openSUSE Security Update: Security update for e2fsprogs
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2133-1
Rating: moderate
References: #1009532 #1038194 #915402 #918346 #960273
Cross-References: CVE-2015-0247 CVE-2015-1572
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that solves two vulnerabilities and has three
fixes is now available.
Description:
This update for e2fsprogs fixes the following issues:
Security issues fixed:
- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck,
dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).
Bug fixes:
- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is
inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file
system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-771=1
Package List:
- openSUSE Leap 15.0 (i586 x86_64):
e2fsprogs-1.43.8-lp150.3.3.1
e2fsprogs-debuginfo-1.43.8-lp150.3.3.1
e2fsprogs-debugsource-1.43.8-lp150.3.3.1
e2fsprogs-devel-1.43.8-lp150.3.3.1
libcom_err-devel-1.43.8-lp150.3.3.1
libcom_err-devel-static-1.43.8-lp150.3.3.1
libcom_err2-1.43.8-lp150.3.3.1
libcom_err2-debuginfo-1.43.8-lp150.3.3.1
libext2fs-devel-1.43.8-lp150.3.3.1
libext2fs-devel-static-1.43.8-lp150.3.3.1
libext2fs2-1.43.8-lp150.3.3.1
libext2fs2-debuginfo-1.43.8-lp150.3.3.1
- openSUSE Leap 15.0 (x86_64):
e2fsprogs-32bit-debuginfo-1.43.8-lp150.3.3.1
libcom_err-devel-32bit-1.43.8-lp150.3.3.1
libcom_err2-32bit-1.43.8-lp150.3.3.1
libcom_err2-32bit-debuginfo-1.43.8-lp150.3.3.1
libext2fs-devel-32bit-1.43.8-lp150.3.3.1
libext2fs2-32bit-1.43.8-lp150.3.3.1
libext2fs2-32bit-debuginfo-1.43.8-lp150.3.3.1
References:
https://www.suse.com/security/cve/CVE-2015-0247.html
https://www.suse.com/security/cve/CVE-2015-1572.html
https://bugzilla.suse.com/1009532
https://bugzilla.suse.com/1038194
https://bugzilla.suse.com/915402
https://bugzilla.suse.com/918346
https://bugzilla.suse.com/960273
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
openSUSE Security Update: Security update for mercurial
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2132-1
Rating: moderate
References: #1100353 #1100354 #1100355
Cross-References: CVE-2018-13346 CVE-2018-13347 CVE-2018-13348
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for mercurial fixes the following issues:
Security issues fixed:
- CVE-2018-13346: Fix mpatch_apply function in mpatch.c that incorrectly
proceeds in cases where the fragment start is past the end of the
original data (bsc#1100354).
- CVE-2018-13347: Fix mpatch.c that mishandles integer addition and
subtraction (bsc#1100355).
- CVE-2018-13348: Fix the mpatch_decode function in mpatch.c that
mishandles certain situations where there should be at least 12 bytes
remaining after the current position in the patch data (bsc#1100353).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-772=1
Package List:
- openSUSE Leap 15.0 (i586 x86_64):
mercurial-4.5.2-lp150.2.3.1
mercurial-debuginfo-4.5.2-lp150.2.3.1
mercurial-debugsource-4.5.2-lp150.2.3.1
- openSUSE Leap 15.0 (noarch):
mercurial-lang-4.5.2-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-13346.html
https://www.suse.com/security/cve/CVE-2018-13347.html
https://www.suse.com/security/cve/CVE-2018-13348.html
https://bugzilla.suse.com/1100353
https://bugzilla.suse.com/1100354
https://bugzilla.suse.com/1100355
openSUSE Security Update: Security update for bouncycastle
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2131-1
Rating: moderate
References: #1072697 #1100694
Cross-References: CVE-2017-13098 CVE-2018-1000613
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for bouncycastle fixes the following issues:
Security issues fixed:
- CVE-2018-1000613: Fix use of Externally-Controlled Input to Select
Classes or Code ('Unsafe Reflection') (boo#1100694).
- CVE-2017-13098: Fix against Bleichenbacher oracle when not using the
lightweight APIs (boo#1072697).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-776=1
Package List:
- openSUSE Leap 15.0 (noarch):
bouncycastle-1.60-lp150.2.3.1
bouncycastle-javadoc-1.60-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2017-13098.html
https://www.suse.com/security/cve/CVE-2018-1000613.html
https://bugzilla.suse.com/1072697
https://bugzilla.suse.com/1100694
openSUSE Security Update: Security update for qutebrowser
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2130-1
Rating: moderate
References: #1101507
Cross-References: CVE-2018-1000559
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for qutebrowser fixes the following issues:
Security issue fixed:
- CVE-2018-1000559: Fix an XSS issue on qute://history (boo#1101507).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-774=1
Package List:
- openSUSE Leap 42.3 (noarch):
qutebrowser-0.11.1-2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-1000559.html
https://bugzilla.suse.com/1101507
openSUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2129-1
Rating: moderate
References: #1097158 #1097624 #1098592
Cross-References: CVE-2018-0732
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available.
