-----------------------------------------
Version 0.0.4-Build1.837 2020-08-22T07:55:56

-----------------------------------------
Patch: SUSE-2014-70
Released: Tue Oct 28 19:16:10 2014
Summary: update for rsyslog
Severity: moderate
References: 890228,899756,CVE-2014-3634,CVE-2014-3683
Description:
This update for rsyslog provides the following fixes:

- Fixed remote PRI DoS vulnerability patch (CVE-2014-3683, bnc#899756)
- Removed broken, unsupported and dropped by upstream zpipe utility from rsyslog-diag-tools package (bnc#890228)


-----------------------------------------
Patch: SUSE-2014-75
Released: Tue Nov  4 16:25:40 2014
Summary: Recommended update for wicked
Severity: important
References: 887910,893665,900112,900401
Description:
This update for wicked fixes the following issues:

- ethernet: Do not fail when ETHTOOL_GSET/SSET fails. (bsc#900401, bsc#900112)
- dbus: Omit ethernet speed, duplex, autoneg properties if not supported by the driver.
- ethtool: Independent ioctl requests are handled separately: if one fails it should not stop the following ones.
- wireless: Request association even if link was up; linkup indicates association, rather than explicit linkAssociate event. (bsc#893665)
- bonding: Ignore redundant slaves in configs with a warning.
- fsm: Generate default config for children in existing relation.
- compat: Prefer /etc/hostname over /etc/HOSTNAME and warn about missed global configs. (bsc#887910)

-----------------------------------------
Patch: SUSE-2014-79
Released: Tue Nov  4 16:28:02 2014
Summary: Recommended update for yast2-proxy
Severity: moderate
References: 853725,871945
Description:
This update for yast2-proxy fixes an issue that made 'Test Proxy Settings' always report failure. (bnc#853725, bnc#871945)

-----------------------------------------
Patch: SUSE-2014-85
Released: Tue Nov  4 16:29:29 2014
Summary: Recommended update for dirmngr
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------
Patch: SUSE-2014-86
Released: Tue Nov  4 16:42:58 2014
Summary: Recommended update for release-notes-sles
Severity: low
References: 888469,900083,900771,902380
Description:
This update provides the latest revision of the release notes for SUSE Linux Enterprise Server 12:

- Fix URLs to documentation (bsc#902868)
- Add life cycle of SUSE Linux Enterprise modules.
- Fixed typo in section 5.3.6.7 suseRegister replaced by SUSEConnect (bsc#900771, fate#316585)
- Cosmetic changes in section 3.2.1 (bsc#888469, fate#317042)
- Added a new entry about Support for Intel PSM API (fate#315889)

-----------------------------------------
Patch: SUSE-2014-74
Released: Tue Nov  4 16:49:16 2014
Summary: Recommended update for yast2-users
Severity: low
References: 901419
Description:
This update for yast2-users fixes a crash when trying to start
the authentication client module and yast2-auth-client is not installed on the
system. (bnc#901419)

-----------------------------------------
Patch: SUSE-2014-71
Released: Tue Nov  4 16:58:36 2014
Summary: Recommended update for aws-cli
Severity: moderate
References: 902598,902648
Description:
This collective update for the SUSE Linux Enterprise 12 Public Cloud module provides the following enhancements:

- Amazon Web Services Command Line Interface (aws-cli) has been updated to version 1.5.3.
- Amazon Web Services Library (python-boto) has been updated to version 2.34.0.
- Python interface for AWS (python-botocore) has been updated to version 0.67.0.
- Python's jmespath module has been updated to version 0.4.1.
- The latest Amazon Cloud region (eu-central-1) is now supported through the command line interface.

For a comprehensive list of fixes and enhancements, refer to the package's change log.

-----------------------------------------
Patch: SUSE-2014-76
Released: Wed Nov  5 16:41:10 2014
Summary: Security update for wget
Severity: moderate
References: 902709,CVE-2014-4877
Description:
wget was updated to fix one security issue.
	  
This security issue was fixed:
- FTP symlink arbitrary filesystem access (CVE-2014-4877).


-----------------------------------------
Patch: SUSE-2014-66
Released: Thu Nov  6 06:23:15 2014
Summary: Recommended update for gcc48
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg.


-----------------------------------------
Patch: SUSE-2014-109
Released: Thu Nov 13 17:10:48 2014
Summary: Security update for gnutls
Severity: moderate
References: 904603,CVE-2014-8564
Description:
gnutls was updated to fix one security issue.
	  
- Fixed parsing problem in elliptic curve blobs over TLS that could lead to remote
  crashes (CVE-2014-8564).


-----------------------------------------
Patch: SUSE-2014-87
Released: Fri Nov 14 18:57:12 2014
Summary: Recommended update for rpcbind
Severity: low
References: 905042
Description:
This update for rpcbind disables debug code which could fill up the system log files.

-----------------------------------------
Patch: SUSE-2014-97
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issues was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
  

-----------------------------------------
Patch: SUSE-2014-123
Released: Mon Dec  1 18:03:36 2014
Summary: Recommended update for libXi
Severity: moderate
References: 883553
Description:
This update for libXi fixes a double unlock issue when connecting to an X server with XInputExtension version lower than 2.0. This could result, for example, in a segmentation fault when starting YaST over an ssh connection from SUSE Linux Enterprise 11.

-----------------------------------------
Patch: SUSE-2014-115
Released: Mon Dec  1 18:06:24 2014
Summary: Security update for flac
Severity: moderate
References: 906831,907016,CVE-2014-8962,CVE-2014-9028
Description:
flac was updated to fix two security issues.

These security issues were fixed:
- Stack overflow may result in arbitrary code execution (CVE-2014-8962).
- Heap overflow via specially crafted .flac files (CVE-2014-9028).
  

-----------------------------------------
Patch: SUSE-2014-104
Released: Mon Dec  1 18:10:56 2014
Summary: Recommended update for apparmor
Severity: moderate
References: 898438
Description:

The AppArmor profiles were adjusted to allow running ntpd.
  

-----------------------------------------
Patch: SUSE-2014-84
Released: Mon Dec  1 19:54:01 2014
Summary: Security update for openssl
Severity: moderate
References: 901223,901277,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Description:
openssl was updated to fix four security issues.

These security issues were fixed:
- SRTP Memory Leak (CVE-2014-3513).
- Session Ticket Memory Leak (CVE-2014-3567).
- Fixed incomplete no-ssl3 build option (CVE-2014-3568).
- Add support for TLS_FALLBACK_SCSV (CVE-2014-3566).

NOTE: This update alone DOESN'T FIX the POODLE SSL protocol vulnerability.
OpenSSL only adds downgrade detection support for client applications.
See https://www.suse.com/support/kb/doc.php?id=7015773 for mitigations.


-----------------------------------------
Patch: SUSE-2014-82
Released: Tue Dec  2 11:12:56 2014
Summary: Security update for python, python-base, python-doc
Severity: moderate
References: 898572,CVE-2014-7185
Description:
python, python-base, python-doc was updated to fix one security issue.
	  
This security issue was fixed:
- Fixed potential buffer overflow in buffer() (CVE-2014-7185).


-----------------------------------------
Patch: SUSE-2015-35
Released: Tue Dec  2 15:56:40 2014
Summary: Recommended update for samba
Severity: moderate
References: 896536,899558
Description:
This update for Samba provides the following fixes:

- Backport upstream master fixes for samba-regedit. (bsc#896536)
- Fix small memory-leak in the background print process. (bsc#899558)


-----------------------------------------
Patch: SUSE-2014-113
Released: Tue Dec  2 18:17:57 2014
Summary: Security update for cpio
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:

This cpio security update fixes the following buffer overflow issue and
two non security issues:

- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt


-----------------------------------------
Patch: SUSE-2015-4
Released: Wed Dec  3 15:57:25 2014
Summary: Security update for libyaml
Severity: moderate
References: 907809,CVE-2014-9130
Description:

This libyaml update fixes the following security issue:

- bnc#907809: assert failure when processing wrapped strings
  (CVE-2014-9130)


-----------------------------------------
Patch: SUSE-2015-11
Released: Thu Dec  4 14:49:04 2014
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 900689
Description:
This update fixes SUSEConnect to always write the configuration file when --url parameter used.

-----------------------------------------
Patch: SUSE-2015-15
Released: Thu Dec  4 15:24:10 2014
Summary: Security update for libjpeg-turbo, libjpeg62-turbo
Severity: moderate
References: 906761,CVE-2014-9092
Description:
libjpeg-turbo, libjpeg62-turbo were updated to fix one security issue.

This security issue was fixed:
- Passing special crafted jpeg file smashes stack (CVE-2014-9092).
  

-----------------------------------------
Patch: SUSE-2014-117
Released: Thu Dec  4 17:12:48 2014
Summary: Recommended update for ntp
Severity: moderate
References: 898596
Description:
This update for ntp re-enables usage of the legacy MD5 algorithm in FIPS mode.

-----------------------------------------
Patch: SUSE-2015-3
Released: Fri Dec  5 15:49:30 2014
Summary: Security update for mutt
Severity: important
References: 899712,907453,CVE-2014-9116
Description:
mutt was updated to fix one security issue.

This security issue was fixed:
- Heap-based buffer overflow in mutt_substrdup() (CVE-2014-9116).

This non-security issue was fixed:
- Handle text/html by default (bnc#899712)
  

-----------------------------------------
Patch: SUSE-2014-103
Released: Sat Dec  6 16:30:45 2014
Summary: Recommended update for bind
Severity: moderate
References: 906079
Description:
This update provides fixes for BIND for systems running with FIPS mode enabled:

- Do not consider a failure to load the GOST OpenSSL engine a fatal error.

-----------------------------------------
Patch: SUSE-2014-81
Released: Sat Dec  6 17:14:40 2014
Summary: Security update for MozillaFirefox and mozilla-nss
Severity: important
References: 897890,900941,908009,CVE-2014-1568,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1581,CVE-2014-1583,CVE-2014-1585,CVE-2014-1586,CVE-2014-1587,CVE-2014-1588,CVE-2014-1590,CVE-2014-1592,CVE-2014-1593,CVE-2014-1594,CVE-2014-1595
Description:

Mozilla Firefox was updated to 31.3.0 ESR (bnc#900941) (bnc#908009).

Security issues fixed:
MFSA 2014-83 / CVE-2014-1588 / CVE-2014-1587: Mozilla developers and
community identified and fixed several memory safety bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances,
and we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

MFSA 2014-85 / CVE-2014-1590: Security researcher Joe Vennix from Rapid7
reported that passing a JavaScript object to XMLHttpRequest that mimics
an input stream will a crash. This crash is not exploitable and can only
be used for denial of service attacks.

MFSA 2014-87 / CVE-2014-1592: Security researcher Berend-Jan Wever
reported a use-after-free created by triggering the creation of a
second root element while parsing HTML written to a document created
with document.open(). This leads to a potentially exploitable crash.

MFSA 2014-88 / CVE-2014-1593: Security researcher Abhishek Arya (Inferno)
of the Google Chrome Security Team used the Address Sanitizer tool to
discover a buffer overflow during the parsing of media content. This
leads to a potentially exploitable crash.

MFSA 2014-89 / CVE-2014-1594: Security researchers Byoungyoung Lee,
Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security
Center (GTISC) reported a bad casting from the BasicThebesLayer to
BasicContainerLayer, resulting in undefined behavior. This behavior is
potentially exploitable with some compilers but no clear mechanism to
trigger it through web content was identified.

MFSA 2014-90 / CVE-2014-1595: Security researcher Kent Howard reported an
Apple issue present in OS X 10.10 (Yosemite) where log files are created
by the CoreGraphics framework of OS X in the /tmp local directory. These
log files contain a record of all inputs into Mozilla programs during
their operation. In versions of OS X from versions 10.6 through 10.9,
the CoreGraphics had this logging ability but it was turned off by
default. In OS X 10.10, this logging was turned on by default for some
applications that use a custom memory allocator, such as jemalloc,
because of an initialization bug in the framework. This issue has been
addressed in Mozilla products by explicitly turning off the framework's
logging of input events. On vulnerable systems, this issue can result
in private data such as usernames, passwords, and other inputed data
being saved to a log file on the local system.

MFSA 2014-74 / CVE-2014-1574 / CVE-2014-1575:
Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

Bobby Holley, Christian Holler, David Bolter, Byron Campen, and Jon
Coppeard reported memory safety problems and crashes that affect Firefox
ESR 31.1 and Firefox 32.

Carsten Book, Christian Holler, Martijn Wargers, Shih-Chiang Chien,
Terrence Cole, Eric Rahm , and Jeff Walden reported memory safety problems
and crashes that affect Firefox 32.

MFSA 2014-75 / CVE-2014-1576: Using the Address Sanitizer tool, security
researcher Atte Kettunen from OUSPG discovered a buffer overflow when
making capitalization style changes during CSS parsing. This can cause
a crash that is potentially exploitable.

MFSA 2014-76 / CVE-2014-1577: Security researcher Holger Fuhrmannek
used the used the Address Sanitizer tool to discover an out-of-bounds
read issue with Web Audio when interacting with custom waveforms with
invalid values. This results in a crash and could allow for the reading
of random memory which may contain sensitive data, or of memory addresses
that could be used in combination with another bug.

MFSA 2014-77 / CVE-2014-1578: Using the Address Sanitizer tool, security
researcher Abhishek Arya (Inferno) of the Google Chrome Security Team
found an out-of-bounds write when buffering WebM format video containing
frames with invalid tile sizes. This can lead to a potentially exploitable
crash during WebM video playback.

MFSA 2014-79 / CVE-2014-1581: Security researcher regenrecht reported,
via TippingPoint's Zero Day Initiative, a use-after-free during text
layout when interacting with text direction. This results in a crash
which can lead to arbitrary code execution.

MFSA 2014-81 / CVE-2014-1585 / CVE-2014-1586: Mozilla developers Eric
Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video
sharing using WebRTC. Once video sharing has started within a WebRTC
session running within an <iframe>, video will continue to be shared even
if the user selects the 'Stop Sharing' button in the controls. The
camera will also remain on even if the user navigates to another site and
will begin streaming again if the user returns to the original site. This
is a privacy problem and can lead to inadvertent video streaming. This
does not affect implementations that are not within an <iframe>.

MFSA 2014-82 / CVE-2014-1583: Mozilla developer Boris Zbarsky reported
that a malicious app could use the AlarmAPI to read the values of
cross-origin references, such as an iframe's location object, as part of
an alarm's JSON data. This allows a malicious app to bypass same-origin
policy.

SSLv3 is disabled by default. See README.POODLE for more
detailed information.

Mozilla NSS was updated to 3.17.2 (bnc#900941)
Bugfix release
  * bmo#1049435 - Importing an RSA private key fails if p < q
  * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key
  * bmo#1078669 - certutil crashes when using the --certVersion
    parameter
- changes from earlier version of the 3.17 branch:
  update to 3.17.1 (bnc#897890)
  * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405)
    RSA Signature Forgery in NSS
  * Change library's signature algorithm default to SHA256
  * Add support for draft-ietf-tls-downgrade-scsv
  * Add clang-cl support to the NSS build system
  * Implement TLS 1.3:
    * Part 1. Negotiate TLS 1.3
    * Part 2. Remove deprecated cipher suites andcompression.
  * Add support for little-endian powerpc64
  update to 3.17
  * required for Firefox 33
  New functionality:
  * When using ECDHE, the TLS server code may be configured to
    generate a fresh ephemeral ECDH key for each handshake, by
    setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to
    PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to
    PR_TRUE, which means the server's ephemeral ECDH key is reused
    for multiple handshakes.  This option does not affect the TLS
    client code, which always generates a fresh ephemeral ECDH key
    for each handshake.
  New Macros
  * SSL_REUSE_SERVER_ECDHE_KEY
  Notable Changes:
  * The manual pages for the certutil and pp tools have been
    updated to document the new parameters that had been added in
    NSS 3.16.2.


-----------------------------------------
Patch: SUSE-2015-16
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:

- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)


-----------------------------------------
Patch: SUSE-2014-114
Released: Thu Dec 11 15:18:56 2014
Summary: Security update for mailx
Severity: moderate
References: 909208,CVE-2004-2771,CVE-2014-7844
Description:

This mailx update fixes the following security and non security issues:

- bsc#909208: shell command injection via crafted email addresses
  (CVE-2004-2771, CVE-2014-7844)
- Correct comment in spec file 

-----------------------------------------
Patch: SUSE-2014-122
Released: Mon Dec 15 14:25:41 2014
Summary: Security update for tcpdump
Severity: moderate
References: 905870,905871,905872,CVE-2014-8767,CVE-2014-8768,CVE-2014-8769
Description:
This tcpdump update fixes the following security issues:

- fix CVE-2014-8767 (bnc#905870)
  * denial of service in verbose mode using malformed OLSR payload
- fix CVE-2014-8768 (bnc#905871)
  * denial of service in verbose mode using malformed Geonet payload
- fix CVE-2014-8769 (bnc#905872)
  * unreliable output using malformed AOVD payload


-----------------------------------------
Patch: SUSE-2015-34
Released: Fri Dec 19 15:16:12 2014
Summary: Security update for ruby2.1
Severity: moderate
References: 902851,905326,CVE-2014-8080,CVE-2014-8090
Description:
This ruby update fixes the following two security issues:

- bnc#902851: fix CVE-2014-8080: Denial Of Service XML Expansion
- bnc#905326: fix CVE-2014-8090: Another Denial Of Service XML Expansion
- Enable tests to run during the build. This way we can compare
  the results on different builds.


-----------------------------------------
Patch: SUSE-2015-5
Released: Fri Dec 19 19:56:21 2014
Summary: Security update for jasper
Severity: moderate
References: 906364,909474,909475,CVE-2014-8137,CVE-2014-9029
Description:
This libjasper update fixes the following three security issues:

- bnc#906364: heap overflows in libjasper (CVE-2014-9029)
- bnc#909474: double-free in jas_iccattrval_destroy() (CVE-2014-8137)
- bnc#909475: heap overflow in jas_decode() (CVE-2014-8138)


-----------------------------------------
Patch: SUSE-2014-126
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:

- bsc#910252: multiple denial of service issues (resource consumption)
              (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption)
              (CVE-2014-8117)


-----------------------------------------
Patch: SUSE-2014-118
Released: Fri Dec 19 23:01:57 2014
Summary: Security update for ntp
Severity: critical
References: 910764,CVE-2014-9295,CVE-2014-9296
Description:

The network timeservice ntp was updated to fix critical security
issues (bnc#910764, CERT VU#852879)

* A potential remote code execution problem was found inside
  ntpd. The functions crypto_recv() (when using autokey
  authentication), ctl_putdata(), and configure() where updated
  to avoid buffer overflows that could be
  exploited. (CVE-2014-9295)
* Furthermore a problem inside the ntpd error handling was found
  that is missing a return statement. This could also lead to a
  potentially attack vector. (CVE-2014-9296)


-----------------------------------------
Patch: SUSE-2015-22
Released: Mon Dec 22 20:12:03 2014
Summary: Recommended update for perl-Net-DNS
Severity: low
References: 904041
Description:
This update for perl-Net-DNS fixes handling of TSIG algorithms, no longer removing dots and dashes from their names.

