May 2018 - openSUSE Security Announce - openSUSE Mailing Lists

[security-announce] openSUSE-SU-2018:1385-1: important: Security update for opencv
by opensuse-security＠opensuse.org 23 May '18

23 May '18

openSUSE Security Update: Security update for opencv ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1385-1 Rating: important References: #1033152 #1052451 #1052454 #1052455 #1052456 #1052457 #1052459 #1052461 #1052462 #1052465 #1054019 #1054020 #1054021 #1054984 #1057146 Cross-References: CVE-2016-1516 CVE-2017-12597 CVE-2017-12598 CVE-2017-12599 CVE-2017-12600 CVE-2017-12601 CVE-2017-12602 CVE-2017-12603 CVE-2017-12604 CVE-2017-12605 CVE-2017-12606 CVE-2017-12862 CVE-2017-12863 CVE-2017-12864 CVE-2017-14136 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: This update for opencv fixes the following issues: Security issues fixed: - CVE-2016-1516: OpenCV had a double free issue that allowed attackers to execute arbitrary code. (boo#1033152) - CVE-2017-14136: OpenCV had an out-of-bounds write error in the function FillColorRow1 in utils.cpp when reading an image file by using cv::imread. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12597. (boo#1057146) - CVE-2017-12606: OpenCV had an out-of-bounds write error in the function FillColorRow4 in utils.cpp when reading an image file by using cv::imread. (boo#1052451) - CVE-2017-12604: OpenCV had an out-of-bounds write error in the FillUniColor function in utils.cpp when reading an image file by using cv::imread. (boo#1052454) - CVE-2017-12603: OpenCV had an invalid write in the cv::RLByteStream::getBytes function in modules/imgcodecs/src/bitstrm.cpp when reading an image file by using cv::imread, as demonstrated by the 2-opencv-heapoverflow-fseek test case. (boo#1052455) - CVE-2017-12602: OpenCV had a denial of service (memory consumption) issue, as demonstrated by the 10-opencv-dos-memory-exhaust test case. (boo#1052456) - CVE-2017-12601: OpenCV had a buffer overflow in the cv::BmpDecoder::readData function in modules/imgcodecs/src/grfmt_bmp.cpp when reading an image file by using cv::imread, as demonstrated by the 4-buf-overflow-readData-memcpy test case. (boo#1052457) - CVE-2017-12600: OpenCV had a denial of service (CPU consumption) issue, as demonstrated by the 11-opencv-dos-cpu-exhaust test case. (boo#1052459) - CVE-2017-12599: OpenCV had an out-of-bounds read error in the function icvCvt_BGRA2BGR_8u_C4C3R when reading an image file by using cv::imread. (boo#1052461) - CVE-2017-12598: OpenCV had an out-of-bounds read error in the cv::RBaseStream::readBlock function in modules/imgcodecs/src/bitstrm.cpp when reading an image file by using cv::imread, as demonstrated by the 8-opencv-invalid-read-fread test case. (boo#1052462) - CVE-2017-12597: OpenCV had an out-of-bounds write error in the function FillColorRow1 in utils.cpp when reading an image file by using cv::imread. (boo#1052465) - CVE-2017-12864: In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ReadNumber did not checkout the input length, which lead to integer overflow. If the image is from remote, may lead to remote code execution or denial of service. (boo#1054019) - CVE-2017-12863: In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function PxMDecoder::readData has an integer overflow when calculate src_pitch. If the image is from remote, may lead to remote code execution or denial of service. (boo#1054020) - CVE-2017-12862: In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer AutoBuffer _src is small than expected, which will cause copy buffer overflow later. If the image is from remote, may lead to remote code execution or denial of service. (boo#1054021) - CVE-2017-12605: OpenCV had an out-of-bounds write error in the FillColorRow8 function in utils.cpp when reading an image file by using cv::imread. (boo#1054984) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-492=1 Package List: - openSUSE Leap 42.3 (x86_64): libopencv-qt56_3-3.1.0-4.6.1 libopencv-qt56_3-debuginfo-3.1.0-4.6.1 libopencv3_1-3.1.0-4.6.1 libopencv3_1-debuginfo-3.1.0-4.6.1 opencv-3.1.0-4.6.1 opencv-debuginfo-3.1.0-4.6.1 opencv-debugsource-3.1.0-4.6.1 opencv-devel-3.1.0-4.6.1 opencv-doc-3.1.0-4.6.1 opencv-qt5-3.1.0-4.6.1 opencv-qt5-debuginfo-3.1.0-4.6.1 opencv-qt5-debugsource-3.1.0-4.6.1 opencv-qt5-devel-3.1.0-4.6.1 opencv-qt5-doc-3.1.0-4.6.1 python-opencv-3.1.0-4.6.1 python-opencv-debuginfo-3.1.0-4.6.1 python-opencv-qt5-3.1.0-4.6.1 python-opencv-qt5-debuginfo-3.1.0-4.6.1 python3-opencv-3.1.0-4.6.1 python3-opencv-debuginfo-3.1.0-4.6.1 python3-opencv-qt5-3.1.0-4.6.1 python3-opencv-qt5-debuginfo-3.1.0-4.6.1 References: https://www.suse.com/security/cve/CVE-2016-1516.html https://www.suse.com/security/cve/CVE-2017-12597.html https://www.suse.com/security/cve/CVE-2017-12598.html https://www.suse.com/security/cve/CVE-2017-12599.html https://www.suse.com/security/cve/CVE-2017-12600.html https://www.suse.com/security/cve/CVE-2017-12601.html https://www.suse.com/security/cve/CVE-2017-12602.html https://www.suse.com/security/cve/CVE-2017-12603.html https://www.suse.com/security/cve/CVE-2017-12604.html https://www.suse.com/security/cve/CVE-2017-12605.html https://www.suse.com/security/cve/CVE-2017-12606.html https://www.suse.com/security/cve/CVE-2017-12862.html https://www.suse.com/security/cve/CVE-2017-12863.html https://www.suse.com/security/cve/CVE-2017-12864.html https://www.suse.com/security/cve/CVE-2017-14136.html https://bugzilla.suse.com/1033152 https://bugzilla.suse.com/1052451 https://bugzilla.suse.com/1052454 https://bugzilla.suse.com/1052455 https://bugzilla.suse.com/1052456 https://bugzilla.suse.com/1052457 https://bugzilla.suse.com/1052459 https://bugzilla.suse.com/1052461 https://bugzilla.suse.com/1052462 https://bugzilla.suse.com/1052465 https://bugzilla.suse.com/1054019 https://bugzilla.suse.com/1054020 https://bugzilla.suse.com/1054021 https://bugzilla.suse.com/1054984 https://bugzilla.suse.com/1057146 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1384-1: moderate: Security update for pdns
by opensuse-security＠opensuse.org 23 May '18

