openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0559-1
Rating: important
References: #1195682 #1196072
Cross-References: CVE-2022-0566 CVE-2022-22753 CVE-2022-22754
CVE-2022-22756 CVE-2022-22759 CVE-2022-22760
CVE-2022-22761 CVE-2022-22763 CVE-2022-22764
Affected Products:
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes 9 vulnerabilities is now available.
Description:
This update for MozillaThunderbird fixes the following issues:
- Mozilla Thunderbird 91.6.1 / MFSA 2022-07 (bsc#1196072)
* CVE-2022-0566 (bmo#1753094) Crafted email could trigger an
out-of-bounds write
- Mozilla Thunderbird 91.6 / MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows
via Maintenance Service
* CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission
confirmation during update
* CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have
resulted in the dropped
object being an executable
* CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed
script if the parent appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could
be distinguished between script and non-script content-types
* CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy
directive was not enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534) Script Execution during invalid object
state
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210,
bmo#1748279) Memory safety bugs fixed in Thunderbird 91.6
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-559=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-559=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
MozillaThunderbird-91.6.1-8.54.1
MozillaThunderbird-debuginfo-91.6.1-8.54.1
MozillaThunderbird-debugsource-91.6.1-8.54.1
MozillaThunderbird-translations-common-91.6.1-8.54.1
MozillaThunderbird-translations-other-91.6.1-8.54.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
MozillaThunderbird-91.6.1-8.54.1
MozillaThunderbird-debuginfo-91.6.1-8.54.1
MozillaThunderbird-debugsource-91.6.1-8.54.1
MozillaThunderbird-translations-common-91.6.1-8.54.1
MozillaThunderbird-translations-other-91.6.1-8.54.1
References:
https://www.suse.com/security/cve/CVE-2022-0566.htmlhttps://www.suse.com/security/cve/CVE-2022-22753.htmlhttps://www.suse.com/security/cve/CVE-2022-22754.htmlhttps://www.suse.com/security/cve/CVE-2022-22756.htmlhttps://www.suse.com/security/cve/CVE-2022-22759.htmlhttps://www.suse.com/security/cve/CVE-2022-22760.htmlhttps://www.suse.com/security/cve/CVE-2022-22761.htmlhttps://www.suse.com/security/cve/CVE-2022-22763.htmlhttps://www.suse.com/security/cve/CVE-2022-22764.htmlhttps://bugzilla.suse.com/1195682https://bugzilla.suse.com/1196072
openSUSE Security Update: Security update for sphinx
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0046-1
Rating: moderate
References: #1195227
Cross-References: CVE-2020-29050
CVSS scores:
CVE-2020-29050 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
sphinx was updated to fix the following issues:
- CVE-2020-29050: SphinxSearch in Sphinx Technologies Sphinx through 3.1.1
allows directory traversal (in conjunction with CVE-2019-14511) because
the mysql client can be used for CALL SNIPPETS and load_file operations
on a full pathname (e.g., a file in the /etc directory). (boo#1195227)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-2022-46=1
Package List:
- openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64):
libsphinxclient-0_0_1-2.2.11-lp154.3.3.1
libsphinxclient-devel-2.2.11-lp154.3.3.1
sphinx-2.2.11-lp154.3.3.1
sphinx-debuginfo-2.2.11-lp154.3.3.1
sphinx-debugsource-2.2.11-lp154.3.3.1
References:
https://www.suse.com/security/cve/CVE-2020-29050.htmlhttps://bugzilla.suse.com/1195227
openSUSE Security Update: Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0526-1
Rating: moderate
References:
Cross-References: CVE-2021-43565
CVSS scores:
CVE-2021-43565 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for kubevirt, virt-api-container, virt-controller-container,
virt-handler-container, virt-launcher-container,
virt-libguestfs-tools-container, virt-operator-container fixes the
following issues:
- Update to version 0.49.0 Release notes
https://github.com/kubevirt/kubevirt/releases/tag/v0.49.0
- Drop kubevirt-psp-caasp.yaml
- Install curl and lsscsi (needed for testing)
- Symlink UEFI firmware with AMD SEV support
- Install tar package to enable kubectl cp ...
- Make a "fixed appliance" for libguestfs
- Explicitly install libguestfs{,-devel} and supermin
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-526=1
Package List:
- openSUSE Leap 15.3 (x86_64):
kubevirt-container-disk-0.49.0-150300.8.10.1
kubevirt-container-disk-debuginfo-0.49.0-150300.8.10.1
kubevirt-manifests-0.49.0-150300.8.10.1
kubevirt-tests-0.49.0-150300.8.10.1
kubevirt-tests-debuginfo-0.49.0-150300.8.10.1
kubevirt-virt-api-0.49.0-150300.8.10.1
kubevirt-virt-api-debuginfo-0.49.0-150300.8.10.1
kubevirt-virt-controller-0.49.0-150300.8.10.1
kubevirt-virt-controller-debuginfo-0.49.0-150300.8.10.1
kubevirt-virt-handler-0.49.0-150300.8.10.1
kubevirt-virt-handler-debuginfo-0.49.0-150300.8.10.1
kubevirt-virt-launcher-0.49.0-150300.8.10.1
kubevirt-virt-launcher-debuginfo-0.49.0-150300.8.10.1
kubevirt-virt-operator-0.49.0-150300.8.10.1
kubevirt-virt-operator-debuginfo-0.49.0-150300.8.10.1
kubevirt-virtctl-0.49.0-150300.8.10.1
kubevirt-virtctl-debuginfo-0.49.0-150300.8.10.1
obs-service-kubevirt_containers_meta-0.49.0-150300.8.10.1
References:
https://www.suse.com/security/cve/CVE-2021-43565.html
openSUSE Security Update: Security update for jaw
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0045-1
Rating: moderate
References: #1194358
Cross-References: CVE-2022-21653
CVSS scores:
CVE-2022-21653 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Backports SLE-15-SP2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
jawn was updated to fix:
* CVE-2022-21653: DoS caused by a hash collision in SimpleFacade and
MutableFacade (bsc#1194358)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2022-45=1
Package List:
- openSUSE Backports SLE-15-SP2 (noarch):
jawn-ast-0.14.1-bp152.2.3.1
jawn-json4s-0.14.1-bp152.2.3.1
jawn-parser-0.14.1-bp152.2.3.1
jawn-util-0.14.1-bp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2022-21653.htmlhttps://bugzilla.suse.com/1194358