-----------------------------------------
Patch: SUSE-2014-121
Released: Tue Dec 23 13:03:48 2014
Summary: Security update for dbus-1
Severity: moderate
References: 904017,CVE-2014-3636,CVE-2014-7824
Description:
dbus-1 was updated to version 1.8.12 to fix one security issue.

This security issue was fixed:
- Increase dbus-daemons RLIMIT_NOFILE rlimit to 65536 to stop an attacker from
  exhausting the file descriptors of the system bus (CVE-2014-7824).

Note: This already includes the fix for the regression that was introduced by 
the first fix for CVE-2014-7824 in 1.8.10.

On fast systems where local users are considered particularly
hostile, administrators can return to the 5 second timeout
(or any other value in milliseconds) by saving this as
/etc/dbus-1/system-local.conf:
<busconfig>
<limit name='auth_timeout'>5000</limit>
</busconfig>


-----------------------------------------
Patch: SUSE-2015-1
Released: Tue Dec 23 18:07:58 2014
Summary: Security update for libxml2
Severity: moderate
References: 901546,908376,CVE-2014-3660
Description:
This libxml2 update fixes the following security and non-security issues:

- Fix a denial of service via recursive entity expansion. (CVE-2014-3660, bnc#901546, bgo#738805)
- Fix a regression in xzlib compression support. (bnc#908376)


-----------------------------------------
Patch: SUSE-2015-38
Released: Tue Dec 23 18:25:09 2014
Summary: Recommended update for dracut
Severity: important
References: 874621,897901,900831,901322,904533,905296,905869,906592
Description:
This update for dracut provides the following fixes:

- Fix console font for foreign languages (bnc#904533).
- Fix SUSE specific initrd-$kernel_ver vs mainline initramfs-$kernel_ver.img.
- Run file system check (bnc#906592).
- Add ifname=NIC:MAC boot parameter to always identify correct NIC (bnc#900831).
- Fix a typo (bnc#901322).
- Add the cmac.ko cryptographic module to the FIPS modules list (bnc#905296).
- Fix two install-kernel issues: call depmod (bnc#874621); add .config (bnc#897901).
- Clean up kgraft-patch packages in purge-kernel (bnc#905869).


-----------------------------------------
Patch: SUSE-2015-12
Released: Wed Jan  7 11:24:10 2015
Summary: Security update for unzip
Severity: moderate
References: 909214,CVE-2014-8139,CVE-2014-8140,CVE-2014-8141
Description:

  This update fixes the following security issues:

- CVE-2014-8139: fix heap overflow condition in
  the CRC32 verification (fixes bnc#909214)
- CVE-2014-8140 and CVE-2014-8141: fix write error
  (*_8349_*) shows a problem in extract.c:test_compr_eb(), and:
  read errors (*_6430_*, *_3422_*) show problems in
  process.c:getZip64Data() (fixes bnc#909214)



-----------------------------------------
Patch: SUSE-2015-99
Released: Wed Jan  7 19:36:45 2015
Summary: Recommended update for supportutils
Severity: low
References: 900366,904481,904729
Description:
This update for supportutils provides the following fixes and enhancements:

- Fixed NTP service in ntp.txt. (bnc#904729)
- Create a new lxc.txt file to include information about virtual containers using lxc and/or libvirt-lxc. (bnc#904481)
- Include /var/log/libvirt/libxl logs in xen.txt. (bnc#900366)

-----------------------------------------
Patch: SUSE-2015-46
Released: Thu Jan  8 11:52:33 2015
Summary: Security update for libsndfile
Severity: moderate
References: 911796,CVE-2014-9496
Description:

      This update fixes the following security issue:
      - two buffer read overflows in sd2_parse_rsrc_fork() (CVE-2014-9496, bnc#911796): backported upstream fix patches


-----------------------------------------
Patch: SUSE-2015-25
Released: Thu Jan  8 13:21:39 2015
Summary: Recommended update for release-notes-sles
Severity: low
References: 896645,903217,903673,903795,905802,909721
Description:
This update provides the latest revision of the release notes for SUSE Linux Enterprise Server 12:

- New: Dynamic Aggregation of LVM Metadata via lvmetad (fate#314556)
- New: Linux support for Flash and concurrent Flash MCL updates (bnc#909721, fate#315317)
- New: Connection to VNC support GNOME (fate#318311)
- New: Autoselecting Packages during Module Activation (bnc#905802, fate#318213)
- New: cifs-utils /etc/samba/smbfstab migration (bnc#903217, fate#318090)
- Updated: System z Performance Counters in perf Tool (bnc#909721, fate#315988)
- Updated: Current Features and Limitations in a UEFI Secure Boot Context (bnc#896645, fate#317500)
- Updated: Filesystem Support Table (bnc#903673)
- Updated: Enabling the wicked 'nanny' Framework (fate#316649)
- Updated: Apache 2.4 (fate#317912)
- Updated: Serial Console Bootloader Settings (fate#317818)
- Updated: /proc/acpit/event Interface Removed (fate#317911).

-----------------------------------------
Patch: SUSE-2015-21
Released: Thu Jan  8 15:56:56 2015
Summary: Security update for the Linux Kernel
Severity: important
References: 851603,853040,860441,862957,863526,870498,873228,874025,877622,879255,880767,880892,881085,883139,887046,887382,887418,889295,889297,891259,891619,892254,892612,892650,892860,893454,894057,894863,895221,895387,895468,895680,895983,896391,897101,897736,897770,897912,898234,898297,899192,899489,899551,899785,899787,899908,900126,901090,901774,901809,901925,902010,902016,902346,902893,902898,903279,903307,904013,904077,904115,904354,904871,905087,905100,905296,905758,905772,907818,908184,909077,910251,910697,CVE-2013-6405,CVE-2014-3185,CVE-2014-3610,CVE-2014-3611,CVE-2014-3647,CVE-2014-3673,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-9090,CVE-2014-9322
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.31 to receive
various security and bugfixes.

Security issues fixed:
CVE-2014-9322: A local privilege escalation in the x86_64 32bit compatibility
signal handling was fixed, which could be used by local attackers to crash
the machine or execute code.

CVE-2014-9090: Various issues in LDT handling in 32bit compatibility mode on
the x86_64 platform were fixed, where local attackers could crash the machine.

CVE-2014-8133: Insufficient validation of TLS register usage could leak information
from the kernel stack to userspace.

CVE-2014-7826: kernel/trace/trace_syscalls.c in the Linux kernel did
not properly handle private syscall numbers during use of the ftrace
subsystem, which allowed local users to gain privileges or cause a denial
of service (invalid pointer dereference) via a crafted application.

CVE-2014-3647: Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandled
noncanonical addresses when emulating instructions that change the rip
(Instruction Pointer). A guest user with access to I/O or the MMIO could use
this flaw to cause a denial of service (system crash) of the guest.

CVE-2014-3611: A race condition flaw was found in the way the Linux
kernel's KVM subsystem handled PIT (Programmable Interval Timer)
emulation. A guest user who has access to the PIT I/O ports could use
this flaw to crash the host.

CVE-2014-3610: If the guest writes a noncanonical value to certain MSR
registers, KVM will write that value to the MSR in the host context and
a #GP will be raised leading to kernel panic. A privileged guest user
could have used this flaw to crash the host.

CVE-2014-7841: A remote attacker could have used a flaw in SCTP to crash the
system by sending a maliciously prepared SCTP packet in order to trigger
a NULL pointer dereference on the server.

CVE-2014-3673: The SCTP implementation in the Linux kernel allowed
remote attackers to cause a denial of service (system crash) via
a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and
net/sctp/sm_statefuns.c.

CVE-2014-3185: Multiple buffer overflows in the command_port_read_callback
function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial
Driver in the Linux kernel allowed physically proximate attackers to
execute arbitrary code or cause a denial of service (memory corruption
and system crash) via a crafted device that provides a large amount of
(1) EHCI or (2) XHCI data associated with a bulk response.



Bugs fixed:
BTRFS:
- btrfs: fix race that makes btrfs_lookup_extent_info miss skinny
  extent items (bnc#904077).
- btrfs: fix invalid leaf slot access in btrfs_lookup_extent()
  (bnc#904077).
- btrfs: avoid returning -ENOMEM in convert_extent_bit() too early
  (bnc#902016).
- btrfs: make find_first_extent_bit be able to cache any state
  (bnc#902016).
- btrfs: deal with convert_extent_bit errors to avoid fs
  corruption (bnc#902016).
- btrfs: be aware of btree inode write errors to avoid fs
  corruption (bnc#899551).
- btrfs: add missing end_page_writeback on submit_extent_page
  failure (bnc#899551).
- btrfs: fix crash of btrfs_release_extent_buffer_page
  (bnc#899551).
- btrfs: ensure readers see new data after a clone operation
  (bnc#898234).
- btrfs: avoid visiting all extent items when cloning a range
  (bnc#898234).
- btrfs: fix clone to deal with holes when NO_HOLES feature is
  enabled (bnc#898234).
- btrfs: make fsync work after cloning into a file (bnc#898234).
- btrfs: fix use-after-free when cloning a trailing file hole
  (bnc#898234).
- btrfs: clone, don't create invalid hole extent map (bnc#898234).
- btrfs: limit the path size in send to PATH_MAX (bnc#897770).
- btrfs: send, fix more issues related to directory renames
  (bnc#897770).
- btrfs: send, remove dead code from __get_cur_name_and_parent
  (bnc#897770).
- btrfs: send, account for orphan directories when building path
  strings (bnc#897770).
- btrfs: send, avoid unnecessary inode item lookup in the btree
  (bnc#897770).
- btrfs: send, fix incorrect ref access when using extrefs
  (bnc#897770).
- btrfs: send, build path string only once in send_hole
  (bnc#897770).
- btrfs: part 2, fix incremental send's decision to delay a dir
  move/rename (bnc#897770).
- btrfs: fix incremental send's decision to delay a dir
  move/rename (bnc#897770).
- btrfs: remove unnecessary inode generation lookup in send
  (bnc#897770).
- btrfs: avoid unnecessary utimes update in incremental send
  (bnc#897770).
- btrfs: fix send issuing outdated paths for utimes, chown and
  chmod (bnc#897770).
- btrfs: fix send attempting to rmdir non-empty directories
  (bnc#897770).
- btrfs: send, don't send rmdir for same target multiple times
  (bnc#897770).
- btrfs: incremental send, fix invalid path after dir rename
  (bnc#897770).
- btrfs: fix assert screwup for the pending move stuff
  (bnc#897770).
- btrfs: make some tree searches in send.c more efficient
  (bnc#897770).
- btrfs: use right extent item position in send when finding
  extent clones (bnc#897770).
- btrfs: more send support for parent/child dir relationship
  inversion (bnc#897770).
- btrfs: fix send dealing with file renames and directory moves
  (bnc#897770).
- btrfs: add missing error check in incremental send (bnc#897770).
- btrfs: make send's file extent item search more efficient
  (bnc#897770).
- btrfs: fix infinite path build loops in incremental send
  (bnc#897770).
- btrfs: send, don't delay dir move if there's a new parent inode
  (bnc#897770).
- btrfs: add helper btrfs_fdatawrite_range (bnc#902010).
- btrfs: correctly flush compressed data before/after direct IO
  (bnc#902010).
- btrfs: make inode.c:compress_file_range() return void
  (bnc#902010).
- btrfs: report error after failure inlining extent in compressed
  write path (bnc#902010).
- btrfs: don't ignore compressed bio write errors (bnc#902010).
- btrfs: make inode.c:submit_compressed_extents() return void
  (bnc#902010).
- btrfs: process all async extents on compressed write failure
  (bnc#902010).
- btrfs: don't leak pages and memory on compressed write error
  (bnc#902010).
- btrfs: fix hang on compressed write error (bnc#902010).
- btrfs: set page and mapping error on compressed write failure
  (bnc#902010).
- btrfs: fix kfree on list_head in btrfs_lookup_csums_range
  error cleanup (bnc#904115).


Hyper-V:
- hyperv: Fix a bug in netvsc_send().
- hyperv: Fix a bug in netvsc_start_xmit().
- drivers: hv: vmbus: Enable interrupt driven flow control.
- drivers: hv: vmbus: Properly protect calls to
  smp_processor_id().
- drivers: hv: vmbus: Cleanup hv_post_message().
- drivers: hv: vmbus: Cleanup vmbus_close_internal().
- drivers: hv: vmbus: Fix a bug in vmbus_open().
- drivers: hv: vmbus: Cleanup vmbus_establish_gpadl().
- drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl().
- drivers: hv: vmbus: Cleanup vmbus_post_msg().
- storvsc: get rid of overly verbose warning messages.
- hyperv: NULL dereference on error.
- hyperv: Increase the buffer length for netvsc_channel_cb().

zSeries / S390:
- s390: pass march flag to assembly files as well (bnc#903279,
  LTC#118177).
- kernel: reduce function tracer overhead (bnc#903279,
  LTC#118177).
- SUNRPC: Handle EPIPE in xprt_connect_status (bnc#901090).
- SUNRPC: Ensure that we handle ENOBUFS errors correctly
  (bnc#901090).
- SUNRPC: Ensure call_connect_status() deals correctly with
  SOFTCONN tasks (bnc#901090).
- SUNRPC: Ensure that call_connect times out correctly
  (bnc#901090).
- SUNRPC: Handle connect errors ECONNABORTED and EHOSTUNREACH
  (bnc#901090).
- SUNRPC: Ensure xprt_connect_status handles all potential
  connection errors (bnc#901090).
- SUNRPC: call_connect_status should recheck bind and connect
  status on error (bnc#901090).

kGraft:
- kgr: force patching process to succeed (fate#313296).
- kgr: usb-storage, mark kthread safe (fate#313296 bnc#899908).
- Refresh patches.suse/kgr-0039-kgr-fix-ugly-race.patch.
  Fix few bugs, and also races (immutable vs mark_processes vs other
  threads).
- kgr: always use locked bit ops for thread_info->flags
  (fate#313296).
- kgr: lower the workqueue scheduling timeout (fate#313296
  bnc#905087).
- kgr: mark even more kthreads (fate#313296 bnc#904871).
- rpm/kernel-binary.spec.in: Provide name-version-release for kgraft
  packages (bnc#901925)

Other:
- NFSv4: test SECINFO RPC_AUTH_GSS pseudoflavors for support
  (bnc#905758).

- Enable cmac(aes) and cmac(3des_ede) for FIPS mode (bnc#905296
  bnc#905772).

- scsi_dh_alua: disable ALUA handling for non-disk devices
  (bnc#876633).

- powerpc/vphn: NUMA node code expects big-endian (bsc#900126).

- net: fix checksum features handling in netif_skb_features()
  (bnc#891259).

- be2net: Fix invocation of be_close() after be_clear()
  (bnc#895468).

- PCI: pciehp: Clear Data Link Layer State Changed during init
  (bnc#898297).
- PCI: pciehp: Use symbolic constants, not hard-coded bitmask
  (bnc#898297).
- PCI: pciehp: Use link change notifications for hot-plug and
  removal (bnc#898297).
- PCI: pciehp: Make check_link_active() non-static (bnc#898297).
- PCI: pciehp: Enable link state change notifications
  (bnc#898297).

- ALSA: hda - Treat zero connection as non-error (bnc#902898).

- bcache: add mutex lock for bch_is_open (bnc#902893).

- futex: Fix a race condition between REQUEUE_PI and task death
  (bcn #851603 (futex scalability series)).

- Linux 3.12.31 (bnc#895983 bnc#897912).

- futex: Ensure get_futex_key_refs() always implies a barrier
  (bcn #851603 (futex scalability series)).

- usbback: don't access request fields in shared ring more
  than once.
- Update Xen patches to 3.12.30.

- locking/rwsem: Avoid double checking before try acquiring
  write lock (Locking scalability.).

- zcrypt: toleration of new crypto adapter hardware (bnc#894057,
  LTC#117041).
- zcrypt: support for extended number of ap domains (bnc#894057,
  LTC#117041).

- kABI: protect linux/fs.h include in mm/internal.h.

- Linux 3.12.30 (FATE#315482 bnc#862957 bnc#863526 bnc#870498).

- Update
  patches.fixes/xfs-mark-all-internal-workqueues-as-freezable.patch
  (bnc#899785).

- xfs: mark all internal workqueues as freezable.

- drm/i915: Move DP port disable to post_disable for pch platforms
  (bnc#899787).

- pagecachelimit: reduce lru_lock congestion for heavy parallel
  reclaim fix (bnc#895680).

- Linux 3.12.29 (bnc#879255 bnc#880892 bnc#887046 bnc#887418
  bnc#891619 bnc#892612 bnc#892650 bnc#897101).

- iommu/vt-d: Work around broken RMRR firmware entries
  (bnc#892860).
- iommu/vt-d: Store bus information in RMRR PCI device path
  (bnc#892860).
- iommu/vt-d: Only remove domain when device is removed
  (bnc#883139).
- driver core: Add BUS_NOTIFY_REMOVED_DEVICE event (bnc#883139).

- Update config files: Re-enable CONFIG_FUNCTION_PROFILER (bnc#899489)
  Option FUNCTION_PROFILER was enabled in debug and trace kernels so far,
  but it was accidentally disabled before tracing features were merged
  into the default kernel and the trace flavor was discarded. So all
  kernels are missing the feature now. Re-enable it.

- xfs: xlog_cil_force_lsn doesn't always wait correctly.

- scsi: clear 'host_scribble' upon successful abort (bnc#894863).

- module: warn if module init + probe takes long (bnc#889297
  bnc#877622 bnc#889295 bnc#893454).

- mm, THP: don't hold mmap_sem in khugepaged when allocating THP
  (bnc#880767, VM Performance).

- pagecache_limit: batch large nr_to_scan targets (bnc#895221).

- iommu/vt-d: Check return value of acpi_bus_get_device() (bnc#903307).

- rpm/kernel-binary.spec.in: Fix including the secure boot cert in /etc/uefi/certs

- sched: Reduce contention in update_cfs_rq_blocked_load()
  (Scheduler/core performance).

- x86: use optimized ioresource lookup in ioremap function
  (Boot time optimisations (bnc#895387)).
- x86: optimize resource lookups for ioremap (Boot time
  optimisations (bnc#895387)).

- usb: Do not re-read descriptors for wired devices in
  usb_authorize_device() (bnc#904354).

- netxen: Fix link event handling (bnc#873228).

- x86, cpu: Detect more TLB configuration -xen (TLB Performance).

