January 2012 - openSUSE Updates - openSUSE Mailing Lists

openSUSE-SU-2012:0107-1: important: libxml2: fixing heap-based buffer overflow (CVE-2011-3919)
by opensuse-security＠opensuse.org 19 Jan '12

19 Jan '12

openSUSE Security Update: libxml2: fixing heap-based buffer overflow (CVE-2011-3919) ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0107-1 Rating: important References: #739894 Cross-References: CVE-2011-3919 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: A heap-based buffer overflow during decoding of entity references with overly long names has been fixed. CVE-2011-3919 has been assigned. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch libxml2-5659 - openSUSE 11.3: zypper in -t patch libxml2-5659 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libxml2-2.7.8-16.21.1 libxml2-devel-2.7.8-16.21.1 - openSUSE 11.4 (x86_64): libxml2-32bit-2.7.8-16.21.1 libxml2-devel-32bit-2.7.8-16.21.1 - openSUSE 11.4 (noarch): libxml2-doc-2.7.8-16.21.1 - openSUSE 11.3 (i586 x86_64): libxml2-2.7.7-4.11.1 libxml2-devel-2.7.7-4.11.1 - openSUSE 11.3 (x86_64): libxml2-32bit-2.7.7-4.11.1 libxml2-devel-32bit-2.7.7-4.11.1 - openSUSE 11.3 (noarch): libxml2-doc-2.7.7-4.11.1 References: http://support.novell.com/security/cve/CVE-2011-3919.html https://bugzilla.novell.com/739894

1 0

openSUSE-SU-2012:0106-1: moderate: ecryptfs-utils to fix umask of /etc/mtab.tmp
by opensuse-security＠opensuse.org 19 Jan '12

19 Jan '12

openSUSE Security Update: ecryptfs-utils to fix umask of /etc/mtab.tmp ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0106-1 Rating: moderate References: #735342 Cross-References: CVE-2011-3145 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: mount.ecrpytfs_private did not set correct group ownerships when it modifies mtab (CVE-2011-3145). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch ecryptfs-utils-5541 - openSUSE 11.3: zypper in -t patch ecryptfs-utils-5541 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): ecryptfs-utils-83-6.9.1 - openSUSE 11.4 (x86_64): ecryptfs-utils-32bit-83-6.9.1 - openSUSE 11.3 (i586 x86_64): ecryptfs-utils-83-3.5.1 - openSUSE 11.3 (x86_64): ecryptfs-utils-32bit-83-3.5.1 References: http://support.novell.com/security/cve/CVE-2011-3145.html https://bugzilla.novell.com/735342

1 0

openSUSE-SU-2012:0103-1: moderate: Fixed apache tomcat hash collision vulnerability (CVE-2011-4858)
by opensuse-security＠opensuse.org 19 Jan '12

19 Jan '12

openSUSE Security Update: Fixed apache tomcat hash collision vulnerability (CVE-2011-4858) ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0103-1 Rating: moderate References: #712784 #727543 Cross-References: CVE-2011-4858 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: The apache tomcat was vulnerable to a hash collision attack which allowed remote attackers to mount DoS attacks. CVE-2011-4858 has been assigned to this issue. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch tomcat6-5619 - openSUSE 11.3: zypper in -t patch tomcat6-5619 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (noarch): tomcat6-6.0.32-7.12.1 tomcat6-admin-webapps-6.0.32-7.12.1 tomcat6-docs-webapp-6.0.32-7.12.1 tomcat6-el-1_0-api-6.0.32-7.12.1 tomcat6-javadoc-6.0.32-7.12.1 tomcat6-jsp-2_1-api-6.0.32-7.12.1 tomcat6-lib-6.0.32-7.12.1 tomcat6-servlet-2_5-api-6.0.32-7.12.1 tomcat6-webapps-6.0.32-7.12.1 - openSUSE 11.3 (noarch): tomcat6-6.0.24-5.16.1 tomcat6-admin-webapps-6.0.24-5.16.1 tomcat6-docs-webapp-6.0.24-5.16.1 tomcat6-el-1_0-api-6.0.24-5.16.1 tomcat6-javadoc-6.0.24-5.16.1 tomcat6-jsp-2_1-api-6.0.24-5.16.1 tomcat6-lib-6.0.24-5.16.1 tomcat6-servlet-2_5-api-6.0.24-5.16.1 tomcat6-webapps-6.0.24-5.16.1 References: http://support.novell.com/security/cve/CVE-2011-4858.html https://bugzilla.novell.com/712784 https://bugzilla.novell.com/727543

