February 2012 - openSUSE Updates - openSUSE Mailing Lists

openSUSE-SU-2012:0240-1: moderate: VUL-0: CVE-2011-4362: lighttpd/mod_auth out-of-bounds read due to signedness error
by opensuse-security＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Security Update: VUL-0: CVE-2011-4362: lighttpd/mod_auth out-of-bounds read due to signedness error ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0240-1 Rating: moderate References: #733607 Cross-References: CVE-2011-4362 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update of lighttpd fixes an out-of-bounds read due to a signedness error which could cause a Denial of Service (CVE-2011-4362). Additionally an option was added to honor the server cipher order (resolves lighttpd#2364). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch lighttpd-5735 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): lighttpd-1.4.26-6.7.1 lighttpd-mod_cml-1.4.26-6.7.1 lighttpd-mod_magnet-1.4.26-6.7.1 lighttpd-mod_mysql_vhost-1.4.26-6.7.1 lighttpd-mod_rrdtool-1.4.26-6.7.1 lighttpd-mod_trigger_b4_dl-1.4.26-6.7.1 lighttpd-mod_webdav-1.4.26-6.7.1 References: http://support.novell.com/security/cve/CVE-2011-4362.html https://bugzilla.novell.com/733607

1 0

openSUSE-RU-2012:0239-1: moderate: release-notes-openSUSE: End of Life of 11.3.
by maintenance＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Recommended Update: release-notes-openSUSE: End of Life of 11.3. ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0239-1 Rating: moderate References: #742522 Affected Products: openSUSE 11.3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. It includes one version update. Description: openSUSE 11.3 security and bugfix support is discontinued. This patch concludes the openSUSE 11.3 security and bugfix support cycle after 18 months. No more updates will be published after this one. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.3: zypper in -t patch release-notes-openSUSE-5673 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.3 (noarch) [New Version: 11.3.8]: release-notes-openSUSE-11.3.8-0.3.1 References: https://bugzilla.novell.com/742522

1 0

openSUSE-SU-2012:0237-1: important: VUL-0: nginx: heap overflow
by opensuse-security＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Security Update: VUL-0: nginx: heap overflow ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0237-1 Rating: important References: #731084 Cross-References: CVE-2011-4315 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: A flaw in the custom DNS resolver of nginx could lead to a heap based buffer overflow which could potentially allow attackers to execute arbitrary code or to cause a Denial of Service (bnc#731084, CVE-2011-4315). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch nginx-0.8-5467 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): nginx-0.8-0.8.53-4.9.1 References: http://support.novell.com/security/cve/CVE-2011-4315.html https://bugzilla.novell.com/731084