23 May '18

openSUSE Security Update: Security update for pdns ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1384-1 Rating: moderate References: #1092540 Cross-References: CVE-2018-1046 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pdns fixes the following issue: - CVE-2018-1046: An issue has been found in the dnsreplay tool provided with PowerDNS Authoritative, where replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow only occurs when the -ecs-stamp option of dnsreplay is used. (boo#1092540) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-491=1 Package List: - openSUSE Leap 42.3 (x86_64): pdns-4.0.3-12.1 pdns-backend-geoip-4.0.3-12.1 pdns-backend-geoip-debuginfo-4.0.3-12.1 pdns-backend-godbc-4.0.3-12.1 pdns-backend-godbc-debuginfo-4.0.3-12.1 pdns-backend-ldap-4.0.3-12.1 pdns-backend-ldap-debuginfo-4.0.3-12.1 pdns-backend-lua-4.0.3-12.1 pdns-backend-lua-debuginfo-4.0.3-12.1 pdns-backend-mydns-4.0.3-12.1 pdns-backend-mydns-debuginfo-4.0.3-12.1 pdns-backend-mysql-4.0.3-12.1 pdns-backend-mysql-debuginfo-4.0.3-12.1 pdns-backend-postgresql-4.0.3-12.1 pdns-backend-postgresql-debuginfo-4.0.3-12.1 pdns-backend-remote-4.0.3-12.1 pdns-backend-remote-debuginfo-4.0.3-12.1 pdns-backend-sqlite3-4.0.3-12.1 pdns-backend-sqlite3-debuginfo-4.0.3-12.1 pdns-debuginfo-4.0.3-12.1 pdns-debugsource-4.0.3-12.1 References: https://www.suse.com/security/cve/CVE-2018-1046.html https://bugzilla.suse.com/1092540 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1383-1: moderate: Security update for wget
by opensuse-security＠opensuse.org 23 May '18

