security/cve/CVE-2015-3340.html
https://www.suse.com/security/cve/CVE-2015-3456.html
https://bugzilla.suse.com/922705
https://bugzilla.suse.com/922709
https://bugzilla.suse.com/927967
https://bugzilla.suse.com/929339