openSUSE Security June 2013

security@lists.opensuse.org

9 participants
6 discussions

[opensuse-security] AW: [security-announce] SUSE-SU-2013:1060-1: important: Security update for GnuTLS
by hans.paffrath＠stadt-koeln.de 27 Jun '13

27 Jun '13

Hello, I tried to install the gnutls patch for SLES11SP2 x86-64 and had to learn, that with this patch there were no devel rpms. After the update on a test server I have installed: libgnutls-extra-devel-2.4.1-24.39.45.1 libgnutls26-2.4.1-24.39.47.1 libgnutls-devel-2.4.1-24.39.45.1 libgnutls-extra26-2.4.1-24.39.47.1 Is that ok? Will there be devel packages 39.47.1 in the future? Thanks for you answer. Greetings Hans Paffrath Stadt Köln - Der Oberbürgermeister Amt für Informationsverarbeitung Willy-Brandt-Platz 3 50679 Köln Telefon: 0221/221-26085 Telefax: 0221/221-22845 E-Mail: hans.paffrath(a)stadt-koeln.de Internet: www.stadt-koeln.de -----Ursprüngliche Nachricht----- Von: opensuse-security(a)opensuse.org [mailto:opensuse-security@opensuse.org] Gesendet: Donnerstag, 20. Juni 2013 22:04 An: opensuse-security-announce(a)opensuse.org Betreff: [security-announce] SUSE-SU-2013:1060-1: important: Security update for GnuTLS SUSE Security Update: Security update for GnuTLS ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1060-1 Rating: important References: #821818 Cross-References: CVE-2013-2116 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 10 SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update of GnuTLS fixes a regression introduced by the previous update that could have resulted in a Denial of Service (application crash). Security Issue reference: * CVE-2013-2116 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116 > Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-gnutls-7781 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-gnutls-7781 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-gnutls-7781 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-gnutls-7781 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): libgnutls-devel-2.4.1-24.39.47.1 libgnutls-extra-devel-2.4.1-24.39.47.1 libgnutls-extra26-2.4.1-24.39.47.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): gnutls-2.4.1-24.39.47.1 libgnutls26-2.4.1-24.39.47.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64): libgnutls26-32bit-2.4.1-24.39.47.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): gnutls-2.4.1-24.39.47.1 libgnutls-extra26-2.4.1-24.39.47.1 libgnutls26-2.4.1-24.39.47.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64): libgnutls26-32bit-2.4.1-24.39.47.1 - SUSE Linux Enterprise Server 11 SP2 (ia64): libgnutls26-x86-2.4.1-24.39.47.1 - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64): gnutls-1.2.10-13.36.1 gnutls-devel-1.2.10-13.36.1 - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64): gnutls-32bit-1.2.10-13.36.1 gnutls-devel-32bit-1.2.10-13.36.1 - SUSE Linux Enterprise Server 10 SP4 (ia64): gnutls-x86-1.2.10-13.36.1 - SUSE Linux Enterprise Server 10 SP4 (ppc): gnutls-64bit-1.2.10-13.36.1 gnutls-devel-64bit-1.2.10-13.36.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): gnutls-2.4.1-24.39.47.1 libgnutls26-2.4.1-24.39.47.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): libgnutls26-32bit-2.4.1-24.39.47.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64): gnutls-1.2.10-13.36.1 gnutls-devel-1.2.10-13.36.1 - SUSE Linux Enterprise Desktop 10 SP4 (x86_64): gnutls-32bit-1.2.10-13.36.1 gnutls-devel-32bit-1.2.10-13.36.1 References: http://support.novell.com/security/cve/CVE-2013-2116.html https://bugzilla.novell.com/821818 http://download.novell.com/patch/finder/?keywords=6b62ecb51e089af80ba626d07… http://download.novell.com/patch/finder/?keywords=c39cabef26db30df30eff8a1b… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] opensuse-security-announce+unsubscribe@opensuse.org
by Florian Fell 24 Jun '13

24 Jun '13

opensuse-security-announce+unsubscribe(a)opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

[opensuse-security] Problem with SLE11-SDK-SP2-Updates repo
by Werner Flamme 18 Jun '13

18 Jun '13

Hi, someone else experiencing Problems with the SLE11-SDK-SP2-Updates repo? Doing a "zypper ref" on a SLES 11 SP2 machine, I get ---snip--- Repository 'SLE11-SDK-SP2-Core' is up to date. Retrieving repository 'SLE11-SDK-SP2-Updates' metadata [|] Signature verification failed for file 'repomd.xml' from repository 'SLE11-SDK-SP2-Updates'. Warning: This might be caused by a malicious change in the file! Continuing might be risky. Continue anyway? [yes/no] (no): ---pins--- And thus I fail connecting the box to our SUSE Manager. "smt-mirror" on the old SMT server shows the same problem. ---snip--- cat /etc/zypp/repos.d/nu_novell_com\:SLE11-SDK-SP2-Updates.repo [nu_novell_com:SLE11-SDK-SP2-Updates] name=SLE11-SDK-SP2-Updates enabled=1 autorefresh=1 baseurl=https://nu.novell.com/repo/$RCE/SLE11-SDK-SP2-Updates/sle-11-x86_64… type=rpm-md keeppackages=0 service=nu_novell_com ---pins--- Regards, Werner -- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