23 May '18

openSUSE Security Update: Security update for wget ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1383-1 Rating: moderate References: #1092061 Cross-References: CVE-2018-0494 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for wget fixes the following issues: - CVE-2018-0494: Fixed a cookie injection vulnerability by checking for and joining continuation lines. (bsc#1092061) This update was imported from the SUSE:SLE-12:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-488=1 Package List: - openSUSE Leap 42.3 (i586 x86_64): wget-1.14-15.1 wget-debuginfo-1.14-15.1 wget-debugsource-1.14-15.1 References: https://www.suse.com/security/cve/CVE-2018-0494.html https://bugzilla.suse.com/1092061 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1381-1: moderate: Security update for openjpeg2
by opensuse-security＠opensuse.org 23 May '18

23 May '18

openSUSE Security Update: Security update for openjpeg2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1381-1 Rating: moderate References: #1066713 #1072124 #1072125 Cross-References: CVE-2015-1239 CVE-2017-171479 CVE-2017-17479 CVE-2017-17480 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for openjpeg2 fixes the following security issues: - CVE-2015-1239: A double free vulnerability in the j2k_read_ppm_v3 function allowed remote attackers to cause a denial of service (crash) (bsc#1066713) - CVE-2017-17479: A stack-based buffer overflow in the pgxtoimage function in jpwl/convert.c could crash the converter. (bsc#1072125) - CVE-2017-17480: A stack-based buffer overflow in the pgxtovolume function in jp3d/convert.c could crash the converter. (bsc#1072124) This update was imported from the SUSE:SLE-12-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-490=1 Package List: - openSUSE Leap 42.3 (i586 x86_64): libopenjp2-7-2.1.0-22.1 libopenjp2-7-debuginfo-2.1.0-22.1 openjpeg2-2.1.0-22.1 openjpeg2-debuginfo-2.1.0-22.1 openjpeg2-debugsource-2.1.0-22.1 openjpeg2-devel-2.1.0-22.1 - openSUSE Leap 42.3 (x86_64): libopenjp2-7-32bit-2.1.0-22.1 libopenjp2-7-debuginfo-32bit-2.1.0-22.1 References: https://www.suse.com/security/cve/CVE-2015-1239.html https://www.suse.com/security/cve/CVE-2017-171479.html https://www.suse.com/security/cve/CVE-2017-17479.html https://www.suse.com/security/cve/CVE-2017-17480.html https://bugzilla.suse.com/1066713 https://bugzilla.suse.com/1072124 https://bugzilla.suse.com/1072125 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1380-1: important: Security update for qemu
by opensuse-security＠opensuse.org 23 May '18

