openSUSE Security Announce June 2020

security-announce@lists.opensuse.org

1 participants
73 discussions

[security-announce] openSUSE-SU-2020:0908-1: important: Security update for curl
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0908-1 Rating: important References: #1173027 Cross-References: CVE-2020-8177 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-908=1 Package List: - openSUSE Leap 15.1 (i586 x86_64): curl-7.60.0-lp151.5.12.1 curl-debuginfo-7.60.0-lp151.5.12.1 curl-debugsource-7.60.0-lp151.5.12.1 curl-mini-7.60.0-lp151.5.12.1 curl-mini-debuginfo-7.60.0-lp151.5.12.1 curl-mini-debugsource-7.60.0-lp151.5.12.1 libcurl-devel-7.60.0-lp151.5.12.1 libcurl-mini-devel-7.60.0-lp151.5.12.1 libcurl4-7.60.0-lp151.5.12.1 libcurl4-debuginfo-7.60.0-lp151.5.12.1 libcurl4-mini-7.60.0-lp151.5.12.1 libcurl4-mini-debuginfo-7.60.0-lp151.5.12.1 - openSUSE Leap 15.1 (x86_64): libcurl-devel-32bit-7.60.0-lp151.5.12.1 libcurl4-32bit-7.60.0-lp151.5.12.1 libcurl4-32bit-debuginfo-7.60.0-lp151.5.12.1 References: https://www.suse.com/security/cve/CVE-2020-8177.html https://bugzilla.suse.com/1173027 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0914-1: important: Security update for squid
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0914-1 Rating: important References: #1173304 Cross-References: CVE-2020-14059 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for squid fixes the following issues: squid was updated to version 4.12 Security issue fixed: - CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server during TLS Handshake (bsc#1173304). Other issues addressed: - Reverted to slow search for new SMP shm pages due to a regression - Fixed an issue where negative responses were never cached - Fixed stall if transaction was overwriting a recently active cache entry This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-914=1 Package List: - openSUSE Leap 15.2 (x86_64): squid-4.12-lp152.2.3.1 squid-debuginfo-4.12-lp152.2.3.1 squid-debugsource-4.12-lp152.2.3.1 References: https://www.suse.com/security/cve/CVE-2020-14059.html https://bugzilla.suse.com/1173304 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0915-1: important: Security update for mutt
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for mutt ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0915-1 Rating: important References: #1172906 #1172935 #1173197 Cross-References: CVE-2020-14093 CVE-2020-14154 CVE-2020-14954 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for mutt fixes the following issues: - CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (bsc#1173197). - CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935). - CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was proceeding with a connection (bsc#1172906, bsc#1172935). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-915=1 Package List: - openSUSE Leap 15.2 (x86_64): mutt-1.10.1-lp152.3.3.1 mutt-debuginfo-1.10.1-lp152.3.3.1 mutt-debugsource-1.10.1-lp152.3.3.1 - openSUSE Leap 15.2 (noarch): mutt-doc-1.10.1-lp152.3.3.1 mutt-lang-1.10.1-lp152.3.3.1 References: https://www.suse.com/security/cve/CVE-2020-14093.html https://www.suse.com/security/cve/CVE-2020-14154.html https://www.suse.com/security/cve/CVE-2020-14954.html https://bugzilla.suse.com/1172906 https://bugzilla.suse.com/1172935 https://bugzilla.suse.com/1173197 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0912-1: important: Security update for unbound
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for unbound ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0912-1 Rating: important References: #1157268 #1171889 Cross-References: CVE-2019-18934 CVE-2020-12662 CVE-2020-12663 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for unbound fixes the following issues: - CVE-2020-12662: Fixed an issue where unbound could have been tricked into amplifying an incoming query into a large number of queries directed to a target (bsc#1171889). - CVE-2020-12663: Fixed an issue where malformed answers from upstream name servers could have been used to make unbound unresponsive (bsc#1171889). - CVE-2019-18934: Fixed a vulnerability in the IPSec module which could have allowed code execution after receiving a special crafted answer (bsc#1157268). This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-912=1 Package List: - openSUSE Leap 15.1 (i586 x86_64): libunbound-devel-mini-1.6.8-lp151.8.3.1 libunbound-devel-mini-debuginfo-1.6.8-lp151.8.3.1 libunbound-devel-mini-debugsource-1.6.8-lp151.8.3.1 - openSUSE Leap 15.1 (noarch): unbound-munin-1.6.8-lp151.8.3.1 - openSUSE Leap 15.1 (x86_64): libunbound2-1.6.8-lp151.8.3.1 libunbound2-debuginfo-1.6.8-lp151.8.3.1 unbound-1.6.8-lp151.8.3.1 unbound-anchor-1.6.8-lp151.8.3.1 unbound-anchor-debuginfo-1.6.8-lp151.8.3.1 unbound-debuginfo-1.6.8-lp151.8.3.1 unbound-debugsource-1.6.8-lp151.8.3.1 unbound-devel-1.6.8-lp151.8.3.1 unbound-python-1.6.8-lp151.8.3.1 unbound-python-debuginfo-1.6.8-lp151.8.3.1 References: https://www.suse.com/security/cve/CVE-2019-18934.html https://www.suse.com/security/cve/CVE-2020-12662.html https://www.suse.com/security/cve/CVE-2020-12663.html https://bugzilla.suse.com/1157268 https://bugzilla.suse.com/1171889 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0910-1: important: Security update for squid
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0910-1 Rating: important References: #1173304 Cross-References: CVE-2020-14059 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for squid fixes the following issues: squid was updated to version 4.12 Security issue fixed: - CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server during TLS Handshake (bsc#1173304). Other issues addressed: - Reverted to slow search for new SMP shm pages due to a regression - Fixed an issue where negative responses were never cached - Fixed stall if transaction was overwriting a recently active cache entry This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-910=1 Package List: - openSUSE Leap 15.1 (x86_64): squid-4.12-lp151.2.21.1 squid-debuginfo-4.12-lp151.2.21.1 squid-debugsource-4.12-lp151.2.21.1 References: https://www.suse.com/security/cve/CVE-2020-14059.html https://bugzilla.suse.com/1173304 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0913-1: important: Security update for unbound