1 0

openSUSE-SU-2012:0236-1: important: kernel: security and bugfix update.
by opensuse-security＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Security Update: kernel: security and bugfix update. ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0236-1 Rating: important References: #676602 #679059 #681180 #681181 #681184 #681185 #691052 #692498 #699709 #700879 #702037 #707288 #709561 #709764 #710235 #713933 #723999 #726788 #736149 Cross-References: CVE-2011-1080 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1770 CVE-2011-2203 CVE-2011-2213 CVE-2011-2534 CVE-2011-2699 CVE-2011-2723 CVE-2011-2898 CVE-2011-4081 CVE-2011-4087 CVE-2011-4604 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that solves 15 vulnerabilities and has four fixes is now available. It includes one version update. Description: The openSUSE 11.4 kernel was updated to fix bugs and security issues. Following security issues have been fixed: CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used. CVE-2011-2699: Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. CVE-2011-1173: A kernel information leak via ip6_tables was fixed. CVE-2011-1172: A kernel information leak via ip6_tables netfilter was fixed. CVE-2011-1171: A kernel information leak via ip_tables was fixed. CVE-2011-1170: A kernel information leak via arp_tables was fixed. CVE-2011-1080: A kernel information leak via netfilter was fixed. CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880. CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\0' character. CVE-2011-1770: Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read. CVE-2011-2723: The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel, when Generic Receive Offload (GRO) is enabled, reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic. CVE-2011-2898: A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory. CVE-2011-4087: A local denial of service when using bridged networking via a flood ping was fixed. CVE-2011-2203: A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel. CVE-2011-4081: Using the crypto interface a local user could Oops the kernel by writing to a AF_ALG socket. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch kernel-5606 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64) [New Version: 2.6.37.6]: kernel-debug-2.6.37.6-0.11.1 kernel-debug-base-2.6.37.6-0.11.1 kernel-debug-devel-2.6.37.6-0.11.1 kernel-default-2.6.37.6-0.11.1 kernel-default-base-2.6.37.6-0.11.1 kernel-default-devel-2.6.37.6-0.11.1 kernel-desktop-2.6.37.6-0.11.1 kernel-desktop-base-2.6.37.6-0.11.1 kernel-desktop-devel-2.6.37.6-0.11.1 kernel-ec2-2.6.37.6-0.11.1 kernel-ec2-base-2.6.37.6-0.11.1 kernel-ec2-devel-2.6.37.6-0.11.1 kernel-ec2-extra-2.6.37.6-0.11.1 kernel-syms-2.6.37.6-0.11.1 kernel-trace-2.6.37.6-0.11.1 kernel-trace-base-2.6.37.6-0.11.1 kernel-trace-devel-2.6.37.6-0.11.1 kernel-vanilla-2.6.37.6-0.11.1 kernel-vanilla-base-2.6.37.6-0.11.1 kernel-vanilla-devel-2.6.37.6-0.11.1 kernel-xen-2.6.37.6-0.11.1 kernel-xen-base-2.6.37.6-0.11.1 kernel-xen-devel-2.6.37.6-0.11.1 preload-kmp-default-1.2_k2.6.37.6_0.11-6.7.28 preload-kmp-desktop-1.2_k2.6.37.6_0.11-6.7.28 - openSUSE 11.4 (noarch) [New Version: 2.6.37.6]: kernel-devel-2.6.37.6-0.11.1 kernel-docs-2.6.37.6-0.11.1 kernel-source-2.6.37.6-0.11.1 kernel-source-vanilla-2.6.37.6-0.11.1 - openSUSE 11.4 (i586) [New Version: 2.6.37.6]: kernel-pae-2.6.37.6-0.11.1 kernel-pae-base-2.6.37.6-0.11.1 kernel-pae-devel-2.6.37.6-0.11.1 kernel-vmi-2.6.37.6-0.11.1 kernel-vmi-base-2.6.37.6-0.11.1 kernel-vmi-devel-2.6.37.6-0.11.1 References: http://support.novell.com/security/cve/CVE-2011-1080.html http://support.novell.com/security/cve/CVE-2011-1170.html http://support.novell.com/security/cve/CVE-2011-1171.html http://support.novell.com/security/cve/CVE-2011-1172.html http://support.novell.com/security/cve/CVE-2011-1173.html http://support.novell.com/security/cve/CVE-2011-1770.html http://support.novell.com/security/cve/CVE-2011-2203.html http://support.novell.com/security/cve/CVE-2011-2213.html http://support.novell.com/security/cve/CVE-2011-2534.html http://support.novell.com/security/cve/CVE-2011-2699.html http://support.novell.com/security/cve/CVE-2011-2723.html http://support.novell.com/security/cve/CVE-2011-2898.html http://support.novell.com/security/cve/CVE-2011-4081.html http://support.novell.com/security/cve/CVE-2011-4087.html http://support.novell.com/security/cve/CVE-2011-4604.html https://bugzilla.novell.com/676602 https://bugzilla.novell.com/679059 https://bugzilla.novell.com/681180 https://bugzilla.novell.com/681181 https://bugzilla.novell.com/681184 https://bugzilla.novell.com/681185 https://bugzilla.novell.com/691052 https://bugzilla.novell.com/692498 https://bugzilla.novell.com/699709 https://bugzilla.novell.com/700879 https://bugzilla.novell.com/702037 https://bugzilla.novell.com/707288 https://bugzilla.novell.com/709561 https://bugzilla.novell.com/709764 https://bugzilla.novell.com/710235 https://bugzilla.novell.com/713933 https://bugzilla.novell.com/723999 https://bugzilla.novell.com/726788 https://bugzilla.novell.com/736149

1 0

openSUSE-RU-2012:0235-1: policykit-qt-1: Fixed crash at KDE logout
by maintenance＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Recommended Update: policykit-qt-1: Fixed crash at KDE logout ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0235-1 Rating: low References: #736158 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes a policykit agent crash at KDE logout. - #736158: PolicyKit crashes at KDE logout Special Instructions and Notes: Please reboot the system after installing this update.This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch libpolkit-qt-1-1-5569 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libpolkit-qt-1-1-0.99.1-6.7.1 libpolkit-qt-1-devel-0.99.1-6.7.1 References: https://bugzilla.novell.com/736158