- x86/mm: Fix RCU splat from new TLB tracepoints (TLB
  Performance).
- x86/mm: Set TLB flush tunable to sane value (33) (TLB
  Performance).
- x86/mm: New tunable for single vs full TLB flush (TLB
  Performance).
- x86/mm: Add tracepoints for TLB flushes (TLB Performance).
- x86/mm: Unify remote INVLPG code (TLB Performance).
- x86/mm: Fix missed global TLB flush stat (TLB Performance).
- x86/mm: Rip out complicated, out-of-date, buggy TLB flushing
  (TLB Performance).
- x86, cpu: Detect more TLB configuration (TLB Performance).
- mm, x86: Revisit tlb_flushall_shift tuning for page flushes
  except on IvyBridge (TLB Performance).
- x86/mm: Clean up the TLB flushing code (TLB Performance).
- mm: free compound page with correct order (VM Functionality).

- bnx2x: Utilize FW 7.10.51 (bnc#887382).
- bnx2x: Remove unnecessary internal mem config (bnc#887382).

- rtnetlink: fix oops in rtnl_link_get_slave_info_data_size
  (bnc#901774).

- dm: do not call dm_sync_table() when creating new devices
  (bnc#901809).

- [media] uvc: Fix destruction order in uvc_delete() (bnc#897736).

- uas: replace WARN_ON_ONCE() with lockdep_assert_held()
  (FATE#315595).

- cxgb4/cxgb4vf: Add Devicde ID for two more adapter (bsc#903999).
- cxgb4/cxgb4vf: Add device ID for new adapter and remove for
  dbg adapter (bsc#903999).
- cxgb4: Adds device ID for few more Chelsio T4 Adapters
  (bsc#903999).
- cxgb4: Check if rx checksum offload is enabled, while reading
  hardware calculated checksum (bsc#903999).

- xen-pciback: drop SR-IOV VFs when PF driver unloads
  (bsc#901839).

This update also includes fixes contained in the Linux 3.12.stable release series,
not seperately listed here.


-----------------------------------------
Patch: SUSE-2015-29
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:

   This update fixes the following security issues   
      - CVE-2014-8150: URL request injection vulnerability  (bnc#911363)
      - CVE-2014-3707: duphandle read out of bounds  (bnc#901924)


-----------------------------------------
Patch: SUSE-2015-145
Released: Mon Jan 12 21:21:28 2015
Summary: Recommended update for open-iscsi
Severity: moderate
References: 902183,905670
Description:
This update for open-iscsi provides the following fixes:

- Fix isns server to allow legal registration sequence, including portal group. (bsc#905670)
- Properly boot all iSCSI CNAs. (bsc#902183)


-----------------------------------------
Patch: SUSE-2015-53
Released: Tue Jan 13 12:24:12 2015
Summary: Security update for mpfr
Severity: moderate
References: 911812,CVE-2014-9474
Description:

      This update fixes the following security issue: 
      - CVE-2014-9474: possible buffer overflow in mpfr_strtofr (bnc#911812)


-----------------------------------------
Patch: SUSE-2015-36
Released: Wed Jan 14 09:37:49 2015
Summary: Security update for bind
Severity: important
References: 908994,CVE-2014-8500
Description:

This update of bind to 9.9.6P1 fixes bugs and also the following security issue:

A flaw in delegation handling could be exploited to put named
into an infinite loop.  This has been addressed by placing
limits on the number of levels of recursion named will allow
(default 7), and the number of iterative queries that it will
send (default 50) before terminating a recursive query
(CVE-2014-8500, bnc#908994).

The recursion depth limit is configured via the
'max-recursion-depth' option, and the query limit via the
'max-recursion-queries' option.

Also the rpz2 patch was removed as it is no longer maintained.


-----------------------------------------
Patch: SUSE-2015-33
Released: Wed Jan 14 10:47:09 2015
Summary: Security update for libpng16
Severity: important
References: 912076,912929,CVE-2014-9495,CVE-2015-0973
Description:

  This update fixes the following security issues:

  * CVE-2014-9495: libpng versions heap overflow vulnerability, that under certain circumstances could be exploit. [bnc#912076]

  * CVE-2015-0973: A heap-based overflow was found in the png_combine_row() function of the libpng library, when very large interlaced images were used.[bnc#912929]



-----------------------------------------
Patch: SUSE-2015-50
Released: Thu Jan 15 16:33:18 2015
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 888534
Description:

The system root SSL certificates were updated to match Mozilla NSS 2.2.

Some removed/disabled 1024 bit certificates were temporarily reenabled/readded,
as openssl and gnutls have a different handling of intermediates than
mozilla nss and would otherwise not recognize SSL certificates from commonly used
sites like Amazon.

Updated to 2.2 (bnc#888534)
- The following CAs were added:
  + COMODO_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R4
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R5
    codeSigning emailProtection serverAuth
  + USERTrust_ECC_Certification_Authority
    codeSigning emailProtection serverAuth
  + USERTrust_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
- The following CAs were changed:
  + Equifax_Secure_eBusiness_CA_1
    remote code signing and https trust, leave email trust
  + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
    only trust emailProtection
- Updated to 2.1 (bnc#888534)
- The following 1024-bit CA certificates were removed
  - Entrust.net Secure Server Certification Authority
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
  - TDC Internet Root CA
- The following CA certificates were added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
- The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado

Temporary reenable some root ca trusts, as openssl/gnutls
have trouble using intermediates as root CA.
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2


-----------------------------------------
Patch: SUSE-2015-40
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:

- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode 
- bnc#911228: Fix noglob patch, it broke files with space.

-----------------------------------------
Patch: SUSE-2015-56
Released: Thu Jan 15 18:45:08 2015
Summary: Optional update for python-setuptools, python3-setuptools
Severity: low
References: 913229
Description:
python-setuptools and python3-setuptools have been added
to SUSE Linux Enterprise 12 Software Development Kit.

Setuptools is a collection of enhancements to the Python distutils that
allow you to more easily build and distribute Python packages, especially
those that have dependencies on other packages.

-----------------------------------------
Patch: SUSE-2015-64
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------
Patch: SUSE-2015-114
Released: Fri Jan 16 16:28:22 2015
Summary: Recommended update for yast2-packager
Severity: low
References: 899482,909399
Description:
This update for yast2-packager fixes a crash when using custom licenses in the firstboot workflow.

-----------------------------------------
Patch: SUSE-2015-26
Released: Fri Jan 16 18:54:45 2015
Summary: Security update for MozillaFirefox
Severity: important
References: 909563,910647,910669,CVE-2014-1569,CVE-2014-8634,CVE-2014-8635,CVE-2014-8638,CVE-2014-8639,CVE-2014-8641
Description:

This update fixes the following security issues in MozillaFirefox:
- MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
   (bmo#1109889, bmo#1111737, bmo#1026774, bmo#1027300,
     bmo#1054538, bmo#1067473, bmo#1070962, bmo#1072130,
     bmo#1072871, bmo#1098583)
    Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
- MFSA 2015-03/CVE-2014-8638
   (bmo#1080987)
   sendBeacon requests lack an Origin header
- MFSA 2015-04/CVE-2014-8639
  (bmo#1095859)
  Cookie injection through Proxy Authenticate responses
- MFSA 2015-06/CVE-2014-8641
  (bmo#1108455)
  Read-after-free in WebRTC

Also Mozilla NSS was updated to 3.17.3 to fix:
* The QuickDER decoder now decodes lengths robustly
  (bmo#1064670/CVE-2014-1569)
* Support for TLS_FALLBACK_SCSV has been added to the ssltap
  and tstclnt utilities
* Changes in CA certificates


-----------------------------------------
Patch: SUSE-2015-44
Released: Tue Jan 20 00:18:26 2015
Summary: Security update for binutils
Severity: moderate
References: 902676,902677,903655,905735,905736,CVE-2014-8484,CVE-2014-8485,CVE-2014-8501,CVE-2014-8502,CVE-2014-8503,CVE-2014-8504,CVE-2014-8737,CVE-2014-8738
Description:
This binutils update fixes the following security issues:

- bnc#902676: lack of range checking leading to controlled write in 
  _bfd_elf_setup_sections() (CVE-2014-8485)
- bnc#902677: invalid read flaw in libbfd (CVE-2014-8484)
- bnc#903655: Multiple memory corruption issues in binary parsers of 
  libbfd (CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504)
- bnc#905735: Out-of-bounds memory write while processing a crafted 'ar'
  archive (CVE-2014-8738)
- bnc#905736: Directory traversal vulnerability allowing random file 
  deletion/creation (CVE-2014-8737)


-----------------------------------------
Patch: SUSE-2015-74
Released: Wed Jan 21 13:02:53 2015
Summary: Security update for krb5
Severity: important
References: 897874,898439,912002,CVE-2014-5351,CVE-2014-5352,CVE-2014-9421,CVE-2014-9422,CVE-2014-9423
Description:

MIT kerberos krb5 was updated to fix several security issues and bugs.

Security issues fixed:
CVE-2014-5351: The kadm5_randkey_principal_3 function in
lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5)
sent old keys in a response to a -randkey -keepold request, which allowed
remote authenticated users to forge tickets by leveraging administrative
access.

CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context
deletion token, the caller was left with a security context handle
containing a dangling pointer.  Further uses of this handle would have
resulted in use-after-free and double-free memory access violations.
libgssrpc server applications such as kadmind were vulnerable as they
can be instructed to call gss_process_context_token().

CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may have performed use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results. Other libgssrpc server applications might also
been vulnerable if they contain insufficiently defensive XDR functions.

CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted
authentications to two-component server principals whose first
component is a left substring of 'kadmin' or whose realm is a left
prefix of the default realm.

CVE-2014-9423: libgssrpc applications including kadmind output four or
eight bytes of uninitialized memory to the network as part of an
unused 'handle' field in replies to clients.

Bugs fixed:
- Work around replay cache creation race; (bnc#898439).


-----------------------------------------
Patch: SUSE-2015-48
Released: Wed Jan 21 20:55:46 2015
Summary: Security update for the Linux Kernel
Severity: important
References: 800255,809493,829110,856659,862374,873252,875220,884407,887108,887597,889192,891086,891277,893428,895387,895814,902232,902346,902349,903279,903640,904053,904177,904659,904969,905087,905100,906027,906140,906545,907069,907325,907536,907593,907714,907818,907969,907970,907971,907973,908057,908163,908198,908803,908825,908904,909077,909092,909095,909829,910249,910697,911181,911325,912129,912278,912281,912290,912514,912705,912946,913233,913387,913466,CVE-2014-3687,CVE-2014-3690,CVE-2014-8559,CVE-2014-9420,CVE-2014-9585
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.36 to receive
various security and bugfixes.

Following security bugs were fixed:
- CVE-2014-8559: The d_walk function in fs/dcache.c in the Linux kernel
  through 3.17.2 did not properly maintain the semantics of rename_lock,
  which allowed local users to cause a denial of service (deadlock and
  system hang) via a crafted application (bnc#903640).
- CVE-2014-9420: The rock_continue function in fs/isofs/rock.c in the
  Linux kernel through 3.18.1 did not restrict the number of Rock Ridge
  continuation entries, which allowed local users to cause a denial of
  service (infinite loop, and system crash or hang) via a crafted iso9660
  image (bnc#906545 911325).
- CVE-2014-3690: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux
  kernel before 3.17.2 on Intel processors did not ensure that the value
  in the CR4 control register remained the same after a VM entry, which
  allowed host OS users to kill arbitrary processes or cause a denial of
  service (system disruption) by leveraging /dev/kvm access, as
  demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU
  (bnc#902232).
- CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function in
  net/sctp/associola.c in the SCTP implementation in the Linux kernel
  through 3.17.2 allowed remote attackers to cause a denial of service
  (panic) via duplicate ASCONF chunks that triggered an incorrect uncork
  within the side-effect interpreter (bnc#902349).
- CVE-2014-9585: The vdso_addr function in arch/x86/vdso/vma.c in the
  Linux kernel through 3.18.2 did not properly choose memory locations
  for the vDSO area, which made it easier for local users to bypass the
  ASLR protection mechanism by guessing a location at the end of a PMD
  (bnc#912705).