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E)
based ciphersuite a malicious server could have sent a very large prime
value to the client. This caused the client to spend an unreasonably
long period of time generating a key for this prime resulting in a hang
until the client has finished. This could be exploited in a Denial Of
Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-763=1
Package List:
- openSUSE Leap 15.0 (i586 x86_64):
libopenssl-1_0_0-devel-1.0.2n-lp150.2.3.1
libopenssl1_0_0-1.0.2n-lp150.2.3.1
libopenssl1_0_0-debuginfo-1.0.2n-lp150.2.3.1
libopenssl1_0_0-hmac-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-debuginfo-1.0.2n-lp150.2.3.1
openssl-1_0_0-1.0.2n-lp150.2.3.1
openssl-1_0_0-cavs-1.0.2n-lp150.2.3.1
openssl-1_0_0-cavs-debuginfo-1.0.2n-lp150.2.3.1
openssl-1_0_0-debuginfo-1.0.2n-lp150.2.3.1
openssl-1_0_0-debugsource-1.0.2n-lp150.2.3.1
- openSUSE Leap 15.0 (x86_64):
libopenssl-1_0_0-devel-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-32bit-debuginfo-1.0.2n-lp150.2.3.1
libopenssl1_0_0-hmac-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-32bit-debuginfo-1.0.2n-lp150.2.3.1
- openSUSE Leap 15.0 (noarch):
openssl-1_0_0-doc-1.0.2n-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-0732.html
https://bugzilla.suse.com/1097158
https://bugzilla.suse.com/1097624
https://bugzilla.suse.com/1098592
openSUSE Security Update: Security update for openssh
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2128-1
Rating: moderate
References: #1076957
Cross-References: CVE-2016-10708
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for openssh fixes the following issues:
Security issue fixed:
- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence
NEWKEYS message (bsc#1076957).
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-765=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
openssh-7.2p2-21.1
openssh-askpass-gnome-7.2p2-21.1
openssh-askpass-gnome-debuginfo-7.2p2-21.1
openssh-cavs-7.2p2-21.1
openssh-cavs-debuginfo-7.2p2-21.1
openssh-debuginfo-7.2p2-21.1
openssh-debugsource-7.2p2-21.1
openssh-fips-7.2p2-21.1
openssh-helpers-7.2p2-21.1
openssh-helpers-debuginfo-7.2p2-21.1
References:
https://www.suse.com/security/cve/CVE-2016-10708.html
https://bugzilla.suse.com/1076957
openSUSE Security Update: Security update for shadow
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2127-1
Rating: important
References: #1099310
Cross-References: CVE-2016-6252
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local
privilege escalation (bsc#1099310)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-770=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
shadow-4.2.1-16.1
shadow-debuginfo-4.2.1-16.1
shadow-debugsource-4.2.1-16.1
References:
https://www.suse.com/security/cve/CVE-2016-6252.html
https://bugzilla.suse.com/1099310
openSUSE Security Update: Security update for python
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2126-1
Rating: moderate
References: #1083507
Cross-References: CVE-2017-18207
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for python fixes the following issues:
The following security vulnerabilities were addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is
provided. Prior to this, attackers could cause a denial of service via a
crafted wav format audio file. [bsc#1083507, CVE-2017-18207]
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-779=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libpython2_7-1_0-2.7.13-27.6.1
libpython2_7-1_0-debuginfo-2.7.13-27.6.1
python-2.7.13-27.6.1
python-base-2.7.13-27.6.1
python-base-debuginfo-2.7.13-27.6.1
python-base-debugsource-2.7.13-27.6.1
python-curses-2.7.13-27.6.1
python-curses-debuginfo-2.7.13-27.6.1
python-debuginfo-2.7.13-27.6.1
python-debugsource-2.7.13-27.6.1
python-demo-2.7.13-27.6.1
python-devel-2.7.13-27.6.1
python-gdbm-2.7.13-27.6.1
python-gdbm-debuginfo-2.7.13-27.6.1
python-idle-2.7.13-27.6.1
python-tk-2.7.13-27.6.1
python-tk-debuginfo-2.7.13-27.6.1
python-xml-2.7.13-27.6.1
python-xml-debuginfo-2.7.13-27.6.1
- openSUSE Leap 42.3 (noarch):
python-doc-2.7.13-27.6.1
python-doc-pdf-2.7.13-27.6.1
- openSUSE Leap 42.3 (x86_64):
libpython2_7-1_0-32bit-2.7.13-27.6.1
libpython2_7-1_0-debuginfo-32bit-2.7.13-27.6.1
python-32bit-2.7.13-27.6.1
python-base-32bit-2.7.13-27.6.1
python-base-debuginfo-32bit-2.7.13-27.6.1
python-debuginfo-32bit-2.7.13-27.6.1
References:
https://www.suse.com/security/cve/CVE-2017-18207.html
https://bugzilla.suse.com/1083507