openSUSE Security Update: Security update for DirectFB
______________________________________________________________________________
Announcement ID: openSUSE-SU-2015:0807-1
Rating: important
References: #878345 #878349
Cross-References: CVE-2014-2977 CVE-2014-2978
Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
DirectFB was updated to fix two security issues.
The following vulnerabilities were fixed:
* CVE-2014-2977: Multiple integer signedness errors could allow remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via the Voodoo interface, which triggers a stack-based
buffer overflow.
* CVE-2014-2978: Remote attackers could cause a denial of service (crash)
and possibly execute arbitrary code via the Voodoo interface, which
triggers an out-of-bounds write.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2015-340=1
- openSUSE 13.1:
zypper in -t patch openSUSE-2015-340=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
DirectFB-1.7.5-3.3.1
DirectFB-Mesa-1.7.5-3.3.1
DirectFB-Mesa-debuginfo-1.7.5-3.3.1
DirectFB-debuginfo-1.7.5-3.3.1
DirectFB-debugsource-1.7.5-3.3.1
DirectFB-devel-1.7.5-3.3.1
DirectFB-doc-1.7.5-3.3.1
DirectFB-libSDL-1.7.5-3.3.1
DirectFB-libSDL-debuginfo-1.7.5-3.3.1
DirectFB-libvncclient-1.7.5-3.3.1
DirectFB-libvncclient-debuginfo-1.7.5-3.3.1
lib++dfb-1_7-5-1.7.5-3.3.1
lib++dfb-1_7-5-debuginfo-1.7.5-3.3.1
lib++dfb-devel-1.7.5-3.3.1
libdirectfb-1_7-5-1.7.5-3.3.1
libdirectfb-1_7-5-debuginfo-1.7.5-3.3.1
- openSUSE 13.2 (x86_64):
DirectFB-devel-32bit-1.7.5-3.3.1
libdirectfb-1_7-5-32bit-1.7.5-3.3.1
libdirectfb-1_7-5-debuginfo-32bit-1.7.5-3.3.1
- openSUSE 13.1 (i586 x86_64):
DirectFB-1.6.3-4.3.1
DirectFB-Mesa-1.6.3-4.3.1
DirectFB-Mesa-debuginfo-1.6.3-4.3.1
DirectFB-debuginfo-1.6.3-4.3.1
DirectFB-debugsource-1.6.3-4.3.1
DirectFB-devel-1.6.3-4.3.1
DirectFB-doc-1.6.3-4.3.1
DirectFB-libSDL-1.6.3-4.3.1
DirectFB-libSDL-debuginfo-1.6.3-4.3.1
DirectFB-libvncclient-1.6.3-4.3.1
DirectFB-libvncclient-debuginfo-1.6.3-4.3.1
libdirectfb-1_6-0-1.6.3-4.3.1
libdirectfb-1_6-0-debuginfo-1.6.3-4.3.1
- openSUSE 13.1 (x86_64):
DirectFB-devel-32bit-1.6.3-4.3.1
libdirectfb-1_6-0-32bit-1.6.3-4.3.1
libdirectfb-1_6-0-debuginfo-32bit-1.6.3-4.3.1
References:
https://www.suse.com/security/cve/CVE-2014-2977.html
https://www.suse.com/security/cve/CVE-2014-2978.html
https://bugzilla.suse.com/878345
https://bugzilla.suse.com/878349
openSUSE Recommended Update: Recommended update for rsyslog
______________________________________________________________________________
Announcement ID: openSUSE-RU-2015:0800-1
Rating: moderate
References: #925512
Affected Products:
openSUSE 13.2
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This recommended update for rsyslog fixes the following issue:
- Adjusted apparmor profile to prevent aa-genprof failures (bnc#925512)
Patch Instructions:
To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2015-338=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
rsyslog-8.4.2-3.1
rsyslog-debuginfo-8.4.2-3.1