1 0

openSUSE-SU-2012:0102-1: moderate: squid
by opensuse-security＠opensuse.org 19 Jan '12

19 Jan '12

openSUSE Security Update: squid ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0102-1 Rating: moderate References: #587375 Cross-References: CVE-2010-0639 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update fixes the following security issues: - 587375: NULL deref via HTCP request (CVE-2010-0639) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch squid-5580 - openSUSE 11.3: zypper in -t patch squid-5580 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): squid-2.7.STABLE6-10.11.1 - openSUSE 11.3 (i586 x86_64): squid-2.7.STABLE6-7.3.1 References: http://support.novell.com/security/cve/CVE-2010-0639.html https://bugzilla.novell.com/587375

1 0

openSUSE-SU-2012:0101-1: moderate: NetworkManager-gnome
by opensuse-security＠opensuse.org 19 Jan '12

19 Jan '12

openSUSE Security Update: NetworkManager-gnome ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0101-1 Rating: moderate References: #574266 #732700 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: NetworkManager did not pin a certificate's subject to an ESSID. A rogue access point could therefore be used to conduct MITM attacks by using any other valid certificate issued by same CA as used in the original network (CVE-2006-7246). Please note that existing WPA2 Enterprise connections need to be deleted and re-created to take advantage of the new security checks. This is a re-release of the previous update to also enable the checks for EAP-TLS. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch NetworkManager-gnome-5627 - openSUSE 11.3: zypper in -t patch NetworkManager-gnome-5627 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): NetworkManager-gnome-0.8.2-9.16.1 - openSUSE 11.4 (noarch): NetworkManager-gnome-lang-0.8.2-9.16.1 - openSUSE 11.3 (i586 x86_64): NetworkManager-gnome-0.8-6.7.2 References: https://bugzilla.novell.com/574266 https://bugzilla.novell.com/732700

1 0

openSUSE-SU-2012:0100-1: moderate: icu (CVE-2011-4599, CVE-2010-4409)
by opensuse-security＠opensuse.org 19 Jan '12

19 Jan '12

openSUSE Security Update: icu (CVE-2011-4599, CVE-2010-4409) ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0100-1 Rating: moderate References: #657910 #736146 Cross-References: CVE-2010-4409 CVE-2011-4599 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: Specially crafted strings could cause a buffer overflow in icu (CVE-2011-4599). An integer overflow in the getSymbol() function could crash applications using icu (CVE-2010-4409) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch icu-5658 - openSUSE 11.3: zypper in -t patch icu-5658 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): icu-4.4.2-4.5.1 icu-data-4.4.2-4.5.1 libicu-4.4.2-4.5.1 libicu-devel-4.4.2-4.5.1 libicu-doc-4.4.2-4.5.1 - openSUSE 11.4 (x86_64): libicu-32bit-4.4.2-4.5.1 libicu-devel-32bit-4.4.2-4.5.1 - openSUSE 11.3 (i586 x86_64): icu-4.2-7.3.1 icu-data-4.2-7.3.1 libicu-4.2-7.3.1 libicu-devel-4.2-7.3.1 libicu-doc-4.2-7.3.1 - openSUSE 11.3 (x86_64): libicu-32bit-4.2-7.3.1 libicu-devel-32bit-4.2-7.3.1 References: http://support.novell.com/security/cve/CVE-2010-4409.html http://support.novell.com/security/cve/CVE-2011-4599.html https://bugzilla.novell.com/657910 https://bugzilla.novell.com/736146

1 0

openSUSE-SU-2012:0091-1: important: libqt4: fixed stack-based buffer overflow in glyph handling (CVE-2011-3922)
by opensuse-security＠opensuse.org 19 Jan '12