23 May '18

openSUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1380-1 Rating: important References: #1070615 #1092885 Cross-References: CVE-2018-3639 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for qemu fixes several issues. This security issue was fixed: - CVE-2018-3639: Spectre v4 vulnerability mitigation support for KVM guests (bsc#1092885). Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. This patch permits the new x86 cpu feature flag named "ssbd" to be presented to the guest, given that the host has this feature, and KVM exposes it to the guest as well. For this feature to be enabled please use the qemu commandline -cpu $MODEL,+spec-ctrl,+ssbd so the guest OS can take advantage of the feature. spec-ctrl and ssbd support is also required in the host. This non-security issue was fixed: - bsc#1070615: Add new look up path "sys/class/tpm" for tpm cancel path This update was imported from the SUSE:SLE-12-SP3:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-489=1 Package List: - openSUSE Leap 42.3 (i586 x86_64): qemu-linux-user-2.9.1-44.1 qemu-linux-user-debuginfo-2.9.1-44.1 qemu-linux-user-debugsource-2.9.1-44.1 - openSUSE Leap 42.3 (noarch): qemu-ipxe-1.0.0-44.1 qemu-seabios-1.10.2-44.1 qemu-sgabios-8-44.1 qemu-vgabios-1.10.2-44.1 - openSUSE Leap 42.3 (x86_64): qemu-2.9.1-44.1 qemu-arm-2.9.1-44.1 qemu-arm-debuginfo-2.9.1-44.1 qemu-block-curl-2.9.1-44.1 qemu-block-curl-debuginfo-2.9.1-44.1 qemu-block-dmg-2.9.1-44.1 qemu-block-dmg-debuginfo-2.9.1-44.1 qemu-block-iscsi-2.9.1-44.1 qemu-block-iscsi-debuginfo-2.9.1-44.1 qemu-block-rbd-2.9.1-44.1 qemu-block-rbd-debuginfo-2.9.1-44.1 qemu-block-ssh-2.9.1-44.1 qemu-block-ssh-debuginfo-2.9.1-44.1 qemu-debugsource-2.9.1-44.1 qemu-extra-2.9.1-44.1 qemu-extra-debuginfo-2.9.1-44.1 qemu-guest-agent-2.9.1-44.1 qemu-guest-agent-debuginfo-2.9.1-44.1 qemu-ksm-2.9.1-44.1 qemu-kvm-2.9.1-44.1 qemu-lang-2.9.1-44.1 qemu-ppc-2.9.1-44.1 qemu-ppc-debuginfo-2.9.1-44.1 qemu-s390-2.9.1-44.1 qemu-s390-debuginfo-2.9.1-44.1 qemu-testsuite-2.9.1-44.1 qemu-tools-2.9.1-44.1 qemu-tools-debuginfo-2.9.1-44.1 qemu-x86-2.9.1-44.1 qemu-x86-debuginfo-2.9.1-44.1 References: https://www.suse.com/security/cve/CVE-2018-3639.html https://bugzilla.suse.com/1070615 https://bugzilla.suse.com/1092885 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1361-1: important: Security update for Mozilla Thunderbird
by opensuse-security＠opensuse.org 21 May '18

21 May '18

openSUSE Security Update: Security update for Mozilla Thunderbird ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1361-1 Rating: important References: #1092548 #1093152 Cross-References: CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5159 CVE-2018-5161 CVE-2018-5162 CVE-2018-5168 CVE-2018-5170 CVE-2018-5174 CVE-2018-5178 CVE-2018-5183 CVE-2018-5184 CVE-2018-5185 Affected Products: openSUSE Leap 42.3 openSUSE Leap 15.0 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: This update for Mozilla Thunderbird to version 52.8 fixes the following issues: Security issues fixed (MFSA 2018-13, boo#1092548): - CVE-2018-5183: Backport critical security fixes in Skia - CVE-2018-5154: Use-after-free with SVG animations and clip paths - CVE-2018-5155: Use-after-free with SVG animations and text paths - CVE-2018-5159: Integer overflow and out-of-bounds write in Skia - CVE-2018-5168: Lightweight themes can be installed without user interaction - CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension - CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and Thunderbird 52.8 - CVE-2018-5161: Hang via malformed headers (bsc#1093970) - CVE-2018-5162: Encrypted mail leaks plaintext through src attribute (bsc#1093971) - CVE-2018-5170: Filename spoofing for external attachments (bsc#1093972) - CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack (bsc#1093969) - CVE-2018-5185: Leaking plaintext through HTML forms (bsc#1093973) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-486=1 - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-486=1 Package List: - openSUSE Leap 42.3 (x86_64): MozillaThunderbird-52.8-63.1 MozillaThunderbird-buildsymbols-52.8-63.1 MozillaThunderbird-debuginfo-52.8-63.1 MozillaThunderbird-debugsource-52.8-63.1 MozillaThunderbird-devel-52.8-63.1 MozillaThunderbird-translations-common-52.8-63.1 MozillaThunderbird-translations-other-52.8-63.1 - openSUSE Leap 15.0 (x86_64): MozillaThunderbird-52.8-lp150.3.3.2 MozillaThunderbird-buildsymbols-52.8-lp150.3.3.2 MozillaThunderbird-debuginfo-52.8-lp150.3.3.2 MozillaThunderbird-debugsource-52.8-lp150.3.3.2 MozillaThunderbird-devel-52.8-lp150.3.3.2 MozillaThunderbird-translations-common-52.8-lp150.3.3.2 MozillaThunderbird-translations-other-52.8-lp150.3.3.2 References: https://www.suse.com/security/cve/CVE-2018-5150.html https://www.suse.com/security/cve/CVE-2018-5154.html https://www.suse.com/security/cve/CVE-2018-5155.html https://www.suse.com/security/cve/CVE-2018-5159.html https://www.suse.com/security/cve/CVE-2018-5161.html https://www.suse.com/security/cve/CVE-2018-5162.html https://www.suse.com/security/cve/CVE-2018-5168.html https://www.suse.com/security/cve/CVE-2018-5170.html https://www.suse.com/security/cve/CVE-2018-5174.html https://www.suse.com/security/cve/CVE-2018-5178.html https://www.suse.com/security/cve/CVE-2018-5183.html https://www.suse.com/security/cve/CVE-2018-5184.html https://www.suse.com/security/cve/CVE-2018-5185.html https://bugzilla.suse.com/1092548 https://bugzilla.suse.com/1093152 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1360-1: moderate: Security update for lilypond
by opensuse-security＠opensuse.org 21 May '18