The following non-security bugs were fixed:
- ACPI idle: permit sparse C-state sub-state numbers (bnc#907969).
- ALSA: hda - verify pin:converter connection on unsol event for HSW and
  VLV.
- ALSA: hda - verify pin:cvt connection on preparing a stream for Intel
  HDMI codec.
- ALSA: hda/hdmi - apply Valleyview fix-ups to Cherryview display codec.
- ALSA: hda_intel: Add Device IDs for Intel Sunrise Point PCH.
- ALSA: hda_intel: Add DeviceIDs for Sunrise Point-LP.
- Btrfs: Disable
  patches.suse/Btrfs-fix-abnormal-long-waiting-in-fsync.patch
  (bnc#910697) because it needs to be revisited due partial msync behavior.
- Btrfs: Fix misuse of chunk mutex (bnc#912514).
- Btrfs: always clear a block group node when removing it from the tree
  (bnc#912514).
- Btrfs: collect only the necessary ordered extents on ranged fsync
  (bnc#912946).
- Btrfs: do not access non-existent key when csum tree is empty.
- Btrfs: do not delay inode ref updates during log replay.
- Btrfs: do not ignore log btree writeback errors (bnc#912946).
- Btrfs: ensure btrfs_prev_leaf does not miss 1 item.
- Btrfs: ensure deletion from pinned_chunks list is protected
  (bnc#908198).
- Btrfs: ensure ordered extent errors are not missed on fsync
  (bnc#912946).
- Btrfs: fix abnormal long waiting in fsync (VM/FS Micro-optimisations).
- Btrfs: fix abnormal long waiting in fsync (bnc#912946).
- Btrfs: fix crash caused by block group removal (bnc#912514).
- Btrfs: fix freeing used extent after removing empty block group
  (bnc#912514).
- Btrfs: fix freeing used extents after removing empty block group
  (bnc#912514).
- Btrfs: fix fs corruption on transaction abort if device supports
  discard (bnc#908198).
- Btrfs: fix fs mapping extent map leak (bnc#908198).
- Btrfs: fix invalid block group rbtree access after bg is removed
  (bnc#912514).
- Btrfs: fix memory leak after block remove + trimming (bnc#908198).
- Btrfs: fix race between fs trimming and block group remove/allocation
  (bnc#908198).
- Btrfs: fix race between writing free space cache and trimming
  (bnc#908198).
- Btrfs: fix transaction leak during fsync call.
- Btrfs: fix unprotected deletion from pending_chunks list (bnc#908198).
- Btrfs: fix unprotected system chunk array insertion (bnc#912514).
- Btrfs: free ulist in qgroup_shared_accounting() error path.
- Btrfs: ioctl, do not re-lock extent range when not necessary.
- Btrfs: make btrfs_abort_transaction consider existence of new block
  groups (bnc#908198).
- Btrfs: make sure logged extents complete in the current transaction V3
  (bnc#912946).
- Btrfs: make sure we wait on logged extents when fsycning two subvols
  (bnc#912946).
- Btrfs: make xattr replace operations atomic (bnc#913466).
- Btrfs: remove empty block groups automatically (bnc#912514).
- Btrfs: remove unused wait queue in struct extent_buffer.
- Btrfs: replace EINVAL with ERANGE for resize when ULLONG_MAX.
- Btrfs: use helpers for last_trans_log_full_commit instead of opencode
  (bnc#912946).
- Drivers: hv: kvp,vss: Fast propagation of userspace communication
  failure.
- Drivers: hv: util: Properly pack the data for file copy functionality.
- Drivers: hv: util: make struct hv_do_fcopy match Hyper-V host messages.
- Drivers: hv: vmbus: Fix a race condition when unregistering a device.
- Drivers: hv: vss: Introduce timeout for communication with userspace.
- Fixed warning on DP unplugging driver in intel_dp.c (bnc#907536).
- Fixed warning on suspend in intel_display.c (bnc#907593).
- KEYS: Fix stale key registration at error path (bnc#908163).
- PCI/MSI: Add pci_enable_msi_range() and pci_enable_msix_range()
  (bug#912281).
- PCI/MSI: Add pci_enable_msi_range() and pci_enable_msix_range()
  (bug#912281).
- Refresh patches.xen/xen3-patch-3.9 (bsc#909829).
- Remove filesize checks for sync I/O journal commit (bnc#800255).
- SELinux: fix selinuxfs policy file on big endian systems (bsc#913233).
- Tools: hv: vssdaemon: ignore the EBUSY on multiple freezing the same
  partition.
- Tools: hv: vssdaemon: report freeze errors.
- Tools: hv: vssdaemon: skip all filesystems mounted readonly.
- Update Xen patches to 3.12.35.
- Update s390x kabi files again (bnc#903279, LTC#118177)
- benet: Use pci_enable_msix_range() instead of pci_enable_msix()
  (bug#912281).
- bfa: check for terminated commands (bnc#906027).
- cpuidle / menu: Return (-1) if there are no suitable states (cpuidle
  performance).
- cpuidle / menu: move repeated correction factor check to init (cpuidle
  performance).
- cpuidle: Do not substract exit latency from assumed sleep length
  (cpuidle performance).
- cpuidle: Ensure menu coefficients stay within domain (cpuidle
  performance).
- cpuidle: Move perf multiplier calculation out of the selection loop
  (cpuidle performance).
- cpuidle: Use actual state latency in menu governor (cpuidle
  performance).
- cpuidle: menu governor - remove unused macro STDDEV_THRESH (cpuidle
  performance).
- cpuidle: menu: Call nr_iowait_cpu less times (cpuidle performance).
- cpuidle: menu: Lookup CPU runqueues less (cpuidle performance).
- cpuidle: menu: Use ktime_to_us instead of reinventing the wheel
  (cpuidle performance).
- cpuidle: menu: Use shifts when calculating averages where possible
  (cpuidle performance).
- cpuidle: rename expected_us to next_timer_us in menu governor (cpuidle
  performance).
- crypto: aesni - Add support for 192 & 256 bit keys to AESNI RFC4106
  (bsc#913387).
- crypto: kernel oops at insmod of the z90crypt device driver
  (bnc#908057, LTC#119591).
- cxgb4: Add the MC1 registers to read in the interrupt handler
  (bsc#912290).
- cxgb4: Allow T4/T5 firmware sizes up to 1MB (bsc#912290).
- cxgb4: Fix FW flash logic using ethtool (bsc#912290).
- cxgb4: Fix T5 adapter accessing T4 adapter registers (bsc#912290).
- cxgb4: Fix for handling 1Gb/s SFP+ Transceiver Modules (bsc#912290).
- cxgb4: Fix race condition in cleanup (bsc#912290).
- cxgb4: Free completed tx skbs promptly (bsc#912290).
- cxgb4: Not need to hold the adap_rcu_lock lock when read adap_rcu_list
  (bsc#912290).
- cxgb4: Use FW interface to get BAR0 value (bsc#912290).
- drm/i915: Do a dummy DPCD read before the actual read (bnc#907714).
- drm: add MIPI DSI encoder and connector types (bnc#907971).
- ext4: cache extent hole in extent status tree for ext4_da_map_blocks()
  (bnc#893428).
- ext4: change LRU to round-robin in extent status tree shrinker
  (bnc#893428).
- ext4: cleanup flag definitions for extent status tree (bnc#893428).
- ext4: fix block reservation for bigalloc filesystems (bnc#893428).
- ext4: improve extents status tree trace point (bnc#893428).
- ext4: introduce aging to extent status tree (bnc#893428).
- ext4: limit number of scanned extents in status tree shrinker
  (bnc#893428).
- ext4: move handling of list of shrinkable inodes into extent status
  code (bnc#893428).
- ext4: track extent status tree shrinker delay statictics (bnc#893428).
- fix kABI after 'x86: use custom dma_get_required_mask()'.
- fsnotify: next_i is freed during fsnotify_unmount_inodes (bnc#908904).
- hv: hv_balloon: avoid memory leak on alloc_error of 2MB memory block.
- hyperv: Add processing of MTU reduced by the host.
- hyperv: Fix some variable name typos in send-buffer init/revoke.
- hyperv: Fix the total_data_buflen in send path.
- intel_idle: Add CPU model 54 (Atom N2000 series) (bnc#907969).
- intel_idle: allow sparse sub-state numbering, for Bay Trail
  (bnc#907969).
- intel_idle: support Bay Trail (bnc#907969).
- intel_pstate: Add setting voltage value for baytrail P states
  (bnc#907973).
- intel_pstate: Add support for Baytrail turbo P states (bnc#907973).
- intel_pstate: Fix BYT frequency reporting (bnc#907973).
- intel_pstate: Fix setting VID (bnc#907973).
- intel_pstate: Set turbo VID for BayTrail (bnc#907973).
- intel_pstate: Use LFM bus ratio as min ratio/P state (bnc#907973).
- iommu/vt-d: Fix an off-by-one bug in __domain_mapping() (bsc#908825).
- ipc/sem.c: change memory barrier in sem_lock() to smp_rmb() (IPC
  scalability).
- isofs: Fix unchecked printing of ER records.
- kABI: fix for move of d_rcu (bnc#903640 CVE-2014-8559).
- kABI: protect ipv6.h include in drivers/net.
- kABI: protect rmap include in mm/truncate.c.
- kABI: protect struct iwl_trans.
- kABI: protect struct pci_dev.
- kABI: protect struct user_namespace.
- kABI: protect user_namespace.h include in kernel/groups.c.
- kABI: reintroduce generic_write_sync.
- kABI: uninline of_property_count_string* functions. Omitted ppc64le
  kabi fix for 3.12.33.
- kernel: kprobes instruction corruption (bnc#908057, LTC#119330).
- kernel: reduce function tracer overhead (bnc#903279, LTC#118177).
- kgr: allow to search various types of struct kgr_patch_fun.
- kgr: be consistent when applying patches on loaded modules.
- kgr: fix replace_all.
- kgr: fix typo in error message.
- kgr: fix unwinder and user addresses (bnc#908803).
- kgr: handle IRQ context using global variable.
- kgr: mark even more kthreads (bnc#905087 bnc#906140).
- kgr: prevent recursive loops of stubs in ftrace.
- kgr: set revert slow state for all reverted symbols when loading
  patched module.
- kgr: unregister only the used ftrace ops when removing a patched
  module.
- kprobes: introduce weak arch_check_ftrace_location() helper function
  (bnc#903279, LTC#118177).
- kvm: Do not expose MONITOR cpuid as available (bnc#887597)
- lpfc: Fix race on command completion (bnc#906027).
- macvlan: allow setting LRO independently of lower device (bnc#829110
  bnc#891277 bnc#904053).
- mm, cma: drain single zone pcplists (VM Performance, bnc#904177).
- mm, compaction: always update cached scanner positions (VM Performance,
  bnc#904177).
- mm, compaction: defer each zone individually instead of preferred zone
  (VM Performance, bnc#904177).
- mm, compaction: defer only on COMPACT_COMPLETE (VM Performance,
  bnc#904177).
- mm, compaction: do not count compact_stall if all zones skipped
  compaction (VM Performance, bnc#904177).
- mm, compaction: do not recheck suitable_migration_target under lock (VM
  Performance, bnc#904177).
- mm, compaction: khugepaged should not give up due to need_resched() (VM
  Performance, bnc#904177).
- mm, compaction: more focused lru and pcplists draining (VM Performance,
  bnc#904177).
- mm, compaction: move pageblock checks up from
  isolate_migratepages_range() (VM Performance, bnc#904177).
- mm, compaction: pass classzone_idx and alloc_flags to watermark
  checking (VM Performance, bnc#904177).
- mm, compaction: pass gfp mask to compact_control (VM Cleanup,
  bnc#904177).
- mm, compaction: periodically drop lock and restore IRQs in scanners (VM
  Performance, bnc#904177).
- mm, compaction: prevent infinite loop in compact_zone (VM
  Functionality, bnc#904177).
- mm, compaction: reduce zone checking frequency in the migration scanner
  (VM Performance, bnc#904177).
- mm, compaction: remember position within pageblock in free pages
  scanner (VM Performance, bnc#904177).
- mm, compaction: simplify deferred compaction (VM Performance,
  bnc#904177).
- mm, compaction: skip buddy pages by their order in the migrate scanner
  (VM Performance, bnc#904177).
- mm, compaction: skip rechecks when lock was already held (VM
  Performance, bnc#904177).
- mm, memory_hotplug/failure: drain single zone pcplists (VM Performance,
  bnc#904177).
- mm, page_isolation: drain single zone pcplists (VM Performance,
  bnc#904177).
- mm, thp: avoid excessive compaction latency during fault (VM
  Performance, bnc#904177).
- mm, thp: restructure thp avoidance of light synchronous migration (VM
  Performance, bnc#904177).
- mm/compaction.c: avoid premature range skip in
  isolate_migratepages_range (VM Functionality, bnc#904177).
- mm/compaction: skip the range until proper target pageblock is met (VM
  Performance, bnc#904177).
- mm/vmscan.c: use DIV_ROUND_UP for calculation of zones balance_gap and
  correct comments (VM Cleanup, bnc#904177).
- mm/vmscan: do not check compaction_ready on promoted zones (VM Cleanup,
  bnc#904177).
- mm/vmscan: restore sc->gfp_mask after promoting it to __GFP_HIGHMEM (VM
  Cleanup, bnc#904177).
- mm: Disable patches.suse/msync-fix-incorrect-fstart-calculation.patch
  (bnc#910697) because it needs to be revisited due partial msync
  behavior.
- mm: Disabled
  patches.suse/mm-msync.c-sync-only-the-requested-range-in-msync.patch
  (bnc#910697) because it needs to be revisited due partial msync behavior.
- mm: improve documentation of page_order (VM Cleanup, bnc#904177).
- mm: introduce single zone pcplists drain (VM Performance, bnc#904177).
- mm: memcontrol: remove hierarchy restrictions for swappiness and
  oom_control (VM Cleanup, bnc#904177).
- mm: page_alloc: determine migratetype only once (VM Performance,
  bnc#904177).
- mm: rename allocflags_to_migratetype for clarity (VM Cleanup,
  bnc#904177).
- mm: unmapped page migration avoid unmap+remap overhead (MM
  performance).
- mm: vmscan: clean up struct scan_control (VM Cleanup, bnc#904177).
- mm: vmscan: move call to shrink_slab() to shrink_zones() (VM Cleanup,
  bnc#904177).
- mm: vmscan: move swappiness out of scan_control (VM Cleanup,
  bnc#904177).
- mm: vmscan: remove all_unreclaimable() (VM Cleanup, bnc#904177).
- mm: vmscan: remove remains of kswapd-managed zone->all_unreclaimable
  (VM Cleanup, bnc#904177).
- mm: vmscan: remove shrink_control arg from do_try_to_free_pages() (VM
  Cleanup, bnc#904177).
- mm: vmscan: rework compaction-ready signaling in direct reclaim (VM
  Cleanup, bnc#904177).
- msync: fix incorrect fstart calculation (VM/FS Micro-optimisations).
- net, sunrpc: suppress allocation warning in rpc_malloc() (bnc#904659).
- net: Find the nesting level of a given device by type (bnc#829110
  bnc#891277 bnc#904053).
- net: Hyper-V: Deletion of an unnecessary check before the function call
  'vfree'.
- net: generic dev_disable_lro() stacked device handling (bnc#829110
  bnc#891277 bnc#904053).
- nvme: Add missing hunk from backport (bnc#873252).
- parport: parport_pc, do not remove parent devices early (bnc#856659).
- patches.suse/supported-flag: fix mis-reported supported status
  (bnc#809493).
- patches.xen/xen-privcmd-hcall-preemption: Fix EFLAGS.IF check.
- powerpc/fadump: Fix endianess issues in firmware assisted dump handling
  (bsc#889192).
- powerpc/pseries/hvcserver: Fix endian issue in hvcs_get_partner_info
  (bsc#912129).
- powerpc/pseries: Make CPU hotplug path endian safe (bsc#907069).
- powerpc: fix dlpar memory
- pseries: Fix endian issues in cpu hot-removal (bsc#907069).
- pseries: Fix endian issues in onlining cpu threads (bsc#907069).
- rpm/constraints.in: Require 10GB disk space on POWER A debuginfo build
  currently requires about 8.5 GB on POWER. Also, require at least 8
  CPUs, so that builds do not get accidentally scheduled on slow machines.
- rpm/gitlog-fixups: Fix invalid address in two commits
- s390/ftrace,kprobes: allow to patch first instruction (bnc#903279,
  LTC#118177).
- s390/ftrace: add HAVE_DYNAMIC_FTRACE_WITH_REGS support (bnc#903279,
  LTC#118177).
- s390/ftrace: add code replacement sanity checks (bnc#903279,
  LTC#118177).
- s390/ftrace: enforce DYNAMIC_FTRACE if FUNCTION_TRACER is selected
  (bnc#903279, LTC#118177).
- s390/ftrace: optimize function graph caller code (bnc#903279,
  LTC#118177).
- s390/ftrace: optimize mcount code (bnc#903279, LTC#118177).
- s390/ftrace: remove 31 bit ftrace support (bnc#903279, LTC#118177).
- s390/ftrace: remove check of obsolete variable function_trace_stop
  (bnc#903279, LTC#118177).
- s390/ftrace: revert mcount_adjust change (bnc#903279, LTC#118177).
- s390/ftrace: simplify enabling/disabling of ftrace_graph_caller
  (bnc#903279, LTC#118177).
- s390: pass march flag to assembly files as well (bnc#903279,
  LTC#118177).
- sched/fair: cleanup: Remove useless assignment in select_task_rq_fair()
  (cpuidle performance).
- scripts/tags.sh: Do not specify kind-spec for emacs ctags/etags.
- scripts/tags.sh: fix DEFINE_HASHTABLE in emacs case.
- scripts/tags.sh: include compat_sys_* symbols in the generated tags.
- scsi: call device handler for failed TUR command (bnc#895814).
- series.conf: remove orphan bnc comments
- storvsc: ring buffer failures may result in I/O freeze.
- supported.conf: mark tcm_qla2xxx as supported Has not been ported from
  SLES11 SP3 automatically.
- tags.sh: Fixup regex definition for etags.
- tcm_loop: Wrong I_T nexus association (bnc#907325).
- tools: hv: ignore ENOBUFS and ENOMEM in the KVP daemon.
- tools: hv: introduce -n/--no-daemon option.
- udf: Check component length before reading it.
- udf: Check path length when reading symlink.
- udf: Verify i_size when loading inode.
- udf: Verify symlink size before loading it.
- vmscan: memcg: always use swappiness of the reclaimed memcg (VM
  Cleanup, bnc#904177).
- x86, cpu: Detect more TLB configuration (TLB Performance).
- x86-64/MCE: flip CPU and bank numbers in log message.
- x86/UV: Fix conditional in gru_exit() (bsc#909095).
- x86/early quirk: use gen6 stolen detection for VLV (bnc#907970).
- x86/efi: Do not export efi runtime map in case old map (bsc#904969).
- x86/mm: Add tracepoints for TLB flushes (TLB Performance).
- x86/mm: Rip out complicated, out-of-date, buggy TLB flushing (TLB
  Performance).
- x86/uv: Update the UV3 TLB shootdown logic (bsc#909092).
- x86: UV BAU: Avoid NULL pointer reference in ptc_seq_show (bsc#911181).
- x86: UV BAU: Increase maximum CPUs per socket/hub (bsc#911181).
- x86: fix step size adjustment during initial memory mapping
  (bsc#910249).
- x86: use custom dma_get_required_mask().
- x86: use optimized ioresource lookup in ioremap function (Boot time
  optimisations (bnc#895387)).
  

-----------------------------------------
Patch: SUSE-2015-63
Released: Fri Jan 23 12:46:35 2015
Summary: Recommended update for postfix
Severity: moderate
References: 729154,908003,910265,911806,914086
Description:
This update for Postfix provides fixes for the following issues:

- Wrong access rights on /usr/sbin/postdrop causes permission denied when trying to send mails as non-root user. (bsc#908003)
- Wrong permissions for some postfix components. (bsc#729154)
- config.postfix does not set up correct saslauthd socket directory for chroot. (bsc#911806)
- config.postfix does not upgrade the chroot. (bsc#910265)
- Fix syntax error in config.postfix. (bsc#914086)


-----------------------------------------
Patch: SUSE-2015-51
Released: Fri Jan 23 15:04:39 2015
Summary: Recommended update for openssh
Severity: moderate
References: 855676,856316,912436
Description:

This update adjusts various parts of openssh (paramaters and available
cipher lists) in regards to FIPS certification.

Adjustments done:
- Some Key exchange modifications were done for FIPS, removing
  algorithms no longer allowed in FIPS mode.

- Only use Diffie Hellmann groups with 2048 bits or more in FIPS mode.

- Allow 'stat' call in seccomp sandbox due to reseeding changes in openssl.


-----------------------------------------
Patch: SUSE-2015-68
Released: Sat Jan 24 12:18:22 2015
Summary: Security update for xdg-utils
Severity: moderate
References: 906625,913676,CVE-2014-9622
Description:

This update of xdg-utils fixes a command injection security problem (CVE-2014-9622, bsc#913676)
and a bug when opening files where multiple mime handlers existed (bsc#906625).


-----------------------------------------
Patch: SUSE-2015-85
Released: Thu Jan 29 10:18:28 2015
Summary: Recommended update for wicked
Severity: moderate
References: 895600,900951,901337,901402,901517,904061,904380,904432,904776,904903,905421,905750,906217,907683,908554,910323,911315
Description:
This update for Wicked provides the following fixes:

- nanny: Use ifindex to reference workers in managed devices and hold worker references when starting fsm (bsc#904061)
- nanny: Always reference mdev's worker by ifindex (bsc#904061)
- nanny: Register discovered devices only when ready (bsc#904061)
- events: Query and update device name on events (bsc#904061)
- udev: Verify netdev index and update name at start, disable ready handling if udev is not used, e.g. in LXC (bsc#904061)
- xml: Don't require parent's control node in config (bsc#901517)
- wireless: Use string dict entry for WIRELESS_AP/bssid (bsc#911315)
- extensions: Fixed false errors from hostname update (bsc#910323)
- client: Fixed segfault in status (bsc#908554)
- bonding: Add new/missed bonding options (bsc#905750)
- systemd: Service ordering dependencies (bsc#895600, bsc#901337)
- sysctl: Do not fail on read-only proc e.g. in LXC (bsc#904432)
- netlink: Recover from netlink event socket errors and allow to configure the event socket buffer sizes (bsc#905421)
- bonding: Add encap2+3 and 3+4 xmit-hash-policies (bsc#905750)
- client: Apply suse ifcfg alias label (bsc#907683)
- netlink: Retry on DUMP_INTR and AGAIN (bsc#904776)
- gcrypt: Do not fail when wicked has been build using a newer but compatible library than the currently used (bsc#906217)
- compat: Use info level on unspecified ip (bsc#904903)
- compat: Fix tap group node generation (bsc#904380)
- sit,ipip,gre: Generate tunnel config on change (bsc#901402)
- fsm: Always refresh worker on device-ready event and match only ready devices against config workers (bsc#904061)
- fsm: Perform tentative check on all started interfaces with nanny (bsc#900951)


-----------------------------------------
Patch: SUSE-2015-96
Released: Thu Jan 29 10:54:25 2015
Summary: Security update for vorbis-tools
Severity: moderate
References: 914938,CVE-2014-9640
Description:

      This update fixes the following security issue:

      - A crafted raw file used as input could cause a segmentation fault (CVE-2014-9640, bsc#914938)


-----------------------------------------
Patch: SUSE-2015-97
Released: Thu Jan 29 16:37:05 2015
Summary: Recommended update for btrfsprogs
Severity: moderate
References: 914955
Description:
This update provides btrfsprogs 3.16.2, which brings fixes and enhancements:

- Add options to control the output units to 'usage' and 'df' subcommands.
- Handle bad extent mapping in fsck.
- Fix 'btrfs-image' on balanced file systems.
- Make btrfs-show-super print flags in human readable way.
- Add option -R to 'subvol list' to print received UUID.
- Fix detection of multiple mounts on the same directory.
- Documentation updates.


-----------------------------------------
Patch: SUSE-2015-52
Released: Fri Jan 30 10:14:41 2015
Summary: Security update for openssl
Severity: moderate
References: 855676,895129,901902,906878,908362,908372,912014,912015,912018,912292,912293,912294,912296,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Description:

OpenSSL was updated to fix security issues and also provide FIPS
compliance.

Security issues fixed:
CVE-2014-3570: Bignum squaring (BN_sqr) may have produced
incorrect results on some platforms, including x86_64.

CVE-2014-3571: Fixed crash in dtls1_get_record whilst in the
listen state where you get two separate reads performed - one for the
header and one for the body of the handshake record.

CVE-2014-3572: No longer accept a handshake using an ephemeral ECDH
ciphersuites with the server key exchange message omitted.

CVE-2014-8275: Fixed various certificate fingerprint issues.

CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.

CVE-2015-0205: Fix to prevent use of DH client certificates without
sending certificate verify message.

CVE-2015-0206: A memory leak could have occured in dtls1_buffer_record.

Bugfixes:
- Do not advertise curves we don't support (bsc#906878)

FIPS changes:
- Make RSA2 key generation FIPS 186-4 compliant (bsc#901902)

- X9.31 rand method is not allowed in FIPS mode.

- Do not allow dynamic ENGINEs loading in FIPS mode.