1 0

openSUSE-SU-2012:0234-1: important: MozillaFirefox: Version 10
by opensuse-security＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Security Update: MozillaFirefox: Version 10 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0234-1 Rating: important References: #744275 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes 5 new package versions. Description: Mozilla Firefox was updated to version 10 to fix bugs and security issues. MFSA 2012-01: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. References CVE-2012-0443: Ben Hawkes, Christian Holler, Honza Bombas, Jason Orendorff, Jesse Ruderman, Jan Odvarko, Peter Van Der Beken, and Bill McCloskey reported memory safety problems that were fixed in Firefox 10. CVE-2012-0442: Jesse Ruderman and Bob Clary reported memory safety problems that were fixed in both Firefox 10 and Firefox 3.6.26. MFSA 2012-02/CVE-2011-3670: For historical reasons Firefox has been generous in its interpretation of web addresses containing square brackets around the host. If this host was not a valid IPv6 literal address, Firefox attempted to interpret the host as a regular domain name. Gregory Fleischer reported that requests made using IPv6 syntax using XMLHttpRequest objects through a proxy may generate errors depending on proxy configuration for IPv6. The resulting error messages from the proxy may disclose sensitive data because Same-Origin Policy (SOP) will allow the XMLHttpRequest object to read these error messages, allowing user privacy to be eroded. Firefox now enforces RFC 3986 IPv6 literal syntax and that may break links written using the non-standard Firefox-only forms that were previously accepted. This was fixed previously for Firefox 7.0, Thunderbird 7.0, and SeaMonkey 2.4 but only fixed in Firefox 3.6.26 and Thunderbird 3.1.18 during 2012. MFSA 2012-03/CVE-2012-0445: Alex Dvorov reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability MFSA 2012-04/CVE-2011-3659: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for for remote code execution. MFSA 2012-05/CVE-2012-0446: Mozilla security researcher moz_bug_r_a4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions. The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability MFSA 2012-06/CVE-2012-0447: Mozilla developer Tim Abraldes reported that when encoding images as image/vnd.microsoft.icon the resulting data was always a fixed size, with uninitialized memory appended as padding beyond the size of the actual image. This is the result of mImageBufferSize in the encoder being initialized with a value different than the size of the source image. There is the possibility of sensitive data from uninitialized memory being appended to a PNG image when converted fron an ICO format image. This sensitive data may then be disclosed in the resulting image. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability MFSA 2012-07/CVE-2012-0444: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative the possibility of memory corruption during the decoding of Ogg Vorbis files. This can cause a crash during decoding and has the potential for remote code execution. MFSA 2012-08/CVE-2012-0449: Security researchers Nicolas Gregoire and Aki Helin independently reported that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to a memory corruption. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution. MFSA 2012-09/CVE-2012-0450: magicant starmen reported that if a user chooses to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users on Linux and OS X systems. Firefox 3.6 is not affected by this vulnerability. Special Instructions and Notes: Please reboot the system after installing this update.This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch MozillaFirefox-5750 MozillaThunderbird-5751 mozilla-js192-5749 seamonkey-5768 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64) [New Version: 1.9.2.26,10.0,2.7 and 3.1.18]: MozillaFirefox-10.0-0.2.1 MozillaFirefox-branding-upstream-10.0-0.2.1 MozillaFirefox-buildsymbols-10.0-0.2.1 MozillaFirefox-devel-10.0-0.2.1 MozillaFirefox-translations-common-10.0-0.2.1 MozillaFirefox-translations-other-10.0-0.2.1 MozillaThunderbird-3.1.18-0.23.1 MozillaThunderbird-buildsymbols-3.1.18-0.23.1 MozillaThunderbird-devel-3.1.18-0.23.1 MozillaThunderbird-translations-common-3.1.18-0.23.1 MozillaThunderbird-translations-other-3.1.18-0.23.1 enigmail-1.1.2+3.1.18-0.23.1 mozilla-js192-1.9.2.26-0.2.1 mozilla-xulrunner192-1.9.2.26-0.2.1 mozilla-xulrunner192-buildsymbols-1.9.2.26-0.2.1 mozilla-xulrunner192-devel-1.9.2.26-0.2.1 mozilla-xulrunner192-gnome-1.9.2.26-0.2.1 mozilla-xulrunner192-translations-common-1.9.2.26-0.2.1 mozilla-xulrunner192-translations-other-1.9.2.26-0.2.1 seamonkey-2.7-0.2.1 seamonkey-dom-inspector-2.7-0.2.1 seamonkey-irc-2.7-0.2.1 seamonkey-translations-common-2.7-0.2.1 seamonkey-translations-other-2.7-0.2.1 seamonkey-venkman-2.7-0.2.1 - openSUSE 11.4 (x86_64) [New Version: 1.9.2.26]: mozilla-js192-32bit-1.9.2.26-0.2.1 mozilla-xulrunner192-32bit-1.9.2.26-0.2.1 mozilla-xulrunner192-gnome-32bit-1.9.2.26-0.2.1 mozilla-xulrunner192-translations-common-32bit-1.9.2.26-0.2.1 mozilla-xulrunner192-translations-other-32bit-1.9.2.26-0.2.1 References: https://bugzilla.novell.com/744275