21 May '18

openSUSE Security Update: Security update for lilypond ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1360-1 Rating: moderate References: #1041090 #1093056 Cross-References: CVE-2018-10992 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for lilypond fixes the following issues: - CVE-2018-10992: lilypond: Does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks (bsc#1093056) - packages do not build reproducibly from unsorted input (bsc#1041090) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-487=1 Package List: - openSUSE Leap 42.3 (x86_64): lilypond-2.18.2-7.3.1 lilypond-debuginfo-2.18.2-7.3.1 lilypond-debugsource-2.18.2-7.3.1 - openSUSE Leap 42.3 (noarch): lilypond-century-schoolbook-l-fonts-2.18.2-7.3.1 lilypond-doc-2.18.2-7.3.1 lilypond-doc-cs-2.18.2-7.3.1 lilypond-doc-de-2.18.2-7.3.1 lilypond-doc-es-2.18.2-7.3.1 lilypond-doc-fr-2.18.2-7.3.1 lilypond-doc-hu-2.18.2-7.3.1 lilypond-doc-it-2.18.2-7.3.1 lilypond-doc-ja-2.18.2-7.3.1 lilypond-doc-nl-2.18.2-7.3.1 lilypond-doc-zh-2.18.2-7.3.1 lilypond-emmentaler-fonts-2.18.2-7.3.1 lilypond-fonts-common-2.18.2-7.3.1 References: https://www.suse.com/security/cve/CVE-2018-10992.html https://bugzilla.suse.com/1041090 https://bugzilla.suse.com/1093056 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1359-1: important: Security update for Mozilla Thunderbird
by opensuse-security＠opensuse.org 21 May '18

