SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:3455-1
Rating: important
References: #1070162
Cross-References: CVE-2016-10165 CVE-2016-9841 CVE-2017-10281
CVE-2017-10285 CVE-2017-10293 CVE-2017-10295
CVE-2017-10345 CVE-2017-10346 CVE-2017-10347
CVE-2017-10348 CVE-2017-10349 CVE-2017-10350
CVE-2017-10355 CVE-2017-10356 CVE-2017-10357
CVE-2017-10388
Affected Products:
SUSE OpenStack Cloud 6
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Server 12-SP1-LTSS
SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________
An update that fixes 16 vulnerabilities is now available.
Description:
This update for java-1_7_1-ibm fixes the following issues:
- Security update to version 7.1.4.15 [bsc#1070162]
* CVE-2017-10349: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10348: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10388: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2016-9841: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10293: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10345: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10350: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10356: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10357: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10347: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10355: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10285: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10281: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10295: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10346: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2016-10165: "Vulnerability in the Java SE, Java SE Embedded,
JRockit component of Oracle Java SE (subcomponent: Serialization).
Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded,
JRockit. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 3.1 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 6:
zypper in -t patch SUSE-OpenStack-Cloud-6-2017-2160=1
- SUSE Linux Enterprise Software Development Kit 12-SP3:
zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-2160=1
- SUSE Linux Enterprise Software Development Kit 12-SP2:
zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-2160=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-2160=1
- SUSE Linux Enterprise Server 12-SP3:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-2160=1
- SUSE Linux Enterprise Server 12-SP2:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-2160=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-2160=1
- SUSE Linux Enterprise Server 12-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-2017-2160=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE OpenStack Cloud 6 (x86_64):
java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64):
java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64):
java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):
java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64):
java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-SP3 (x86_64):
java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-SP2 (ppc64le s390x x86_64):
java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-SP2 (x86_64):
java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):
java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):
java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
- SUSE Linux Enterprise Server 12-LTSS (x86_64):
java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
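A check an administrator can run after reading the Package List above, added here as an example and not part of the SUSE announcement: it parses `rpm -qa` output (in the `name-version-release.arch` form SLES prints), orders versions the way rpm's rpmvercmp does, and reports which java-1_7_1-ibm subpackages from this advisory are still below 1.7.1_sr4.15-38.8.1. The `rpm -qa` sample is constructed, not taken from a real host; set `FIXED_EVR` from the package list of whichever product line you are checking.

```python
"""Compare installed java-1_7_1-ibm packages against SUSE-SU-2017:3455-1.

Added example, not part of the advisory. It reimplements RPM version
ordering (rpmvercmp: numeric segments compare as integers, alpha segments
lexically, digits beat letters, '~' sorts before anything) so that
"1.7.1_sr4.9" is correctly treated as older than "1.7.1_sr4.15".
"""
import re
from typing import List, Optional, Tuple

# Fixed version-release from the advisory's Package List (same for every subpackage).
FIXED_EVR = "1.7.1_sr4.15-38.8.1"
ADVISORY_PACKAGES = {
    "java-1_7_1-ibm", "java-1_7_1-ibm-alsa", "java-1_7_1-ibm-devel",
    "java-1_7_1-ibm-jdbc", "java-1_7_1-ibm-plugin",
}

_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering two version (or release) strings like rpm does."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        ta = sa[0] if sa else None
        tb = sb[0] if sb else None
        # A tilde sorts before everything, including the end of the string.
        if ta == "~" or tb == "~":
            if ta == "~" and tb == "~":
                sa.pop(0)
                sb.pop(0)
                continue
            return -1 if ta == "~" else 1
        # Whichever side still has segments left over wins.
        if ta is None:
            return -1
        if tb is None:
            return 1
        sa.pop(0)
        sb.pop(0)
        if ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1  # a numeric segment beats an alpha one
        if ta.isdigit():
            ia, ib = int(ta), int(tb)  # integer compare also drops leading zeros
            if ia != ib:
                return 1 if ia > ib else -1
        elif ta != tb:
            return 1 if ta > tb else -1
    return 0


def split_evr(evr: str) -> Tuple[int, str, str]:
    """'[epoch:]version-release' -> (epoch, version, release); missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, release = evr.rsplit("-", 1)
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two epoch:version-release strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def parse_nvra(line: str) -> Optional[Tuple[str, str]]:
    """'name-version-release.arch' -> (name, 'version-release'), or None if malformed.

    Package names may contain hyphens (java-1_7_1-ibm-devel) but version and
    release never do, so splitting from the right is unambiguous.
    """
    nvra = line.strip()
    nvr = nvra.rsplit(".", 1)[0] if "." in nvra else nvra
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        return None
    name, version, release = parts
    return name, f"{version}-{release}"


def outstanding(rpm_qa_output: str) -> List[Tuple[str, str]]:
    """Advisory packages that are installed at a version older than FIXED_EVR."""
    result = []
    for line in rpm_qa_output.splitlines():
        parsed = parse_nvra(line) if line.strip() else None
        if parsed is None:
            continue
        name, evr = parsed
        if name in ADVISORY_PACKAGES and evrcmp(evr, FIXED_EVR) < 0:
            result.append((name, evr))
    return result


# Constructed sample of `rpm -qa` output (not from a real host): two packages
# lag behind, the plugin is already at the fixed level, bash is unrelated.
SAMPLE_RPM_QA = """\
java-1_7_1-ibm-1.7.1_sr4.10-38.4.1.x86_64
java-1_7_1-ibm-jdbc-1.7.1_sr4.10-38.4.1.x86_64
java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1.x86_64
bash-4.3-83.3.1.x86_64
"""

if __name__ == "__main__":
    for name, evr in outstanding(SAMPLE_RPM_QA):
        print(f"{name}: installed {evr} is older than fixed {FIXED_EVR}")
```

On a real host feed it `rpm -qa` output; an empty result means every listed subpackage that is installed is already at the advisory's level.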
References:
https://www.suse.com/security/cve/CVE-2016-10165.html
https://www.suse.com/security/cve/CVE-2016-9841.html
https://www.suse.com/security/cve/CVE-2017-10281.html
https://www.suse.com/security/cve/CVE-2017-10285.html
https://www.suse.com/security/cve/CVE-2017-10293.html
https://www.suse.com/security/cve/CVE-2017-10295.html
https://www.suse.com/security/cve/CVE-2017-10345.html
https://www.suse.com/security/cve/CVE-2017-10346.html
https://www.suse.com/security/cve/CVE-2017-10347.html
https://www.suse.com/security/cve/CVE-2017-10348.html
https://www.suse.com/security/cve/CVE-2017-10349.html
https://www.suse.com/security/cve/CVE-2017-10350.html
https://www.suse.com/security/cve/CVE-2017-10355.html
https://www.suse.com/security/cve/CVE-2017-10356.html
https://www.suse.com/security/cve/CVE-2017-10357.html
https://www.suse.com/security/cve/CVE-2017-10388.html
https://bugzilla.suse.com/1070162
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:3451-1
Rating: important
References: #1074066
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for phpMyAdmin to version 4.7.7 fixes a security issue and
bugs.
The following vulnerability was fixed:
- By deceiving a user into clicking a crafted URL, it was possible to
perform harmful database operations (bsc#1074066, PMASA-2017-09)
This update also contains all upstream improvements and bugfixes in
version 4.7.7:
- various display and UI fixes
- PHP error fixes
- Improved detection of MySQL server needing SSL connections
- Support JSON datatype on MariaDB 10.2.7 and newer
- Fix constructing ALTER query with AFTER
- Fix changing password on MariaDB cluster
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2017-1421=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):
phpMyAdmin-4.7.7-14.1
References:
https://bugzilla.suse.com/1074066
openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:3448-1
Rating: important
References: #1074066
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for phpMyAdmin to version 4.7.7 fixes a security issue and
bugs.
The following vulnerability was fixed:
- By deceiving a user into clicking a crafted URL, it was possible to
perform harmful database operations (bsc#1074066, PMASA-2017-09)
This update also contains all upstream improvements and bugfixes in
version 4.7.7:
- various display and UI fixes
- PHP error fixes
- Improved detection of MySQL server needing SSL connections
- Support JSON datatype on MariaDB 10.2.7 and newer
- Fix constructing ALTER query with AFTER
- Fix changing password on MariaDB cluster
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2017-1421=1
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2017-1421=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (noarch):
phpMyAdmin-4.7.7-6.1
- openSUSE Leap 42.2 (noarch):
phpMyAdmin-4.7.7-33.12.1
References:
https://bugzilla.suse.com/1074066
SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:3440-1
Rating: important
References: #1070162
Cross-References: CVE-2016-10165 CVE-2016-9841 CVE-2017-10281
CVE-2017-10285 CVE-2017-10293 CVE-2017-10295
CVE-2017-10345 CVE-2017-10346 CVE-2017-10347
CVE-2017-10348 CVE-2017-10349 CVE-2017-10350
CVE-2017-10355 CVE-2017-10356 CVE-2017-10357
CVE-2017-10388
Affected Products:
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________
An update that fixes 16 vulnerabilities is now available.
Description:
This update for java-1_7_1-ibm fixes the following issues:
* CVE-2017-10349: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10348: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10388: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2016-9841: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10293: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10345: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10350: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10356: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10357: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10347: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10355: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10285: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10281: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10295: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2017-10346: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
* CVE-2016-10165: "Vulnerability in the Java SE, Java SE Embedded, JRockit
component of Oracle Java SE (subcomponent: Serialization). Supported
versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java
SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS)
of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications
or sandboxed Java applets, such as through a web service. CVSS 3.0 Base
Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-java-1_7_1-ibm-13387=1
- SUSE Linux Enterprise Server 11-SP4:
zypper in -t patch slessp4-java-1_7_1-ibm-13387=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ppc64 s390x x86_64):
java-1_7_1-ibm-devel-1.7.1_sr4.15-26.8.1
- SUSE Linux Enterprise Server 11-SP4 (i586 ppc64 s390x x86_64):
java-1_7_1-ibm-1.7.1_sr4.15-26.8.1
java-1_7_1-ibm-jdbc-1.7.1_sr4.15-26.8.1
- SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):
java-1_7_1-ibm-alsa-1.7.1_sr4.15-26.8.1
java-1_7_1-ibm-plugin-1.7.1_sr4.15-26.8.1
References:
https://www.suse.com/security/cve/CVE-2016-10165.html
https://www.suse.com/security/cve/CVE-2016-9841.html
https://www.suse.com/security/cve/CVE-2017-10281.html
https://www.suse.com/security/cve/CVE-2017-10285.html
https://www.suse.com/security/cve/CVE-2017-10293.html
https://www.suse.com/security/cve/CVE-2017-10295.html
https://www.suse.com/security/cve/CVE-2017-10345.html
https://www.suse.com/security/cve/CVE-2017-10346.html
https://www.suse.com/security/cve/CVE-2017-10347.html
https://www.suse.com/security/cve/CVE-2017-10348.html
https://www.suse.com/security/cve/CVE-2017-10349.html
https://www.suse.com/security/cve/CVE-2017-10350.html
https://www.suse.com/security/cve/CVE-2017-10355.html
https://www.suse.com/security/cve/CVE-2017-10356.html
https://www.suse.com/security/cve/CVE-2017-10357.html
https://www.suse.com/security/cve/CVE-2017-10388.html
https://bugzilla.suse.com/1070162
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
SUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:3435-1
Rating: important
References: #1050632 #1052450 #1054757 #1055214 #1056426
#1056429 #1057508 #1058485 #1058637 #1066003
#1067181 #1067184 #1067409
Cross-References: CVE-2016-7996 CVE-2017-11640 CVE-2017-12587
CVE-2017-12983 CVE-2017-13134 CVE-2017-13776
CVE-2017-13777 CVE-2017-14165 CVE-2017-14341
CVE-2017-14342 CVE-2017-15930 CVE-2017-16545
CVE-2017-16546 CVE-2017-16669
Affected Products:
SUSE Studio Onsite 1.3
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________
An update that fixes 14 vulnerabilities is now available.
Description:
This update for GraphicsMagick fixes the following issues:
* CVE-2017-11640: NULL pointer dereference in WritePTIFImage() in
coders/tiff.c could lead to denial of service [bsc#1050632]
* CVE-2017-14342: Memory exhaustion in ReadWPGImage() in coders/wpg.c
could lead to denial of service [bsc#1058485]
* CVE-2017-14341: Infinite loop in ReadWPGImage() in coders/wpg.c could
lead to denial of service [bsc#1058637]
* CVE-2017-16546: Issue in ReadWPGImage() in coders/wpg.c could lead to
denial of service [bsc#1067181]
* CVE-2017-16545: Validation problems in ReadWPGImage() in coders/wpg.c
could lead to denial of service [bsc#1067184]
* CVE-2017-16669: coders/wpg.c allows remote attackers to cause a denial
of service via a crafted file [bsc#1067409]
* CVE-2017-13776: Denial of service in ReadXBMImage() in coders/xbm.c
[bsc#1056429]
* CVE-2017-13777: Denial of service in ReadXBMImage() in coders/xbm.c
[bsc#1056426]
* CVE-2017-13134: Heap-based buffer over-read in SFWScan() in
coders/sfw.c could lead to denial of service via a crafted file
[bsc#1055214]
* CVE-2017-15930: NULL pointer dereference while transferring JPEG
scanlines could lead to denial of service [bsc#1066003]
* CVE-2017-12983: Heap-based buffer overflow in ReadSFWImage() in
coders/sfw.c allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
crafted file [bsc#1054757]
* CVE-2017-14165: ReadSUNImage() in coders/sun.c sizes a memory
allocation from a length field in the image header alone, so a crafted
file can force excessive allocation in MagickMalloc() in
magick/memory.c and a remote denial of service [bsc#1057508]
* CVE-2017-12587: Large loop in ReadPWPImage() in coders/pwp.c could
lead to denial of service [bsc#1052450]
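The memory-exhaustion entries above (CVE-2017-14165, CVE-2017-14342) describe the same defect: a buffer is sized from a header field the attacker controls, before anyone checks how much data the file actually carries. The following is an added example and not GraphicsMagick code. It uses an assumed toy raster format (a 12-byte header of width, height and bytes-per-pixel as 32-bit big-endian integers, then pixel data) and shows the trusting allocation beside a checked one that refuses any header whose claimed payload would wrap size_t, exceed the bytes present in the input, or exceed a caller-supplied resource limit. All names and the format itself are illustrative assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed toy format: width, height, bytes-per-pixel (32-bit big-endian
 * each), followed by width*height*bpp bytes of pixel data. */
#define HDR_LEN 12

enum read_status {
    READ_OK = 0,
    READ_TRUNCATED_HEADER,
    READ_ZERO_DIMENSION,
    READ_SIZE_OVERFLOW,
    READ_EXCEEDS_INPUT,
    READ_EXCEEDS_LIMIT,
    READ_ALLOC_FAILED
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the buffer size comes from the header alone, so a
 * 16-byte file can request gigabytes, and the product can wrap in size_t.
 * Kept for contrast only; nothing below calls it. */
uint8_t *read_pixels_trusting_header(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN)
        return NULL;
    size_t need = (size_t)be32(buf) * be32(buf + 4) * be32(buf + 8);
    uint8_t *pixels = malloc(need);                /* unbounded */
    if (pixels != NULL && need <= len - HDR_LEN)
        memcpy(pixels, buf + HDR_LEN, need);
    return pixels;
}

/* Hardened reader: every header claim is checked before malloc.
 * On READ_OK, *out holds *out_len bytes that the caller frees. */
enum read_status read_pixels_checked(const uint8_t *buf, size_t len,
                                     size_t max_pixel_bytes,
                                     uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (len < HDR_LEN)
        return READ_TRUNCATED_HEADER;
    uint32_t w = be32(buf), h = be32(buf + 4), bpp = be32(buf + 8);
    if (w == 0 || h == 0 || bpp == 0)
        return READ_ZERO_DIMENSION;
    if ((size_t)w > SIZE_MAX / h)                  /* w*h would wrap */
        return READ_SIZE_OVERFLOW;
    size_t need = (size_t)w * h;
    if (need > SIZE_MAX / bpp)                     /* w*h*bpp would wrap */
        return READ_SIZE_OVERFLOW;
    need *= bpp;
    if (need > len - HDR_LEN)                      /* more than the file has */
        return READ_EXCEEDS_INPUT;
    if (need > max_pixel_bytes)                    /* more than policy allows */
        return READ_EXCEEDS_LIMIT;
    uint8_t *pixels = malloc(need);
    if (pixels == NULL)
        return READ_ALLOC_FAILED;
    memcpy(pixels, buf + HDR_LEN, need);
    *out = pixels;
    *out_len = need;
    return READ_OK;
}

/* Builds a constructed in-memory file (not a real image) with the given
 * header and a payload of 0,1,2,... capped at 256 bytes, reads it with the
 * checked reader under the given limit, and returns the pixel sum on
 * success or the negated status on failure. */
long read_and_sum(uint32_t w, uint32_t h, uint32_t bpp,
                  size_t payload_len, size_t max_pixel_bytes)
{
    uint8_t file[HDR_LEN + 256];
    uint32_t fields[3] = { w, h, bpp };
    if (payload_len > 256)
        payload_len = 256;
    for (int i = 0; i < 3; i++)
        for (int k = 0; k < 4; k++)
            file[4 * i + k] = (uint8_t)(fields[i] >> (24 - 8 * k));
    for (size_t i = 0; i < payload_len; i++)
        file[HDR_LEN + i] = (uint8_t)i;
    uint8_t *px = NULL;
    size_t n = 0;
    enum read_status st = read_pixels_checked(file, HDR_LEN + payload_len,
                                              max_pixel_bytes, &px, &n);
    if (st != READ_OK)
        return -(long)st;
    long sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += px[i];
    free(px);
    return sum;
}
```

The order of the checks matters: the overflow test must come before the comparison against the input length, because a wrapped product can look small, and the policy limit is still needed even for a file that really is that large, since a decoder that honours a 4 GiB header because 4 GiB of bytes follow it is still a denial-of-service primitive.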
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Studio Onsite 1.3:
zypper in -t patch slestso13-GraphicsMagick-13386=1
- SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-GraphicsMagick-13386=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-GraphicsMagick-13386=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Studio Onsite 1.3 (x86_64):
GraphicsMagick-1.2.5-4.78.19.1
libGraphicsMagick2-1.2.5-4.78.19.1
- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
GraphicsMagick-1.2.5-4.78.19.1
libGraphicsMagick2-1.2.5-4.78.19.1
perl-GraphicsMagick-1.2.5-4.78.19.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
GraphicsMagick-debuginfo-1.2.5-4.78.19.1
GraphicsMagick-debugsource-1.2.5-4.78.19.1
References:
https://www.suse.com/security/cve/CVE-2016-7996.html
https://www.suse.com/security/cve/CVE-2017-11640.html
https://www.suse.com/security/cve/CVE-2017-12587.html
https://www.suse.com/security/cve/CVE-2017-12983.html
https://www.suse.com/security/cve/CVE-2017-13134.html
https://www.suse.com/security/cve/CVE-2017-13776.html
https://www.suse.com/security/cve/CVE-2017-13777.html
https://www.suse.com/security/cve/CVE-2017-14165.html
https://www.suse.com/security/cve/CVE-2017-14341.html
https://www.suse.com/security/cve/CVE-2017-14342.html
https://www.suse.com/security/cve/CVE-2017-15930.html
https://www.suse.com/security/cve/CVE-2017-16545.html
https://www.suse.com/security/cve/CVE-2017-16546.html
https://www.suse.com/security/cve/CVE-2017-16669.html
https://bugzilla.suse.com/1050632
https://bugzilla.suse.com/1052450
https://bugzilla.suse.com/1054757
https://bugzilla.suse.com/1055214
https://bugzilla.suse.com/1056426
https://bugzilla.suse.com/1056429
https://bugzilla.suse.com/1057508
https://bugzilla.suse.com/1058485
https://bugzilla.suse.com/1058637
https://bugzilla.suse.com/1066003
https://bugzilla.suse.com/1067181
https://bugzilla.suse.com/1067184
https://bugzilla.suse.com/1067409
openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:3434-1
Rating: important
References: #1074043 #1074044 #1074045 #1074046
Cross-References: CVE-2017-7829 CVE-2017-7846 CVE-2017-7847
CVE-2017-7848
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for Mozilla Thunderbird to version 52.5.2 fixes the following
vulnerabilities:
- CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
(bsc#1074043)
- CVE-2017-7847: Local path string can be leaked from RSS feed
(bsc#1074044)
- CVE-2017-7848: RSS Feed vulnerable to new line Injection (bsc#1074045)
- CVE-2017-7829: From address with encoded null character is cut off in
message header display (bsc#1074046)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2017-1419=1
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2017-1419=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
MozillaThunderbird-52.5.2-53.1
MozillaThunderbird-buildsymbols-52.5.2-53.1
MozillaThunderbird-debuginfo-52.5.2-53.1
MozillaThunderbird-debugsource-52.5.2-53.1
MozillaThunderbird-devel-52.5.2-53.1
MozillaThunderbird-translations-common-52.5.2-53.1
MozillaThunderbird-translations-other-52.5.2-53.1
- openSUSE Leap 42.2 (i586 x86_64):
MozillaThunderbird-52.5.2-41.24.1
MozillaThunderbird-buildsymbols-52.5.2-41.24.1
MozillaThunderbird-debuginfo-52.5.2-41.24.1
MozillaThunderbird-debugsource-52.5.2-41.24.1
MozillaThunderbird-devel-52.5.2-41.24.1
MozillaThunderbird-translations-common-52.5.2-41.24.1
MozillaThunderbird-translations-other-52.5.2-41.24.1
References:
https://www.suse.com/security/cve/CVE-2017-7829.html
https://www.suse.com/security/cve/CVE-2017-7846.html
https://www.suse.com/security/cve/CVE-2017-7847.html
https://www.suse.com/security/cve/CVE-2017-7848.html
https://bugzilla.suse.com/1074043
https://bugzilla.suse.com/1074044
https://bugzilla.suse.com/1074045
https://bugzilla.suse.com/1074046
openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:3433-1
Rating: important
References: #1074043 #1074044 #1074045 #1074046
Cross-References: CVE-2017-7829 CVE-2017-7846 CVE-2017-7847
CVE-2017-7848
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for Mozilla Thunderbird to version 52.5.2 fixes the following
vulnerabilities:
- CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
(bsc#1074043)
- CVE-2017-7847: Local path string can be leaked from RSS feed
(bsc#1074044)
- CVE-2017-7848: RSS Feed vulnerable to new line Injection (bsc#1074045)
- CVE-2017-7829: From address with encoded null character is cut off in
message header display (bsc#1074046)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2017-1419=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):
MozillaThunderbird-52.5.2-51.1
MozillaThunderbird-buildsymbols-52.5.2-51.1
MozillaThunderbird-debuginfo-52.5.2-51.1
MozillaThunderbird-debugsource-52.5.2-51.1
MozillaThunderbird-devel-52.5.2-51.1
MozillaThunderbird-translations-common-52.5.2-51.1
MozillaThunderbird-translations-other-52.5.2-51.1
References:
https://www.suse.com/security/cve/CVE-2017-7829.html
https://www.suse.com/security/cve/CVE-2017-7846.html
https://www.suse.com/security/cve/CVE-2017-7847.html
https://www.suse.com/security/cve/CVE-2017-7848.html
https://bugzilla.suse.com/1074043
https://bugzilla.suse.com/1074044
https://bugzilla.suse.com/1074045
https://bugzilla.suse.com/1074046
openSUSE Security Update: Security update for enigmail
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:3427-1
Rating: important
References: #1073858
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for enigmail to version 1.9.9 fixes the following issues
(boo#1073858):
* Enigmail could be coerced to use a malicious PGP public key with a
corresponding secret key controlled by an attacker
* Enigmail could have replayed encrypted content in partially encrypted
e-mails, allowing a plaintext leak
* Enigmail could be tricked into displaying incorrect signature
verification results
* Specially crafted content may cause denial of service
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2017-1403=1
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2017-1403=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
enigmail-1.9.9-9.1
- openSUSE Leap 42.2 (i586 x86_64):
enigmail-1.9.9-2.13.1
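To confirm that the fixed builds named in the Package Lists of the advisories above (java-1_7_1-ibm, GraphicsMagick, MozillaThunderbird, enigmail) are actually installed, versions have to be compared the way rpm does and not as strings: 1.7.1_sr4.15 is newer than 1.7.1_sr4.9 although it sorts lower lexically. The following is an added example, not SUSE or rpm project code. It implements rpm's segment-wise version comparison, splits name-version-release strings at their last two hyphens, and checks a constructed sample of rpm -qa output against fixed builds copied from the lists above. The installed versions in the sample are invented for the demonstration, and the epoch is assumed to be 0 on both sides, since none of the listed packages carries one.

```c
#include <ctype.h>
#include <string.h>

/* Segment-wise comparison following rpm's rpmvercmp: digit runs compare
 * numerically, letter runs as strings, a numeric segment beats an
 * alphabetic one, separators are skipped, and "~" sorts below everything
 * (1.0~rc1 < 1.0). Returns -1, 0 or 1. The "^" rule of newer rpm is
 * omitted here. */
int rpm_vercmp(const char *a, const char *b)
{
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a) && *a != '~') a++;
        while (*b && !isalnum((unsigned char)*b) && *b != '~') b++;
        if (*a == '~' || *b == '~') {
            if (*a != *b) return *a == '~' ? -1 : 1;
            a++; b++;
            continue;
        }
        if (!*a || !*b) break;
        const char *as = a, *bs = b;
        int numeric = isdigit((unsigned char)*a) != 0;
        if (numeric) { while (isdigit((unsigned char)*a)) a++;
                       while (isdigit((unsigned char)*b)) b++; }
        else         { while (isalpha((unsigned char)*a)) a++;
                       while (isalpha((unsigned char)*b)) b++; }
        size_t alen = (size_t)(a - as), blen = (size_t)(b - bs);
        if (blen == 0) return numeric ? 1 : -1;        /* segment types differ */
        if (numeric) {                                  /* drop leading zeros */
            while (alen > 0 && *as == '0') { as++; alen--; }
            while (blen > 0 && *bs == '0') { bs++; blen--; }
            if (alen != blen) return alen > blen ? 1 : -1;
        }
        int rc = strncmp(as, bs, alen < blen ? alen : blen);
        if (rc != 0) return rc < 0 ? -1 : 1;
        if (alen != blen) return alen < blen ? -1 : 1;  /* "rc" < "rcx" */
    }
    if (!*a && !*b) return 0;
    return *a ? 1 : -1;                                 /* leftover wins */
}

struct nvr { char name[64], version[64], release[64]; };

/* Splits "name-version-release" at its last two hyphens; the name itself may
 * contain hyphens (java-1_7_1-ibm-devel). Returns 0 on success. */
int split_nvr(const char *s, struct nvr *out)
{
    const char *r = strrchr(s, '-'), *v = NULL;
    if (r == NULL) return -1;
    for (const char *p = r - 1; p > s; p--)
        if (*p == '-') { v = p; break; }
    if (v == NULL) return -1;
    size_t nl = (size_t)(v - s), vl = (size_t)(r - v - 1), rl = strlen(r + 1);
    if (vl == 0 || rl == 0 || nl >= 64 || vl >= 64 || rl >= 64) return -1;
    memcpy(out->name, s, nl);        out->name[nl] = '\0';
    memcpy(out->version, v + 1, vl); out->version[vl] = '\0';
    memcpy(out->release, r + 1, rl); out->release[rl] = '\0';
    return 0;
}

/* 1: installed is below the fixed build (update needed); 0: at or above it;
 * -1: unparsable, or a different package (that advisory entry does not
 * apply). Epoch is assumed 0 on both sides. */
int needs_update(const char *installed, const char *fixed)
{
    struct nvr i, f;
    if (split_nvr(installed, &i) || split_nvr(fixed, &f)) return -1;
    if (strcmp(i.name, f.name) != 0) return -1;
    int rc = rpm_vercmp(i.version, f.version);
    if (rc == 0) rc = rpm_vercmp(i.release, f.release);
    return rc < 0;
}

/* Constructed sample of "rpm -qa" output for an SLES 11 SP4 host; these
 * versions are invented for the demonstration, not captured anywhere. */
static const char *installed[] = {
    "java-1_7_1-ibm-1.7.1_sr4.9-26.5.1",
    "java-1_7_1-ibm-jdbc-1.7.1_sr4.9-26.5.1",
    "GraphicsMagick-1.2.5-4.78.19.1",
    "libGraphicsMagick2-1.2.5-4.78.17.1",
};
/* Fixed builds copied from the Package Lists above. */
static const char *fixed[] = {
    "java-1_7_1-ibm-1.7.1_sr4.15-26.8.1",
    "java-1_7_1-ibm-jdbc-1.7.1_sr4.15-26.8.1",
    "java-1_7_1-ibm-plugin-1.7.1_sr4.15-26.8.1",
    "GraphicsMagick-1.2.5-4.78.19.1",
    "libGraphicsMagick2-1.2.5-4.78.19.1",
};

/* Counts installed packages still below their fixed build (3 for the
 * sample: both java-1_7_1-ibm packages and libGraphicsMagick2). */
int count_outdated(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof installed / sizeof *installed; i++)
        for (size_t j = 0; j < sizeof fixed / sizeof *fixed; j++)
            if (needs_update(installed[i], fixed[j]) == 1) n++;
    return n;
}
```

On a real host the installed list comes from rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' (add %{EPOCH} and compare it first where a package sets one); zypper patch performs this comparison itself, so the check is mainly useful for auditing hosts that cannot reach the update channel.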
References:
https://bugzilla.suse.com/1073858