rsyslog-debugsource-8.4.2-3.1
rsyslog-diag-tools-8.4.2-3.1
rsyslog-diag-tools-debuginfo-8.4.2-3.1
rsyslog-doc-8.4.2-3.1
rsyslog-module-dbi-8.4.2-3.1
rsyslog-module-dbi-debuginfo-8.4.2-3.1
rsyslog-module-elasticsearch-8.4.2-3.1
rsyslog-module-elasticsearch-debuginfo-8.4.2-3.1
rsyslog-module-gcrypt-8.4.2-3.1
rsyslog-module-gcrypt-debuginfo-8.4.2-3.1
rsyslog-module-gssapi-8.4.2-3.1
rsyslog-module-gssapi-debuginfo-8.4.2-3.1
rsyslog-module-gtls-8.4.2-3.1
rsyslog-module-gtls-debuginfo-8.4.2-3.1
rsyslog-module-guardtime-8.4.2-3.1
rsyslog-module-guardtime-debuginfo-8.4.2-3.1
rsyslog-module-mmnormalize-8.4.2-3.1
rsyslog-module-mmnormalize-debuginfo-8.4.2-3.1
rsyslog-module-mysql-8.4.2-3.1
rsyslog-module-mysql-debuginfo-8.4.2-3.1
rsyslog-module-pgsql-8.4.2-3.1
rsyslog-module-pgsql-debuginfo-8.4.2-3.1
rsyslog-module-relp-8.4.2-3.1
rsyslog-module-relp-debuginfo-8.4.2-3.1
rsyslog-module-snmp-8.4.2-3.1
rsyslog-module-snmp-debuginfo-8.4.2-3.1
rsyslog-module-udpspoof-8.4.2-3.1
rsyslog-module-udpspoof-debuginfo-8.4.2-3.1
References:
https://bugzilla.suse.com/925512
openSUSE Security Update: Security update for curl
______________________________________________________________________________
Announcement ID: openSUSE-SU-2015:0799-1
Rating: moderate
References: #927556 #927607 #927608 #927746
Cross-References: CVE-2015-3143 CVE-2015-3144 CVE-2015-3145
CVE-2015-3148
Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
curl was updated to fix four security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length
host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2015-336=1
- openSUSE 13.1:
zypper in -t patch openSUSE-2015-336=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
curl-7.42.0-7.1
curl-debuginfo-7.42.0-7.1
curl-debugsource-7.42.0-7.1
libcurl-devel-7.42.0-7.1
libcurl4-7.42.0-7.1
libcurl4-debuginfo-7.42.0-7.1
- openSUSE 13.2 (x86_64):
libcurl4-32bit-7.42.0-7.1
libcurl4-debuginfo-32bit-7.42.0-7.1
- openSUSE 13.1 (i586 x86_64):
curl-7.42.0-2.38.1
curl-debuginfo-7.42.0-2.38.1
curl-debugsource-7.42.0-2.38.1
libcurl-devel-7.42.0-2.38.1
libcurl4-7.42.0-2.38.1
libcurl4-debuginfo-7.42.0-2.38.1
- openSUSE 13.1 (x86_64):
libcurl4-32bit-7.42.0-2.38.1
libcurl4-debuginfo-32bit-7.42.0-2.38.1
References:
https://www.suse.com/security/cve/CVE-2015-3143.html
https://www.suse.com/security/cve/CVE-2015-3144.html
https://www.suse.com/security/cve/CVE-2015-3145.html
https://www.suse.com/security/cve/CVE-2015-3148.html
https://bugzilla.suse.com/927556
https://bugzilla.suse.com/927607
https://bugzilla.suse.com/927608
https://bugzilla.suse.com/927746
openSUSE Security Update: Security update for python-Pillow
______________________________________________________________________________
Announcement ID: openSUSE-SU-2015:0798-1
Rating: moderate
References: #921566
Cross-References: CVE-2014-3589 CVE-2014-3598 CVE-2014-9601
Affected Products:
openSUSE 13.2
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
python-pillow was updated to 2.7.0 to fix security issues and bugs.
