openSUSE Security Update: Security update for nodejs14
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0356-1
Rating: important
References: #1182619 #1182620
Cross-References: CVE-2021-22883 CVE-2021-22884
CVSS scores:
CVE-2021-22883 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-22884 (SUSE): 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for nodejs14 fixes the following issues:
- New upstream LTS version 14.16.0:
* CVE-2021-22883: HTTP2 'unknownProtocol' causes Denial of Service by
resource exhaustion (bsc#1182619)
* CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-356=1
Package List:
- openSUSE Leap 15.2 (noarch):
nodejs14-docs-14.16.0-lp152.8.1
- openSUSE Leap 15.2 (x86_64):
nodejs14-14.16.0-lp152.8.1
nodejs14-debuginfo-14.16.0-lp152.8.1
nodejs14-debugsource-14.16.0-lp152.8.1
nodejs14-devel-14.16.0-lp152.8.1
npm14-14.16.0-lp152.8.1
References:
https://www.suse.com/security/cve/CVE-2021-22883.html
https://www.suse.com/security/cve/CVE-2021-22884.html
https://bugzilla.suse.com/1182619
https://bugzilla.suse.com/1182620
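The Package List above gives the version-release that carries the fix, which is what you compare against when confirming that a host actually received the patch rather than trusting that "zypper patch" ran. The following POSIX shell snippet is an added example and not part of the advisory or of any SUSE tooling: it compares a constructed sample of `rpm -qa --qf "%{NAME} %{VERSION}-%{RELEASE}\n"` output against the fixed versions from this advisory and reports every installed package still below the fix. The sample inventory, the helper names and the use of `sort -V` for ordering are assumptions of the example; on a real host, substitute the actual rpm output.

```shell
#!/bin/sh
# Added example (not from the openSUSE advisory): report installed nodejs14
# packages on a Leap 15.2 host that are still below the fixed version-release.

# Fixed packages taken from the advisory's Package List (x86_64 binaries).
FIXED_PACKAGES='nodejs14 14.16.0-lp152.8.1
nodejs14-devel 14.16.0-lp152.8.1
npm14 14.16.0-lp152.8.1'

# Constructed sample of `rpm -qa --qf "%{NAME} %{VERSION}-%{RELEASE}\n"` output.
# One package is behind the fix, one is already current, one is unrelated.
SAMPLE_INSTALLED='nodejs14 14.15.4-lp152.7.1
npm14 14.16.0-lp152.8.1
bash 4.4-lp152.3.3'

# version_ge A B: succeed when A sorts at or above B in version order.
# sort -V (GNU coreutils) orders numeric segments numerically, which is
# sufficient for SUSE's VERSION-RELEASE strings; equal strings also succeed.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# installed_version INVENTORY NAME: print the installed version-release of
# NAME from the inventory text, or nothing when it is not installed.
installed_version() {
    printf '%s\n' "$1" | awk -v pkg="$2" '$1 == pkg { print $2; exit }'
}

# missing_fixes INVENTORY FIXED_LIST: print one "NAME INSTALLED FIXED" line
# per installed package whose version-release is below the fixed one.
# Packages that are not installed at all are not a finding.
missing_fixes() {
    printf '%s\n' "$2" | while read -r name fixed; do
        [ -n "$name" ] || continue
        have=$(installed_version "$1" "$name")
        [ -n "$have" ] || continue
        if ! version_ge "$have" "$fixed"; then
            printf '%s %s %s\n' "$name" "$have" "$fixed"
        fi
    done
}

# Stand-alone run against the constructed sample.
missing_fixes "$SAMPLE_INSTALLED" "$FIXED_PACKAGES"
```

The check deliberately ignores packages that are absent from the inventory, so it can be run fleet-wide with the full Package List of an advisory without flagging hosts that never had the component installed.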
openSUSE Security Update: Security update for nodejs12
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0357-1
Rating: important
References: #1182333 #1182619 #1182620
Cross-References: CVE-2021-22883 CVE-2021-22884 CVE-2021-23840
CVSS scores:
CVE-2021-22883 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-22884 (SUSE): 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for nodejs12 fixes the following issues:
New upstream LTS version 12.21.0:
- CVE-2021-22883: HTTP2 'unknownProtocol' causes Denial of Service by
resource exhaustion (bsc#1182619)
- CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
- CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate (bsc#1182333)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-357=1
Package List:
- openSUSE Leap 15.2 (noarch):
nodejs12-docs-12.21.0-lp152.3.12.1
- openSUSE Leap 15.2 (x86_64):
nodejs12-12.21.0-lp152.3.12.1
nodejs12-debuginfo-12.21.0-lp152.3.12.1
nodejs12-debugsource-12.21.0-lp152.3.12.1
nodejs12-devel-12.21.0-lp152.3.12.1
npm12-12.21.0-lp152.3.12.1
References:
https://www.suse.com/security/cve/CVE-2021-22883.html
https://www.suse.com/security/cve/CVE-2021-22884.html
https://www.suse.com/security/cve/CVE-2021-23840.html
https://bugzilla.suse.com/1182333
https://bugzilla.suse.com/1182619
https://bugzilla.suse.com/1182620
openSUSE Security Update: Security update for python-cryptography
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0349-1
Rating: important
References: #1182066
Cross-References: CVE-2020-36242
CVSS scores:
CVE-2020-36242 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE-2020-36242 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt
multi-gigabyte values could result in an integer overflow and buffer
overflow (bsc#1182066).
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-349=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
python-cryptography-debuginfo-2.8-lp152.2.6.1
python-cryptography-debugsource-2.8-lp152.2.6.1
python2-cryptography-2.8-lp152.2.6.1
python2-cryptography-debuginfo-2.8-lp152.2.6.1
python3-cryptography-2.8-lp152.2.6.1
python3-cryptography-debuginfo-2.8-lp152.2.6.1
References:
https://www.suse.com/security/cve/CVE-2020-36242.html
https://bugzilla.suse.com/1182066
openSUSE Security Update: Security update for gnuplot
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0345-1
Rating: moderate
References: #1176689
Cross-References: CVE-2020-25559
CVSS scores:
CVE-2020-25559 (SUSE): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for gnuplot fixes the following issues:
- CVE-2020-25559: Fixed double free when executing print_set_output()
(bsc#1176689).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-345=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
gnuplot-5.2.2-lp152.6.3.1
gnuplot-debuginfo-5.2.2-lp152.6.3.1
gnuplot-debugsource-5.2.2-lp152.6.3.1
- openSUSE Leap 15.2 (noarch):
gnuplot-doc-5.2.2-lp152.6.3.1
References:
https://www.suse.com/security/cve/CVE-2020-25559.html
https://bugzilla.suse.com/1176689
openSUSE Security Update: Security update for nghttp2
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0341-1
Rating: moderate
References: #1159003 #1166481
Cross-References: CVE-2019-18802
CVSS scores:
CVE-2019-18802 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-18802 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for nghttp2 fixes the following issues:
nghttp2 was updated to version 1.40.0 (bsc#1166481)
- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending
headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-341=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
libnghttp2-14-1.40.0-lp152.2.3.1
libnghttp2-14-debuginfo-1.40.0-lp152.2.3.1
libnghttp2-devel-1.40.0-lp152.2.3.1
libnghttp2_asio-devel-1.40.0-lp152.2.3.1
libnghttp2_asio1-1.40.0-lp152.2.3.1
libnghttp2_asio1-debuginfo-1.40.0-lp152.2.3.1
nghttp2-1.40.0-lp152.2.3.1
nghttp2-debuginfo-1.40.0-lp152.2.3.1
nghttp2-debugsource-1.40.0-lp152.2.3.1
nghttp2-python-debugsource-1.40.0-lp152.2.3.1
python3-nghttp2-1.40.0-lp152.2.3.1
python3-nghttp2-debuginfo-1.40.0-lp152.2.3.1
- openSUSE Leap 15.2 (x86_64):
libnghttp2-14-32bit-1.40.0-lp152.2.3.1
libnghttp2-14-32bit-debuginfo-1.40.0-lp152.2.3.1
libnghttp2_asio1-32bit-1.40.0-lp152.2.3.1
libnghttp2_asio1-32bit-debuginfo-1.40.0-lp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2019-18802.html
https://bugzilla.suse.com/1159003
https://bugzilla.suse.com/1166481
openSUSE Security Update: Security update for python-djangorestframework
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0338-1
Rating: important
References: #1177205
Cross-References: CVE-2020-25626
CVSS scores:
CVE-2020-25626 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2020-25626 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
Affected Products:
openSUSE Backports SLE-15-SP2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for python-djangorestframework fixes the following issues:
Update to 3.11.2
* Security: Drop urlize_quoted_links template tag in favour of Django's
built-in urlize. Removes an XSS vulnerability for some kinds of content
in the browsable API. (boo#1177205, CVE-2020-25626)
* update Django for APIs book to 3.0 edition
* decode base64 credentials as utf8; adjust tests
* Remove compat urls for Django < 2.0
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2021-338=1
Package List:
- openSUSE Backports SLE-15-SP2 (noarch):
python3-djangorestframework-3.11.2-bp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2020-25626.html
https://bugzilla.suse.com/1177205
openSUSE Security Update: Security update for postgresql, postgresql13
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0337-1
Rating: moderate
References: #1178666 #1178667 #1178668 #1178961
Cross-References: CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
CVSS scores:
CVE-2020-25694 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-25694 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2020-25695 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-25695 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-25696 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-25696 (SUSE): 8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves three vulnerabilities and has one
errata is now available.
Description:
This update for postgresql, postgresql13 fixes the following issues:
This update ships postgresql13.
Upgrade to version 13.1:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and
firing of deferred triggers within index expressions and materialized
view queries.
* CVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string
parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters, ensure
that all non-overridden parameters from a previous connection string are
re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying
specially-treated variables.
* Fix recently-added timetz test case so it works when the USA is not
observing daylight savings time. (obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/13/release-13-1.html
Initial packaging of PostgreSQL 13:
* https://www.postgresql.org/about/news/2077/
* https://www.postgresql.org/docs/13/release-13.html
- bsc#1178961: %ghost the symlinks to pg_config and ecpg.
Changes in postgresql wrapper package:
- Bump major version to 13.
- We also transfer PostgreSQL 9.4.26 to the new package layout in
SLE12-SP2 and newer. Reflect this in the conflict with postgresql94.
- Also conflict with PostgreSQL versions before 9.
- Conflicting with older versions is not limited to SLE.
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-337=1
Package List:
- openSUSE Leap 15.2 (noarch):
postgresql-13-lp152.3.6.1
postgresql-contrib-13-lp152.3.6.1
postgresql-devel-13-lp152.3.6.1
postgresql-docs-13-lp152.3.6.1
postgresql-llvmjit-13-lp152.3.6.1
postgresql-plperl-13-lp152.3.6.1
postgresql-plpython-13-lp152.3.6.1
postgresql-pltcl-13-lp152.3.6.1
postgresql-server-13-lp152.3.6.1
postgresql-server-devel-13-lp152.3.6.1
postgresql-test-13-lp152.3.6.1
References:
https://www.suse.com/security/cve/CVE-2020-25694.html
https://www.suse.com/security/cve/CVE-2020-25695.html
https://www.suse.com/security/cve/CVE-2020-25696.html
https://bugzilla.suse.com/1178666
https://bugzilla.suse.com/1178667
https://bugzilla.suse.com/1178668
https://bugzilla.suse.com/1178961