- Added a locking hack which prevents hangs in FIPS mode (bsc#895129)

- In non-FIPS RSA key generation, mirror the maximum and minimum limiters from
  FIPS rsa generation to meet Common Criteria and BSI TR requirements
  on minimum and maximum distances between p and q. (bsc#908362)

- Do constant reseeding from /dev/urandom; for every random byte pulled, seed with
  one byte from /dev/urandom, also change RAND_poll to pull the full state size of
  the SSLEAY DRBG to fulfil Common Criteria requirements. (bsc#908372)

FIPS mode can be enabled by either using the environment variable OPENSSL_FORCE_FIPS_MODE=1
or supplying the 'fips=1' parameter on the kernel boot commandline.


-----------------------------------------
Patch: SUSE-2015-92
Released: Fri Jan 30 14:51:02 2015
Summary: Security update for unzip
Severity: moderate
References: 914442,CVE-2014-9636
Description:
unzip was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read/write in test_compr_eb() in extract.c (CVE-2014-9636).
  

-----------------------------------------
Patch: SUSE-2015-95
Released: Fri Jan 30 15:00:54 2015
Summary: Security update for libmspack
Severity: moderate
References: 912214,CVE-2014-9556
Description:
libmspack was updated to fix one security issue.

This security issue was fixed:
- Possible DoS by infinite loop (bnc#912214, CVE-2014-9556)
  

-----------------------------------------
Patch: SUSE-2015-76
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
  

-----------------------------------------
Patch: SUSE-2015-73
Released: Mon Feb  2 11:53:55 2015
Summary: Security update for jasper
Severity: moderate
References: 911837,CVE-2014-8157,CVE-2014-8158
Description:
jasper was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8157: Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow (bnc#911837).
CVE-2014-8158: Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image (bnc#911837).
  

-----------------------------------------
Patch: SUSE-2015-55
Released: Tue Feb  3 14:51:17 2015
Summary: Recommended update for curl
Severity: moderate
References: 913209
Description:

curl was updated to fix problems when operating in FIPS mode.

This patch reenables following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)


-----------------------------------------
Patch: SUSE-2015-121
Released: Tue Feb  3 16:30:16 2015
Summary: Recommended update for pam
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------
Patch: SUSE-2015-98
Released: Tue Feb  3 22:09:24 2015
Summary: Recommended update for libtirpc
Severity: moderate
References: 882973,899576
Description:
This update for libtirpc fixes race conditions in getnetconfig(). These races could cause segmentation faults in programs linked against libtirpc, such as AutoFS.

-----------------------------------------
Patch: SUSE-2015-124
Released: Wed Feb  4 13:38:17 2015
Summary: Recommended update for multipath-tools
Severity: moderate
References: 889927,898427,900758,901465,901809,901891,907483,908915,909742
Description:
This update for multipath-tools provides the following fixes:

- Skip uninitialized devices during reconfiguration (bsc#908915)
- Fix memory overflow when printing help text (bsc#909742)
- Trigger all devices on multipathd startup (bsc#901465)
- Fall back to SG_IO if no UID could be assigned (bsc#908915)
- Assign local priority for NAA VPD descriptor (bsc#907483)
- Fix dev_loss_tmo setting (bsc#889927)
- Do not use 'sscanf' for parsing integers (bsc#889927)
- Do not flush I/O for DM_DEVICE_CREATE (bsc#901809)
- Fix kpartx to handle more than 256 loop devices (bsc#898427)
- Fix multipathd locking in uev_remove_map() (bsc#901891)
- Use global variable for uxsock timeout (bsc#900758)
- Add %service calls for multipathd.socket.


-----------------------------------------
Patch: SUSE-2015-70
Released: Mon Feb  9 19:43:59 2015
Summary: Security update for ntp
Severity: important
References: 910764,911792,CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298
Description:
ntp was updated to fix four security issues.

These security issues were fixed:
- CVE-2014-9294: util/ntp-keygen.c in ntp-keygen used a weak RNG seed, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (bnc#910764 911792).
- CVE-2014-9293: The config_auth function in ntpd, when an auth key was not configured, improperly generated a key, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (bnc#910764 911792).
- CVE-2014-9298: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses could be bypassed (bnc#911792).
- CVE-2014-9297: Information leak by not properly checking a length in several places in ntp_crypto.c (bnc#911792).


-----------------------------------------
Patch: SUSE-2015-215
Released: Tue Feb 10 15:23:13 2015
Summary: Security update for perl-YAML-LibYAML
Severity: moderate
References: 860617,868944,907809,911782,CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Description:
perl-YAML-LibYAML was updated to fix three security issues.

These security issues were fixed:
- CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performed an incorrect cast, which allowed remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggered a heap-based buffer overflow (bnc#860617, bnc#911782).
- CVE-2014-9130: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allowed context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping (bnc#907809, bnc#911782).
- CVE-2014-2525: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allowed context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file (bnc#868944, bnc#911782).
  

-----------------------------------------
Patch: SUSE-2015-67
Released: Tue Feb 10 15:45:34 2015
Summary: Security update for util-linux
Severity: moderate
References: 907434,908742,CVE-2014-9114
Description:
util-linux was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-9114: Using crafted block devices (e.g. USB sticks) it was possibly to inject code via libblkid.
  libblkid was fixed to care about unsafe chars and possible buffer overflow in cache (bnc#907434)

This non-security issue was fixed:
- libblkid: Reset errno in blkid_probe_get_buffer() to prevent
  failing probes (e. g. for exFAT) (bnc#908742).


-----------------------------------------
Patch: SUSE-2015-77
Released: Thu Feb 12 14:42:07 2015
Summary: Recommended update for colord
Severity: low
References: 901148
Description:
This update for colord fixes its Apparmor profile to allow the use of USB calibration devices.

-----------------------------------------
Patch: SUSE-2015-91
Released: Wed Feb 18 02:04:04 2015
Summary: Security update for samba
Severity: important
References: 872912,873922,876312,889175,898031,908627,913238,917376,CVE-2015-0240
Description:
samba was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-0240: Don't call talloc_free on an uninitialized pointer (bnc#917376).

These non-security issues were fixed:
- Fix vfs_snapper DBus string handling (bso#11055, bnc#913238).
- Fix libsmbclient DFS referral handling.
  + Reuse connections derived from DFS referrals (bso#10123).
  + Set domain/workgroup based on authentication callback value (bso#11059).
- pam_winbind: Fix warn_pwd_expire implementation (bso#9056).
- nsswitch: Fix soname of linux nss_*.so.2 modules (bso#9299).
- Fix profiles tool (bso#9629).
- s3-lib: Do not require a password with --use-ccache (bso#10279).
- s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control (bso#10949).
- s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses (bso#10952).
- s3:smb2_server: Allow reauthentication without signing (bso#10958).
- s3-smbclient: Return success if we listed the shares (bso#10960).
- s3-smbstatus: Fix exit code of profile output (bso#10961).
- libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does (bso#10966).
- s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention (bso#10982).
- Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions' (bso#11006).
- idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo (bso#11006).
- winbind: Retry LogonControl RPC in ping-dc after session expiration (bso#11034).
- yast2-samba-client should be able to specify osName and osVer on AD domain join (bnc#873922).
- Lookup FSRVP share snums at runtime rather than storing them persistently (bnc#908627).
- Specify soft dependency for network-online.target in Winbind systemd service file (bnc#889175).
- Fix spoolss error response marshalling; (bso#10984).
- pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state (bso#10472).
- s4-dns: Add support for BIND 9.10 (bso#10620).
- nmbd fails to accept '--piddir' option; (bso#10711).
- S3: source3/smbd/process.c::srv_send_smb() returns true on the error path (bso#10880).
- vfs_glusterfs: Remove 'integer fd' code and store the glfs pointers (bso#10889).
- s3-nmbd: Fix netbios name truncation (bso#10896).
- spoolss: Fix handling of bad EnumJobs levels (bso#10898).
- spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).
- s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
- s3:smbd: Fix file corruption using 'write cache size != 0'; (bso#10921).
- pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
- s3-keytab: Fix keytab array NULL termination; (bso#10933).
- Cleanup add_string_to_array and usage; (bso#10942).
- Remove and cleanup shares and registry state associated with
  externally deleted snaphots exposed as shadow copies; (bnc#876312).
- Use the upstream tar ball, as signature verification is now able to handle
  compressed archives.
- Fix leak when closing file descriptor returned from dirfd; (bso#10918).
- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).
  + Fix handling of bad EnumJobs levels; (bso#10898).
- Remove dependency on gpg-offline as signature checking is implemented in the
  source validator.
- s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).
- s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).
- s3-libads: Add all machine account principals to the keytab; (bso#9985).
- s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to
  be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).
- Fix unstrcpy; (bso#10735).
- pthreadpool: Slightly serialize jobs; (bso#10779).
- s3: smbd: streams - Ensure share mode validation ignores internal opens
  (op_mid == 0); (bso#10797).
- s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809).
- vfs_media_harmony: Fix a crash bug; (bso#10813).
- docs: Mention incompatibility between kernel oplocks and streams_xattr;
  (bso#10814).
- nmbd: Send waiting status to systemd; (bso#10816).
- libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL;
  (bso#10817).
- nsswitch: Skip groups we were not able to map; (bso#10824).
- s3-winbindd: Use correct realm for trusted domains in idmap child;
  (bso#10826).
- s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830).
- s3: lib: Signal handling - ensure smbrun and change password code save and
  restore existing SIGCHLD handlers; (bso#10831).
- idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
- s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call;
  (bso#10838).
- s3: smb2cli: Query info return length check was reversed; (bso#10848).
- registry: Don't leave dangling transactions; (bso#10860).
- Prune idle or hung connections older than 'winbind request timeout';
  (bso#3204); (bnc#872912).


-----------------------------------------
Patch: SUSE-2015-108
Released: Fri Feb 20 00:30:53 2015
Summary: Optional update for libgsm1-32bit, p11-kit-32bit
Severity: low
References: 904890
Description:
This update delivers a 32bit versions of p11-kit and libgsm1. These libraries are required by some 3rd-party applications.

-----------------------------------------
Patch: SUSE-2015-225
Released: Fri Feb 20 00:46:05 2015
Summary: Recommended update for Mesa
Severity: low
References: 899106
Description:
This update for Mesa fixes the following issue:

- Mapping textures in swrast may crash if no image slices array is allocated.
  This may happen in some software fallback paths. (bsc#899106)

-----------------------------------------
Patch: SUSE-2015-130
Released: Fri Feb 20 14:48:29 2015
Summary: Security update for the Linux Kernel
Severity: important
References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255,CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.38 to receive
various security and bugfixes.

This update contains the following feature enablements:
- The remote block device (rbd) and ceph drivers have been enabled and
  are now supported. (FATE#318350)
  These can be used e.g. for accessing the SUSE Enterprise Storage product
  services.

- Support for Intel Select Bay trail CPUs has been added. (FATE#316038)

Following security issues were fixed:
- CVE-2014-9419: The __switch_to function in arch/x86/kernel/process_64.c
  in the Linux kernel through 3.18.1 did not ensure that Thread Local
  Storage (TLS) descriptors were loaded before proceeding with other steps,
  which made it easier for local users to bypass the ASLR protection
  mechanism via a crafted application that reads a TLS base address
  (bnc#911326).

- CVE-2014-7822: A flaw was found in the way the Linux kernels splice()
  system call validated its parameters. On certain file systems, a local,
  unprivileged user could have used this flaw to write past the maximum
  file size, and thus crash the system.

- CVE-2014-8160: The connection tracking module could be bypassed if a specific
  protocol module was not loaded, e.g. allowing SCTP traffic while the firewall
  should have filtered it.

- CVE-2014-9584: The parse_rock_ridge_inode_internal function in
  fs/isofs/rock.c in the Linux kernel before 3.18.2 did not validate a
  length value in the Extensions Reference (ER) System Use Field, which
  allowed local users to obtain sensitive information from kernel memory
  via a crafted iso9660 image (bnc#912654).

The following non-security bugs were fixed:
- audit: Allow login in non-init namespaces (bnc#916107).
- btrfs: avoid unnecessary switch of path locks to blocking mode.
- btrfs: fix directory inconsistency after fsync log replay (bnc#915425).
- btrfs: fix fsync log replay for inodes with a mix of regular refs and
  extrefs (bnc#915425).
- btrfs: fix fsync race leading to ordered extent memory leaks (bnc#917128).
- btrfs: fix fsync when extend references are added to an inode (bnc#915425).
- btrfs: fix missing error handler if submiting re-read bio fails.
- btrfs: fix race between transaction commit and empty block group removal (bnc#915550).
- btrfs: fix scrub race leading to use-after-free (bnc#915456).
- btrfs: fix setup_leaf_for_split() to avoid leaf corruption (bnc#915454).
- btrfs: improve free space cache management and space allocation.
- btrfs: make btrfs_search_forward return with nodes unlocked.
- btrfs: scrub, fix sleep in atomic context (bnc#915456).
- btrfs: unlock nodes earlier when inserting items in a btree.
- drm/i915: On G45 enable cursor plane briefly after enabling the display plane (bnc#918161).
- Fix Module.supported handling for external modules (bnc#905304).
- keys: close race between key lookup and freeing (bnc#912202).
- msi: also reject resource with flags all clear.
- pci: Add ACS quirk for Emulex NICs (bug#917089).
- pci: Add ACS quirk for Intel 10G NICs (bug#917089).
- pci: Add ACS quirk for Solarflare SFC9120 & SFC9140 (bug#917089).
- Refresh other Xen patches (bsc#909829).
- Update patches.suse/btrfs-8177-improve-free-space-cache-management-and-space-.patch (bnc#895805).
- be2net: avoid flashing SH-B0 UFI image on SH-P2 chip (bug#908322).
- be2net: refactor code that checks flash file compatibility (bug#908322).
- ceph: Add necessary clean up if invalid reply received in handle_reply() (bsc#918255).
- crush: CHOOSE_LEAF -&gt; CHOOSELEAF throughout (bsc#918255).
- crush: add SET_CHOOSE_TRIES rule step (bsc#918255).
- crush: add note about r in recursive choose (bsc#918255).
- crush: add set_choose_local_[fallback_]tries steps (bsc#918255).
- crush: apply chooseleaf_tries to firstn mode too (bsc#918255).
- crush: attempts -&gt; tries (bsc#918255).
- crush: clarify numrep vs endpos (bsc#918255).
- crush: eliminate CRUSH_MAX_SET result size limitation (bsc#918255).
- crush: factor out (trivial) crush_destroy_rule() (bsc#918255).
- crush: fix crush_choose_firstn comment (bsc#918255).
- crush: fix some comments (bsc#918255).
- crush: generalize descend_once (bsc#918255).
- crush: new SET_CHOOSE_LEAF_TRIES command (bsc#918255).
- crush: pass parent r value for indep call (bsc#918255).
- crush: pass weight vector size to map function (bsc#918255).
- crush: reduce scope of some local variables (bsc#918255).
- crush: return CRUSH_ITEM_UNDEF for failed placements with indep (bsc#918255).
- crush: strip firstn conditionals out of crush_choose, rename (bsc#918255).
- crush: use breadth-first search for indep mode (bsc#918255).
- crypto: drbg - panic on continuous self test error (bsc#905482).
- dasd: List corruption in error recovery (bnc#914291, LTC#120865).
- epoll: optimize setting task running after blocking (epoll-performance).
- fips: We need to activate gcm(aes) in FIPS mode, RFCs 4106 and 4543 (bsc#914126,bsc#914457).
- fips: __driver-gcm-aes-aesni needs to be listed explicitly inside the testmgr.c file (bsc#914457).
- flow_dissector: add tipc support (bnc#916513).
- hotplug, powerpc, x86: Remove cpu_hotplug_driver_lock() (bsc#907069).
- hyperv: Add support for vNIC hot removal.
- kernel: incorrect clock_gettime result (bnc#914291, LTC#121184).
- kvm: iommu: Add cond_resched to legacy device assignment code (bsc#898687).
- libceph: CEPH_OSD_FLAG_* enum update (bsc#918255).
- libceph: add ceph_kv{malloc,free}() and switch to them (bsc#918255).
- libceph: add ceph_pg_pool_by_id() (bsc#918255).
- libceph: all features fields must be u64 (bsc#918255).
- libceph: dout() is missing a newline (bsc#918255).
- libceph: factor out logic from ceph_osdc_start_request() (bsc#918255).
- libceph: fix error handling in ceph_osdc_init() (bsc#918255).
- libceph: follow redirect replies from osds (bsc#918255).
- libceph: follow {read,write}_tier fields on osd request submission (bsc#918255).
- libceph: introduce and start using oid abstraction (bsc#918255).
- libceph: rename MAX_OBJ_NAME_SIZE to CEPH_MAX_OID_NAME_LEN (bsc#918255).
- libceph: rename ceph_osd_request::r_{oloc,oid} to r_base_{oloc,oid} (bsc#918255).
- libceph: replace ceph_calc_ceph_pg() with ceph_oloc_oid_to_pg() (bsc#918255).
- libceph: start using oloc abstraction (bsc#918255).
- libceph: take map_sem for read in handle_reply() (bsc#918255).
- libceph: update ceph_features.h (bsc#918255).
- libceph: use CEPH_MON_PORT when the specified port is 0 (bsc#918255).
- locking/mutex: Explicitly mark task as running after wakeup (mutex scalability).
- locking/osq: No need for load/acquire when acquire-polling (mutex scalability).
- locking/rtmutex: Optimize setting task running after being blocked (mutex scalability).
- mm/compaction: fix wrong order check in compact_finished() (VM Performance, bnc#904177).
- mm/compaction: stop the isolation when we isolate enough freepage (VM Performance, bnc#904177).
- mm: fix negative nr_isolated counts (VM Performance).
- mutex-debug: Always clear owner field upon mutex_unlock() (mutex bugfix).
- net: 8021q/bluetooth/bridge/can/ceph: Remove extern from function prototypes (bsc#918255).
- net: allow macvlans to move to net namespace (bnc#915660).
- net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland (bnc#900270).
- nfs_prime_dcache needs fh to be set (bnc#908069 bnc#896484).
- ocfs2: remove filesize checks for sync I/O journal commit (bnc#800255). Update references.
- powerpc/xmon: Fix another endiannes issue in RTAS call from xmon (bsc#915188).
- pvscsi: support suspend/resume (bsc#902286).
- random: account for entropy loss due to overwrites (bsc#904883,bsc#904901).
- random: allow fractional bits to be tracked (bsc#904883,bsc#904901).
- random: statically compute poolbitshift, poolbytes, poolbits (bsc#904883,bsc#904901).
- rbd: add '^A' sysfs rbd device attribute (bsc#918255).
- rbd: add support for single-major device number allocation scheme (bsc#918255).
- rbd: enable extended devt in single-major mode (bsc#918255).
- rbd: introduce rbd_dev_header_unwatch_sync() and switch to it (bsc#918255).
- rbd: rbd_device::dev_id is an int, format it as such (bsc#918255).
- rbd: refactor rbd_init() a bit (bsc#918255).
- rbd: switch to ida for rbd id assignments (bsc#918255).
- rbd: tear down watch request if rbd_dev_device_setup() fails (bsc#918255).
- rbd: tweak 'loaded' message and module description (bsc#918255).
- rbd: wire up is_visible() sysfs callback for rbd bus (bsc#918255).
- rpm/kernel-binary.spec.in: Own the modules directory in the devel package (bnc#910322)
- s390/dasd: fix infinite loop during format (bnc#914291, LTC#120608).
- s390/dasd: remove unused code (bnc#914291, LTC#120608).
- sched/Documentation: Remove unneeded word (mutex scalability).
- sched/completion: Add lock-free checking of the blocking case (scheduler scalability).
- scsifront: avoid acquiring same lock twice if ring is full.
- scsifront: do not use bitfields for indicators modified under different locks.
- swiotlb: Warn on allocation failure in swiotlb_alloc_coherent (bsc#905783).
- uas: Add NO_ATA_1X for VIA VL711 devices (bnc#914254).
- uas: Add US_FL_NO_ATA_1X for 2 more Seagate disk enclosures (bnc#914254).
- uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id 0bc2:a013 (bnc#914254).
- uas: Add US_FL_NO_ATA_1X quirk for 1 more Seagate model (bnc#914254).
- uas: Add US_FL_NO_ATA_1X quirk for 2 more Seagate models (bnc#914254).
- uas: Add US_FL_NO_ATA_1X quirk for Seagate (0bc2:ab20) drives (bnc#914254).
- uas: Add a quirk for rejecting ATA_12 and ATA_16 commands (bnc#914254).
- uas: Add missing le16_to_cpu calls to asm1051 / asm1053 usb-id check (bnc#914294).
- uas: Add no-report-opcodes quirk (bnc#914254).
- uas: Disable uas on ASM1051 devices (bnc#914294).
- uas: Do not blacklist ASM1153 disk enclosures (bnc#914294).
- uas: Use streams on upcoming 10Gbps / 3.1 USB (bnc#914464).
- uas: disable UAS on Apricorn SATA dongles (bnc#914300).
- usb-storage: support for more than 8 LUNs (bsc#906196).
- x86, crash: Allocate enough low-mem when crashkernel=high (bsc#905783).
- x86, crash: Allocate enough low-mem when crashkernel=high (bsc#905783).
- x86, swiotlb: Try coherent allocations with __GFP_NOWARN (bsc#905783).
- x86/hpet: Make boot_hpet_disable extern (bnc#916646).
- x86/intel: Add quirk to disable HPET for the Baytrail platform (bnc#916646).
- x86: irq: Check for valid irq descriptor incheck_irq_vectors_for_cpu_disable (bnc#914726).
- x86: irq: Check for valid irq descriptor in check_irq_vectors_for_cpu_disable (bnc#914726).
- xhci: Add broken-streams quirk for Fresco Logic FL1000G xhci controllers (bnc#914112).
- zcrypt: Number of supported ap domains is not retrievable (bnc#914291, LTC#120788).
  

