openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:10010-1
Rating: critical
References: #1200139 #1200423
Cross-References: CVE-2022-2007 CVE-2022-2008 CVE-2022-2010
CVE-2022-2011
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
- Chromium 102.0.5005.115 (boo#1200423)
* CVE-2022-2007: Use after free in WebGPU
* CVE-2022-2008: Out of bounds memory access in WebGL
* CVE-2022-2010: Out of bounds read in compositing
* CVE-2022-2011: Use after free in ANGLE
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2022-10010=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
chromedriver-102.0.5005.115-bp154.2.8.1
chromium-102.0.5005.115-bp154.2.8.1
References:
https://www.suse.com/security/cve/CVE-2022-2007.htmlhttps://www.suse.com/security/cve/CVE-2022-2008.htmlhttps://www.suse.com/security/cve/CVE-2022-2010.htmlhttps://www.suse.com/security/cve/CVE-2022-2011.htmlhttps://bugzilla.suse.com/1200139https://bugzilla.suse.com/1200423
openSUSE Security Update: Security update for librecad
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:10002-1
Rating: important
References: #1195105 #1195122 #1197664
Cross-References: CVE-2021-45341 CVE-2021-45342
CVSS scores:
CVE-2021-45341 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-45342 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update for librecad fixes the following issues:
- CVE-2021-45341: Fixed a buffer overflow vulnerability in LibreCAD allows
an attacker to achieve remote code execution via a crafted JWW document
[boo#1195105]
- CVE-2021-45342: Fixed a buffer overflow vulnerability in jwwlib in
LibreCAD allows an attacker to achieve remote code execution via a
crafted JWW document [boo#1195122]
- Strip excess blank fields from librecad.desktop:MimeType [boo#1197664]
Update to 2.2.0-rc3
* major release
* DWG imports are more reliable now
* and a lot more of bugfixes and improvements
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2022-10002=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
libdxfrw-debuginfo-1.0.1+git.20220109-bp154.2.3.1
libdxfrw-debugsource-1.0.1+git.20220109-bp154.2.3.1
libdxfrw-devel-1.0.1+git.20220109-bp154.2.3.1
libdxfrw-tools-1.0.1+git.20220109-bp154.2.3.1
libdxfrw-tools-debuginfo-1.0.1+git.20220109-bp154.2.3.1
libdxfrw1-1.0.1+git.20220109-bp154.2.3.1
libdxfrw1-debuginfo-1.0.1+git.20220109-bp154.2.3.1
- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):
librecad-2.2.0~rc3-bp154.3.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
librecad-parts-2.2.0~rc3-bp154.3.3.1
References:
https://www.suse.com/security/cve/CVE-2021-45341.htmlhttps://www.suse.com/security/cve/CVE-2021-45342.htmlhttps://bugzilla.suse.com/1195105https://bugzilla.suse.com/1195122https://bugzilla.suse.com/1197664
openSUSE Security Update: Security update for caddy
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:10007-1
Rating: moderate
References: #1200279
Cross-References: CVE-2022-297182
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for caddy fixes the following issues:
Update to version 2.5.1:
* Fixed regression in Unix socket admin endpoints.
* Fixed regression in caddy trust commands.
* Hash-based load balancing policies (ip_hash, uri_hash, header, and
cookie) use an improved highest-random-weight (HRW) algorithm for
increased consistency.
* Dynamic upstreams, which is the ability to get the list of upstreams at
every request (more specifically, every iteration in the proxy loop of
every request) rather than just once at config-load time.
* Caddy will automatically try to get relevant certificates from the local
Tailscale instance.
* New OpenTelemetry integration.
* Added new endpoints /pki/ca/<id> and /pki/ca/<id>/certificates for
getting information about Caddy's managed CAs.
