openSUSE Security October 2017

security@lists.opensuse.org

9 participants
5 discussions

[opensuse-security] Antw: [security-announce] SUSE-SU-2017:2791-1: important: Security update for Linux Kernel Live Patch 21 for SLE 12 SP1
by Ulrich Windl 23 Oct '17

23 Oct '17

>>> <opensuse-security(a)opensuse.org> schrieb am 20.10.2017 um 03:07 in Nachricht <20171020010740.0C339FC69(a)maintenance.suse.de>: > SUSE Security Update: Security update for Linux Kernel Live Patch 21 for SLE > 12 SP1 I wonder: Shouldn't the subject be like "[security-announce] SUSE-SU-2017:2791-1: important: Security update (Linux Kernel Live Patch 21 for SLE 12 SP1)"? Or is it actually a security update for the kernel live patch? Regards, Ulrich > ____________________________________________________________________________ > __ > > Announcement ID: SUSE-SU-2017:2791-1 > Rating: important > References: #1038564 #1042892 #1045327 #1052311 #1052368 > > Cross-References: CVE-2017-1000112 CVE-2017-15274 CVE-2017-8890 > CVE-2017-9242 > Affected Products: > SUSE Linux Enterprise Server for SAP 12-SP1 > SUSE Linux Enterprise Server 12-SP1-LTSS > ____________________________________________________________________________ > __ > > An update that solves four vulnerabilities and has one > errata is now available. > > Description: > > This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues. > > The following security bugs were fixed: > > - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not > consider the case of a NULL payload in conjunction with a nonzero > length > value, which allowed local users to cause a denial of service (NULL > pointer dereference and OOPS) via a crafted add_key or keyctl system > call (bsc#1045327). > - CVE-2017-1000112: Updated patch for this issue to be in sync with the > other livepatches. Description of the issue: Prevent race condition in > net-packet code that could have been exploited by unprivileged users to > gain root access (bsc#1052368, bsc#1052311). > - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c > was too late in checking whether an overwrite of an skb data structure > may occur, which allowed local users to cause a denial of service > (system crash) via crafted system calls (bsc#1042892). > - CVE-2017-8890: The inet_csk_clone_lock function in > net/ipv4/inet_connection_sock.c allowed attackers to cause a denial of > service (double free) or possibly have unspecified other impact by > leveraging use of the accept system call (bsc#1038564). > > > Patch Instructions: > > To install this SUSE Security Update use YaST online_update. > Alternatively you can run the command listed for your product: > > - SUSE Linux Enterprise Server for SAP 12-SP1: > > zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1732=1 > > - SUSE Linux Enterprise Server 12-SP1-LTSS: > > zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1732=1 > > To bring your system up-to-date, use "zypper patch". > > > Package List: > > - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): > > kgraft-patch-3_12_74-60_64_60-default-2-4.1 > kgraft-patch-3_12_74-60_64_60-xen-2-4.1 > > - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): > > kgraft-patch-3_12_74-60_64_60-default-2-4.1 > kgraft-patch-3_12_74-60_64_60-xen-2-4.1 > > > References: > > https://www.suse.com/security/cve/CVE-2017-1000112.html > https://www.suse.com/security/cve/CVE-2017-15274.html > https://www.suse.com/security/cve/CVE-2017-8890.html > https://www.suse.com/security/cve/CVE-2017-9242.html > https://bugzilla.suse.com/1038564 > https://bugzilla.suse.com/1042892 > https://bugzilla.suse.com/1045327 > https://bugzilla.suse.com/1052311 > https://bugzilla.suse.com/1052368 > > -- > To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org > For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] Will Cliqz affect Firefox versions in openSUSE?
by 686f6c6d 11 Oct '17

11 Oct '17

Greetings, I just read a (german) article[0] and official (german) Mozilla blog post[1] saying that starting next week, a small percentage of (german?) Firefox downloads will contain the "Cliqz" add-on, which is controversial, to say the least. There's already a bug report to remove it[2]. Will this in any way affect openSUSE? If so, are there plans to keep the add-on out of the openSUSE version of Firefox? [0]: https://www.heise.de/newsticker/meldung/Firefox-Testlauf-fuer-neue-Empfehlu… [1]: https://blog.mozilla.org/press-de/2017/10/06/ein-neues-cliqz-experiment-in-… [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1406647 -- Kind regards Christopher 'm4z' Holm / 686f6c6d "We must respect the other fellow's religion, but only in the sense and to the extent that we respect his theory that his wife is beautiful and his children smart." --H. L. Mencken -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] dnsmasq vulnerability?
by Administrator 05 Oct '17

05 Oct '17

Hi Is ipcop vulnerable to any of this: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.h… # dnsmasq -v Dnsmasq version 2.72 Copyright (c) 2000-2014 Simon Kelley Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect Yours David -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] Build Service key
by linux maillist 04 Oct '17

04 Oct '17

Hello, I think the buildservice(a)opensuse.org key ( 0x6B9D6523) can be regarded a very important key. Thus, I wonder why is it not signed by the SUSE security team? It is signed by Marcus Meissner, which is fine, but shouldn´t such an important key be signed as well by the security team or at least by the openSUSE project signing key? IMHO that would grant a stronger chain of trust for that key..... -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

5 4

[opensuse-security] Firewall on a labtop as private web / mail server
by Patrick Serru 04 Oct '17

04 Oct '17

Hello everyone, I hope I am asking on the good list. Excuse me, please, if not. This is strange, but on the 5 Leap 42.3 installations on a labtop Compaq Presario C700, the last two did me the honor to ask me the configuration of the network, and not the first three. Can anyone tell me, please, why the installation may require configuration, immediately after the choice of language and layout of the keyboard ? The choice of a minimal installation, perhaps. After this minimal installation for a text-based operation, online updating, adding to the minimum system of XOrg-X11 and tigervnc, having banned the "yast2-firewall" and "network manager" packages, the system reboots and works correctly, with wifi interfaces and Ethernet still in the desired configuration. Here is a shema of installation : ____ eth0 ____ | |<---------------->| | |desk| .-->|hub | |top | eth1 | | | |____|<--. | |____| | | 192.168.0.0 ______ eth1 | | _____ _/ \_ 198.168.1.0 | .-->| | ( ) | |modem|---->( INTERNET ) eth0 | |cable| (_ _) ____ | |_____| \______/ | |<--’ eth0 ^ |lab | | | top| wlan0 . 192.168.0.0 |____|<--.... .... Can anyone help me, please, to set up the labtop firewall, with the file /etc/sysconfig/SuSEfirewall2 ? Here is the contents of this file for my last attempt: FW_DEV_EXT="wlan0" FW_DEV_INT="eth0" FW_DEV_DMZ="" FW_ROUTE="no" FW_MASQUERADE="no" FW_MASQ_DEV="" FW_MASQ_NETS="" FW_NOMASQ_NETS="" FW_PROTECT_FROM_INT="" FW_SERVICES_EXT_TCP="http https 587 imap" FW_SERVICES_EXT_UDP="53" All other parameters contain their default values (either empty, or empty strings). My goal is to allow all the traffic on the network 192.168.1.0 (eth0) and limit that from the outside (wlan0) to http, https, 587 and imap. The labtop must of course be able to resolve domain names (DNS). I thank you for the attention you paid ti this e-mail. Sincerly, Patrick Serru -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 2

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security October 2017