openSUSE Security Update: Security update for openssl
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2957-1
Rating: moderate
References: #1089039 #1101246 #1101470 #1104789 #1106197 #997043
Cross-References: CVE-2018-0737
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves one vulnerability and has 5 fixes is now available.
Description:
This update for openssl fixes the following issues:
These security issues were fixed:
- Prevent the One&Done side-channel attack on RSA, which allowed physically
nearby attackers to recover information from EM emanations (bsc#1104789)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be
vulnerable to a cache timing side channel attack. An attacker with
sufficient access to mount cache timing attacks during the RSA key
generation process could have recovered the private key (bsc#1089039)
These non-security issues were fixed:
- Add openssl(cli) Provide so the packages that require the openssl binary
can require this instead of the new openssl meta package (bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246,
bsc#997043)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1091=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libopenssl-devel-1.0.2j-29.1
libopenssl1_0_0-1.0.2j-29.1
libopenssl1_0_0-debuginfo-1.0.2j-29.1
libopenssl1_0_0-hmac-1.0.2j-29.1
openssl-1.0.2j-29.1
openssl-cavs-1.0.2j-29.1
openssl-cavs-debuginfo-1.0.2j-29.1
openssl-debuginfo-1.0.2j-29.1
openssl-debugsource-1.0.2j-29.1
- openSUSE Leap 42.3 (noarch):
openssl-doc-1.0.2j-29.1
- openSUSE Leap 42.3 (x86_64):
libopenssl-devel-32bit-1.0.2j-29.1
libopenssl1_0_0-32bit-1.0.2j-29.1
libopenssl1_0_0-debuginfo-32bit-1.0.2j-29.1
libopenssl1_0_0-hmac-32bit-1.0.2j-29.1
References:
https://www.suse.com/security/cve/CVE-2018-0737.html
https://bugzilla.suse.com/1089039
https://bugzilla.suse.com/1101246
https://bugzilla.suse.com/1101470
https://bugzilla.suse.com/1104789
https://bugzilla.suse.com/1106197
https://bugzilla.suse.com/997043
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
openSUSE Security Update: Security update for yast2-smt
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2943-1
Rating: important
References: #1097560
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update fixes the following issue in yast2-smt:
- Remove cron job rescheduling (bsc#1097560)
This update is a requirement for the security update for SMT. Because of
that it is tagged as security to ensure that all users, even those that
only install security updates, install it.
This update was imported from the SUSE:SLE-12-SP3:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1081=1
Package List:
- openSUSE Leap 42.3 (noarch):
yast2-smt-3.0.14-2.3.1
References:
https://bugzilla.suse.com/1097560
openSUSE Security Update: Security update for mgetty
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2942-1
Rating: important
References: #1108752 #1108756 #1108757 #1108761 #1108762
Cross-References: CVE-2018-16741 CVE-2018-16742 CVE-2018-16743 CVE-2018-16744 CVE-2018-16745
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes 5 vulnerabilities is now available.
Description:
This update for mgetty fixes the following issues:
- CVE-2018-16741: The function do_activate() did not properly sanitize
shell metacharacters to prevent command injection (bsc#1108752).
- CVE-2018-16745: The mail_to parameter was not sanitized, leading to a
buffer overflow if long untrusted input reached it (bsc#1108756).
- CVE-2018-16744: The mail_to parameter was not sanitized, leading to
command injection if untrusted input reached it (bsc#1108757).
- CVE-2018-16742: Prevent stack-based buffer overflow that could have been
triggered via a command-line parameter (bsc#1108762).
- CVE-2018-16743: The command-line parameter username was passed
unsanitized to strcpy(), which could have caused a stack-based buffer
overflow (bsc#1108761).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1080=1
Package List:
- openSUSE Leap 15.0 (x86_64):
g3utils-1.1.37-lp150.2.3.1
g3utils-debuginfo-1.1.37-lp150.2.3.1
mgetty-1.1.37-lp150.2.3.1
mgetty-debuginfo-1.1.37-lp150.2.3.1
mgetty-debugsource-1.1.37-lp150.2.3.1
sendfax-1.1.37-lp150.2.3.1
sendfax-debuginfo-1.1.37-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-16741.html
https://www.suse.com/security/cve/CVE-2018-16742.html
https://www.suse.com/security/cve/CVE-2018-16743.html
https://www.suse.com/security/cve/CVE-2018-16744.html
https://www.suse.com/security/cve/CVE-2018-16745.html
https://bugzilla.suse.com/1108752
https://bugzilla.suse.com/1108756
https://bugzilla.suse.com/1108757
https://bugzilla.suse.com/1108761
https://bugzilla.suse.com/1108762
openSUSE Security Update: Security update for gd
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2941-1
Rating: moderate
References: #1105434
Cross-References: CVE-2018-1000222
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for gd fixes the following issues:
Security issue fixed:
- CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr()
that could result in remote code execution. This could have been
exploited via a specially crafted JPEG image file (bsc#1105434)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1079=1
Package List:
- openSUSE Leap 15.0 (i586 x86_64):
gd-2.2.5-lp150.3.3.1
gd-debuginfo-2.2.5-lp150.3.3.1
gd-debugsource-2.2.5-lp150.3.3.1
gd-devel-2.2.5-lp150.3.3.1
libgd3-2.2.5-lp150.3.3.1
libgd3-debuginfo-2.2.5-lp150.3.3.1
- openSUSE Leap 15.0 (x86_64):
libgd3-32bit-2.2.5-lp150.3.3.1
libgd3-32bit-debuginfo-2.2.5-lp150.3.3.1
References:
https://www.suse.com/security/cve/CVE-2018-1000222.html
https://bugzilla.suse.com/1105434
openSUSE Security Update: Security update for dom4j
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2931-1
Rating: moderate
References: #1105443
Cross-References: CVE-2018-1000632
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for dom4j fixes the following issues:
- CVE-2018-1000632: Prevent XML injection vulnerability that allowed an
attacker to tamper with XML documents (bsc#1105443)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1077=1
Package List:
- openSUSE Leap 42.3 (noarch):
dom4j-1.6.1-31.3.2
dom4j-demo-1.6.1-31.3.2
dom4j-javadoc-1.6.1-31.3.2
dom4j-manual-1.6.1-31.3.2
References:
https://www.suse.com/security/cve/CVE-2018-1000632.html
https://bugzilla.suse.com/1105443
openSUSE Security Update: Security update for ant
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2895-1
Rating: moderate
References: #1100053
Cross-References: CVE-2018-10886
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for ant fixes the following issues:
Security issue fixed:
- CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip
file paths, which allowed arbitrary file writes and could potentially
lead to code execution (bsc#1100053)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1057=1
Package List:
- openSUSE Leap 15.0 (noarch):
ant-1.9.10-lp150.2.3.1
ant-antlr-1.9.10-lp150.2.3.1
ant-apache-bcel-1.9.10-lp150.2.3.1
ant-apache-bsf-1.9.10-lp150.2.3.1
ant-apache-log4j-1.9.10-lp150.2.3.1
ant-apache-oro-1.9.10-lp150.2.3.1
ant-apache-regexp-1.9.10-lp150.2.3.1
ant-apache-resolver-1.9.10-lp150.2.3.1
ant-apache-xalan2-1.9.10-lp150.2.3.1
ant-commons-logging-1.9.10-lp150.2.3.1
ant-commons-net-1.9.10-lp150.2.3.1
ant-javamail-1.9.10-lp150.2.3.1
ant-jdepend-1.9.10-lp150.2.3.1
ant-jmf-1.9.10-lp150.2.3.1
ant-jsch-1.9.10-lp150.2.3.1
ant-junit-1.9.10-lp150.2.3.1
ant-manual-1.9.10-lp150.2.3.1
ant-scripts-1.9.10-lp150.2.3.1
ant-swing-1.9.10-lp150.2.3.1
ant-testutil-1.9.10-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-10886.html
https://bugzilla.suse.com/1100053
openSUSE Security Update: Security update for shadow
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2885-1
Rating: moderate
References: #1106914
Cross-References: CVE-2018-16588
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for shadow fixes the following security issue:
- CVE-2018-16588: Prevent useradd from creating intermediate directories
with mode 0777 (bsc#1106914)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1055=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
shadow-4.2.1-20.1
shadow-debuginfo-4.2.1-20.1
shadow-debugsource-4.2.1-20.1
References:
https://www.suse.com/security/cve/CVE-2018-16588.html
https://bugzilla.suse.com/1106914
openSUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2881-1
Rating: important
References: #1036304 #1049825 #1070851 #1076192 #1088705 #1091624 #1092413 #1096803 #1099847 #1100028 #1101349 #1102429
Cross-References: CVE-2018-7685
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves one vulnerability and has 11 fixes is now available.
Description:
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624,
bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before
caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo
packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent an empty commit without the Target having been
loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
Update zypper to version 1.13.45:
Other bugs fixed:
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Clarify that `--config FILE' affects zypper.conf, not zypp.conf
(bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope
(bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
This update was imported from the SUSE:SLE-12-SP3:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1054=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libzypp-16.17.20-27.1
libzypp-debuginfo-16.17.20-27.1
libzypp-debugsource-16.17.20-27.1
libzypp-devel-16.17.20-27.1
libzypp-devel-doc-16.17.20-27.1
zypper-1.13.45-20.1
zypper-debuginfo-1.13.45-20.1
zypper-debugsource-1.13.45-20.1
- openSUSE Leap 42.3 (noarch):
zypper-aptitude-1.13.45-20.1
zypper-log-1.13.45-20.1
References:
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1049825
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1076192
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102429
openSUSE Security Update: Security update for tiff
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2880-1
Rating: moderate
References: #1074186 #1092480 #983440
Cross-References: CVE-2016-5319 CVE-2017-17942 CVE-2018-10779
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2018-10779: Fixed a heap-based buffer overflow in
TIFFWriteScanline() in tif_write.c (bsc#1092480)
- CVE-2017-17942: Fixed a heap-based buffer overflow in the function
PackBitsEncode in tif_packbits.c. (bsc#1074186)
- CVE-2016-5319: Fixed a heap-based buffer overflow in bmp2tiff
(bsc#983440)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1056=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libtiff-devel-4.0.9-34.1
libtiff5-4.0.9-34.1
libtiff5-debuginfo-4.0.9-34.1
tiff-4.0.9-34.1
tiff-debuginfo-4.0.9-34.1
tiff-debugsource-4.0.9-34.1
- openSUSE Leap 42.3 (x86_64):
libtiff-devel-32bit-4.0.9-34.1
libtiff5-32bit-4.0.9-34.1
libtiff5-debuginfo-32bit-4.0.9-34.1
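Every advisory above ends with a Package List naming the fixed version-release of each package; the check an administrator actually wants is whether the installed versions are at or above those. The following POSIX shell audit is an added example, not part of the advisories or of SUSE tooling: it compares a constructed sample of `rpm -q`-style output (name and version-release per line, an assumed format) against fixed versions copied from the Package Lists above, and reports which packages still need the update.

```shell
# Constructed sample of installed packages, one "NAME VERSION-RELEASE" per
# line (assumed format; a real run would feed
# rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' into INSTALLED instead).
INSTALLED='openssl 1.0.2j-26.1
libopenssl1_0_0 1.0.2j-29.1
shadow 4.2.1-20.1
libtiff5 4.0.9-34.1'

# Fixed versions taken from the Package List sections of the advisories above.
FIXED='openssl 1.0.2j-29.1
libopenssl1_0_0 1.0.2j-29.1
shadow 4.2.1-20.1
libtiff5 4.0.9-34.1
mgetty 1.1.37-lp150.2.3.1'

# version_ge HAVE WANT: succeed when HAVE is equal to or newer than WANT.
# Uses GNU sort -V, which orders dotted version-release strings numerically.
version_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_package NAME WANT: look NAME up in INSTALLED and report its state.
# Returns 0 when patched, 1 when still vulnerable, 2 when not installed.
check_package() {
    have=$(printf '%s\n' "$INSTALLED" | awk -v n="$1" '$1 == n { print $2 }')
    if [ -z "$have" ]; then
        echo "$1: not installed"; return 2
    elif version_ge "$have" "$2"; then
        echo "$1: $have >= $2 (patched)"; return 0
    else
        echo "$1: $have < $2 (VULNERABLE)"; return 1
    fi
}

# audit: run check_package over every FIXED entry; succeed only when no
# installed package is below its fixed version (missing packages are skipped).
audit() {
    vulnerable=0
    while read -r name want; do
        [ -n "$name" ] || continue
        rc=0
        check_package "$name" "$want" || rc=$?
        if [ "$rc" -eq 1 ]; then vulnerable=$((vulnerable + 1)); fi
    done <<EOF
$FIXED
EOF
    echo "$vulnerable package(s) still need the update"
    [ "$vulnerable" -eq 0 ]
}
```

With the constructed sample, audit exits non-zero because openssl is still at 1.0.2j-26.1, below the 1.0.2j-29.1 shipped by openSUSE-SU-2018:2957-1.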
References:
https://www.suse.com/security/cve/CVE-2016-5319.html
https://www.suse.com/security/cve/CVE-2017-17942.html
https://www.suse.com/security/cve/CVE-2018-10779.html
https://bugzilla.suse.com/1074186
https://bugzilla.suse.com/1092480
https://bugzilla.suse.com/983440