* Rename _caddy to zsh-completion
* Fix MatchPath sanitizing [bsc#1200279, CVE-2022-29718]
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2022-10007=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
caddy-2.5.1-bp154.2.5.1
References:
https://www.suse.com/security/cve/CVE-2022-297182.htmlhttps://bugzilla.suse.com/1200279
openSUSE Security Update: Security update for libredwg
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0155-1
Rating: moderate
References: #1193372
Cross-References: CVE-2021-28237
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for libredwg fixes the following issues:
Update to release 0.12.5 [boo#1193372] [CVE-2021-28237]
* Restricted accepted DXF objects to all stable and unstable classes,
minus MATERIAL, ARC_DIMENSION, SUN, PROXY*. I.e. most unstable objects
do not allow unknown DXF codes anymore. This fixed most oss-fuzz errors.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2022-155=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
libredwg-devel-0.12.5-bp154.2.3.1
libredwg-tools-0.12.5-bp154.2.3.1
libredwg0-0.12.5-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2021-28237.htmlhttps://bugzilla.suse.com/1193372
SUSE Security Update: Security update for varnish
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0144-1
Rating: moderate
References: #1194469 #1195188
Cross-References: CVE-2021-4122 CVE-2022-23959
CVSS scores:
CVE-2021-4122 (SUSE): 5.9 CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE-2022-23959 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2022-23959 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
openSUSE Backports SLE-15-SP4
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for varnish fixes the following issues:
varnish was updated to release 7.1.0 [boo#1195188] [CVE-2022-23959]
* VCL: It is now possible to assign a BLOB value to a BODY variable, in
addition to STRING as before.
* VMOD: New STRING strftime(TIME time, STRING format) function for UTC
formatting.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-144=1
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2022-144=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
cryptsetup-2.3.7-150300.3.5.1
cryptsetup-debuginfo-2.3.7-150300.3.5.1
cryptsetup-debugsource-2.3.7-150300.3.5.1
libcryptsetup-devel-2.3.7-150300.3.5.1
libcryptsetup12-2.3.7-150300.3.5.1
libcryptsetup12-debuginfo-2.3.7-150300.3.5.1
libcryptsetup12-hmac-2.3.7-150300.3.5.1
- openSUSE Leap 15.3 (x86_64):
libcryptsetup12-32bit-2.3.7-150300.3.5.1
libcryptsetup12-32bit-debuginfo-2.3.7-150300.3.5.1
libcryptsetup12-hmac-32bit-2.3.7-150300.3.5.1
- openSUSE Leap 15.3 (noarch):
cryptsetup-lang-2.3.7-150300.3.5.1
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
libvarnishapi3-7.1.0-bp154.2.3.1
varnish-7.1.0-bp154.2.3.1
varnish-devel-7.1.0-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2021-4122.htmlhttps://www.suse.com/security/cve/CVE-2022-23959.htmlhttps://bugzilla.suse.com/1194469https://bugzilla.suse.com/1195188
SUSE Security Update: Security update for 389-ds
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:2081-1
Rating: important
References: #1195324 #1199889
Cross-References: CVE-2021-4091 CVE-2022-1949
CVSS scores:
CVE-2021-4091 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-4091 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-1949 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-1949 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Server Applications 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for 389-ds fixes the following issues:
- CVE-2021-4091: Fixed double free in psearch (bsc#1195324).
- CVE-2022-1949: Fixed full access control bypass with simple crafted
query (bsc#1199889).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-2081=1
- SUSE Linux Enterprise Module for Server Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-2081=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
389-ds-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-debuginfo-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-debugsource-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-devel-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-snmp-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-snmp-debuginfo-1.4.4.19~git38.9951c1101-150300.3.17.1
lib389-1.4.4.19~git38.9951c1101-150300.3.17.1
libsvrcore0-1.4.4.19~git38.9951c1101-150300.3.17.1
libsvrcore0-debuginfo-1.4.4.19~git38.9951c1101-150300.3.17.1
- SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
389-ds-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-debuginfo-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-debugsource-1.4.4.19~git38.9951c1101-150300.3.17.1
389-ds-devel-1.4.4.19~git38.9951c1101-150300.3.17.1
lib389-1.4.4.19~git38.9951c1101-150300.3.17.1
libsvrcore0-1.4.4.19~git38.9951c1101-150300.3.17.1
libsvrcore0-debuginfo-1.4.4.19~git38.9951c1101-150300.3.17.1
References:
https://www.suse.com/security/cve/CVE-2021-4091.htmlhttps://www.suse.com/security/cve/CVE-2022-1949.htmlhttps://bugzilla.suse.com/1195324https://bugzilla.suse.com/1199889