openSUSE Security Update: Security update for python-mistune
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0402-1
Rating: moderate
References: #1064640 #1072307
Cross-References: CVE-2017-15612 CVE-2017-16876
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for python-mistune to version 0.8.3 fixes several issues.
These security issues were fixed:
- CVE-2017-16876: Cross-site scripting (XSS) vulnerability in the _keyify
function in mistune.py allowed remote attackers to inject arbitrary web
script or HTML by leveraging failure to escape the "key" argument
(bsc#1072307).
- CVE-2017-15612: Prevent XSS via an unexpected newline (such as in
java\nscript:) or a crafted email address, related to the escape and
autolink functions (bsc#1064640).
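The two mistune issues above come down to the same defensive pattern: a link or
key must be normalized before its scheme is checked, and then HTML-escaped
before it is placed into an attribute. The following Python is an added
illustration, not mistune's own code or the patch shipped in this update. It
contrasts a raw-string blocklist check (which misses "java\nscript:") with a
check that strips control characters and whitespace first and then applies a
scheme allowlist; the function names, the SAFE_SCHEMES set and the sample
inputs are assumptions made for the example.

```python
import html
import re

# Assumed allowlist of schemes a Markdown renderer would accept for links.
SAFE_SCHEMES = ("http", "https", "mailto", "ftp")

# ASCII control characters (0x00-0x1F, 0x7F) and space. Browsers drop these
# while parsing a URL scheme, so "java\nscript:" is executed as "javascript:".
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def naive_escape_link(link):
    """Weak form, shown for contrast: blocklist applied to the raw string.

    Returns '' for a rejected link, otherwise the HTML-escaped link. A single
    newline or tab inside the scheme defeats the prefix comparison.
    """
    if link.lower().startswith(("javascript:", "vbscript:", "data:")):
        return ""
    return html.escape(link, quote=True)


def hardened_escape_link(link):
    """Normalize first, then allowlist the scheme, then escape.

    1. Remove control characters and whitespace everywhere, mirroring what
       a URL parser ignores when it identifies the scheme.
    2. If the normalized value starts with a scheme, require it to be in
       SAFE_SCHEMES. Links without a scheme (relative paths) are kept.
    3. HTML-escape whatever passes, so quotes and angle brackets cannot
       break out of the href attribute.
    Trade-off: a relative path such as "page:1" looks like a scheme and is
    rejected; that is the conservative side to err on.
    """
    normalized = _CONTROL_OR_SPACE.sub("", link).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", normalized)
    if m and m.group(1) not in SAFE_SCHEMES:
        return ""
    return html.escape(link, quote=True)


def render_autolink(target, is_email=False):
    """Render an autolink (<http://...> or <user@host>) with both the href
    and the visible text escaped. A rejected target degrades to plain text
    instead of producing a link."""
    href = ("mailto:" + target) if is_email else target
    safe_href = hardened_escape_link(href)
    text = html.escape(target, quote=True)
    if not safe_href:
        return text
    return '<a href="%s">%s</a>' % (safe_href, text)


if __name__ == "__main__":
    # Constructed sample inputs: the newline-in-scheme case from the advisory,
    # a benign link, and an address containing quote characters.
    for sample in ("java\nscript:alert(1)", "https://example.com/?a=1&b=2"):
        print(repr(sample), "naive:", repr(naive_escape_link(sample)),
              "hardened:", repr(hardened_escape_link(sample)))
    print(render_autolink('x"onmouseover="y@example.com', is_email=True))
```

The point to carry into your own code is the ordering: normalize, then decide,
then escape. Escaping alone would not have stopped "java\nscript:" because the
string contains nothing that html.escape touches.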
These non-security issues were fixed:
- Fix nested html issue
- Fix _keyify with lower case.
- Remove non breaking spaces preprocessing
- Remove rev and rel attribute for footnotes
- Fix escape_link method
- Handle block HTML with no content
- Use expandtabs for tab
- Fix escape option for text renderer
- Fix HTML attribute regex pattern
- Fix strikethrough regex
- Fix HTML attribute regex
- Fix close tag regex
- Fix hard_wrap options on renderer.
- Fix emphasis regex pattern
- Fix base64 image link
- Fix link security per
- Fix inline html when there is no content per
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-148=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (noarch):
python-mistune-0.8.3-11.1
python3-mistune-0.8.3-9.1
References:
https://www.suse.com/security/cve/CVE-2017-15612.html
https://www.suse.com/security/cve/CVE-2017-16876.html
https://bugzilla.suse.com/1064640
https://bugzilla.suse.com/1072307
openSUSE Security Update: Security update for mariadb
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0400-1
Rating: moderate
References: #1058722 #1064101 #1064115 #1076505
Cross-References: CVE-2017-10268 CVE-2017-10378
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves two vulnerabilities and has two fixes
is now available.
Description:
This update for mariadb to version 10.0.33 fixes several issues.
These security issues were fixed:
- CVE-2017-10378: Vulnerability in subcomponent: Server: Optimizer. Easily
exploitable vulnerability allowed low privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to
cause a hang or frequently repeatable crash (complete DOS) of MySQL
Server (bsc#1064115).
- CVE-2017-10268: Vulnerability in subcomponent: Server: Replication.
Difficult to exploit vulnerability allowed high privileged attacker with
logon to the infrastructure where MySQL Server executes to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all MySQL
Server accessible data (bsc#1064101).
These non-security issues were fixed:
- CHECK TABLE no longer returns an error when run on a CONNECT table
- 'Undo log record is too big.' error occurring in very narrow range of
string lengths
- Race condition between INFORMATION_SCHEMA.INNODB_SYS_TABLESTATS and
ALTER/DROP/TRUNCATE TABLE
- Wrong result after altering a partitioned table
- Fixed bugs in InnoDB FULLTEXT INDEX
- InnoDB FTS duplicate key error
- InnoDB crash after failed ADD INDEX and table_definition_cache eviction
- fts_create_doc_id() unnecessarily allocates 8 bytes for every inserted
row
- IMPORT TABLESPACE may corrupt ROW_FORMAT=REDUNDANT tables
For additional details please see
https://kb.askmonty.org/en/mariadb-10033-changelog
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-146=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libmysqlclient-devel-10.0.33-29.1
libmysqlclient18-10.0.33-29.1
libmysqlclient18-debuginfo-10.0.33-29.1
libmysqlclient_r18-10.0.33-29.1
libmysqld-devel-10.0.33-29.1
libmysqld18-10.0.33-29.1
libmysqld18-debuginfo-10.0.33-29.1
mariadb-10.0.33-29.1
mariadb-bench-10.0.33-29.1
mariadb-bench-debuginfo-10.0.33-29.1
mariadb-client-10.0.33-29.1
mariadb-client-debuginfo-10.0.33-29.1
mariadb-debuginfo-10.0.33-29.1
mariadb-debugsource-10.0.33-29.1
mariadb-errormessages-10.0.33-29.1
mariadb-test-10.0.33-29.1
mariadb-test-debuginfo-10.0.33-29.1
mariadb-tools-10.0.33-29.1
mariadb-tools-debuginfo-10.0.33-29.1
- openSUSE Leap 42.3 (x86_64):
libmysqlclient18-32bit-10.0.33-29.1
libmysqlclient18-debuginfo-32bit-10.0.33-29.1
libmysqlclient_r18-32bit-10.0.33-29.1
References:
https://www.suse.com/security/cve/CVE-2017-10268.html
https://www.suse.com/security/cve/CVE-2017-10378.html
https://bugzilla.suse.com/1058722
https://bugzilla.suse.com/1064101
https://bugzilla.suse.com/1064115
https://bugzilla.suse.com/1076505
openSUSE Security Update: spice-vdagent
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0399-1
Rating: moderate
References: #1012215 #1070724
Cross-References: CVE-2017-15108
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for spice-vdagent provides the following fixes:
This security issue was fixed:
- CVE-2017-15108: Properly escape the save directory that is passed to the
shell, to prevent a local attacker with access to the session the agent
runs in from injecting arbitrary commands to be executed (bsc#1070724).
This non-security issue was fixed:
- Implement endian swapping, required for big-endian guests to connect to
the spice client successfully. (bsc#1012215)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-144=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (x86_64):
spice-vdagent-0.16.0-8.1
spice-vdagent-debuginfo-0.16.0-8.1
spice-vdagent-debugsource-0.16.0-8.1
References:
https://www.suse.com/security/cve/CVE-2017-15108.html
https://bugzilla.suse.com/1012215
https://bugzilla.suse.com/1070724
openSUSE Security Update: Security update for plasma5-workspace
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0398-1
Rating: important
References: #1013550 #1079429 #1079751
Cross-References: CVE-2018-6790 CVE-2018-6791
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update for plasma5-workspace fixes security issues and bugs.
The following vulnerabilities were fixed:
- CVE-2018-6790: Desktop notifications could have been used to load
arbitrary remote images into Plasma, allowing for client IP discovery
(boo#1079429)
- CVE-2018-6791: A specially crafted file system label may have allowed
execution of arbitrary code (boo#1079751)
The following bugs were fixed:
- Plasma could freeze with certain notifications (boo#1013550)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2018-147=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):
drkonqi5-5.8.7-8.1
plasma5-workspace-5.8.7-8.1
plasma5-workspace-devel-5.8.7-8.1
plasma5-workspace-libs-5.8.7-8.1
- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):
plasma5-workspace-lang-5.8.7-8.1
References:
https://www.suse.com/security/cve/CVE-2018-6790.html
https://www.suse.com/security/cve/CVE-2018-6791.html
https://bugzilla.suse.com/1013550
https://bugzilla.suse.com/1079429
https://bugzilla.suse.com/1079751
openSUSE Security Update: Security update for plasma5-workspace
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0397-1
Rating: important
References: #1013550 #1079429 #1079751
Cross-References: CVE-2018-6790 CVE-2018-6791
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update for plasma5-workspace fixes security issues and bugs.
The following vulnerabilities were fixed:
- CVE-2018-6790: Desktop notifications could have been used to load
arbitrary remote images into Plasma, allowing for client IP discovery
(boo#1079429)
- CVE-2018-6791: A specially crafted file system label may have allowed
execution of arbitrary code (boo#1079751)
The following bugs were fixed:
- Plasma could freeze with certain notifications (boo#1013550)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-147=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (x86_64):
drkonqi5-5.8.7-11.1
drkonqi5-debuginfo-5.8.7-11.1
plasma5-workspace-5.8.7-11.1
plasma5-workspace-debuginfo-5.8.7-11.1
plasma5-workspace-debugsource-5.8.7-11.1
plasma5-workspace-devel-5.8.7-11.1
plasma5-workspace-libs-5.8.7-11.1
plasma5-workspace-libs-debuginfo-5.8.7-11.1
- openSUSE Leap 42.3 (noarch):
plasma5-workspace-lang-5.8.7-11.1
References:
https://www.suse.com/security/cve/CVE-2018-6790.html
https://www.suse.com/security/cve/CVE-2018-6791.html
https://bugzilla.suse.com/1013550
https://bugzilla.suse.com/1079429
https://bugzilla.suse.com/1079751
openSUSE Security Update: Security update for pound
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0394-1
Rating: moderate
References: #1078298
Cross-References: CVE-2016-10711
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for pound fixes one issue.
This security issue was fixed:
- CVE-2016-10711: Prevent request smuggling via crafted headers
(bsc#1078298).
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-143=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
pound-2.7-8.1
pound-debuginfo-2.7-8.1
pound-debugsource-2.7-8.1
pound-doc-2.7-8.1
References:
https://www.suse.com/security/cve/CVE-2016-10711.html
https://bugzilla.suse.com/1078298
openSUSE Security Update: Security update for libjpeg-turbo
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0393-1
Rating: moderate
References: #1062937
Cross-References: CVE-2017-15232
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for libjpeg-turbo fixes the following security issue:
- CVE-2017-15232: Fix NULL pointer dereference in jdpostct.c and jquant1.c
- additional fixes (bsc#1062937)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-141=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libjpeg-turbo-1.5.3-42.1
libjpeg-turbo-debuginfo-1.5.3-42.1
libjpeg-turbo-debugsource-1.5.3-42.1
libjpeg62-62.2.0-42.1
libjpeg62-debuginfo-62.2.0-42.1
libjpeg62-devel-62.2.0-42.1
libjpeg62-turbo-1.5.3-42.1
libjpeg62-turbo-debugsource-1.5.3-42.1
libjpeg8-8.1.2-42.1
libjpeg8-debuginfo-8.1.2-42.1
libjpeg8-devel-8.1.2-42.1
libturbojpeg0-8.1.2-42.1
libturbojpeg0-debuginfo-8.1.2-42.1
- openSUSE Leap 42.3 (x86_64):
libjpeg62-32bit-62.2.0-42.1
libjpeg62-debuginfo-32bit-62.2.0-42.1
libjpeg62-devel-32bit-62.2.0-42.1
libjpeg8-32bit-8.1.2-42.1
libjpeg8-debuginfo-32bit-8.1.2-42.1
libjpeg8-devel-32bit-8.1.2-42.1
libturbojpeg0-32bit-8.1.2-42.1
libturbojpeg0-debuginfo-32bit-8.1.2-42.1
References:
https://www.suse.com/security/cve/CVE-2017-15232.html
https://bugzilla.suse.com/1062937
openSUSE Recommended Update: Recommended update for ca-certificates-mozilla
______________________________________________________________________________
Announcement ID: openSUSE-RU-2018:0392-1
Rating: moderate
References: #1010996 #1071152 #1071390
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that has three recommended fixes can now be
installed.
Description:
The system SSL root certificate store was updated to Mozilla certificate
version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996)
We removed the old 1024 bit legacy CAs that were temporarily left in to
allow in-chain root certificates, as openssl is now able to handle them.
Further changes coming from Mozilla:
- New Root CAs added:
* Amazon Root CA 1: (email protection, server auth)
* Amazon Root CA 2: (email protection, server auth)
* Amazon Root CA 3: (email protection, server auth)
* Amazon Root CA 4: (email protection, server auth)
* Certplus Root CA G1: (email protection, server auth)
* Certplus Root CA G2: (email protection, server auth)
* D-TRUST Root CA 3 2013: (email protection)
* GDCA TrustAUTH R5 ROOT: (server auth)
* Hellenic Academic and Research Institutions ECC RootCA 2015: (email
protection, server auth)
* Hellenic Academic and Research Institutions RootCA 2015: (email
protection, server auth)
* ISRG Root X1: (server auth)
* LuxTrust Global Root 2: (server auth)
* OpenTrust Root CA G1: (email protection, server auth)
* OpenTrust Root CA G2: (email protection, server auth)
* OpenTrust Root CA G3: (email protection, server auth)
* SSL.com EV Root Certification Authority ECC: (server auth)
* SSL.com EV Root Certification Authority RSA R2: (server auth)
* SSL.com Root Certification Authority ECC: (email protection, server
auth)
* SSL.com Root Certification Authority RSA: (email protection, server
auth)
* Symantec Class 1 Public Primary Certification Authority - G4: (email
protection)
* Symantec Class 1 Public Primary Certification Authority - G6: (email
protection)
* Symantec Class 2 Public Primary Certification Authority - G4: (email
protection)
* Symantec Class 2 Public Primary Certification Authority - G6: (email
protection)
* TrustCor ECA-1: (email protection, server auth)
* TrustCor RootCert CA-1: (email protection, server auth)
* TrustCor RootCert CA-2: (email protection, server auth)
* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)
- Removed root CAs:
* AddTrust Public Services Root
* AddTrust Public CA Root
* AddTrust Qualified CA Root
* ApplicationCA - Japanese Government
* Buypass Class 2 CA 1
* CA Disig Root R1
* CA WoSign ECC Root
* Certification Authority of WoSign G2
* Certinomis - Autorité Racine
* Certum Root CA
* China Internet Network Information Center EV Certificates Root
* CNNIC ROOT
* Comodo Secure Services root
* Comodo Trusted Services root
* ComSign Secured CA
* EBG Elektronik Sertifika Hizmet Sağlayıcısı
* Equifax Secure CA
* Equifax Secure eBusiness CA 1
* Equifax Secure Global eBusiness CA
* GeoTrust Global CA 2
* IGC/A
* Juur-SK
* Microsec e-Szigno Root CA
* PSCProcert
* Root CA Generalitat Valenciana
* RSA Security 2048 v3
* Security Communication EV RootCA1
* Sonera Class 1 Root CA
* StartCom Certification Authority
* StartCom Certification Authority G2
* S-TRUST Authentication and Encryption Root CA 2005 PN
* Swisscom Root CA 1
* Swisscom Root EV CA 2
* TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
* TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
* TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
* UTN USERFirst Hardware Root CA
* UTN USERFirst Object Root CA
* VeriSign Class 3 Secure Server CA - G2
* Verisign Class 1 Public Primary Certification Authority
* Verisign Class 2 Public Primary Certification Authority - G2
* Verisign Class 3 Public Primary Certification Authority
* WellsSecure Public Root Certificate Authority
* Certification Authority of WoSign
* WoSign China
- Removed Code Signing rights from a lot of CAs (not listed here).
- Removed Server Auth rights from:
* AddTrust Low-Value Services Root
* Camerfirma Chambers of Commerce Root
* Camerfirma Global Chambersign Root
* Swisscom Root CA 2
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-142=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (noarch):
ca-certificates-mozilla-2.22-12.1
References:
https://bugzilla.suse.com/1010996
https://bugzilla.suse.com/1071152
https://bugzilla.suse.com/1071390
openSUSE Recommended Update: Recommended update for accountsservice
______________________________________________________________________________
Announcement ID: openSUSE-RU-2018:0391-1
Rating: low
References: #1063794
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for accountsservice provides the following fix:
- Drop operator, nobody4 and noaccess accounts from the blacklist so that
they can be used and displayed in gdm. (bsc#1063794)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-138=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
accountsservice-0.6.42-8.1
accountsservice-debuginfo-0.6.42-8.1
accountsservice-debugsource-0.6.42-8.1
accountsservice-devel-0.6.42-8.1
libaccountsservice0-0.6.42-8.1
libaccountsservice0-debuginfo-0.6.42-8.1
typelib-1_0-AccountsService-1_0-0.6.42-8.1
- openSUSE Leap 42.3 (noarch):
accountsservice-lang-0.6.42-8.1
References:
https://bugzilla.suse.com/1063794