SUSE Security Update: Security update for spacewalk-java ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1218-1 Rating: important References: #889721 #896012 Cross-References: CVE-2014-3595 Affected Products: SUSE Manager Server ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: The Spacewalk frontend displayed a logfile without escaping content, allowing remote attackers to inject cross site scripting (XSS) into the admin's session. (CVE-2014-3595) Additionally, the following bug was fixed: * Fixed package upgrade via SSM when using the Oracle DB as backend. (bnc#889721) Security Issues: * CVE-2014-3595 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3595 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager Server: zypper in -t patch sleman21-spacewalk-java-9719 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager Server (noarch): spacewalk-java-2.1.165.6-0.11.1 spacewalk-java-config-2.1.165.6-0.11.1 spacewalk-java-lib-2.1.165.6-0.11.1 spacewalk-java-oracle-2.1.165.6-0.11.1 spacewalk-java-postgresql-2.1.165.6-0.11.1 spacewalk-taskomatic-2.1.165.6-0.11.1 References: http://support.novell.com/security/cve/CVE-2014-3595.html https://bugzilla.suse.com/889721 https://bugzilla.suse.com/896012 http://download.suse.com/patch/finder/?keywords=a50d8ce1310e48a468cc85ce6ed4... -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org