-----------------------------------------
Patch: SUSE-2015-128
Released: Fri Feb 20 15:44:31 2015
Summary: Recommended update for haveged
Severity: moderate
References: 898669
Description:

haveged has been added to the initial ramdisk to generate randomness
earlier during bootup.

Also it was changed to be active longer during shutdown phases.

This helps when randomness is lacking during bootup which can regular
happen during Virtual Machine scenarios.


-----------------------------------------
Patch: SUSE-2015-69
Released: Mon Feb 23 11:53:02 2015
Summary: Recommended update for timezone
Severity: important
References: 912415,915422,915693
Description:
This update provides the latest timezone information (2015a) for your system, including the following changes:

- Add positive leap second on 2015-06-30 23:59:60 UTC, as per IERS Bulletin C 49. (bsc#912415)
- Mexico state Quintana Roo (America/Cancun) shifts from Central Time with DST to Eastern Time without DST on 2015-02-01 02:00. (bsc#915422)
- Chile (America/Santiago) will retain old DST as standard time from April, also Pacific/Easter, and Antarctica/Palmer.

This release also includes changes affecting past time stamps, documentation and some minor bug fixes. For a comprehensive list, refer to the release announcement from ICANN:

- [http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html](http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html)


-----------------------------------------
Patch: SUSE-2015-274
Released: Mon Feb 23 22:21:35 2015
Summary: Recommended update for openslp
Severity: moderate
References: 909195
Description:
This update for openslp provides the following fixes:

- Fix storage handling in predicate code. It clashed with gcc's fortify_source extension and this could cause a segmentation fault.
- Bring back allowDoubleEqualInPredicate option.


-----------------------------------------
Patch: SUSE-2015-111
Released: Mon Mar  2 15:30:29 2015
Summary: Security update for freetype2
Severity: moderate
References: 916847,916856,916857,916858,916859,916860,916861,916862,916863,916864,916865,916867,916868,916870,916871,916872,916873,916874,916879,916881,CVE-2014-2240,CVE-2014-9656,CVE-2014-9657,CVE-2014-9658,CVE-2014-9659,CVE-2014-9660,CVE-2014-9661,CVE-2014-9662,CVE-2014-9663,CVE-2014-9664,CVE-2014-9665,CVE-2014-9666,CVE-2014-9667,CVE-2014-9668,CVE-2014-9669,CVE-2014-9670,CVE-2014-9671,CVE-2014-9672,CVE-2014-9673,CVE-2014-9674,CVE-2014-9675
Description:
freetype2 was updated to fix 20 security issues.

These security issues were fixed:
- CVE-2014-9663: The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table (bnc#916865).
- CVE-2014-9662: cff/cf2ft.c in FreeType before 2.5.4 did not validate the return values of point-allocation functions, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font (bnc#916860).
- CVE-2014-9661: type42/t42parse.c in FreeType before 2.5.4 did not consider that scanning can be incomplete without triggering an error, which allowed remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font (bnc#916859).
- CVE-2014-9660: The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 did not properly handle a missing ENDCHAR record, which allowed remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font (bnc#916858).
- CVE-2014-9667: sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allowed remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table (bnc#916861).
- CVE-2014-9666: The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allowed remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap (bnc#916862).
- CVE-2014-9665: The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 did not restrict the rows and pitch values of PNG data, which allowed remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file (bnc#916863).
- CVE-2014-9664: FreeType before 2.5.4 did not check for the end of the data during certain parsing actions, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c (bnc#916864).
- CVE-2014-9669: Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allowed remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table (bnc#916870).
- CVE-2014-9668: The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allowed remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file (bnc#916868).
- CVE-2014-9656: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 did not properly check for an integer overflow, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font (bnc#916847).
- CVE-2014-9658: The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font (bnc#916857).
- CVE-2014-9659: cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240 (bnc#916867).
- CVE-2014-9674: The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allowed remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font (bnc#916879).
- CVE-2014-9675: bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allowed remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font (bnc#916881).
- CVE-2014-9657: The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 did not establish a minimum record size, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font (bnc#916856).
- CVE-2014-9670: Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allowed remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row (bnc#916871).
- CVE-2014-9671: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented (bnc#916872).
- CVE-2014-9672: Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allowed remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file (bnc#916873).
- CVE-2014-9673: Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font (bnc#916874).
  

-----------------------------------------
Patch: SUSE-2015-248
Released: Mon Mar  2 16:19:04 2015
Summary: Security update for autofs
Severity: moderate
References: 901448,909472,913376,916203,917977,CVE-2014-8169
Description:
autofs was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-8169: Prevent potential privilege escalation via interpreter load path for program-based automount maps (bnc#917977).

These non-security issues were fixed:
- Dont pass sloppy option for other than nfs mounts (bnc#901448, bnc#916203)
- Fix insserv warning at postinstall (bnc#913376)
- Fix autofs.service so that multiple options passed through sysconfig AUTOFS_OPTIONS work correctly (bnc#909472)


-----------------------------------------
Patch: SUSE-2015-138
Released: Mon Mar  2 16:19:04 2015
Summary: Recommended update for cloud-init
Severity: moderate
References: 914920,918952,919305
Description:
This update for cloud-init provides the following fixes:

- Properly handle persistent network device names for OpenNebula 
- Properly set up network mode if interface config file
- Require e2fsprogs for filesystem resizing
- Fixed syntax error in dmidecode on ppc64 patch.

-----------------------------------------
Patch: SUSE-2015-123
Released: Mon Mar  2 16:19:05 2015
Summary: Security update for libmspack
Severity: moderate
References: 912214,CVE-2014-9556
Description:

libmspack was updated to fix one security issue.

This security issue was fixed:
- Possible DoS by infinite loop (bnc#912214, CVE-2014-9556)

The previous fix was not fully fixing this problem.


-----------------------------------------
Patch: SUSE-2015-110
Released: Mon Mar  2 17:43:50 2015
Summary: Security update for icu
Severity: moderate
References: 917129,CVE-2014-9654
Description:
icu was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-9654: Insufficient size limit checks in regular expression compiler (bnc#917129).
  

-----------------------------------------
Patch: SUSE-2015-116
Released: Mon Mar  2 21:22:56 2015
Summary: Security update for cups, cups154
Severity: moderate
References: 917799,CVE-2014-9679
Description:
cups, cups154 was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-9679: A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels (bnc#917799).
  

-----------------------------------------
Patch: SUSE-2015-112
Released: Wed Mar  4 02:08:34 2015
Summary: Security update for dbus-1
Severity: moderate
References: 916343,916785,CVE-2015-0245
Description:
dbus-1 was updated to version 1.8.16 to fix one security issue.

This update fixes the following security issue:

- CVE-2015-0245: Do not allow non-uid-0 processes to send forged
  ActivationFailure messages. On Linux systems with systemd
  activation, this would allow a local denial of service (bnc#916343).

These additional security hardenings are included:

- Do not allow calls to UpdateActivationEnvironment from uids
  other than the uid of the dbus-daemon. If a system service
  installs unsafe security policy rules that allow arbitrary
  method calls (such as CVE-2014-8148) then this prevents
  memory consumption and possible privilege escalation via
  UpdateActivationEnvironment.
- Do not allow calls to UpdateActivationEnvironment or the
  Stats interface on object paths other than
  /org/freedesktop/DBus. Some system services install unsafe
  security policy rules that allow arbitrary method calls to
  any destination, method and interface with a specified object
  path.


-----------------------------------------
Patch: SUSE-2015-129
Released: Fri Mar  6 16:57:19 2015
Summary: Security update for glibc
Severity: moderate
References: 864081,905313,906371,909053,910599,915526,915985,916222,CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Description:
glibc has been updated to fix four security issues.

These security issues were fixed:
- CVE-2014-7817: The wordexp function in GNU C Library (aka glibc) 2.21 did not enforce the WRDE_NOCMD flag, which allowed context-dependent attackers to execute arbitrary commands, as demonstrated by input containing '$((`...`))' (bnc#906371).
- CVE-2015-1472: Heap buffer overflow in glibc swscanf (bnc#916222).
- CVE-2014-9402: Denial of service in getnetbyname function (bnc#910599).
- CVE-2013-7423: Getaddrinfo() writes DNS queries to random file descriptors under high load (bnc#915526).

These non-security issues were fixed:
- Fix infinite loop in check_pf (bsc#909053)
- Restore warning about execution permission, it is still needed for noexec mounts (bsc#915985).
- Don't touch user-controlled stdio locks in forked child (bsc#864081)
- Don't use gcc extensions for non-gcc compilers (bsc#905313)
  

-----------------------------------------
Patch: SUSE-2015-245
Released: Mon Mar  9 11:19:05 2015
Summary: Security update for vorbis-tools
Severity: moderate
References: 914439,914441,CVE-2014-9638,CVE-2014-9639
Description:

Vorbis tools was updated to fix division by zero and integer overflows by crafted WAV files (CVE-2014-9638, CVE-2014-9639, bnc#914439, bnc#914441),
that would allow attackers to crash the vorbis tools processes.


-----------------------------------------
Patch: SUSE-2015-157
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Severity: moderate
References: 921070,CVE-2015-1782
Description:

The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT
packet, that could lead to a buffer overread and to a crash of the
libssh2_org using application.


-----------------------------------------
Patch: SUSE-2015-208
Released: Thu Mar 12 10:43:10 2015
Summary: Security update for python-PyYAML
Severity: moderate
References: 921588,CVE-2014-9130
Description:
python-PyYAML was updated to fix one security issue which could have allowed an attacker to cause a denial of service by supplying specially crafted strings

The following issue was fixed:
- #921588: python-PyYAML: assert failure when processing wrapped strings (equivalent to CVE-2014-9130 in LibYAML) 


-----------------------------------------
Patch: SUSE-2015-313
Released: Fri Mar 13 00:47:47 2015
Summary: Recommended update for pciutils
Severity: low
References: 837347
Description:
This update for pciutils fixes a memory leak in function get_cache_name().

-----------------------------------------
Patch: SUSE-2015-155
Released: Mon Mar 16 10:21:09 2015
Summary: Security update for libarchive
Severity: moderate
References: 800024,920870,CVE-2013-0211,CVE-2015-2304
Description:

libarchive was updated to fix a directory traversal in the bsdcpio tool, which
allowed attackers supplying crafted archives to overwrite files. (CVE-2015-2304)

Also, a integer overflow was fixed that could also overflow buffers. (CVE-2013-0211)


-----------------------------------------
Patch: SUSE-2015-133
Released: Wed Mar 18 15:18:58 2015
Summary: Security update for openssl
Severity: important
References: 919648,920236,922488,922496,922499,922500,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293
Description:

OpenSSL was updated to fix various security issues.

Following security issues were fixed:
- CVE-2015-0209: A Use After Free following d2i_ECPrivatekey error
  was fixed which could lead to crashes for attacker supplied Elliptic
  Curve keys. This could be exploited over SSL connections with client
  supplied keys.

- CVE-2015-0286: A segmentation fault in ASN1_TYPE_cmp was fixed that
  could be exploited by attackers when e.g. client authentication is
  used. This could be exploited over SSL connections.

- CVE-2015-0287: A ASN.1 structure reuse memory corruption was fixed. This
  problem can not be exploited over regular SSL connections, only if
  specific client programs use specific ASN.1 routines.

- CVE-2015-0288: A X509_to_X509_REQ NULL pointer dereference was fixed,
  which could lead to crashes. This function is not commonly used, and
  not reachable over SSL methods.

- CVE-2015-0289: Several PKCS7 NULL pointer dereferences were fixed,
  which could lead to crashes of programs using the PKCS7 APIs. The SSL
  apis do not use those by default.

- CVE-2015-0293: Denial of service via reachable assert in SSLv2 servers,
  could be used by remote attackers to terminate the server process. Note
  that this requires SSLv2 being allowed, which is not the default.


-----------------------------------------
Patch: SUSE-2015-275
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:

- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------
Patch: SUSE-2015-159
Released: Fri Mar 20 15:25:46 2015
Summary: Security update for tcpdump
Severity: moderate
References: 922220,922221,922222,922223,923142,CVE-2014-9140,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155
Description:
tcpdump was updated to fix five vulnerabilities in protocol printers

When running tcpdump, a remote unauthenticated user could have crashed the application or, potentially, execute arbitrary code by injecting crafted packages into the network.

The following vulnerabilities were fixed:
 * IPv6 mobility printer remote DoS (CVE-2015-0261, bnc#922220)
 * PPP printer remote DoS (CVE-2014-9140, bnc#923142)
 * force printer remote DoS (CVE-2015-2155, bnc#922223)
 * ethernet printer remote DoS (CVE-2015-2154, bnc#922222)
 * tcp printer remote DoS (CVE-2015-2153, bnc#922221)


-----------------------------------------
Patch: SUSE-2015-146
Released: Mon Mar 23 11:45:22 2015
Summary: Recommended update for timezone
Severity: low
References: 923498
Description:
This update provides the latest timezone information (2015b) for your system, including the following changes:

- Mongolia will start observing DST again in 2015, from the last Saturday in March to the last Saturday in September.
- Palestine will start DST on March 28, not March 27.
- Fix integer overflow bug in reference 'mktime' implementation.

This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcement from ICANN:

- http://mm.icann.org/pipermail/tz-announce/2015-March/000029.html


-----------------------------------------
Patch: SUSE-2015-143
Released: Mon Mar 23 21:46:58 2015
Summary: Initial release of SUSE Enterprise Storage client
Severity: low
References: 913799,914521,917309
Description:
This update provides the functionality required for SUSE Linux
Enterprise Server 12 to act as a client for SUSE Enterprise Storage.

qemu can now use storage provided by the SUSE Enterprise Storage Ceph
cluster via the RADOS Block Device (rbd) backend. Applications can now
be enhanced to directly incorporate object or block storage backed by
the SUSE Enterprise Storage cluster, by linking with the librados and
librbd client libraries.

Also included is the rbd tool to manage RADOS block devices mapped via
the rbd kernel module, for use as a standard generic block device.

-----------------------------------------
Patch: SUSE-2015-194
Released: Tue Mar 24 17:21:25 2015
Summary: Security update for gd
Severity: low
References: 923945,CVE-2014-9709
Description:
The graphics drawing library gd was updated to fix one security issue.

The following vulnerability was fixed:
* possible buffer read overflow (CVE-2014-9709)


-----------------------------------------
Patch: SUSE-2015-156
Released: Tue Mar 24 17:51:59 2015
Summary: Security update for pigz
Severity: moderate
References: 913627,CVE-2015-1191
Description:
Pigz, a multi-threaded implementation of gzip, was updated to fix one vulnerability.

The following vulnerability was fixed:

* A crafted file could have caused an unwanted directory traversal on extract (CVE-2015-1191)


-----------------------------------------
Patch: SUSE-2015-149
Released: Wed Mar 25 15:09:18 2015
Summary: Recommended update for systemd, aaa_base
Severity: moderate
References: 897799,897803,898233,901481,902240,902901,903009,903963,904517,904828,905550,906709,907318,907393,908476,910315,910643,911347,912030,916420,918118
Description:

systemd and aaa_base have been updated to fix the following bugs:

- Add path_id_compat for backwards compatibility with SLE11 (bsc#916420).

- Do not watch for socket events when service is in SERVICE_STOP (bsc#918118)

- Increase number of children/workers to CPU_COUNT * 64 to avoid 
  'maximum number of children reached' (bsc#907393).

- udev: link_setup - respect kernel name assign policy (bsc#907318).

- sync with patches from Base:System:Legacy (bsc#910315)

- Remove superfluous set -x from systemd-sleep-grub (bsc#905550)

- Make sure that quotacheck is executed after fsck for system root is
  finished (bsc#897799)

- Add missed keyboard layouts which are offered by YaST2 (bsc#910643
  and bsc#897803)

- Due to fragmentation, journal flushes on btrfs could take very long
  (bsc#911347)

- Fixed comparison of console log facility that caused journald to skip
  output to console (bsc#912030)

- Add user based ignore statements in tmpfiles removal directives.
  This feature was previously implemented by scripts in aaa_base,
  which are being removed by this update. (bsc#903009)

- Use --boot option in systemd-tmpfiles-setup-dev.service (bsc#908476)

- udev: link_setup - respect kernel name assign policy (bsc#907318).

