openSUSE Security Update: Security update for opencv
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1385-1
Rating: important
References: #1033152 #1052451 #1052454 #1052455 #1052456
#1052457 #1052459 #1052461 #1052462 #1052465
#1054019 #1054020 #1054021 #1054984 #1057146
Cross-References: CVE-2016-1516 CVE-2017-12597 CVE-2017-12598
CVE-2017-12599 CVE-2017-12600 CVE-2017-12601
CVE-2017-12602 CVE-2017-12603 CVE-2017-12604
CVE-2017-12605 CVE-2017-12606 CVE-2017-12862
CVE-2017-12863 CVE-2017-12864 CVE-2017-14136
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes 15 vulnerabilities is now available.
Description:
This update for opencv fixes the following issues:
Security issues fixed:
- CVE-2016-1516: OpenCV had a double free issue that allowed attackers to
execute arbitrary code. (boo#1033152)
- CVE-2017-14136: OpenCV had an out-of-bounds write error in the function
FillColorRow1 in utils.cpp when reading an image file by using
cv::imread. NOTE: this vulnerability exists because of an incomplete fix
for CVE-2017-12597. (boo#1057146)
- CVE-2017-12606: OpenCV had an out-of-bounds write error in the function
FillColorRow4 in utils.cpp when reading an image file by using
cv::imread. (boo#1052451)
- CVE-2017-12604: OpenCV had an out-of-bounds write error in the
FillUniColor function in utils.cpp when reading an image file by using
cv::imread. (boo#1052454)
- CVE-2017-12603: OpenCV had an invalid write in the
cv::RLByteStream::getBytes function in modules/imgcodecs/src/bitstrm.cpp
when reading an image file by using cv::imread, as demonstrated by the
2-opencv-heapoverflow-fseek test case. (boo#1052455)
- CVE-2017-12602: OpenCV had a denial of service (memory consumption)
issue, as demonstrated by the 10-opencv-dos-memory-exhaust test case.
(boo#1052456)
- CVE-2017-12601: OpenCV had a buffer overflow in the
cv::BmpDecoder::readData function in modules/imgcodecs/src/grfmt_bmp.cpp
when reading an image file by using cv::imread, as demonstrated by the
4-buf-overflow-readData-memcpy test case. (boo#1052457)
- CVE-2017-12600: OpenCV had a denial of service (CPU consumption) issue,
as demonstrated by the 11-opencv-dos-cpu-exhaust test case. (boo#1052459)
- CVE-2017-12599: OpenCV had an out-of-bounds read error in the function
icvCvt_BGRA2BGR_8u_C4C3R when reading an image file by using cv::imread.
(boo#1052461)
- CVE-2017-12598: OpenCV had an out-of-bounds read error in the
cv::RBaseStream::readBlock function in modules/imgcodecs/src/bitstrm.cpp
when reading an image file by using cv::imread, as demonstrated by the
8-opencv-invalid-read-fread test case. (boo#1052462)
- CVE-2017-12597: OpenCV had an out-of-bounds write error in the function
FillColorRow1 in utils.cpp when reading an image file by using
cv::imread. (boo#1052465)
- CVE-2017-12864: In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, the
function ReadNumber did not check the input length, which led to an integer
overflow. If the image comes from a remote source, this may lead to remote
code execution or denial of service. (boo#1054019)
- CVE-2017-12863: In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, the
function PxMDecoder::readData has an integer overflow when calculating
src_pitch. If the image comes from a remote source, this may lead to
remote code execution or denial of service. (boo#1054020)
- CVE-2017-12862: In modules/imgcodecs/src/grfmt_pxm.cpp, the length of
the buffer AutoBuffer _src is smaller than expected, which causes a
buffer overflow during a later copy. If the image comes from a remote
source, this may lead to remote code execution or denial of service.
(boo#1054021)
- CVE-2017-12605: OpenCV had an out-of-bounds write error in the
FillColorRow8 function in utils.cpp when reading an image file by using
cv::imread. (boo#1054984)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-492=1
Package List:
- openSUSE Leap 42.3 (x86_64):
libopencv-qt56_3-3.1.0-4.6.1
libopencv-qt56_3-debuginfo-3.1.0-4.6.1
libopencv3_1-3.1.0-4.6.1
libopencv3_1-debuginfo-3.1.0-4.6.1
opencv-3.1.0-4.6.1
opencv-debuginfo-3.1.0-4.6.1
opencv-debugsource-3.1.0-4.6.1
opencv-devel-3.1.0-4.6.1
opencv-doc-3.1.0-4.6.1
opencv-qt5-3.1.0-4.6.1
opencv-qt5-debuginfo-3.1.0-4.6.1
opencv-qt5-debugsource-3.1.0-4.6.1
opencv-qt5-devel-3.1.0-4.6.1
opencv-qt5-doc-3.1.0-4.6.1
python-opencv-3.1.0-4.6.1
python-opencv-debuginfo-3.1.0-4.6.1
python-opencv-qt5-3.1.0-4.6.1
python-opencv-qt5-debuginfo-3.1.0-4.6.1
python3-opencv-3.1.0-4.6.1
python3-opencv-debuginfo-3.1.0-4.6.1
python3-opencv-qt5-3.1.0-4.6.1
python3-opencv-qt5-debuginfo-3.1.0-4.6.1
References:
https://www.suse.com/security/cve/CVE-2016-1516.html
https://www.suse.com/security/cve/CVE-2017-12597.html
https://www.suse.com/security/cve/CVE-2017-12598.html
https://www.suse.com/security/cve/CVE-2017-12599.html
https://www.suse.com/security/cve/CVE-2017-12600.html
https://www.suse.com/security/cve/CVE-2017-12601.html
https://www.suse.com/security/cve/CVE-2017-12602.html
https://www.suse.com/security/cve/CVE-2017-12603.html
https://www.suse.com/security/cve/CVE-2017-12604.html
https://www.suse.com/security/cve/CVE-2017-12605.html
https://www.suse.com/security/cve/CVE-2017-12606.html
https://www.suse.com/security/cve/CVE-2017-12862.html
https://www.suse.com/security/cve/CVE-2017-12863.html
https://www.suse.com/security/cve/CVE-2017-12864.html
https://www.suse.com/security/cve/CVE-2017-14136.html
https://bugzilla.suse.com/1033152
https://bugzilla.suse.com/1052451
https://bugzilla.suse.com/1052454
https://bugzilla.suse.com/1052455
https://bugzilla.suse.com/1052456
https://bugzilla.suse.com/1052457
https://bugzilla.suse.com/1052459
https://bugzilla.suse.com/1052461
https://bugzilla.suse.com/1052462
https://bugzilla.suse.com/1052465
https://bugzilla.suse.com/1054019
https://bugzilla.suse.com/1054020
https://bugzilla.suse.com/1054021
https://bugzilla.suse.com/1054984
https://bugzilla.suse.com/1057146
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
openSUSE Security Update: Security update for pdns
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1384-1
Rating: moderate
References: #1092540
Cross-References: CVE-2018-1046
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for pdns fixes the following issue:
- CVE-2018-1046: An issue has been found in the dnsreplay tool provided
with PowerDNS Authoritative, where replaying a specially crafted PCAP
file can trigger a stack-based buffer overflow, leading to a crash and
potentially arbitrary code execution. This buffer overflow only occurs
when the -ecs-stamp option of dnsreplay is used. (boo#1092540)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-491=1
Package List:
- openSUSE Leap 42.3 (x86_64):
pdns-4.0.3-12.1
pdns-backend-geoip-4.0.3-12.1
pdns-backend-geoip-debuginfo-4.0.3-12.1
pdns-backend-godbc-4.0.3-12.1
pdns-backend-godbc-debuginfo-4.0.3-12.1
pdns-backend-ldap-4.0.3-12.1
pdns-backend-ldap-debuginfo-4.0.3-12.1
pdns-backend-lua-4.0.3-12.1
pdns-backend-lua-debuginfo-4.0.3-12.1
pdns-backend-mydns-4.0.3-12.1
pdns-backend-mydns-debuginfo-4.0.3-12.1
pdns-backend-mysql-4.0.3-12.1
pdns-backend-mysql-debuginfo-4.0.3-12.1
pdns-backend-postgresql-4.0.3-12.1
pdns-backend-postgresql-debuginfo-4.0.3-12.1
pdns-backend-remote-4.0.3-12.1
pdns-backend-remote-debuginfo-4.0.3-12.1
pdns-backend-sqlite3-4.0.3-12.1
pdns-backend-sqlite3-debuginfo-4.0.3-12.1
pdns-debuginfo-4.0.3-12.1
pdns-debugsource-4.0.3-12.1
References:
https://www.suse.com/security/cve/CVE-2018-1046.html
https://bugzilla.suse.com/1092540
openSUSE Security Update: Security update for wget
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1383-1
Rating: moderate
References: #1092061
Cross-References: CVE-2018-0494
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for wget fixes the following issues:
- CVE-2018-0494: Fixed a cookie injection vulnerability by checking for
and joining continuation lines. (bsc#1092061)
This update was imported from the SUSE:SLE-12:Update update project.
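The fix named above joins header continuation lines before cookie values are used. The following Python is an added example, not wget's code, showing that parsing rule on a constructed response: a header line beginning with a space or tab (the RFC 7230 "obs-fold") is appended to the preceding field, every value is then checked to contain no bare CR or LF before it becomes a cookie-jar line, and only then are Set-Cookie values parsed. The response bytes and the tab-separated jar format are constructed for this example.

```python
"""Header continuation-line handling ahead of cookie parsing (added example)."""
import re

# Constructed sample: the first Set-Cookie field is folded across two lines.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=abc123; Path=/;\r\n"
    b" HttpOnly\r\n"
    b"Set-Cookie: theme=dark\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

LINE_BREAK = re.compile(r"[\r\n]")


def split_header_block(raw: bytes) -> list:
    """Return header fields with obs-fold continuation lines joined.

    A line that starts with SP or HTAB continues the previous field and is
    appended to it with a single space, so no field carries a CRLF inside
    its value once this function returns.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    fields = []
    for line in lines[1:]:              # lines[0] is the status line
        if not line:
            continue
        if line[0] in " \t":
            if not fields:
                raise ValueError("continuation line before any header field")
            fields[-1] = fields[-1] + " " + line.strip()
        else:
            fields.append(line)
    return fields


def set_cookie_values(fields) -> list:
    """Pick the values of all Set-Cookie fields (field names are case-insensitive)."""
    values = []
    for field in fields:
        name, sep, value = field.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value: str) -> dict:
    """Parse one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie value")
    name, _, val = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, attr_val = attr.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() or True
    return {"name": name.strip(), "value": val.strip(), "attrs": attrs}


def has_line_break(text: str) -> bool:
    """True if a CR or LF survived into a value; such a value must not be stored."""
    return LINE_BREAK.search(text) is not None


def cookie_jar_line(domain: str, cookie: dict) -> str:
    """Serialise a cookie as one line of a constructed, tab-separated jar format.

    A CR or LF inside any stored field would start a new jar line, i.e. a
    cookie the server never set through a proper header, so it is refused.
    """
    path = cookie["attrs"].get("path", "/")
    path = "/" if path is True else path
    for item in (domain, path, cookie["name"], cookie["value"]):
        if has_line_break(item):
            raise ValueError("line break in cookie data refused")
    return "\t".join([domain, path, cookie["name"], cookie["value"]])


def cookies_from_response(domain: str, raw: bytes) -> list:
    """Full pipeline: fold continuation lines, parse cookies, emit jar lines."""
    fields = split_header_block(raw)
    return [cookie_jar_line(domain, parse_set_cookie(v))
            for v in set_cookie_values(fields)]


if __name__ == "__main__":
    for line in cookies_from_response("example.org", SAMPLE_RESPONSE):
        print(line)
```

The joining step is what removes the line break from the field; the check in cookie_jar_line is the defensive backstop that makes any remaining break a hard error rather than an extra jar entry.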
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-488=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
wget-1.14-15.1
wget-debuginfo-1.14-15.1
wget-debugsource-1.14-15.1
References:
https://www.suse.com/security/cve/CVE-2018-0494.html
https://bugzilla.suse.com/1092061
openSUSE Security Update: Security update for openjpeg2
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1381-1
Rating: moderate
References: #1066713 #1072124 #1072125
Cross-References: CVE-2015-1239 CVE-2017-171479 CVE-2017-17479
CVE-2017-17480
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for openjpeg2 fixes the following security issues:
- CVE-2015-1239: A double free vulnerability in the j2k_read_ppm_v3
function allowed remote attackers to cause a denial of service (crash).
(bsc#1066713)
- CVE-2017-17479: A stack-based buffer overflow in the pgxtoimage function
in jpwl/convert.c could crash the converter. (bsc#1072125)
- CVE-2017-17480: A stack-based buffer overflow in the pgxtovolume
function in jp3d/convert.c could crash the converter. (bsc#1072124)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-490=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libopenjp2-7-2.1.0-22.1
libopenjp2-7-debuginfo-2.1.0-22.1
openjpeg2-2.1.0-22.1
openjpeg2-debuginfo-2.1.0-22.1
openjpeg2-debugsource-2.1.0-22.1
openjpeg2-devel-2.1.0-22.1
- openSUSE Leap 42.3 (x86_64):
libopenjp2-7-32bit-2.1.0-22.1
libopenjp2-7-debuginfo-32bit-2.1.0-22.1
References:
https://www.suse.com/security/cve/CVE-2015-1239.html
https://www.suse.com/security/cve/CVE-2017-171479.html
https://www.suse.com/security/cve/CVE-2017-17479.html
https://www.suse.com/security/cve/CVE-2017-17480.html
https://bugzilla.suse.com/1066713
https://bugzilla.suse.com/1072124
https://bugzilla.suse.com/1072125
openSUSE Security Update: Security update for qemu
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1380-1
Rating: important
References: #1070615 #1092885
Cross-References: CVE-2018-3639
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves one vulnerability and has one erratum is now
available.
Description:
This update for qemu fixes several issues.
This security issue was fixed:
- CVE-2018-3639: Spectre v4 vulnerability mitigation support for KVM
guests (bsc#1092885).
Systems with microprocessors utilizing speculative execution and
speculative execution of memory reads before the addresses of all prior
memory writes are known may allow unauthorized disclosure of information
to an attacker with local user access via a side-channel analysis.
This patch permits the new x86 cpu feature flag named "ssbd" to be
presented to the guest, given that the host has this feature, and KVM
exposes it to the guest as well.
To enable this feature, start qemu with the command line option
-cpu $MODEL,+spec-ctrl,+ssbd so that the guest OS can take advantage of
it. spec-ctrl and ssbd support is also required in the host.
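Because the guest only benefits when the host actually has both features, a practitioner would check the host before adding the flags. The Python below is an added example, not part of this advisory or of qemu: it reads the flags line of /proc/cpuinfo and refuses to build the -cpu argument unless both features are present. It assumes that the Linux kernel reports the two qemu features spec-ctrl and ssbd under the cpuinfo flag names spec_ctrl and ssbd, uses "Haswell" as a stand-in for $MODEL, and runs on constructed cpuinfo text (it falls back to the real /proc/cpuinfo only when executed directly on a Linux host).

```python
"""Gate +spec-ctrl,+ssbd on the host's CPU flags (added example)."""

# Maps the qemu feature names from the advisory to the Linux /proc/cpuinfo
# flag names. Assumption of this example: the kernel reports them as
# "spec_ctrl" and "ssbd".
REQUIRED_FEATURES = {"spec-ctrl": "spec_ctrl", "ssbd": "ssbd"}

# Constructed /proc/cpuinfo excerpts, not captured from a real machine.
CPUINFO_WITH_MITIGATION = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Example CPU (constructed)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep pge cmov pat pse36 "
    "clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc pni ssse3 cx16 "
    "sse4_1 sse4_2 x2apic popcnt aes xsave avx lahf_lm spec_ctrl ssbd\n"
)
CPUINFO_WITHOUT_MITIGATION = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Example CPU without SSBD (constructed)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep pge cmov pat pse36 "
    "clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc pni ssse3 cx16 "
    "sse4_1 sse4_2 x2apic popcnt aes xsave avx lahf_lm\n"
)


def cpu_flags(cpuinfo_text: str) -> set:
    """Return the flag set of the first processor entry in cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def missing_features(cpuinfo_text: str) -> list:
    """qemu feature names whose cpuinfo counterpart is absent from the host."""
    flags = cpu_flags(cpuinfo_text)
    return sorted(q for q, k in REQUIRED_FEATURES.items() if k not in flags)


def qemu_cpu_arg(model: str, cpuinfo_text: str) -> str:
    """Build the -cpu argument from the advisory, or refuse if the host lacks a feature.

    Host flags are necessary but not sufficient: the advisory also requires
    that KVM expose the feature to the guest, which this check cannot see.
    """
    missing = missing_features(cpuinfo_text)
    if missing:
        raise RuntimeError("host CPU lacks: " + ", ".join(missing))
    return "-cpu " + model + "," + ",".join("+" + f for f in REQUIRED_FEATURES)


def qemu_cpu_arg_or_none(model: str, cpuinfo_text: str):
    """Same as qemu_cpu_arg, but returns None instead of raising."""
    try:
        return qemu_cpu_arg(model, cpuinfo_text)
    except RuntimeError:
        return None


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = CPUINFO_WITH_MITIGATION    # fall back to the constructed sample
    print(qemu_cpu_arg_or_none("Haswell", text) or
          "missing: " + ", ".join(missing_features(text)))
```

The check reads only the first processor entry, which is sufficient on homogeneous hosts; a mixed-CPU host would need every entry inspected.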
This non-security issue was fixed:
- bsc#1070615: Add the new lookup path "sys/class/tpm" for the TPM cancel path
This update was imported from the SUSE:SLE-12-SP3:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-489=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
qemu-linux-user-2.9.1-44.1
qemu-linux-user-debuginfo-2.9.1-44.1
qemu-linux-user-debugsource-2.9.1-44.1
- openSUSE Leap 42.3 (noarch):
qemu-ipxe-1.0.0-44.1
qemu-seabios-1.10.2-44.1
qemu-sgabios-8-44.1
qemu-vgabios-1.10.2-44.1
- openSUSE Leap 42.3 (x86_64):
qemu-2.9.1-44.1
qemu-arm-2.9.1-44.1
qemu-arm-debuginfo-2.9.1-44.1
qemu-block-curl-2.9.1-44.1
qemu-block-curl-debuginfo-2.9.1-44.1
qemu-block-dmg-2.9.1-44.1
qemu-block-dmg-debuginfo-2.9.1-44.1
qemu-block-iscsi-2.9.1-44.1
qemu-block-iscsi-debuginfo-2.9.1-44.1
qemu-block-rbd-2.9.1-44.1
qemu-block-rbd-debuginfo-2.9.1-44.1
qemu-block-ssh-2.9.1-44.1
qemu-block-ssh-debuginfo-2.9.1-44.1
qemu-debugsource-2.9.1-44.1
qemu-extra-2.9.1-44.1
qemu-extra-debuginfo-2.9.1-44.1
qemu-guest-agent-2.9.1-44.1
qemu-guest-agent-debuginfo-2.9.1-44.1
qemu-ksm-2.9.1-44.1
qemu-kvm-2.9.1-44.1
qemu-lang-2.9.1-44.1
qemu-ppc-2.9.1-44.1
qemu-ppc-debuginfo-2.9.1-44.1
qemu-s390-2.9.1-44.1
qemu-s390-debuginfo-2.9.1-44.1
qemu-testsuite-2.9.1-44.1
qemu-tools-2.9.1-44.1
qemu-tools-debuginfo-2.9.1-44.1
qemu-x86-2.9.1-44.1
qemu-x86-debuginfo-2.9.1-44.1
References:
https://www.suse.com/security/cve/CVE-2018-3639.html
https://bugzilla.suse.com/1070615
https://bugzilla.suse.com/1092885
openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1361-1
Rating: important
References: #1092548 #1093152
Cross-References: CVE-2018-5150 CVE-2018-5154 CVE-2018-5155
CVE-2018-5159 CVE-2018-5161 CVE-2018-5162
CVE-2018-5168 CVE-2018-5170 CVE-2018-5174
CVE-2018-5178 CVE-2018-5183 CVE-2018-5184
CVE-2018-5185
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
This update for Mozilla Thunderbird to version 52.8 fixes the following
issues:
Security issues fixed (MFSA 2018-13, boo#1092548):
- CVE-2018-5183: Backport critical security fixes in Skia
- CVE-2018-5154: Use-after-free with SVG animations and clip paths
- CVE-2018-5155: Use-after-free with SVG animations and text paths
- CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
- CVE-2018-5168: Lightweight themes can be installed without user
interaction
- CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
- CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
and Thunderbird 52.8
- CVE-2018-5161: Hang via malformed headers (bsc#1093970)
- CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
(bsc#1093971)
- CVE-2018-5170: Filename spoofing for external attachments (bsc#1093972)
- CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext
attack (bsc#1093969)
- CVE-2018-5185: Leaking plaintext through HTML forms (bsc#1093973)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-486=1
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-486=1
Package List:
- openSUSE Leap 42.3 (x86_64):
MozillaThunderbird-52.8-63.1
MozillaThunderbird-buildsymbols-52.8-63.1
MozillaThunderbird-debuginfo-52.8-63.1
MozillaThunderbird-debugsource-52.8-63.1
MozillaThunderbird-devel-52.8-63.1
MozillaThunderbird-translations-common-52.8-63.1
MozillaThunderbird-translations-other-52.8-63.1
- openSUSE Leap 15.0 (x86_64):
MozillaThunderbird-52.8-lp150.3.3.2
MozillaThunderbird-buildsymbols-52.8-lp150.3.3.2
MozillaThunderbird-debuginfo-52.8-lp150.3.3.2
MozillaThunderbird-debugsource-52.8-lp150.3.3.2
MozillaThunderbird-devel-52.8-lp150.3.3.2
MozillaThunderbird-translations-common-52.8-lp150.3.3.2
MozillaThunderbird-translations-other-52.8-lp150.3.3.2
References:
https://www.suse.com/security/cve/CVE-2018-5150.html
https://www.suse.com/security/cve/CVE-2018-5154.html
https://www.suse.com/security/cve/CVE-2018-5155.html
https://www.suse.com/security/cve/CVE-2018-5159.html
https://www.suse.com/security/cve/CVE-2018-5161.html
https://www.suse.com/security/cve/CVE-2018-5162.html
https://www.suse.com/security/cve/CVE-2018-5168.html
https://www.suse.com/security/cve/CVE-2018-5170.html
https://www.suse.com/security/cve/CVE-2018-5174.html
https://www.suse.com/security/cve/CVE-2018-5178.html
https://www.suse.com/security/cve/CVE-2018-5183.html
https://www.suse.com/security/cve/CVE-2018-5184.html
https://www.suse.com/security/cve/CVE-2018-5185.html
https://bugzilla.suse.com/1092548
https://bugzilla.suse.com/1093152
openSUSE Security Update: Security update for lilypond
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1360-1
Rating: moderate
References: #1041090 #1093056
Cross-References: CVE-2018-10992
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves one vulnerability and has one erratum is now
available.
Description:
This update for lilypond fixes the following issues:
- CVE-2018-10992: lilypond: Does not validate strings before launching
the program specified by the BROWSER environment variable, which
allows remote attackers to conduct argument-injection attacks
(bsc#1093056)
- packages do not build reproducibly from unsorted input (bsc#1041090)
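The class of bug described for CVE-2018-10992 is a string passed unvalidated to the program named by BROWSER, where it can be read as an option rather than a location. The Python below is an added example, not lilypond's code, of the hardening a launcher would apply: the URL is validated (no leading "-", no control characters, absolute http(s) only), the BROWSER value is split without ever invoking a shell, and the URL is placed as its own argv element. The handling of a standalone %s token in BROWSER follows the common convention for that variable and is an assumption of this example; the command strings and URLs are constructed.

```python
"""Validate a URL before handing it to the program named by $BROWSER (added example)."""
import os
import shlex
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to pass as a single argv element.

    Rejects anything a browser could read as an option instead of a location
    (a leading '-'), control characters, and schemes other than http(s).
    """
    if not url or url.startswith("-"):
        raise ValueError("URL must be non-empty and must not start with '-'")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        raise ValueError("URL contains control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("URL must be an absolute http(s) URL")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean form of validate_url for callers that do not want exceptions."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def build_browser_argv(browser_env: str, url: str) -> list:
    """Turn the BROWSER setting plus a validated URL into an argv list.

    BROWSER may carry its own options and an optional standalone %s token
    (assumption of this example, after the common BROWSER convention); the
    URL replaces that token or is appended as the last argument. No shell is
    involved at any point, so shell metacharacters in the URL are inert.
    """
    url = validate_url(url)
    argv = shlex.split(browser_env)
    if not argv:
        raise ValueError("BROWSER is empty")
    if "%s" in argv:
        return [url if tok == "%s" else tok for tok in argv]
    return argv + [url]


def open_in_browser(url: str) -> int:
    """Launch the browser without a shell; returns the process exit status."""
    argv = build_browser_argv(os.environ.get("BROWSER", "xdg-open"), url)
    return subprocess.run(argv, shell=False).returncode


if __name__ == "__main__":
    import sys
    sys.exit(open_in_browser(sys.argv[1]))
```

Validation is done on the URL rather than relying on a "--" end-of-options marker because not every browser honours that marker; the scheme check alone already excludes a leading "-", and the explicit check keeps the intent readable.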
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-487=1
Package List:
- openSUSE Leap 42.3 (x86_64):
lilypond-2.18.2-7.3.1
lilypond-debuginfo-2.18.2-7.3.1
lilypond-debugsource-2.18.2-7.3.1
- openSUSE Leap 42.3 (noarch):
lilypond-century-schoolbook-l-fonts-2.18.2-7.3.1
lilypond-doc-2.18.2-7.3.1
lilypond-doc-cs-2.18.2-7.3.1
lilypond-doc-de-2.18.2-7.3.1
lilypond-doc-es-2.18.2-7.3.1
lilypond-doc-fr-2.18.2-7.3.1
lilypond-doc-hu-2.18.2-7.3.1
lilypond-doc-it-2.18.2-7.3.1
lilypond-doc-ja-2.18.2-7.3.1
lilypond-doc-nl-2.18.2-7.3.1
lilypond-doc-zh-2.18.2-7.3.1
lilypond-emmentaler-fonts-2.18.2-7.3.1
lilypond-fonts-common-2.18.2-7.3.1
References:
https://www.suse.com/security/cve/CVE-2018-10992.html
https://bugzilla.suse.com/1041090
https://bugzilla.suse.com/1093056
openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1359-1
Rating: important
References: #1092548 #1093152
Cross-References: CVE-2018-5150 CVE-2018-5154 CVE-2018-5155
CVE-2018-5159 CVE-2018-5161 CVE-2018-5162
CVE-2018-5168 CVE-2018-5170 CVE-2018-5174
CVE-2018-5178 CVE-2018-5183 CVE-2018-5184
CVE-2018-5185
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
This update for Mozilla Thunderbird to version 52.8 fixes the following
issues:
Security issues fixed (MFSA 2018-13, boo#1092548):
- CVE-2018-5183: Backport critical security fixes in Skia
- CVE-2018-5154: Use-after-free with SVG animations and clip paths
- CVE-2018-5155: Use-after-free with SVG animations and text paths
- CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
- CVE-2018-5168: Lightweight themes can be installed without user
interaction
- CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
- CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
and Thunderbird 52.8
- CVE-2018-5161: Hang via malformed headers (bsc#1093970)
- CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
(bsc#1093971)
- CVE-2018-5170: Filename spoofing for external attachments (bsc#1093972)
- CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext
attack (bsc#1093969)
- CVE-2018-5185: Leaking plaintext through HTML forms (bsc#1093973)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2018-486=1
Package List:
- SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):
MozillaThunderbird-52.8-60.1
MozillaThunderbird-buildsymbols-52.8-60.1
MozillaThunderbird-debuginfo-52.8-60.1
MozillaThunderbird-debugsource-52.8-60.1
MozillaThunderbird-devel-52.8-60.1
MozillaThunderbird-translations-common-52.8-60.1
MozillaThunderbird-translations-other-52.8-60.1
References:
https://www.suse.com/security/cve/CVE-2018-5150.html
https://www.suse.com/security/cve/CVE-2018-5154.html
https://www.suse.com/security/cve/CVE-2018-5155.html
https://www.suse.com/security/cve/CVE-2018-5159.html
https://www.suse.com/security/cve/CVE-2018-5161.html
https://www.suse.com/security/cve/CVE-2018-5162.html
https://www.suse.com/security/cve/CVE-2018-5168.html
https://www.suse.com/security/cve/CVE-2018-5170.html
https://www.suse.com/security/cve/CVE-2018-5174.html
https://www.suse.com/security/cve/CVE-2018-5178.html
https://www.suse.com/security/cve/CVE-2018-5183.html
https://www.suse.com/security/cve/CVE-2018-5184.html
https://www.suse.com/security/cve/CVE-2018-5185.html
https://bugzilla.suse.com/1092548
https://bugzilla.suse.com/1093152
openSUSE Security Update: Security update for ghostscript
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1348-1
Rating: moderate
References: #1090099
Cross-References: CVE-2018-10194
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for ghostscript fixes the following issues:
- CVE-2018-10194: A stack-based buffer overflow was fixed in gdevpdts.c
(bsc#1090099)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-479=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
ghostscript-9.15-14.6.1
ghostscript-debuginfo-9.15-14.6.1
ghostscript-debugsource-9.15-14.6.1
ghostscript-devel-9.15-14.6.1
ghostscript-mini-9.15-14.6.1
ghostscript-mini-debuginfo-9.15-14.6.1
ghostscript-mini-debugsource-9.15-14.6.1
ghostscript-mini-devel-9.15-14.6.1
ghostscript-x11-9.15-14.6.1
ghostscript-x11-debuginfo-9.15-14.6.1
References:
https://www.suse.com/security/cve/CVE-2018-10194.html
https://bugzilla.suse.com/1090099
openSUSE Security Update: Security update for enigmail
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:1347-1
Rating: moderate
References: #1093151 #1093152
Cross-References: CVE-2017-17688 CVE-2017-17689
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for enigmail fixes multiple issues.
Security issues fixed:
- CVE-2017-17688: CFB gadget attacks allowed an attacker to exfiltrate
plaintext out of encrypted emails. Enigmail now fails on GnuPG integrity
check warnings for old algorithms (bsc#1093151)
- CVE-2017-17689: CBC gadget attacks allowed an attacker to exfiltrate
plaintext out of encrypted emails (bsc#1093152)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-474=1
Package List:
- openSUSE Leap 15.0 (x86_64):
enigmail-2.0.4-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2017-17688.html
https://www.suse.com/security/cve/CVE-2017-17689.html
https://bugzilla.suse.com/1093151
https://bugzilla.suse.com/1093152