3 6

[opensuse-security] unsubscribe
by Thomas Fischer 13 Jun '13

13 Jun '13

-- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

[opensuse-security] unsubscribe
by Björn Kindler 10 Jun '13

10 Jun '13

Am 10.06.2013 um 18:22 schrieb opensuse-security(a)opensuse.org: > openSUSE Security Update: Package icedtea-web was updated to version 1.4 > ______________________________________________________________________________ > > Announcement ID: openSUSE-SU-2013:0966-1 > Rating: moderate > References: #818768 > Cross-References: CVE-2012-3422 CVE-2012-3423 CVE-2013-1926 > CVE-2013-1927 > Affected Products: > openSUSE 11.4 > ______________________________________________________________________________ > > An update that fixes four vulnerabilities is now available. > > Description: > > Changes in icedtea-web with update to 1.4 (bnc#818768): > * Added cs, de, pl localization > * Splash screen for javaws and plugin > * Better error reporting for plugin via Error-splash-screen > * All IcedTea-Web dialogues are centered to middle of > active screen > * Download indicator made compact for more then one jar > * User can select its own JVM via itw-settings and > deploy.properties. > * Added extended applets security settings and dialogue > * Security updates > - CVE-2013-1926, RH916774: Class-loader incorrectly > shared for applets with same relative-path. > - CVE-2013-1927, RH884705: fixed gifar vulnerabilit > - CVE-2012-3422, RH840592: Potential read from an > uninitialized memory location > - CVE-2012-3423, RH841345: Incorrect handling of not > 0-terminated strings > * NetX > - PR1027: DownloadService is not supported by IcedTea-Web > - PR725: JNLP applications will prompt for creating > desktop shortcuts every time they are run > - PR1292: Javaws does not resolve versioned jar names > with periods correctly > * Plugin > - PR1106: Buffer overflow in plugin table- > - PR1166: Embedded JNLP File is not supported in applet > tag > - PR1217: Add command line arguments for plugins > - PR1189: Icedtea-plugin requires code attribute when > using jnlp_href > - PR1198: JSObject is not passed to javascript correctly > - PR1260: IcedTea-Web should not rely on GTK > - PR1157: Applets can hang browser after fatal exception > - PR580: http://www.horaoficial.cl/ loads improperly > * Common > - PR1049: Extension jnlp's signed jar with the content of > only META-INF/* is considered > - PR955: regression: SweetHome3D fails to run > - PR1145: IcedTea-Web can cause ClassCircularityError > - PR1161: X509VariableTrustManager does not work > correctly with OpenJDK7 > - PR822: Applets fail to load if jars have different > signers > - PR1186: > System.getProperty("deployment.user.security.trusted.cacerts > ") is null > - PR909: The Java applet at > http://de.gosupermodel.com/games/wardrobegame.jsp fails > - PR1299: WebStart doesn't read socket proxy settings > from firefox correctly > > > Patch Instructions: > > To install this openSUSE Security Update use YaST online_update. > Alternatively you can run the command listed for your product: > > - openSUSE 11.4: > > zypper in -t patch 2013-86 > > To bring your system up-to-date, use "zypper patch". > > > Package List: > > - openSUSE 11.4 (i586 x86_64): > > icedtea-web-1.4-34.1 > icedtea-web-debuginfo-1.4-34.1 > icedtea-web-debugsource-1.4-34.1 > > - openSUSE 11.4 (noarch): > > icedtea-web-javadoc-1.4-34.1 > > > References: > > http://support.novell.com/security/cve/CVE-2012-3422.html > http://support.novell.com/security/cve/CVE-2012-3423.html > http://support.novell.com/security/cve/CVE-2013-1926.html > http://support.novell.com/security/cve/CVE-2013-1927.html > https://bugzilla.novell.com/818768 > > -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

[opensuse-security] is opensuse-security & opensuse-update becoming crazy
by Bruno Friedmann 10 Jun '13

10 Jun '13

I've just received something like one hundred messages about new update Some mentionning new things ( especially concerning evergreen ) but most of them are just new edition about very old patches like http://lists.opensuse.org/opensuse-updates/2013-06/msg00126.html Was installed on my system 2013-05-25 13:42:52|install|acroread|9.5.5-4.1|i586||repo-update-non-oss| 43aea2851f872e21c6d1fd9e2661e6d5de12338b3ca677063a4b349c1534428e| Just check archive ml ... http://lists.opensuse.org/opensuse-updates/2013-06/ insane :-) -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member & Ambassador GPG KEY : D5C9B751C4653227 irc: tigerfoot -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

3 2

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security June 2013