21 May '18

openSUSE Security Update: Security update for Mozilla Thunderbird ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1359-1 Rating: important References: #1092548 #1093152 Cross-References: CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5159 CVE-2018-5161 CVE-2018-5162 CVE-2018-5168 CVE-2018-5170 CVE-2018-5174 CVE-2018-5178 CVE-2018-5183 CVE-2018-5184 CVE-2018-5185 Affected Products: SUSE Package Hub for SUSE Linux Enterprise 12 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: This update for Mozilla Thunderbird to version 52.8 fixes the following issues: Security issues fixed (MFSA 2018-13, boo#1092548): - CVE-2018-5183: Backport critical security fixes in Skia - CVE-2018-5154: Use-after-free with SVG animations and clip paths - CVE-2018-5155: Use-after-free with SVG animations and text paths - CVE-2018-5159: Integer overflow and out-of-bounds write in Skia - CVE-2018-5168: Lightweight themes can be installed without user interaction - CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension - CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and Thunderbird 52.8 - CVE-2018-5161: Hang via malformed headers (bsc#1093970) - CVE-2018-5162: Encrypted mail leaks plaintext through src attribute (bsc#1093971) - CVE-2018-5170: Filename spoofing for external attachments (bsc#1093972) - CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack (bsc#1093969) - CVE-2018-5185: Leaking plaintext through HTML forms (bsc#1093973) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2018-486=1 Package List: - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64): MozillaThunderbird-52.8-60.1 MozillaThunderbird-buildsymbols-52.8-60.1 MozillaThunderbird-debuginfo-52.8-60.1 MozillaThunderbird-debugsource-52.8-60.1 MozillaThunderbird-devel-52.8-60.1 MozillaThunderbird-translations-common-52.8-60.1 MozillaThunderbird-translations-other-52.8-60.1 References: https://www.suse.com/security/cve/CVE-2018-5150.html https://www.suse.com/security/cve/CVE-2018-5154.html https://www.suse.com/security/cve/CVE-2018-5155.html https://www.suse.com/security/cve/CVE-2018-5159.html https://www.suse.com/security/cve/CVE-2018-5161.html https://www.suse.com/security/cve/CVE-2018-5162.html https://www.suse.com/security/cve/CVE-2018-5168.html https://www.suse.com/security/cve/CVE-2018-5170.html https://www.suse.com/security/cve/CVE-2018-5174.html https://www.suse.com/security/cve/CVE-2018-5178.html https://www.suse.com/security/cve/CVE-2018-5183.html https://www.suse.com/security/cve/CVE-2018-5184.html https://www.suse.com/security/cve/CVE-2018-5185.html https://bugzilla.suse.com/1092548 https://bugzilla.suse.com/1093152 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1348-1: moderate: Security update for ghostscript
by opensuse-security＠opensuse.org 19 May '18

19 May '18

openSUSE Security Update: Security update for ghostscript ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1348-1 Rating: moderate References: #1090099 Cross-References: CVE-2018-10194 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ghostscript fixes the following issues: - CVE-2018-10194: A stack-based buffer overflow was fixed in gdevpdts.c (bsc#1090099) This update was imported from the SUSE:SLE-12:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-479=1 Package List: - openSUSE Leap 42.3 (i586 x86_64): ghostscript-9.15-14.6.1 ghostscript-debuginfo-9.15-14.6.1 ghostscript-debugsource-9.15-14.6.1 ghostscript-devel-9.15-14.6.1 ghostscript-mini-9.15-14.6.1 ghostscript-mini-debuginfo-9.15-14.6.1 ghostscript-mini-debugsource-9.15-14.6.1 ghostscript-mini-devel-9.15-14.6.1 ghostscript-x11-9.15-14.6.1 ghostscript-x11-debuginfo-9.15-14.6.1 References: https://www.suse.com/security/cve/CVE-2018-10194.html https://bugzilla.suse.com/1090099 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2018:1347-1: moderate: Security update for enigmail
by opensuse-security＠opensuse.org 19 May '18

19 May '18

openSUSE Security Update: Security update for enigmail ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1347-1 Rating: moderate References: #1093151 #1093152 Cross-References: CVE-2017-17688 CVE-2017-17689 Affected Products: openSUSE Leap 15.0 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for enigmail fixes multiple issues. Security issues fixed: - CVE-2017-17688: CFB gadget attacks allowed to exfiltrate plaintext out of encrypted emails. enigmail now fails on GnuPG integrity check warnings for old Algorithms (bsc#1093151) - CVE-2017-17689: CBC gadget attacks allows to exfiltrate plaintext out of encrypted emails (bsc#1093152) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-474=1 Package List: - openSUSE Leap 15.0 (x86_64): enigmail-2.0.4-lp150.2.3.1 References: https://www.suse.com/security/cve/CVE-2017-17688.html https://www.suse.com/security/cve/CVE-2017-17689.html https://bugzilla.suse.com/1093151 https://bugzilla.suse.com/1093152 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0