The following vulnerabilities were fixed:
* CVE-2014-9601: Remote attackers could cause a denial of service via a
compressed text chunk in a PNG image that has a large size when it is
decompressed.
* CVE-2014-3598: Remote attackers could cause a denial of service using
specially crafted image files via Jpeg2KImagePlugin
* CVE-2014-3589: Remote attackers could cause a denial of service using
specially crafted image files via IcnsImagePlugin
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2015-337=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
python-Pillow-2.8.1-3.3.1
python-Pillow-debuginfo-2.8.1-3.3.1
python-Pillow-debugsource-2.8.1-3.3.1
python-Pillow-tk-2.8.1-3.3.1
python-Pillow-tk-debuginfo-2.8.1-3.3.1
References:
https://www.suse.com/security/cve/CVE-2014-3589.html
https://www.suse.com/security/cve/CVE-2014-3598.html
https://www.suse.com/security/cve/CVE-2014-9601.html
https://bugzilla.suse.com/921566
openSUSE Recommended Update: Recommended update for docker
______________________________________________________________________________
Announcement ID: openSUSE-RU-2015:0785-1
Rating: moderate
References: #908033 #920645
Affected Products:
openSUSE 13.2
______________________________________________________________________________
An update that has two recommended fixes can now be
installed.
Description:
This recommended update for docker provides version 1.6.0 with several
fixes and improvements:
- Updated to version 1.6.0 (2015-04-07)
+ Builder:
* Building images from an image ID
* Build containers with resource constraints, i.e.
`docker build --cpu-shares=100 --memory=1024m...`
* `commit --change` to apply specified Dockerfile instructions while
committing the image
* `import --change` to apply specified Dockerfile instructions while
importing the image
* basic build cancellation
+ Client:
* Windows Support
+ Runtime:
* Container and image Labels
* `--cgroup-parent` for specifying a parent cgroup to place container
cgroup within
* Logging drivers, `json-file`, `syslog`, or `none`
* Pulling images by ID
* `--ulimit` to set the ulimit on a container
* `--default-ulimit` option on the daemon which applies to all created
containers (and overwritten by `--ulimit` on run)
- Support of Docker Registry API v2. (bnc#908033)
- Enable build for armv7l
- Fix building with the latest version of our Go package.
- Fix check made by the docker daemon against the dockerinit binary.
- Updated systemd service and socket units to fix socket activation and to
align with best practices recommended by upstream. Moreover socket
activation fixes bnc#920645.
Patch Instructions:
To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2015-333=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (x86_64):
docker-1.6.0-25.1
docker-debuginfo-1.6.0-25.1
docker-debugsource-1.6.0-25.1
- openSUSE 13.2 (noarch):
docker-bash-completion-1.6.0-25.1
docker-zsh-completion-1.6.0-25.1
References:
https://bugzilla.suse.com/908033
https://bugzilla.suse.com/920645
openSUSE Security Update: Security update for ntp
______________________________________________________________________________
Announcement ID: openSUSE-SU-2015:0775-1
Rating: moderate
References: #924202
Cross-References: CVE-2015-1798 CVE-2015-1799
Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
NTP was updated to fix two security vulnerabilities:
* ntpd could accept unauthenticated packets with symmetric key crypto.
(CVE-2015-1798)
* ntpd authentication did not protect symmetric associations against DoS
attacks (CVE-2015-1799)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2015-330=1
- openSUSE 13.1:
zypper in -t patch openSUSE-2015-330=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
ntp-4.2.6p5-25.12.1
ntp-debuginfo-4.2.6p5-25.12.1
ntp-debugsource-4.2.6p5-25.12.1
ntp-doc-4.2.6p5-25.12.1
- openSUSE 13.1 (i586 x86_64):
ntp-4.2.6p5-15.16.1
ntp-debuginfo-4.2.6p5-15.16.1
ntp-debugsource-4.2.6p5-15.16.1
ntp-doc-4.2.6p5-15.16.1
References:
https://www.suse.com/security/cve/CVE-2015-1798.html
https://www.suse.com/security/cve/CVE-2015-1799.html
https://bugzilla.suse.com/924202
openSUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________
Announcement ID: openSUSE-SU-2015:0774-1
Rating: important
References: #927591
Cross-References: CVE-2015-0458 CVE-2015-0459 CVE-2015-0460
CVE-2015-0469 CVE-2015-0477 CVE-2015-0478
CVE-2015-0480 CVE-2015-0484 CVE-2015-0488
CVE-2015-0491 CVE-2015-0492
Affected Products:
openSUSE 13.2
______________________________________________________________________________
An update that fixes 11 vulnerabilities is now available.
