June 2014 - openSUSE Updates - openSUSE Mailing Lists

openSUSE-SU-2014:0765-1: critical: update to version 1.0.0m
by opensuse-security＠opensuse.org 06 Jun '14

06 Jun '14

openSUSE Security Update: update to version 1.0.0m ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0765-1 Rating: critical References: #880891 Cross-References: CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: The openssl library was updated to version 1.0.0m fixing various security issues and bugs: Security issues fixed: - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-60 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libopenssl-devel-1.0.0m-18.53.1 libopenssl1_0_0-1.0.0m-18.53.1 libopenssl1_0_0-debuginfo-1.0.0m-18.53.1 openssl-1.0.0m-18.53.1 openssl-debuginfo-1.0.0m-18.53.1 openssl-debugsource-1.0.0m-18.53.1 - openSUSE 11.4 (x86_64): libopenssl1_0_0-32bit-1.0.0m-18.53.1 libopenssl1_0_0-debuginfo-32bit-1.0.0m-18.53.1 - openSUSE 11.4 (noarch): openssl-doc-1.0.0m-18.53.1 - openSUSE 11.4 (ia64): libopenssl1_0_0-debuginfo-x86-1.0.0m-18.53.1 libopenssl1_0_0-x86-1.0.0m-18.53.1 References: http://support.novell.com/security/cve/CVE-2014-0195.html http://support.novell.com/security/cve/CVE-2014-0221.html http://support.novell.com/security/cve/CVE-2014-0224.html http://support.novell.com/security/cve/CVE-2014-3470.html https://bugzilla.novell.com/880891

1 0

openSUSE-SU-2014:0764-1: critical: openssl: update to version 1.0.1h
by opensuse-security＠opensuse.org 06 Jun '14

06 Jun '14

openSUSE Security Update: openssl: update to version 1.0.1h ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0764-1 Rating: critical References: #880891 Cross-References: CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: The openssl library was updated to version 1.0.1h fixing various security issues and bugs: Security issues fixed: - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-410 - openSUSE 12.3: zypper in -t patch openSUSE-2014-410 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): libopenssl-devel-1.0.1h-11.48.1 libopenssl1_0_0-1.0.1h-11.48.1 libopenssl1_0_0-debuginfo-1.0.1h-11.48.1 openssl-1.0.1h-11.48.1 openssl-debuginfo-1.0.1h-11.48.1 openssl-debugsource-1.0.1h-11.48.1 - openSUSE 13.1 (x86_64): libopenssl-devel-32bit-1.0.1h-11.48.1 libopenssl1_0_0-32bit-1.0.1h-11.48.1 libopenssl1_0_0-debuginfo-32bit-1.0.1h-11.48.1 - openSUSE 13.1 (noarch): openssl-doc-1.0.1h-11.48.1 - openSUSE 12.3 (i586 x86_64): libopenssl-devel-1.0.1h-1.60.1 libopenssl1_0_0-1.0.1h-1.60.1 libopenssl1_0_0-debuginfo-1.0.1h-1.60.1 openssl-1.0.1h-1.60.1 openssl-debuginfo-1.0.1h-1.60.1 openssl-debugsource-1.0.1h-1.60.1 - openSUSE 12.3 (x86_64): libopenssl-devel-32bit-1.0.1h-1.60.1 libopenssl1_0_0-32bit-1.0.1h-1.60.1 libopenssl1_0_0-debuginfo-32bit-1.0.1h-1.60.1 - openSUSE 12.3 (noarch): openssl-doc-1.0.1h-1.60.1 References: http://support.novell.com/security/cve/CVE-2014-0195.html http://support.novell.com/security/cve/CVE-2014-0221.html http://support.novell.com/security/cve/CVE-2014-0224.html http://support.novell.com/security/cve/CVE-2014-3470.html https://bugzilla.novell.com/880891

1 0

openSUSE-SU-2014:0763-1: important: gnutls: Fixed possible memory corruption and NULL pointer dereference
by opensuse-security＠opensuse.org 06 Jun '14

