>>> <opensuse-security(a)opensuse.org> wrote on 20.10.2017 at 03:07 in message
<20171020010740.0C339FC69(a)maintenance.suse.de>:
> SUSE Security Update: Security update for Linux Kernel Live Patch 21 for SLE 12 SP1
I wonder: Shouldn't the subject be like "[security-announce] SUSE-SU-2017:2791-1: important: Security update (Linux Kernel Live Patch 21 for SLE 12 SP1)"? Or is it actually a security update for the kernel live patch?
Regards,
Ulrich
> ______________________________________________________________________________
>
> Announcement ID: SUSE-SU-2017:2791-1
> Rating: important
> References: #1038564 #1042892 #1045327 #1052311 #1052368
>
> Cross-References: CVE-2017-1000112 CVE-2017-15274 CVE-2017-8890 CVE-2017-9242
> Affected Products:
> SUSE Linux Enterprise Server for SAP 12-SP1
> SUSE Linux Enterprise Server 12-SP1-LTSS
> ______________________________________________________________________________
>
> An update that solves four vulnerabilities and has one errata is now available.
>
> Description:
>
> This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues.
>
> The following security bugs were fixed:
>
> - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not
> consider the case of a NULL payload in conjunction with a nonzero length
> value, which allowed local users to cause a denial of service (NULL
> pointer dereference and OOPS) via a crafted add_key or keyctl system
> call (bsc#1045327).
> - CVE-2017-1000112: Updated patch for this issue to be in sync with the
> other livepatches. Description of the issue: Prevent race condition in
> net-packet code that could have been exploited by unprivileged users to
> gain root access (bsc#1052368, bsc#1052311).
> - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c
> was too late in checking whether an overwrite of an skb data structure
> may occur, which allowed local users to cause a denial of service
> (system crash) via crafted system calls (bsc#1042892).
> - CVE-2017-8890: The inet_csk_clone_lock function in
> net/ipv4/inet_connection_sock.c allowed attackers to cause a denial of
> service (double free) or possibly have unspecified other impact by
> leveraging use of the accept system call (bsc#1038564).
>
>
> Patch Instructions:
>
> To install this SUSE Security Update use YaST online_update.
> Alternatively you can run the command listed for your product:
>
> - SUSE Linux Enterprise Server for SAP 12-SP1:
>
> zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1732=1
>
> - SUSE Linux Enterprise Server 12-SP1-LTSS:
>
> zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1732=1
>
> To bring your system up-to-date, use "zypper patch".
>
>
> Package List:
>
> - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
>
> kgraft-patch-3_12_74-60_64_60-default-2-4.1
> kgraft-patch-3_12_74-60_64_60-xen-2-4.1
>
> - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):
>
> kgraft-patch-3_12_74-60_64_60-default-2-4.1
> kgraft-patch-3_12_74-60_64_60-xen-2-4.1
>
>
> References:
>
> https://www.suse.com/security/cve/CVE-2017-1000112.html
> https://www.suse.com/security/cve/CVE-2017-15274.html
> https://www.suse.com/security/cve/CVE-2017-8890.html
> https://www.suse.com/security/cve/CVE-2017-9242.html
> https://bugzilla.suse.com/1038564
> https://bugzilla.suse.com/1042892
> https://bugzilla.suse.com/1045327
> https://bugzilla.suse.com/1052311
> https://bugzilla.suse.com/1052368
>
> --
> To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
> For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
Greetings,
I just read a (German) article[0] and official (German) Mozilla blog
post[1] saying that starting next week, a small percentage of
(German?) Firefox downloads will contain the "Cliqz" add-on, which is
controversial, to say the least.
There's already a bug report to remove it[2].
Will this in any way affect openSUSE? If so, are there plans to keep
the add-on out of the openSUSE version of Firefox?
[0]: https://www.heise.de/newsticker/meldung/Firefox-Testlauf-fuer-neue-Empfehlu…
[1]: https://blog.mozilla.org/press-de/2017/10/06/ein-neues-cliqz-experiment-in-…
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1406647
--
Kind regards
Christopher 'm4z' Holm / 686f6c6d
"We must respect the other fellow's religion, but only in the sense
and to the extent that we respect his theory that his wife is
beautiful and his children smart." --H. L. Mencken
--
Hi
Is ipcop vulnerable to any of this: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.h…
# dnsmasq -v
Dnsmasq version 2.72 Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect
Yours
David
--
Hello,
I think the buildservice(a)opensuse.org key ( 0x6B9D6523) can be regarded
as a very important key.
Thus, I wonder why it is not signed by the SUSE security team?
It is signed by Marcus Meissner, which is fine, but shouldn't such an
important key be signed as well by the security team or at least by the
openSUSE project signing key?
IMHO that would grant a stronger chain of trust for that key.....
--
Hello everyone,
I hope I am asking on the right list. Excuse me, please, if not.
This is strange, but on the 5 Leap 42.3 installations on a laptop Compaq
Presario C700, the last two did me the honor to ask me the configuration of
the network, and not the first three. Can anyone tell me, please, why the
installation may require configuration, immediately after the choice of
language and layout of the keyboard? The choice of a minimal installation,
perhaps.
After this minimal installation for a text-based operation, online
updating, adding to the minimum system of XOrg-X11 and tigervnc, having
banned the "yast2-firewall" and "network manager" packages, the system
reboots and works correctly, with wifi interfaces and Ethernet still in the
desired configuration.
Here is a schema of the installation:
    ____       eth0         ____
   |    |<---------------->|    |
   |desk|              .-->|hub |
   |top | eth1         |   |    |
   |____|<--.          |   |____|
            |          |  192.168.0.0     ______
     eth1   |          |    _____       _/      \_
198.168.1.0 |          .-->|     |     (          )
            |              |modem|---->( INTERNET )
     eth0   |              |cable|     (_        _)
    ____    |              |_____|       \______/
   |    |<--’  eth0           ^
   |lab |                     |
   | top|  wlan0        .    192.168.0.0
   |____|<--....  ....
Can anyone help me, please, to set up the laptop firewall, with the
file /etc/sysconfig/SuSEfirewall2? Here are the contents of this file for my
last attempt:
FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT=""
FW_SERVICES_EXT_TCP="http https 587 imap"
FW_SERVICES_EXT_UDP="53"
All other parameters contain their default values (either empty,
or empty strings).
My goal is to allow all the traffic on the network 192.168.1.0 (eth0) and
limit that from the outside (wlan0) to http, https, 587 and imap. The laptop
must of course be able to resolve domain names (DNS).
I thank you for the attention you paid to this e-mail.
Sincerely,
Patrick Serru
--
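As an added example (not part of the mail above, and not SuSEfirewall2's own code), a small POSIX shell helper that reads a SuSEfirewall2-style file and summarises what each zone accepts inbound. It models only FW_DEV_*, FW_SERVICES_*_TCP/UDP and FW_PROTECT_FROM_INT; the embedded file is a constructed, abridged copy of the configuration posted in the mail, and the function names are mine.

```shell
# Added example: summarise inbound exposure per SuSEfirewall2 zone. Only FW_DEV_*,
# FW_SERVICES_*_TCP/UDP and FW_PROTECT_FROM_INT are modelled; other options are ignored.
# Constructed, abridged copy of the configuration posted in the mail.
FW_EXAMPLE_CONF=$(mktemp)
cat >"$FW_EXAMPLE_CONF" <<'EOF'
FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_PROTECT_FROM_INT=""
FW_SERVICES_EXT_TCP="http https 587 imap"
FW_SERVICES_EXT_UDP="53"
EOF

# fw_get CONF VAR: value of VAR in CONF, quotes stripped, last assignment wins.
fw_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# fw_inbound CONF ZONE PROTO: services accepted inbound on ZONE (EXT, INT or DMZ) for
# PROTO (TCP or UDP). With FW_PROTECT_FROM_INT unset the internal zone is fully trusted.
fw_inbound() {
    if [ "$2" = INT ] && [ "$(fw_get "$1" FW_PROTECT_FROM_INT)" != yes ]; then
        echo ALL
        return 0
    fi
    fw_get "$1" "FW_SERVICES_${2}_${3}"
}

# fw_dns_listener CONF: yes if UDP/53 is opened inbound on the external zone. Resolving
# names from the host itself needs no such rule (replies pass via connection tracking).
fw_dns_listener() {
    case " $(fw_inbound "$1" EXT UDP) " in
        *" 53 "*|*" domain "*) echo yes ;;
        *) echo no ;;
    esac
}

# fw_report CONF: one line per configured zone, plus a note if a DNS listener is open.
fw_report() {
    for zone in EXT INT DMZ; do
        dev=$(fw_get "$1" "FW_DEV_$zone")
        [ -n "$dev" ] || continue
        printf '%s (%s): tcp [%s] udp [%s]\n' "$zone" "$dev" \
            "$(fw_inbound "$1" "$zone" TCP)" "$(fw_inbound "$1" "$zone" UDP)"
    done
    if [ "$(fw_dns_listener "$1")" = yes ]; then
        echo "note: UDP/53 is open inbound on EXT; drop it unless this host serves DNS"
    fi
}
fw_report "$FW_EXAMPLE_CONF"
```

For the posted configuration the report shows eth0 fully open, wlan0 limited to the four TCP services, and flags the UDP/53 entry, which the stated goal (resolving names, not serving them) does not need.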