19 Jan '12

openSUSE Security Update: libqt4: fixed stack-based buffer overflow in glyph handling (CVE-2011-3922) ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0091-1 Rating: important References: #739904 Cross-References: CVE-2011-3922 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: A stack-based buffer overflow in the glyph handling of libqt4's harfbuzz has been fixed. CVE-2011-3922 has been assigned to this issue. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch libQtWebKit-devel-5628 - openSUSE 11.3: zypper in -t patch libQtWebKit-devel-5628 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libQtWebKit-devel-4.7.1-8.17.1 libQtWebKit4-4.7.1-8.17.1 libqt4-4.7.1-8.17.1 libqt4-devel-4.7.1-8.17.1 libqt4-qt3support-4.7.1-8.17.1 libqt4-sql-4.7.1-8.17.1 libqt4-sql-sqlite-4.7.1-8.17.1 libqt4-x11-4.7.1-8.17.1 - openSUSE 11.4 (x86_64): libQtWebKit4-32bit-4.7.1-8.17.1 libqt4-32bit-4.7.1-8.17.1 libqt4-qt3support-32bit-4.7.1-8.17.1 libqt4-sql-32bit-4.7.1-8.17.1 libqt4-sql-sqlite-32bit-4.7.1-8.17.1 libqt4-x11-32bit-4.7.1-8.17.1 - openSUSE 11.3 (i586 x86_64): libQtWebKit-devel-4.6.3-2.7.1 libQtWebKit4-4.6.3-2.7.1 libqt4-4.6.3-2.7.1 libqt4-devel-4.6.3-2.7.1 libqt4-qt3support-4.6.3-2.7.1 libqt4-sql-4.6.3-2.7.1 libqt4-sql-sqlite-4.6.3-2.7.1 libqt4-x11-4.6.3-2.7.1 - openSUSE 11.3 (x86_64): libQtWebKit4-32bit-4.6.3-2.7.1 libqt4-32bit-4.6.3-2.7.1 libqt4-qt3support-32bit-4.6.3-2.7.1 libqt4-sql-32bit-4.6.3-2.7.1 libqt4-sql-sqlite-32bit-4.6.3-2.7.1 libqt4-x11-32bit-4.6.3-2.7.1 References: http://support.novell.com/security/cve/CVE-2011-3922.html https://bugzilla.novell.com/739904

1 0

openSUSE-RU-2012:0090-1: moderate: atftpd: Sorcerer's Apprentice Syndrome
by maintenance＠opensuse.org 18 Jan '12

18 Jan '12

openSUSE Recommended Update: atftpd: Sorcerer's Apprentice Syndrome ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0090-1 Rating: moderate References: #727843 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issue for atftp: - 727843: provides stability enhancements for tftp usage in packet loss situations ("Sorcerer's Apprentice Syndrome") Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch atftp-5483 - openSUSE 11.3: zypper in -t patch atftp-5483 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): atftp-0.7.0-143.146.1 - openSUSE 11.3 (i586 x86_64): atftp-0.7.0-137.3.1 References: https://bugzilla.novell.com/727843

1 0

openSUSE-RU-2012:0089-1: mawk: mawk RE matching can return invalid results causing unexpected behavior and crashes
by maintenance＠opensuse.org 18 Jan '12

18 Jan '12

openSUSE Recommended Update: mawk: mawk RE matching can return invalid results causing unexpected behavior and crashes ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0089-1 Rating: low References: #740484 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issue for mawk: - 740484: mawk RE matching can return invalid results causing unexpected behavior and crashes Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch mawk-5644 - openSUSE 11.3: zypper in -t patch mawk-5644 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): mawk-1.3.4-7.8.1 - openSUSE 11.3 (i586 x86_64): mawk-1.3.4-4.3.1 References: https://bugzilla.novell.com/740484

1 0

openSUSE-RU-2012:0088-1: xarchiver: thunar-plugin-archive doesn't package a file with spaces in its name
by maintenance＠opensuse.org 18 Jan '12

18 Jan '12

openSUSE Recommended Update: xarchiver: thunar-plugin-archive doesn't package a file with spaces in its name ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0088-1 Rating: low References: #723170 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issue for xarchiver: - 723170: thunar-plugin-archive doesn't package a file with spaces in its name Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch xarchiver-5647 - openSUSE 11.3: zypper in -t patch xarchiver-5647 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): xarchiver-0.5.2+20090319-9.14.1 - openSUSE 11.3 (i586 x86_64): xarchiver-0.5.2+20090319-2.3.1 References: https://bugzilla.novell.com/723170

1 0