openSUSE Security Update: Security update for aubio
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0856-1
Rating: moderate
References: #1070399
Cross-References: CVE-2017-17054
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for aubio fixes the following issues:
- CVE-2017-17054: Specially crafted wav files could have been used to
cause an application crash (boo#1070399)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-329=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
aubio-debugsource-0.4.1-9.3.1
aubio-tools-0.4.1-9.3.1
aubio-tools-debuginfo-0.4.1-9.3.1
libaubio-devel-0.4.1-9.3.1
libaubio4-0.4.1-9.3.1
libaubio4-debuginfo-0.4.1-9.3.1
- openSUSE Leap 42.3 (x86_64):
libaubio4-32bit-0.4.1-9.3.1
libaubio4-debuginfo-32bit-0.4.1-9.3.1
References:
https://www.suse.com/security/cve/CVE-2017-17054.html
https://bugzilla.suse.com/1070399
openSUSE Security Update: Security update for memcached
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0855-1
Rating: important
References: #1056865
Cross-References: CVE-2017-9951
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for memcached fixes the following issues:
- CVE-2017-9951: Fixed a heap-based buffer over-read in the try_read_command
function which allowed remote attackers to cause a denial of service
(bsc#1056865).
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-327=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
memcached-1.4.39-11.3.1
memcached-debuginfo-1.4.39-11.3.1
memcached-debugsource-1.4.39-11.3.1
memcached-devel-1.4.39-11.3.1
References:
https://www.suse.com/security/cve/CVE-2017-9951.html
https://bugzilla.suse.com/1056865
openSUSE Security Update: Security update for krb5
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0854-1
Rating: moderate
References: #1057662 #1081725 #1083926 #1083927
Cross-References: CVE-2018-5729 CVE-2018-5730
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves two vulnerabilities and has two fixes
is now available.
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted
data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check
bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain
compatible with newer Kerberos. System administrators who are
experiencing this kind of compatibility issue may set the environment
variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure
the environment variable is visible and effective to the application
startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated
GSS mechanisms in gss_indicate_mech() list. (bsc#1081725)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-328=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
krb5-1.12.5-16.1
krb5-client-1.12.5-16.1
krb5-client-debuginfo-1.12.5-16.1
krb5-debuginfo-1.12.5-16.1
krb5-debugsource-1.12.5-16.1
krb5-devel-1.12.5-16.1
krb5-doc-1.12.5-16.1
krb5-mini-1.12.5-16.1
krb5-mini-debuginfo-1.12.5-16.1
krb5-mini-debugsource-1.12.5-16.1
krb5-mini-devel-1.12.5-16.1
krb5-plugin-kdb-ldap-1.12.5-16.1
krb5-plugin-kdb-ldap-debuginfo-1.12.5-16.1
krb5-plugin-preauth-otp-1.12.5-16.1
krb5-plugin-preauth-otp-debuginfo-1.12.5-16.1
krb5-plugin-preauth-pkinit-1.12.5-16.1
krb5-plugin-preauth-pkinit-debuginfo-1.12.5-16.1
krb5-server-1.12.5-16.1
krb5-server-debuginfo-1.12.5-16.1
- openSUSE Leap 42.3 (x86_64):
krb5-32bit-1.12.5-16.1
krb5-debuginfo-32bit-1.12.5-16.1
krb5-devel-32bit-1.12.5-16.1
References:
https://www.suse.com/security/cve/CVE-2018-5729.html
https://www.suse.com/security/cve/CVE-2018-5730.html
https://bugzilla.suse.com/1057662
https://bugzilla.suse.com/1081725
https://bugzilla.suse.com/1083926
https://bugzilla.suse.com/1083927
openSUSE Security Update: Security update for links
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0853-1
Rating: moderate
References: #1051448
Cross-References: CVE-2017-11114
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for links to version 2.15 fixes the following issues:
- CVE-2017-11114: Buffer over-read vulnerability in case of corrupted
UTF-8 data (boo#1051448)
This update also contains a number of upstream improvements:
- Rewrite Google Docs URLs to the download link, so that the file can be
viewed in an external viewer
- Improved handling of compressed connections and content
- Various other bug fixes and improvements
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-330=1
Package List:
- openSUSE Leap 42.3 (x86_64):
links-2.15-7.3.1
links-debuginfo-2.15-7.3.1
links-debugsource-2.15-7.3.1
References:
https://www.suse.com/security/cve/CVE-2017-11114.html
https://bugzilla.suse.com/1051448
openSUSE Security Update: Security update for tomcat
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0852-1
Rating: moderate
References: #1078677 #1082480 #1082481
Cross-References: CVE-2017-15706 CVE-2018-1304 CVE-2018-1305
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for tomcat fixes the following issues:
Security issues fixed:
- CVE-2018-1305: Fixed late application of security constraints that can
lead to resource exposure for unauthorised users (bsc#1082481).