- Avoid old net devices naming scheme on openSUSE 13.2 and less maybe caused by patch
 
- Fix systemd-nspawn network-veth support (bsc#906709)

- Change the maximum number of children from CPU_COUNT * 256 to CPU_COUNT * 64. (bsc#907393).

- Re-add directory /usr/lib/systemd/system/basic.target.wants 

- Remove pm-utils-hooks-compat.sh again, pm-utils built-in
  hooks partially duplicate hooks run by systemd which may
  potentially lead to problems, instead temporarily re-enable
  Forward-suspend-hibernate-calls-to-pm-utils.patch until bsc#904828 can
  be addressed properly

- Allow the use of --type in the systemctl command list-units and list-unit-files.

- Create rule to set I/O scheduler to deadline if device attribute
  'rotational' equals 0, usually SSDs (bsc#904517).

- Fix systemd-fstab-generator crypttab parsing (bsc#903963)

- Add pm-utils-hooks-compat.sh in order to run pm-utils sleep hooks from systemd (bsc#904828)

- Add patch watch_resolv.conf_for_become_changed.patch to add an inotify
  watch on /etc/resolv.conf which enables the reload of a changed resolver
  configuration on the fly (bsc#902901)

- Add upstream patches which will be applied if patch is applied a this
  may fix the trouble with iSCSI (bsc#898233)

- Add upstream patch 1089-fix-cgroup-device-controller.patch to avoid
  trouble on existing /dev/console with nspawn (bsc#902240)

- Add patch to close file descriptors if an incomming connection can
  not be handled due e.g. short memory. Could be related to (bsc#901481)
  

-----------------------------------------
Patch: SUSE-2015-152
Released: Fri Mar 27 02:15:39 2015
Summary: Security Update for Linux Kernel
Severity: important
References: 898675,903997,904242,909309,909477,909684,910517,913080,914818,915200,915660,917830,918584,918615,918620,918644,919463,919719,919939,920615,920805,920839,921313,921527,921990,922272,922275,922278,922284,924460,CVE-2015-0777,CVE-2015-2150
Description:

The SUSE Linux Enterprise Server 12 kernel was updated to 3.12.39 to
receive various security and bugfixes.

Following security bugs were fixed:
- CVE-2015-0777: The XEN usb backend could leak information to the guest
  system due to copying uninitialized memory.

- CVE-2015-2150: Xen and the Linux kernel did not properly restrict access
  to PCI command registers, which might have allowed local guest users to
  cause a denial of service (non-maskable interrupt and host crash) by
  disabling the (1) memory or (2) I/O decoding for a PCI Express device
  and then accessing the device, which triggers an Unsupported Request
  (UR) response.

The following non-security bugs were fixed:
- Added Little Endian support to vtpm module (bsc#918620).
- Add support for pnfs block layout. Patches not included by default yet
- ALSA: hda - Fix regression of HD-audio controller fallback modes (bsc#921313).
- btrfs: add missing blk_finish_plug in btrfs_sync_log() (bnc#922284).
- btrfs: cleanup orphans while looking up default subvolume (bsc#914818).
- btrfs: do not ignore errors from btrfs_lookup_xattr in do_setxattr (bnc#922272).
- btrfs: fix BUG_ON in btrfs_orphan_add() when delete unused block group (bnc#922278).
- btrfs: fix data loss in the fast fsync path (bnc#922275).
- btrfs: fix fsync data loss after adding hard link to inode (bnc#922275).
- cgroup: revert cgroup_mutex removal from idr_remove (bnc#918644).
- cifs: fix use-after-free bug in find_writable_file (bnc#909477).
- crypto: rng - RNGs must return 0 in success case (bsc#920805).
- crypto: testmgr - fix RNG return code enforcement (bsc#920805).
- exit: Always reap resource stats in __exit_signal() (Time scalability).
- fork: report pid reservation failure properly (bnc#909684).
- fsnotify: Fix handling of renames in audit (bnc#915200).
- HID: hyperv: match wait_for_completion_timeout return type.
- hv: address compiler warnings for hv_fcopy_daemon.c.
- hv: address compiler warnings for hv_kvp_daemon.c.
- hv: check vmbus_device_create() return value in vmbus_process_offer().
- hv: do not add redundant / in hv_start_fcopy().
- hv: hv_balloon: Do not post pressure status from interrupt context.
- hv: hv_balloon: Fix a locking bug in the balloon driver.
- hv: hv_balloon: Make adjustments in computing the floor.
- hv: hv_fcopy: drop the obsolete message on transfer failure.
- hv: kvp_daemon: make IPv6-only-injection work.
- hv: remove unused bytes_written from kvp_update_file().
- hv: rename sc_lock to the more generic lock.
- hv: vmbus: Fix a bug in vmbus_establish_gpadl().
- hv: vmbus: hv_process_timer_expiration() can be static.
- hv: vmbus: Implement a clockevent device.
- hv: vmbus: serialize Offer and Rescind offer.
- hv: vmbus: Support a vmbus API for efficiently sending page arrays.
- hv: vmbus: Use get_cpu() to get the current CPU.
- hyperv: fix sparse warnings.
- hyperv: Fix the error processing in netvsc_send().
- hyperv: match wait_for_completion_timeout return type.
- hyperv: netvsc.c: match wait_for_completion_timeout return type.
- iommu/vt-d: Fix dmar_domain leak in iommu_attach_device (bsc#924460).
- kabi, mm: prevent endless growth of anon_vma hierarchy (bnc#904242).
- kABI: protect linux/namei.h include in procfs.
- kABI: protect struct hif_scatter_req.
- kabi/severities: Stop maintaining the kgraft kabi
- kernel/sched/clock.c: add another clock for use with the soft lockup watchdog (bsc#919939).
- kgr: Allow patches to require an exact kernel version (bnc#920615).
- KVM: PPC: Book3S HV: ptes are big endian (bsc#920839).
- mm: convert the rest to new page table lock api (the suse-only cases) (fate#315482).
- mm: fix anon_vma-&gt;degree underflow in anon_vma endless growing prevention (bnc#904242).
- mm: fix corner case in anon_vma endless growing prevention (bnc#904242).
- mm: prevent endless growth of anon_vma hierarchy (bnc#904242).
- mm: prevent endless growth of anon_vma hierarchy  mm: prevent endless growth of anon_vma hierarchy (bnc#904242).
- mm: vmscan: count only dirty pages as congested (VM Performance, bnc#910517).
- module: Clean up ro/nx after early module load failures (bsc#921990).
- module: set nx before marking module MODULE_STATE_COMING (bsc#921990).
- net: add sysfs helpers for netdev_adjacent logic (bnc#915660).
- net: correct error path in rtnl_newlink() (bnc#915660).
- net: fix creation adjacent device symlinks (bnc#915660).
- net: prevent of emerging cross-namespace symlinks (bnc#915660).
- net: rename sysfs symlinks on device name change (bnc#915660).
- nfs: cap request size to fit a kmalloced page array (bnc#898675).
- nfs: commit layouts in fdatasync (bnc#898675).
- NFSv4.1: Do not trust attributes if a pNFS LAYOUTCOMMIT is outstanding (bnc#898675).
- NFSv4.1: Ensure that the layout recall callback matches layout stateids (bnc#898675).
- NFSv4.1: Ensure that we free existing layout segments if we get a new layout (bnc#898675).
- NFSv4.1: Fix a race in nfs4_write_inode (bnc#898675).
- NFSv4.1: Fix wraparound issues in pnfs_seqid_is_newer() (bnc#898675).
- NFSv4.1: Minor optimisation in get_layout_by_fh_locked() (bnc#898675).
- NFSv4: Do not update the open stateid unless it is newer than the old one (bnc#898675).
- pnfs: add a common GETDEVICELIST implementation (bnc#898675).
- pnfs: add a nfs4_get_deviceid helper (bnc#898675).
- pnfs: add flag to force read-modify-write in -&gt;write_begin (bnc#898675).
- pnfs: add return_range method (bnc#898675).
- pnfs: allow splicing pre-encoded pages into the layoutcommit args (bnc#898675).
- pnfs: avoid using stale stateids after layoutreturn (bnc#898675).
- pnfs/blocklayout: allocate separate pages for the layoutcommit payload (bnc#898675).
- pnfs/blocklayout: correctly decrement extent length (bnc#898675).
- pnfs/blocklayout: do not set pages uptodate (bnc#898675).
- pnfs/blocklayout: Fix a 64-bit division/remainder issue in bl_map_stripe (bnc#898675).
- pnfs/blocklayout: implement the return_range method (bnc#898675).
- pnfs/blocklayout: improve GETDEVICEINFO error reporting (bnc#898675).
- pnfs/blocklayout: include vmalloc.h for __vmalloc (bnc#898675).
- pnfs/blocklayout: in-kernel GETDEVICEINFO XDR parsing (bnc#898675).
- pnfs/blocklayout: move all rpc_pipefs related code into a single file (bnc#898675).
- pnfs/blocklayout: move extent processing to blocklayout.c (bnc#898675).
- pnfs/blocklayout: plug block queues (bnc#898675).
- pnfs/blocklayout: refactor extent processing (bnc#898675).
- pnfs/blocklayout: reject pnfs blocksize larger than page size (bnc#898675).
- pNFS/blocklayout: Remove a couple of unused variables (bnc#898675).
- pnfs/blocklayout: remove read-modify-write handling in bl_write_pagelist (bnc#898675).
- pnfs/blocklayout: remove some debugging (bnc#898675).
- pnfs/blocklayout: return layouts on setattr (bnc#898675).
- pnfs/blocklayout: rewrite extent tracking (bnc#898675).
- pnfs/blocklayout: use the device id cache (bnc#898675).
- pnfs: do not check sequence on new stateids in layoutget (bnc#898675).
- pnfs: do not pass uninitialized lsegs to -&gt;free_lseg (bnc#898675).
- pnfs: enable CB_NOTIFY_DEVICEID support (bnc#898675).
- pnfs: factor GETDEVICEINFO implementations (bnc#898675).
- pnfs: force a layout commit when encountering busy segments during recall (bnc#898675).
- pnfs: remove GETDEVICELIST implementation (bnc#898675).
- pnfs: retry after a bad stateid error from layoutget (bnc#898675).
- powerpc: add running_clock for powerpc to prevent spurious softlockup warnings (bsc#919939).
- powerpc/pseries: Fix endian problems with LE migration (bsc#918584).
- remove cgroup_mutex around deactivate_super because it might be dangerous.
- rtmutex: Document pi chain walk (mutex scalability).
- rtmutex: No need to keep task ref for lock owner check (mutex scalability).
- rtmutex: Simplify rtmutex_slowtrylock() (mutex scalability).
- rtnetlink: fix a memory leak when -&gt;newlink fails (bnc#915660).
- sched: Change thread_group_cputime() to use for_each_thread() (Time scalability).
- sched: replace INIT_COMPLETION with reinit_completion.
- sched, time: Atomically increment stime & utime (Time scalability).
- scsi: storvsc: Always send on the selected outgoing channel.
- scsi: storvsc: Do not assume that the scatterlist is not chained.
- scsi: storvsc: Enable clustering.
- scsi: storvsc: Fix a bug in copy_from_bounce_buffer().
- scsi: storvsc: Increase the ring buffer size.
- scsi: storvsc: Retrieve information about the capability of the target.
- scsi: storvsc: Set the tablesize based on the information given by the host.
- scsi: storvsc: Size the queue depth based on the ringbuffer size.
- storvsc: fix a bug in storvsc limits.
- storvsc: force discovery of LUNs that may have been removed.
- storvsc: force SPC-3 compliance on win8 and win8 r2 hosts.
- storvsc: in responce to a scan event, scan the host.
- take read_seqbegin_or_lock() and friends to seqlock.h (Time scalability).
- tcp: prevent fetching dst twice in early demux code (bnc#903997 bnc#919719).
- time, signal: Protect resource use statistics with seqlock -kabi (Time scalability).
- time, signal: Protect resource use statistics with seqlock (Time scalability).
- udp: only allow UFO for packets from SOCK_DGRAM sockets (bnc#909309).
- Update Xen patches to 3.12.39.
- virtio: rng: add derating factor for use by hwrng core (bsc#918615).
- x86, AVX-512: AVX-512 Feature Detection (bsc#921527).
- x86, AVX-512: Enable AVX-512 States Context Switch (bsc#921527).
- xenbus: add proper handling of XS_ERROR from Xenbus for transactions.
- xfs: xfs_alloc_fix_minleft can underflow near ENOSPC (bnc#913080).


-----------------------------------------
Patch: SUSE-2015-168
Released: Mon Mar 30 16:27:51 2015
Summary: Security update for gnutls
Severity: moderate
References: 919938,CVE-2015-0294
Description:

gnutls was updated to fix a certificate algorithm consistency checking issue. (CVE-2015-0294)


-----------------------------------------
Patch: SUSE-2015-222
Released: Wed Apr  8 01:19:45 2015
Summary: Recommended update for supportutils
Severity: moderate
References: 890604,912797,915888,918641,920795,922607,924738,924760,924761,925230
Description:
This update for supportutils provides the following fixes:

- Fixed xz system logs compressed (bnc#924761)
- Fixed xz compressed logs in updates.txt (bnc#924760)
- Added docker support in docker.txt with OPTION_DOCKER=1 (bnc#925230)
- Added missing SUSEConnect (bnc#924738)
- Fixed kdumptool error (bnc#922607)
- Added missing wicked configuration to network.txt (bnc#920795)
- Fixed vmcp detection (bnc#915888)
- Included DNS fix (bnc#918641)
- Use /etc/drbd.conf for test instead of rpm (bnc#890604)
- Added missing taint flag E (bnc#912797)
- Added lsinitrd to boot.txt for SLE12.


-----------------------------------------
Patch: SUSE-2015-175
Released: Wed Apr  8 11:23:39 2015
Summary: Recommended update for dracut
Severity: moderate
References: 886839,897252,902375,903001,911660,912734,914126,916348,918238
Description:

The dracut initramfs generation tool was updated to fix several bugs:

- Hooks were added for regenerating the initrd after updating this package,
  for both the main package and the fips subpackage. (bsc#916348)

- For FIPS usage, aesni-intel.ko is put into the initrd for selftests on powerup. (bsc#914126)

- Allow feeding host randomness into the ramdisk of a kvm based guest via
  the virtio_rng device (bsc#918238)

- Fixed 'bad array subscript' messages when adding kernel modules using
  '/etc/dracut.conf'. (bsc#911660)

- Enabled Warning for failed kernel modules per default (bsc#886839)

- 98systemd/rootfs-generator: Use builtins instead of 'grep' (bsc#897252)

- Log dracut command line during boot process.

- Follow symbolic links for kernel arguments (bsc#902375)

- Parse rootflags correctly (bsc#912734)

- 90multipath: start multipathd after udev (bsc#903001)


-----------------------------------------
Patch: SUSE-2015-345
Released: Thu Apr  9 02:56:42 2015
Summary: Recommended update for multipath-tools
Severity: moderate
References: 903001,908529,909358,917701,917963,920189,921703,922105
Description:
This update for multipath-tools provides the following fixes:

- Only import ID_FS_XXX variables if not set. (bsc#909358)
- Remove 'udev_sync' argument from dm_simplecmd (bsc#903001)
- Add dependency on systemd-udevd.service. (bsc#903001)
- Use ALUA for HP 3PAR. (bsc#922105)
- Add DX8700 S3 and DX8900 S3 defaults. (bsc#921703)
- Load all device handler modules on startup. (bsc#908529)
- Make vpd page 0x80 optional in libmultipath. (bsc#917963)
- Add HP MSA 2040 to the hardware table. (bsc#920189)
- Revert 'Skip unhandled device types'. (bsc#917701)


-----------------------------------------
Patch: SUSE-2015-169
Released: Wed Apr 15 02:34:35 2015
Summary: Recommended update for timezone
Severity: low
References: 927184
Description:
This update provides the latest timezone information (2015c) for your
system, including the following changes:

- Egypt's spring-forward transition in 2015 will be on Thursday, April 30 at 24:00,
  not Friday, April 24 at 00:00.

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, refer to the release announcement from ICANN:

- http://mm.icann.org/pipermail/tz-announce/2015-April/000030.html


-----------------------------------------
Patch: SUSE-2015-227
Released: Wed Apr 15 02:37:58 2015
Summary: Recommended update for grub2
Severity: moderate
References: 891946,892811,892852,894178,898198,901487,909359,913667,914514
Description:
This update for grub2 provides many fixes and enhancements:

- Add UEFI IPv6 PXE booting support. (bsc#894178)
- Fix the script grub2-snapper-plugin.sh to properly cleanup grub-snapshot.cfg files which don't refer to any snapshot. (bsc#909359, bsc#914514)
- Streamline and simplify boot to Grub menu on s390x. (bsc#898198)
- Command 'grub2-once --enum' now enumerates boot-entries in a way actually understood by 'grub2'. (bsc#892852, bsc#892811)
- Allow user to specify via LOADPARM which kernel/initrd should be booted. (bsc#891946, bsc#892852)
- Fix CAS reboot on PowerPC. (bsc#913667)


-----------------------------------------
Patch: SUSE-2015-234
Released: Thu Apr 16 15:41:43 2015
Summary: Recommended update for yp-tools
Severity: low
References: 902507
Description:
This update for yp-tools provides the following fixes:

- Add a workround for a Solaris ypbind bug, which let NIS use a 
  french server as NIS server.
- ypchfn/ypchsh are not deprecated and should not call the chfn/chsh
  variants.


-----------------------------------------
Patch: SUSE-2015-212
Released: Thu Apr 16 15:42:52 2015
Summary: Recommended update for yast2-services-manager
Severity: low
References: 893622,895023,906730
Description:
This update for yast2-services-manager provides the following fixes:

- Fixed adjusting service state according to new settings. Previously, already
  loaded services were ignored. (bnc#906730)
- Fixed installation to use the localized version of the default target name.
  (bnc#895023)
- Added minimal commandline support: just 'help'. (bnc#893622)


-----------------------------------------
Patch: SUSE-2015-171
Released: Mon Apr 20 13:11:55 2015
Summary: Optional update for vlan
Severity: low
References: 901940
Description:
This update adds the 'vlan' package to SUSE Linux Enterprise Desktop 12.