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for unbound ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0913-1 Rating: important References: #1157268 #1171889 Cross-References: CVE-2019-18934 CVE-2020-12662 CVE-2020-12663 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for unbound fixes the following issues: - CVE-2020-12662: Fixed an issue where unbound could have been tricked into amplifying an incoming query into a large number of queries directed to a target (bsc#1171889). - CVE-2020-12663: Fixed an issue where malformed answers from upstream name servers could have been used to make unbound unresponsive (bsc#1171889). - CVE-2019-18934: Fixed a vulnerability in the IPSec module which could have allowed code execution after receiving a special crafted answer (bsc#1157268). This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-913=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): libunbound-devel-mini-1.6.8-lp152.9.3.1 libunbound-devel-mini-debuginfo-1.6.8-lp152.9.3.1 libunbound-devel-mini-debugsource-1.6.8-lp152.9.3.1 - openSUSE Leap 15.2 (noarch): unbound-munin-1.6.8-lp152.9.3.1 - openSUSE Leap 15.2 (x86_64): libunbound2-1.6.8-lp152.9.3.1 libunbound2-debuginfo-1.6.8-lp152.9.3.1 unbound-1.6.8-lp152.9.3.1 unbound-anchor-1.6.8-lp152.9.3.1 unbound-anchor-debuginfo-1.6.8-lp152.9.3.1 unbound-debuginfo-1.6.8-lp152.9.3.1 unbound-debugsource-1.6.8-lp152.9.3.1 unbound-devel-1.6.8-lp152.9.3.1 unbound-python-1.6.8-lp152.9.3.1 unbound-python-debuginfo-1.6.8-lp152.9.3.1 References: https://www.suse.com/security/cve/CVE-2019-18934.html https://www.suse.com/security/cve/CVE-2020-12662.html https://www.suse.com/security/cve/CVE-2020-12663.html https://bugzilla.suse.com/1157268 https://bugzilla.suse.com/1171889 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0911-1: important: Security update for tomcat
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0911-1 Rating: important References: #1172405 Cross-References: CVE-2020-8022 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tomcat fixes the following issues: - CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405) This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-911=1 Package List: - openSUSE Leap 15.1 (noarch): tomcat-9.0.35-lp151.3.21.1 tomcat-admin-webapps-9.0.35-lp151.3.21.1 tomcat-docs-webapp-9.0.35-lp151.3.21.1 tomcat-el-3_0-api-9.0.35-lp151.3.21.1 tomcat-embed-9.0.35-lp151.3.21.1 tomcat-javadoc-9.0.35-lp151.3.21.1 tomcat-jsp-2_3-api-9.0.35-lp151.3.21.1 tomcat-jsvc-9.0.35-lp151.3.21.1 tomcat-lib-9.0.35-lp151.3.21.1 tomcat-servlet-4_0-api-9.0.35-lp151.3.21.1 tomcat-webapps-9.0.35-lp151.3.21.1 References: https://www.suse.com/security/cve/CVE-2020-8022.html https://bugzilla.suse.com/1172405 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0906-1: moderate: Security update for graphviz
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for graphviz ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0906-1 Rating: moderate References: #1132091 Cross-References: CVE-2019-11023 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for graphviz fixes the following issues: Security issue fixed: - CVE-2019-11023: Fixed a denial of service vulnerability, which was caused by a NULL pointer dereference in agroot() (bsc#1132091). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-906=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): graphviz-2.40.1-lp152.7.4.2 graphviz-addons-debuginfo-2.40.1-lp152.7.4.2 graphviz-addons-debugsource-2.40.1-lp152.7.4.2 graphviz-debuginfo-2.40.1-lp152.7.4.2 graphviz-debugsource-2.40.1-lp152.7.4.2 graphviz-devel-2.40.1-lp152.7.4.2 graphviz-doc-2.40.1-lp152.7.4.2 graphviz-gd-2.40.1-lp152.7.4.2 graphviz-gd-debuginfo-2.40.1-lp152.7.4.2 graphviz-gnome-2.40.1-lp152.7.4.2 graphviz-gnome-debuginfo-2.40.1-lp152.7.4.2 graphviz-guile-2.40.1-lp152.7.4.2 graphviz-guile-debuginfo-2.40.1-lp152.7.4.2 graphviz-gvedit-2.40.1-lp152.7.4.2 graphviz-gvedit-debuginfo-2.40.1-lp152.7.4.2 graphviz-java-2.40.1-lp152.7.4.2 graphviz-java-debuginfo-2.40.1-lp152.7.4.2 graphviz-lua-2.40.1-lp152.7.4.2 graphviz-lua-debuginfo-2.40.1-lp152.7.4.2 graphviz-perl-2.40.1-lp152.7.4.2 graphviz-perl-debuginfo-2.40.1-lp152.7.4.2 graphviz-php-2.40.1-lp152.7.4.2 graphviz-php-debuginfo-2.40.1-lp152.7.4.2 graphviz-plugins-core-2.40.1-lp152.7.4.2 graphviz-plugins-core-debuginfo-2.40.1-lp152.7.4.2 graphviz-python-2.40.1-lp152.7.4.2 graphviz-python-debuginfo-2.40.1-lp152.7.4.2 graphviz-ruby-2.40.1-lp152.7.4.2 graphviz-ruby-debuginfo-2.40.1-lp152.7.4.2 graphviz-smyrna-2.40.1-lp152.7.4.2 graphviz-smyrna-debuginfo-2.40.1-lp152.7.4.2 graphviz-tcl-2.40.1-lp152.7.4.2 graphviz-tcl-debuginfo-2.40.1-lp152.7.4.2 libgraphviz6-2.40.1-lp152.7.4.2 libgraphviz6-debuginfo-2.40.1-lp152.7.4.2 References: https://www.suse.com/security/cve/CVE-2019-11023.html https://bugzilla.suse.com/1132091 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0903-1: important: Security update for mutt
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for mutt ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0903-1 Rating: important References: #1172906 #1172935 #1173197 Cross-References: CVE-2020-14093 CVE-2020-14154 CVE-2020-14954 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for mutt fixes the following issues: - CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (bsc#1173197). - CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935). - CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was proceeding with a connection (bsc#1172906, bsc#1172935). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-903=1 Package List: - openSUSE Leap 15.1 (noarch): mutt-doc-1.10.1-lp151.2.3.1 mutt-lang-1.10.1-lp151.2.3.1 - openSUSE Leap 15.1 (x86_64): mutt-1.10.1-lp151.2.3.1 mutt-debuginfo-1.10.1-lp151.2.3.1 mutt-debugsource-1.10.1-lp151.2.3.1 References: https://www.suse.com/security/cve/CVE-2020-14093.html https://www.suse.com/security/cve/CVE-2020-14154.html https://www.suse.com/security/cve/CVE-2020-14954.html https://bugzilla.suse.com/1172906 https://bugzilla.suse.com/1172935 https://bugzilla.suse.com/1173197 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2020:0902-1: important: Security update for chromium
by opensuse-security＠opensuse.org 29 Jun '20