- CVE-2018-1304: Fixed incorrect handling of an empty string URL in security
constraints that can lead to unintended exposure of resources
(bsc#1082480).
- CVE-2017-15706: Fixed incorrect documentation of CGI Servlet search
algorithm that may lead to misconfiguration (bsc#1078677).
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-325=1
Package List:
- openSUSE Leap 42.3 (noarch):
tomcat-8.0.50-12.1
tomcat-admin-webapps-8.0.50-12.1
tomcat-docs-webapp-8.0.50-12.1
tomcat-el-3_0-api-8.0.50-12.1
tomcat-embed-8.0.50-12.1
tomcat-javadoc-8.0.50-12.1
tomcat-jsp-2_3-api-8.0.50-12.1
tomcat-jsvc-8.0.50-12.1
tomcat-lib-8.0.50-12.1
tomcat-servlet-3_1-api-8.0.50-12.1
tomcat-webapps-8.0.50-12.1
References:
https://www.suse.com/security/cve/CVE-2017-15706.html
https://www.suse.com/security/cve/CVE-2018-1304.html
https://www.suse.com/security/cve/CVE-2018-1305.html
https://bugzilla.suse.com/1078677
https://bugzilla.suse.com/1082480
https://bugzilla.suse.com/1082481
openSUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0851-1
Rating: important
References: #1017711 #1017712 #1081493
Cross-References: CVE-2016-9941 CVE-2016-9942 CVE-2018-7225
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
LibVNCServer was updated to fix two security issues.
These security issues were fixed:
- CVE-2018-7225: Missing input sanitization inside rfbserver.c
rfbProcessClientNormalMessage() (bsc#1081493).
- CVE-2016-9942: Heap-based buffer overflow in ultra.c allowed remote
servers to cause a denial of service (application crash) or possibly
execute arbitrary code via a crafted FramebufferUpdate message with the
Ultra type tile, such that the LZO payload decompressed length exceeds
what is specified by the tile dimensions (bsc#1017712).
- CVE-2016-9941: Heap-based buffer overflow in rfbproto.c allowed remote
servers to cause a denial of service (application crash) or possibly
execute arbitrary code via a crafted FramebufferUpdate message
containing a subrectangle outside of the client drawing area
(bsc#1017711).
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-326=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
LibVNCServer-debugsource-0.9.9-16.3.1
LibVNCServer-devel-0.9.9-16.3.1
libvncclient0-0.9.9-16.3.1
libvncclient0-debuginfo-0.9.9-16.3.1
libvncserver0-0.9.9-16.3.1
libvncserver0-debuginfo-0.9.9-16.3.1
linuxvnc-0.9.9-16.3.1
linuxvnc-debuginfo-0.9.9-16.3.1
References:
https://www.suse.com/security/cve/CVE-2016-9941.html
https://www.suse.com/security/cve/CVE-2016-9942.html
https://www.suse.com/security/cve/CVE-2018-7225.html
https://bugzilla.suse.com/1017711
https://bugzilla.suse.com/1017712
https://bugzilla.suse.com/1081493
openSUSE Recommended Update: Recommended update for virtualbox
______________________________________________________________________________
Announcement ID: openSUSE-RU-2018:0849-1
Rating: moderate
References: #1081360 #1081856
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that has two recommended fixes can now be
installed.