1 0

openSUSE-RU-2012:0233-1: puppet: fixed incorrect permissions
by maintenance＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Recommended Update: puppet: fixed incorrect permissions ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0233-1 Rating: low References: #739361 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issue for puppet: - 739361: fixed wrong directory-permissions and ownerships Special Instructions and Notes: Please reboot the system after installing this update.This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch puppet-5746 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): puppet-2.6.4-4.13.1 puppet-server-2.6.4-4.13.1 References: https://bugzilla.novell.com/739361

1 0

openSUSE-RU-2012:0232-1: python-qt4: Phonon module not available in PyQt4 package
by maintenance＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Recommended Update: python-qt4: Phonon module not available in PyQt4 package ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0232-1 Rating: low References: #607579 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issue for python-qt4: - 607579: added phonon-devel to BuildRequires Special Instructions and Notes: Please reboot the system after installing this update.This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch python-qt4-5671 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): python-qt4-4.8.3-4.5.2 python-qt4-devel-4.8.3-4.5.2 References: https://bugzilla.novell.com/607579

1 0

openSUSE-RU-2012:0230-1: opensuse-manuals-ru: Provides Russian translation
by maintenance＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Recommended Update: opensuse-manuals-ru: Provides Russian translation ______________________________________________________________________________ Announcement ID: openSUSE-RU-2012:0230-1 Rating: low References: #729638 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update provides the complete openSUSE documentation in a Russion translation, provided by openSUSE community members. Special Instructions and Notes: Please reboot the system after installing this update.This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch opensuse-manuals_ru-5445 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (noarch): opensuse-kvm_ru-pdf-11.4-2.2.1 opensuse-manuals_ru-11.4-2.2.1 opensuse-reference_ru-pdf-11.4-2.2.1 opensuse-security_ru-pdf-11.4-2.2.1 opensuse-startup_ru-pdf-11.4-2.2.1 opensuse-tuning_ru-pdf-11.4-2.2.1 References: https://bugzilla.novell.com/729638

1 0

openSUSE-SU-2012:0229-1: moderate: Fixing curl URL sanitizing vulnerability and SSL weakness
by opensuse-security＠opensuse.org 09 Feb '12

09 Feb '12

openSUSE Security Update: Fixing curl URL sanitizing vulnerability and SSL weakness ______________________________________________________________________________ Announcement ID: openSUSE-SU-2012:0229-1 Rating: moderate References: #740452 #742306 Cross-References: CVE-2010-4180 CVE-2011-3389 CVE-2012-0036 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The following vulnerabilities have been fixed in curl: - IMAP, POP3 and SMTP URL sanitization vulnerability (CVE-2012-0036) - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (CVE-2011-3389) - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option for older openssl versions (CVE-2010-4180) Special Instructions and Notes: Please reboot the system after installing this update.This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch curl-5702 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): curl-7.21.2-10.11.1 libcurl-devel-7.21.2-10.11.1 libcurl4-7.21.2-10.11.1 - openSUSE 11.4 (x86_64): libcurl4-32bit-7.21.2-10.11.1 References: http://support.novell.com/security/cve/CVE-2010-4180.html http://support.novell.com/security/cve/CVE-2011-3389.html http://support.novell.com/security/cve/CVE-2012-0036.html https://bugzilla.novell.com/740452 https://bugzilla.novell.com/742306

1 0