06 Jun '14

openSUSE Security Update: gnutls: Fixed possible memory corruption and NULL pointer dereference ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0763-1 Rating: important References: #880730 #880733 Cross-References: CVE-2014-3465 CVE-2014-3466 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: gnutls was patched to fix two security vulnerabilities that could be used to disrupt service or potentially allow remote code execution. - Memory corruption during connect (CVE-2014-3466) - NULL pointer dereference in gnutls_x509_dn_oid_name (CVE-2014-3465) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-411 - openSUSE 12.3: zypper in -t patch openSUSE-2014-411 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): gnutls-3.2.4-2.24.1 gnutls-debuginfo-3.2.4-2.24.1 gnutls-debugsource-3.2.4-2.24.1 libgnutls-devel-3.2.4-2.24.1 libgnutls-openssl-devel-3.2.4-2.24.1 libgnutls-openssl27-3.2.4-2.24.1 libgnutls-openssl27-debuginfo-3.2.4-2.24.1 libgnutls28-3.2.4-2.24.1 libgnutls28-debuginfo-3.2.4-2.24.1 libgnutlsxx-devel-3.2.4-2.24.1 libgnutlsxx28-3.2.4-2.24.1 libgnutlsxx28-debuginfo-3.2.4-2.24.1 - openSUSE 13.1 (x86_64): libgnutls-devel-32bit-3.2.4-2.24.1 libgnutls28-32bit-3.2.4-2.24.1 libgnutls28-debuginfo-32bit-3.2.4-2.24.1 - openSUSE 12.3 (i586 x86_64): gnutls-3.0.28-1.14.1 gnutls-debuginfo-3.0.28-1.14.1 gnutls-debugsource-3.0.28-1.14.1 libgnutls-devel-3.0.28-1.14.1 libgnutls-openssl-devel-3.0.28-1.14.1 libgnutls-openssl27-3.0.28-1.14.1 libgnutls-openssl27-debuginfo-3.0.28-1.14.1 libgnutls28-3.0.28-1.14.1 libgnutls28-debuginfo-3.0.28-1.14.1 libgnutlsxx-devel-3.0.28-1.14.1 libgnutlsxx28-3.0.28-1.14.1 libgnutlsxx28-debuginfo-3.0.28-1.14.1 - openSUSE 12.3 (x86_64): libgnutls-devel-32bit-3.0.28-1.14.1 libgnutls28-32bit-3.0.28-1.14.1 libgnutls28-debuginfo-32bit-3.0.28-1.14.1 References: http://support.novell.com/security/cve/CVE-2014-3465.html http://support.novell.com/security/cve/CVE-2014-3466.html https://bugzilla.novell.com/880730 https://bugzilla.novell.com/880733

1 0

openSUSE-SU-2014:0753-1: moderate: libxml2, python-libxml2: Reverted patch for CVE-2014-0191
by opensuse-security＠opensuse.org 04 Jun '14

04 Jun '14

openSUSE Security Update: libxml2, python-libxml2: Reverted patch for CVE-2014-0191 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0753-1 Rating: moderate References: #876652 Cross-References: CVE-2014-0191 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Removed fix for CVE-2014-0191. This fix breaks existing applications and there's currently no way to prevent that. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-409 - openSUSE 12.3: zypper in -t patch openSUSE-2014-409 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): libxml2-2-2.9.1-2.12.1 libxml2-2-debuginfo-2.9.1-2.12.1 libxml2-debugsource-2.9.1-2.12.1 libxml2-devel-2.9.1-2.12.1 libxml2-tools-2.9.1-2.12.1 libxml2-tools-debuginfo-2.9.1-2.12.1 python-libxml2-2.9.1-2.12.1 python-libxml2-debuginfo-2.9.1-2.12.1 python-libxml2-debugsource-2.9.1-2.12.1 - openSUSE 13.1 (x86_64): libxml2-2-32bit-2.9.1-2.12.1 libxml2-2-debuginfo-32bit-2.9.1-2.12.1 libxml2-devel-32bit-2.9.1-2.12.1 - openSUSE 13.1 (noarch): libxml2-doc-2.9.1-2.12.1 - openSUSE 12.3 (i586 x86_64): libxml2-2-2.9.0-2.29.1 libxml2-2-debuginfo-2.9.0-2.29.1 libxml2-debugsource-2.9.0-2.29.1 libxml2-devel-2.9.0-2.29.1 libxml2-tools-2.9.0-2.29.1 libxml2-tools-debuginfo-2.9.0-2.29.1 python-libxml2-2.9.0-2.29.1 python-libxml2-debuginfo-2.9.0-2.29.1 python-libxml2-debugsource-2.9.0-2.29.1 - openSUSE 12.3 (x86_64): libxml2-2-32bit-2.9.0-2.29.1 libxml2-2-debuginfo-32bit-2.9.0-2.29.1 libxml2-devel-32bit-2.9.0-2.29.1 - openSUSE 12.3 (noarch): libxml2-doc-2.9.0-2.29.1 References: http://support.novell.com/security/cve/CVE-2014-0191.html https://bugzilla.novell.com/876652