29 Jun '20

openSUSE Security Update: Security update for chromium ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0902-1 Rating: important References: #1173107 #1173187 #1173188 #1173251 #1173254 #1173292 Cross-References: CVE-2020-6509 Affected Products: openSUSE Backports SLE-15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update for chromium fixes the following issues: Update to 83.0.4103.116 boo#1173251: * CVE-2020-6509: Use after free in extensions - Add patch to work with new ffmpeg (bsc#1173292) - Add multimedia fix for disabled location and also try one additional patch from Debian on the same issue boo#1173107 - Disable wayland integration on openSUSE Leap 15.x (boo#1173187 boo#1173188 boo#1173254) This update was imported from the openSUSE:Leap:15.1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2020-902=1 Package List: - openSUSE Backports SLE-15-SP1 (aarch64 x86_64): chromedriver-83.0.4103.116-bp151.3.91.1 chromium-83.0.4103.116-bp151.3.91.1 References: https://www.suse.com/security/cve/CVE-2020-6509.html https://bugzilla.suse.com/1173107 https://bugzilla.suse.com/1173187 https://bugzilla.suse.com/1173188 https://bugzilla.suse.com/1173251 https://bugzilla.suse.com/1173254 https://bugzilla.suse.com/1173292 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

openSUSE Security Announce June 2020