Description:
OpenJDK was updated to 2.5.5 - OpenJDK 7u79 to fix security issues and
bugs:
The following vulnerabilities were fixed:
* CVE-2015-0458: Deployment: unauthenticated remote attackers could
execute arbitrary code via multiple protocols.
* CVE-2015-0459: 2D: unauthenticated remote attackers could execute
arbitrary code via multiple protocols.
* CVE-2015-0460: Hotspot: unauthenticated remote attackers could execute
arbitrary code via multiple protocols.
* CVE-2015-0469: 2D: unauthenticated remote attackers could execute
arbitrary code via multiple protocols.
* CVE-2015-0477: Beans: unauthenticated remote attackers could update,
insert or delete some Java accessible data via multiple protocols.
* CVE-2015-0478: JCE: unauthenticated remote attackers could read some
Java accessible data via multiple protocols.
* CVE-2015-0480: Tools: unauthenticated remote attackers could update,
insert or delete some Java accessible data via multiple protocols and
cause a partial denial of service (partial DOS).
* CVE-2015-0484: JavaFX: unauthenticated remote attackers could read,
update, insert or delete some Java accessible data via multiple
protocols and cause a partial denial of service (partial DOS).
* CVE-2015-0488: JSSE: unauthenticated remote attackers could cause a
partial denial of service (partial DOS).
* CVE-2015-0491: 2D: unauthenticated remote attackers could execute
arbitrary code via multiple protocols.
* CVE-2015-0492: JavaFX: unauthenticated remote attackers could execute
arbitrary code via multiple protocols.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2015-331=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
java-1_7_0-openjdk-1.7.0.79-7.4
java-1_7_0-openjdk-accessibility-1.7.0.79-7.4
java-1_7_0-openjdk-debuginfo-1.7.0.79-7.4
java-1_7_0-openjdk-debugsource-1.7.0.79-7.4
java-1_7_0-openjdk-demo-1.7.0.79-7.4
java-1_7_0-openjdk-demo-debuginfo-1.7.0.79-7.4
java-1_7_0-openjdk-devel-1.7.0.79-7.4
java-1_7_0-openjdk-devel-debuginfo-1.7.0.79-7.4
java-1_7_0-openjdk-headless-1.7.0.79-7.4
java-1_7_0-openjdk-headless-debuginfo-1.7.0.79-7.4
java-1_7_0-openjdk-src-1.7.0.79-7.4
- openSUSE 13.2 (noarch):
java-1_7_0-openjdk-javadoc-1.7.0.79-7.4
References:
https://www.suse.com/security/cve/CVE-2015-0458.html
https://www.suse.com/security/cve/CVE-2015-0459.html
https://www.suse.com/security/cve/CVE-2015-0460.html
https://www.suse.com/security/cve/CVE-2015-0469.html
https://www.suse.com/security/cve/CVE-2015-0477.html
https://www.suse.com/security/cve/CVE-2015-0478.html
https://www.suse.com/security/cve/CVE-2015-0480.html
https://www.suse.com/security/cve/CVE-2015-0484.html
https://www.suse.com/security/cve/CVE-2015-0488.html
https://www.suse.com/security/cve/CVE-2015-0491.html
https://www.suse.com/security/cve/CVE-2015-0492.html
https://bugzilla.suse.com/927591