1 0

openSUSE-SU-2014:0749-1: moderate: libcap-ng:policycoreutils setuid() fix
by opensuse-security＠opensuse.org 03 Jun '14

03 Jun '14

openSUSE Security Update: libcap-ng:policycoreutils setuid() fix ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0749-1 Rating: moderate References: #876832 Cross-References: CVE-2014-3215 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Besides other enhancements, this version update contains: - fix for CVE-2014-3215 (bnc#876832) * use PR_SET_NO_NEW_PRIVS to prevent gain of new privileges * added libcap-ng-CVE-2014-3215.patch Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-58 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libcap-ng-debugsource-0.6.5-6.1 libcap-ng-devel-0.6.5-6.1 libcap-ng-python-debugsource-0.6.5-6.1 libcap-ng-utils-0.6.5-6.1 libcap-ng-utils-debuginfo-0.6.5-6.1 libcap-ng0-0.6.5-6.1 libcap-ng0-debuginfo-0.6.5-6.1 python-capng-0.6.5-6.1 python-capng-debuginfo-0.6.5-6.1 - openSUSE 11.4 (x86_64): libcap-ng0-32bit-0.6.5-6.1 libcap-ng0-debuginfo-32bit-0.6.5-6.1 - openSUSE 11.4 (ia64): libcap-ng0-debuginfo-x86-0.6.5-6.1 libcap-ng0-x86-0.6.5-6.1 References: http://support.novell.com/security/cve/CVE-2014-3215.html https://bugzilla.novell.com/876832

1 0

openSUSE-RU-2014:0747-1: ipset: Update from 6.19 to upstream release 6.21.1
by maintenance＠opensuse.org 03 Jun '14

03 Jun '14

openSUSE Recommended Update: ipset: Update from 6.19 to upstream release 6.21.1 ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0747-1 Rating: low References: #877543 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issues with ipset: - bnc#877543: Update to upstream release 6.21.1 to resolve lack of em_ipset in standalone package + add userspace support for forceadd + fix ifname "physdev:" prefix parsing + print mark and mark mask in hex rather then decimal + add markmask for hash:ip,mark data type + add hash:ip,mark data type to ipset + Fix all set output from list/save when set with counters in use. + ipset: Fix malformed output from list/save for ICMP types in port field + ipset: fix timeout data type size + build fixes for kernel 3.8 and the userspace library + netns support + new set types: hash:net,net and hash:net,port,net + new extension: "comment", for annotation of set elements Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-408 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): ipset-6.21.1-2.11.1 ipset-debuginfo-6.21.1-2.11.1 ipset-debugsource-6.21.1-2.11.1 ipset-devel-6.21.1-2.11.1 ipset-kmp-default-6.21.1_k3.11.10_11-2.11.1 ipset-kmp-default-debuginfo-6.21.1_k3.11.10_11-2.11.1 ipset-kmp-desktop-6.21.1_k3.11.10_11-2.11.1 ipset-kmp-desktop-debuginfo-6.21.1_k3.11.10_11-2.11.1 ipset-kmp-xen-6.21.1_k3.11.10_11-2.11.1 ipset-kmp-xen-debuginfo-6.21.1_k3.11.10_11-2.11.1 libipset3-6.21.1-2.11.1 libipset3-debuginfo-6.21.1-2.11.1 - openSUSE 13.1 (i586): ipset-kmp-pae-6.21.1_k3.11.10_11-2.11.1 ipset-kmp-pae-debuginfo-6.21.1_k3.11.10_11-2.11.1 References: https://bugzilla.novell.com/877543

1 0

openSUSE-RU-2014:0746-1: spamassassin: Added upstream fixes
by maintenance＠opensuse.org 03 Jun '14