Description:
This update for virtualbox contains the following bug fixes:
- boo#1081360: Allow usage with non-distribution kernels
- boo#1081856: virtualbox-vnc needs to require libvncserver0
This update also includes all fixes and improvements in the 5.1.34
upstream release.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-323=1
Package List:
- openSUSE Leap 42.3 (x86_64):
python-virtualbox-5.1.34-47.1
python-virtualbox-debuginfo-5.1.34-47.1
virtualbox-5.1.34-47.1
virtualbox-debuginfo-5.1.34-47.1
virtualbox-debugsource-5.1.34-47.1
virtualbox-devel-5.1.34-47.1
virtualbox-guest-kmp-default-5.1.34_k4.4.120_45-47.1
virtualbox-guest-kmp-default-debuginfo-5.1.34_k4.4.120_45-47.1
virtualbox-guest-tools-5.1.34-47.1
virtualbox-guest-tools-debuginfo-5.1.34-47.1
virtualbox-guest-x11-5.1.34-47.1
virtualbox-guest-x11-debuginfo-5.1.34-47.1
virtualbox-host-kmp-default-5.1.34_k4.4.120_45-47.1
virtualbox-host-kmp-default-debuginfo-5.1.34_k4.4.120_45-47.1
virtualbox-qt-5.1.34-47.1
virtualbox-qt-debuginfo-5.1.34-47.1
virtualbox-vnc-5.1.34-47.1
virtualbox-websrv-5.1.34-47.1
virtualbox-websrv-debuginfo-5.1.34-47.1
- openSUSE Leap 42.3 (noarch):
virtualbox-guest-desktop-icons-5.1.34-47.1
virtualbox-guest-source-5.1.34-47.1
virtualbox-host-source-5.1.34-47.1
References:
https://bugzilla.suse.com/1081360
https://bugzilla.suse.com/1081856
openSUSE Recommended Update: Recommended update for drbd, drbd-utils
______________________________________________________________________________
Announcement ID: openSUSE-RU-2018:0847-1
Rating: moderate
References: #1037109 #1058770 #1061145 #1061147 #1064402
#1068032 #1077176
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves one vulnerability and has 6 fixes is
now available.
Description:
This update for drbd and drbd-utils provides the following fixes:
Changes in drbd-utils:
- Make sure the full bitmap gets properly propagated in drbdmeta. Also
make sure the ID is kept when downgrading from v9 to v8. (bsc#1037109)
- Support passing "--force" to drbdadm dump-md. (bsc#1077176)
- Fix a possible kernel trace while starting the initial syncing of a
stacked drbd. (bsc#1058770)
- Backport some fixes of peer_device objects.
- Do not hardcode loglevel local5 and make it possible to change that
using --logfacility. (bsc#1064402)
- Update documentation and examples regarding fencing: it is now moved
from the disk to the net section. (bsc#1061145)
- Skip running drbdadm sh-b-pri in drbd9. (bsc#1061147)
- The included kernel modules in the KMP packages were rebuilt using
"retpoline" support to mitigate Spectre v2 (bsc#1068032 CVE-2017-5715)
Changes in drbd:
- Make sure the full bitmap gets properly propagated in drbdmeta.
(bsc#1037109)
This update was imported from the SUSE:SLE-12-SP3:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-324=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
drbd-utils-9.0.0-6.1
drbd-utils-debuginfo-9.0.0-6.1
drbd-utils-debugsource-9.0.0-6.1
- openSUSE Leap 42.3 (x86_64):
drbd-9.0.8+git.c8bc3670-2.5.1
drbd-debugsource-9.0.8+git.c8bc3670-2.5.1
drbd-kmp-default-9.0.8+git.c8bc3670_k4.4.120_45-2.5.1
drbd-kmp-default-debuginfo-9.0.8+git.c8bc3670_k4.4.120_45-2.5.1
References:
https://www.suse.com/security/cve/CVE-2017-5715.html
https://bugzilla.suse.com/1037109
https://bugzilla.suse.com/1058770
https://bugzilla.suse.com/1061145
https://bugzilla.suse.com/1061147
https://bugzilla.suse.com/1064402
https://bugzilla.suse.com/1068032
https://bugzilla.suse.com/1077176
openSUSE Recommended Update: Recommended update for perl-Finance-Quote
______________________________________________________________________________
Announcement ID: openSUSE-RU-2018:0845-1
Rating: moderate
References: #1077300
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for perl-Finance-Quote fixes the following issues:
* boo#1077300: GnuCash was no longer able to retrieve pricing information
for various securities
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-322=1
Package List:
- openSUSE Leap 42.3 (noarch):
perl-Finance-Quote-1.47-4.3.1
References:
https://bugzilla.suse.com/1077300
openSUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:0843-1
Rating: moderate
References: #1087059
Cross-References: CVE-2018-5148
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for Mozilla Firefox to version 52.7.3 fixes the following
issue:
- CVE-2018-5148: A use-after-free in the compositor allowed crashes to be
triggered or potentially had further code execution impact (bsc#1087059)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-320=1
Package List:
- openSUSE Leap 42.3 (x86_64):
MozillaFirefox-52.7.3-86.1
MozillaFirefox-branding-upstream-52.7.3-86.1
MozillaFirefox-buildsymbols-52.7.3-86.1
MozillaFirefox-debuginfo-52.7.3-86.1
MozillaFirefox-debugsource-52.7.3-86.1
MozillaFirefox-devel-52.7.3-86.1
MozillaFirefox-translations-common-52.7.3-86.1
MozillaFirefox-translations-other-52.7.3-86.1
References:
https://www.suse.com/security/cve/CVE-2018-5148.html
https://bugzilla.suse.com/1087059