03 Jun '14

openSUSE Recommended Update: spamassassin: Added upstream fixes ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0746-1 Rating: low References: #862963 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issues with spamassassin: -bnc#862963: Added upstream fixes + Use of each() on hash after insertion without resetting hash iterator results in undefined behavior - Perl 5.4.18 Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-407 - openSUSE 12.3: zypper in -t patch openSUSE-2014-407 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): perl-Mail-SpamAssassin-3.3.2-37.4.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-37.4.1 spamassassin-3.3.2-37.4.1 spamassassin-debuginfo-3.3.2-37.4.1 spamassassin-debugsource-3.3.2-37.4.1 - openSUSE 12.3 (i586 x86_64): perl-Mail-SpamAssassin-3.3.2-31.5.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-31.5.1 spamassassin-3.3.2-31.5.1 spamassassin-debuginfo-3.3.2-31.5.1 spamassassin-debugsource-3.3.2-31.5.1 References: https://bugzilla.novell.com/862963

1 0

openSUSE-RU-2014:0745-1: nfs-utils: Fix fallback from tcp to udp
by maintenance＠opensuse.org 03 Jun '14

03 Jun '14

openSUSE Recommended Update: nfs-utils: Fix fallback from tcp to udp ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:0745-1 Rating: low References: #863749 Affected Products: openSUSE 12.3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update fixes the following issues with nfs-utils: -bnc#863749: Fixes fallback from tcp to udp Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2014-406 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (i586 x86_64): nfs-client-1.2.7-2.22.1 nfs-client-debuginfo-1.2.7-2.22.1 nfs-doc-1.2.7-2.22.1 nfs-kernel-server-1.2.7-2.22.1 nfs-kernel-server-debuginfo-1.2.7-2.22.1 nfs-utils-debugsource-1.2.7-2.22.1 References: https://bugzilla.novell.com/863749

1 0

openSUSE-SU-2014:0742-1: moderate: update for libgadu
by opensuse-security＠opensuse.org 02 Jun '14

02 Jun '14

openSUSE Security Update: update for libgadu ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0742-1 Rating: moderate References: #861019 #878540 Cross-References: CVE-2013-6487 CVE-2014-3775 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: - Update to version 1.11.4, bugfix release: + Fix buffer overflow with remote code execution potential. Only triggerable by a Gadu-Gadu server or a man-in-the-middle. CVE-2013-6487 (bnc#861019, bnc#878540) + Fix memory overwrite in file transfer with proxy server. CVE-2014-3775 (bnc#878540) + Minor fixes reported by Pidgin project members. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-57 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libgadu-debugsource-1.11.4-5.1 libgadu-devel-1.11.4-5.1 libgadu3-1.11.4-5.1 libgadu3-debuginfo-1.11.4-5.1 References: http://support.novell.com/security/cve/CVE-2013-6487.html http://support.novell.com/security/cve/CVE-2014-3775.html https://bugzilla.novell.com/861019 https://bugzilla.novell.com/878540

1 0

openSUSE-SU-2014:0741-1: moderate: libxml2, python-libxml2: Prevent external entities from being loaded
by opensuse-security＠opensuse.org 02 Jun '14

02 Jun '14

openSUSE Security Update: libxml2, python-libxml2: Prevent external entities from being loaded ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0741-1 Rating: moderate References: #876652 Cross-References: CVE-2014-0191 Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Updated fix for openSUSE-SU-2014:0645-1 because of a regression that caused xmllint to break. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-56 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libxml2-2.7.8-53.1 libxml2-debuginfo-2.7.8-53.1 libxml2-debugsource-2.7.8-53.1 libxml2-devel-2.7.8-53.1 - openSUSE 11.4 (x86_64): libxml2-32bit-2.7.8-53.1 libxml2-debuginfo-32bit-2.7.8-53.1 libxml2-devel-32bit-2.7.8-53.1 - openSUSE 11.4 (noarch): libxml2-doc-2.7.8-53.1 - openSUSE 11.4 (ia64): libxml2-debuginfo-x86-2.7.8-53.1 libxml2-x86-2.7.8-53.1 References: http://support.novell.com/security/cve/CVE-2014-0191.html https://bugzilla.novell.com/876652

1 0