-----------------------------------------
Patch: SUSE-2015-196
Released: Tue Apr 21 12:44:04 2015
Summary: Recommended update for facter
Severity: low
References: 878129,920446
Description:
This update for facter provides the following fixes:

- Use 'ip link' instead of 'ifconfig' for retrieving interface names. (bsc#878129)
- Define 'operatingsystemmajorelease' variable properly for openSUSE and SLE. (bsc#920446)


-----------------------------------------
Patch: SUSE-2015-195
Released: Wed Apr 22 17:44:13 2015
Summary: Recommended update for openssh
Severity: moderate
References: 916473,916905,924476
Description:

This update to openssh brings small FIPS 140-2 certification
related adjustments.

- The integrity checking was changed to use an HMAC instead of a plain checksum.

The license was changed to 2-clause BSD to match the sources better.

The openssh and openssh-fips package have now versioned requirements
and also restarting the sshd service on update has been changed from
the openssh to the openssh-fips package, if the openssh-fips package
is installed.


-----------------------------------------
Patch: SUSE-2015-174
Released: Sat Apr 25 15:13:10 2015
Summary: Recommended update for timezone
Severity: low
References: 928246
Description:
This update adjusts Egypt's time zone definitions, canceling DST from 2015 onwards.

-----------------------------------------
Patch: SUSE-2015-204
Released: Mon Apr 27 16:58:47 2015
Summary: Security update for libtasn1
Severity: low
References: 924828,CVE-2015-2806
Description:
The ASN.1 parsing library libtasn1 was updated to fix one memory handling issue.

The following vulnerability was fixed:

* CVE-2015-2806: A stack-based buffer overflow in libtasn1 allowed remote attackers to have unspecified impact via unknown vectors.

-----------------------------------------
Patch: SUSE-2015-207
Released: Mon Apr 27 19:30:55 2015
Summary: Recommended update for wicked
Severity: moderate
References: 904323,905421,907215,907694,909307,911299,911562,914792,918662,920070,920889,921218,927065,927616
Description:
This update for Wicked provides the following fixes:

- Initial pre/post-up/down script and systemd service start support.
  (bsc#920070, bsc#907215)
- Fixed lease address owner and lifetime tracking to update address
  lifetimes on dhcp6 renewal, correctly drop (requesting/deferred)
  leases in wickedd not (yet) existing as lease in dhcp supplicants
  and avoid address exists error messages. (bsc#920889, bsc#907694)
- Add missed wpa_supplicant's wireless mode names. (bsc#927616)
- schema: Require macvlan lower device same as vlan. (bsc#927065)
- Fixes to use only ready devices by name to avoid dependency
  confusion mapping config to wrong device, event races and wrong
  use of the link-up instead of the wireless link-associated event.
  (bsc#918662, bsc#921218)
- nanny: Fix a memory-leak on policy load failure.
- ifreload: Fix segmentation fault handling argument for --timeout option.
- client/nanny: Initial handing of link-detection/require-link and
  timeout control flags (LINK_REQUIRED, LINK_READY_WAIT variables in
  suse ifcfg) to continue setup without ready link when requested in
  the config or based on device requirements (bsc#911562,bsc#914792).
- client/nanny: Wait for event ACKs from wickedd instead to continue
  on successful request results where possible, to minimize the risk
  of an event backlog (bsc#905421).
- client/nanny: fsm timer and cleanup related fixes and improvements,
  fix to use 'device-setup' (MAC, bond/bridge options, ...) as state
  name instead of 'device-up' and use 'device-up' as state when the
  device/link is administratively set UP. Separated waitLinkUp method
  to wait for link/carrier from linkUp setting it administratively UP.
- wireless: Consider auth-proto parameter (wpa1|wpa2) (bsc#911299).
- dhcp4: Do not set/query mtu if set in the config (bsc#904323).
- dhcp4: Limit MTU to be lower-equal 576 as before.
- dhcp4: Completed user-class option support permitting an rfc3004
  formatted option or as non-rfc, but widely used string (bsc#909307).


-----------------------------------------
Patch: SUSE-2015-193
Released: Tue Apr 28 14:36:57 2015
Summary: Security update for ntp
Severity: moderate
References: 918342,924202,928321,CVE-2015-1798,CVE-2015-1799,CVE-2015-3405
Description:
ntp was updated to fix two security related flaws as well as 'slew' mode handling for leap seconds. 

The following vulnerabilities were fixe:

* ntpd could accept unauthenticated packets with symmetric key crypto. (CVE-2015-1798)
* ntpd authentication did not protect symmetric associations against DoS attacks (CVE-2015-1799)
* ntp-keygen may generate non-random symmetric keys on big-endian systems (bsc#928321, CVE-2015-3405).

The following non-security issues were fixed:

* Fix slew mode for leap seconds (bnc#918342).


-----------------------------------------
Patch: SUSE-2015-235
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.

The following vulnerabilities were fixed:

* CVE-2015-3143: curl could re-use NTML authenticateds connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of boundary
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies


-----------------------------------------
Patch: SUSE-2015-228
Released: Wed May  6 01:49:19 2015
Summary: Recommended update for btrfsprogs
Severity: moderate
References: 929668
Description:
This update provides btrfsprogs 3.18.2, which brings several fixes and enhancements.
A comprehensive list of changes is available at https://btrfs.wiki.kernel.org/index.php/Changelog.


-----------------------------------------
Patch: SUSE-2015-363
Released: Mon May 11 11:14:58 2015
Summary: Security update for python-Jinja2
Severity: moderate
References: 858239,CVE-2014-0012
Description:
The python-Jinja2 package was updated to version 2.7.3 to fix a security issues and some build problems. 

The following vulnerabilities were fixed:
- Update to 2.7.3 (bnc#858239, CVE-2014-0012)
  - Security issue: Corrected the security fix for the cache folder.  
    This fix was provided by RedHat.

The following build issues were fixed:
- run testsuite during build
- adjust dependency to use up to date package name for python-MarkupSafe
- fix package build (file selection missing)


-----------------------------------------
Patch: SUSE-2015-190
Released: Mon May 11 20:13:51 2015
Summary: Recommended update for dracut
Severity: important
References: 930175
Description:
This update fixes generation of ramdisks on systems where /usr is a separate partition.

-----------------------------------------
Patch: SUSE-2015-233
Released: Wed May 13 15:03:41 2015
Summary: Recommended update for release-notes-sles
Severity: low
References: 899495,908342,913282,919672,921171,922978,924703,926388
Description:
This update provides the latest revision of the release notes for SUSE Linux Enterprise Server 12:

- Updated: kernel-extra belongs to SLE Workstation Extension (bsc#922978).
- Updated: KVM Limits (max vcpus is 160) (bsc#921171).
- Updated: TPM/Trusted Computing (fate#315468).
- Updated: Remote Login with XDMCP (fate#317876).
- New: Xen: Non-standard PCI device functionality may render pass-through
  insecure (bsc#924703 via fate#318861).
- New: NFSv2 Support (fate#318496).
- New: Developing and running 32bit applications on SLE12 (fate#317890).
- New: XEN watchdog causes restart (bsc#899495 via fate#318439).
- New: 'Parallel' implementations of compression software (fate#316220).
- Fix spelling errors (bsc#913282).


-----------------------------------------
Patch: SUSE-2015-273
Released: Mon May 18 10:42:24 2015
Summary: Security update for openldap2
Severity: moderate
References: 905959,916897,916914,CVE-2015-1545,CVE-2015-1546
Description:
openldap2 was updated to fix two security issues and one non-security bug.

The following vulnerabilities were fixed:

* A remote attacker could cause a denial of service through a NULL pointer dereference and crash via an empty attribute list in a deref control in a search request. (bnc#916897 CVE-2015-1545)
* A remote attacker could cause a denial of service (crash) via a crafted search query with a matched values control. (bnc#916914 CVE-2015-1546) 

The following non-security issue was fixed:

* Prevent connection-0 (internal connection) from showing up in the monitor backend (bnc#905959)


-----------------------------------------
Patch: SUSE-2015-221
Released: Tue May 19 20:15:40 2015
Summary: Recommended update for SLES 12 Manuals
Severity: low
References: 743874,857639,883393,889317,902463,904182,904186,904188,905330,906362,907504,907506,907648,907754,909494,910121,910132,910133,910137,910142,910148,911390,911409,912700,912882,913640,914727,918598
Description:
This update for SUSE Linux Enterprise Server 12 Manuals brings several enhancements and fixes.

-----------------------------------------
Patch: SUSE-2015-267
Released: Wed May 20 14:45:05 2015
Summary: Security update for fuse
Severity: moderate
References: 931452,CVE-2015-3202
Description:

This update fixes a vulnerability in fuse that 
did not clear the environment upon execution of external programs. 
CVE-2015-3202 has been assigned to this issue


-----------------------------------------
Patch: SUSE-2015-291
Released: Thu May 21 13:36:59 2015
Summary: Recommended update for kdump
Severity: moderate
References: 900134,900418,909515
Description:
This update for kdump provides the following fixes:

- Set up device timeout for kdump mounts. (bsc#909515)
- Make sure system root is not mounted in kdump initrd. (bsc#900134)
- Add the kdump-root.sh hook to the list of installed files. (bsc#900134)
- Always pass kernel version to dracut. (bsc#900418)
- Avoid Xen kernels as kdump kernel. (bsc#900418)


-----------------------------------------
Patch: SUSE-2015-213
Released: Tue May 26 13:09:06 2015
Summary: Recommended update for util-linux
Severity: moderate
References: 888678,900935,926945,930236
Description:
This update for util-linux provides the following enhancements:

- Recognize Unisys s-Par as hypervisor. (FATE#318231)
- Backport new script(1) implementation to fix all known hangs. (bsc#888678, bsc#930236)

Additionally, various bugs were fixed:

- flock: Handle zero timeout as valid. (bsc#926945)

- Fix lack of I18N support in util-linux-systemd (mis-compilation). (bsc#900935)
- Fix uuidd socket activation. (bnc#900935)
- Remove obsolete sysvinit script for uuidd.
- Remove no more needed uuidd permissions stuff.
- Replace PreReq for obsolete pwdutils by names of binaries.
- Add fstrim service scripts and rcfstrim helper.


-----------------------------------------
Patch: SUSE-2015-314
Released: Thu May 28 14:59:16 2015
Summary: Recommended update for lvm2
Severity: moderate
References: 888798,894202,908791,909358,912499,922905,925627,932300
Description:
This update for lvm2 and device-mapper provides the following fixes and
enhancements:

- If the disk is unavailable we need to import the existing ID_FS_XXX
  variables from the udev database, otherwise the filesystem UUID won't
  be set and the by-uuid symlinks will disappear, leading to
  intermittent boot failures. (bsc#909358)

- Do not attempt to unmount all volumes if only one path has failed.
  (bsc#932300)

- Add patches for multipath support to device-mapper. (bsc#922905)

- LVM2 does not support unpartitioned DASD device which has special
  format in the first 2 tracks and will silently discard LVM2 label
  information written to it by pvcreate. Mark this type of device as
  unsupported. (bsc#894202)

- Properly enable lvm2-lvmetad.socket in the package's pre and post-
  installation scripts. (bsc#908791)

- Set silent mode to 0 by default, otherwise some commands will have
  no output. (bsc#888798, bsc#912499)


-----------------------------------------
Patch: SUSE-2015-255
Released: Thu May 28 16:00:54 2015
Summary: Recommended update for yast2-users
Severity: low
References: 881396,899104,904645
Description:
This update for yast2-users provides the following fixes:

- Set F9 function key binding correctly in text mode. (bsc#881396)
- Remove X-KDE-Library from .desktop file. (bsc#899104)
- Allow changing of CN value if the LDAP user is not saved yet. (bsc#904645)


-----------------------------------------
Patch: SUSE-2015-258
Released: Thu May 28 17:20:36 2015
Summary: Recommended update for yast2-inetd
Severity: low
References: 898745,899104
Description:
This update for yast2-inetd fixes an internal error that could happen during
installation via AutoYaST.

-----------------------------------------
Patch: SUSE-2015-257
Released: Thu May 28 17:27:13 2015
Summary: Recommended update for yast2-ftp-server
Severity: low
References: 897470,899104,907354
Description:
This update for yast2-ftp-server fixes the following issues:

- A configuration problem which prevented xinetd from handling vsftp,
  since it was always configured as standalone. (bnc#897470)
- Remove X-KDE-Library from .desktop file. (bnc#899104)
- AutoYaST import: Initialize the correct ftpserver which will be used
  for configuration. (bnc#907354)


-----------------------------------------
Patch: SUSE-2015-253
Released: Thu May 28 17:52:10 2015
Summary: Recommended update for yast2-hardware-detection
Severity: low
References: 773323,903069,915938
Description:
This update for yast2-hardware-detection provides the following fixes:

- Fix configuration of ZFCP devices. (bsc#903069)
- Added VMware and VirtualBox VM detection. (bsc#773323)


-----------------------------------------
Patch: SUSE-2015-261
Released: Fri May 29 04:06:15 2015
Summary: Recommended update for yast2-samba-server
Severity: low
References: 873922,899104,901597
Description:
This update for yast2-samba-server provides the following fixes:

- When joining domain, provide osName and osVer arguments to 'net ads join'. (bsc#873922)
- Squash 'Possible precedence issue with control flow operator' warning. (bsc#901597)
- Remove X-KDE-Library from .desktop file. (bsc#899104)


-----------------------------------------
Patch: SUSE-2015-260
Released: Fri May 29 04:07:24 2015
Summary: Recommended update for yast2-samba-client
Severity: low
References: 873922,899104,902302
Description:
This update for yast2-samba-client provides the following fixes:

- When joining domain, provide osName and osVer arguments to 'net ads join'. (bsc#873922)
- Don't update Workgroup with realm name when invoking yast samba-client winbind enable. (bsc#902302)
- Remove X-KDE-Library from .desktop file. (bsc#899104)


-----------------------------------------
Patch: SUSE-2015-247
Released: Wed Jun  3 13:57:56 2015
Summary: Security update for patch
Severity: moderate
References: 904519,913678,915328,915329,CVE-2015-1196,CVE-2015-1395,CVE-2015-1396
Description:
The GNU patch utility was updated to 2.7.5 to fix three security issues and one non-security bug.

The following vulnerabilities were fixed:

* CVE-2015-1196: directory traversal flaw when handling git-style patches. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#913678)
* CVE-2015-1395: directory traversal flaw when handling patches which rename files. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#915328) 
* CVE-2015-1396: directory traversal flaw via symbolic links. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a by applying a specially crafted patch. (bsc#915329)

The following bug was fixed:

* bsc#904519:  Function names in hunks (from diff -p) are now preserved in  reject files.


-----------------------------------------
Patch: SUSE-2015-372
Released: Tue Jun  9 16:24:27 2015
Summary: Recommended update for open-iscsi
Severity: moderate
References: 897565,902183,903729,922311
Description:
This update for open-iscsi provides the following fixes:

- Double the size of the iscsiuio ARP tables, making it faster when
  switches present. (bsc#922311)
- Fix ibft boot, amending previous update which only fixed NIC context.
  Now boot context has also been fixed. (bsc#902183)
- Do not convert all 'again' errors from transport to internal errors.
  (bsc#903729)
- Fixed iscsi.service start to ignore iscsiadm return value so that
  systemd knows service is running and can still shut it down.
  (bsc#897565)


-----------------------------------------
Patch: SUSE-2015-334
Released: Tue Jun  9 17:09:01 2015
Summary: Recommended update for tcsh
Severity: low
References: 901076
Description:
This update for tcsh fixes locking of .history files when multiple instances of the shell run simultaneously.

-----------------------------------------
Patch: SUSE-2015-264
Released: Wed Jun 10 16:31:35 2015
Summary: Security update for cups
Severity: critical
References: 924208,CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Description:
The following issues are fixed by this update:

* CVE-2012-5519: privilege escalation via cross-site scripting
  and bad print job submission used to replace cupsd.conf on server (bsc#924208).
* CVE-2015-1158: Improper Update of Reference Count
* CVE-2015-1159: Cross-Site Scripting



-----------------------------------------
Patch: SUSE-2015-296
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:

This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).

* Added a NIST 800-90a compliant DRBG.

* Change DSA key generation to be FIPS 186-4 compliant.

* Change RSA key generation to be FIPS 186-4 compliant.

* Enable HW support in fips mode (bnc#896435)

* Make DSA selftest use 2048 bit keys (bnc#898003)

* Added ECDSA selftests and add support for it to the CAVS testing
  framework (bnc#896202)

* Various CAVS testing improvements.


-----------------------------------------
Patch: SUSE-2015-269
Released: Thu Jun 11 20:39:55 2015
Summary: Security update for the Linux Kernel
Severity: important
References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130,CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Description:
The SUSE Linux Enterprise 12 kernel was updated to version 3.12.43 to receive various security and bugfixes.

Following security bugs were fixed:

- CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 did not properly perform RIP changes, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application (bsc#899192).
- CVE-2014-8086: Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allowed local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag (bsc#900881).
- CVE-2014-8159: The InfiniBand (IB) implementation did not properly restrict use of User Verbs for registration of memory regions, which allowed local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/ (bsc#914742).
- CVE-2015-1465: The IPv4 implementation in the Linux kernel before 3.18.8 did not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allowed remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets (bsc#916225).
- CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 used an incorrect data type in a sysctl table, which allowed local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry (bsc#919007).
- CVE-2015-2042: net/rds/sysctl.c in the Linux kernel before 3.19 used an incorrect data type in a sysctl table, which allowed local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry (bsc#919018).
- CVE-2015-2666: Fixed a flaw that allowed crafted microcode to overflow the kernel stack (bsc#922944).
- CVE-2015-2830: Fixed int80 fork from 64-bit tasks mishandling (bsc#926240).
- CVE-2015-2922: Fixed possible denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements (bsc#922583).
- CVE-2015-3331: Fixed buffer overruns in RFC4106 implementation using AESNI (bsc#927257).
- CVE-2015-3332: Fixed TCP Fast Open local DoS (bsc#928135).
- CVE-2015-3339: Fixed race condition flaw between the chown() and execve() system calls which could have lead to local privilege escalation (bsc#928130).
- CVE-2015-3636: Fixed use-after-free in ping sockets which could have lead to local privilege escalation (bsc#929525).

The following non-security bugs were fixed:

- /proc/stat: convert to single_open_size() (bsc#928122).
- ACPI / sysfs: Treat the count field of counter_show() as unsigned (bsc#909312).
- Automatically Provide/Obsolete all subpackages of old flavors (bsc#925567)
- Btrfs: btrfs_release_extent_buffer_page did not free pages of dummy extent (bsc#930226).
- Btrfs: fix inode eviction infinite loop after cloning into it (bsc#930224).
- Btrfs: fix inode eviction infinite loop after extent_same ioctl (bsc#930224).
- Btrfs: fix log tree corruption when fs mounted with -o discard (bsc#927116).
- Btrfs: fix up bounds checking in lseek (bsc#927115).
- Fix rtworkqueues crash. Calling __sched_setscheduler() in interrupt context is forbidden, and destroy_worker() did so in the timer interrupt with a nohz_full config. Preclude that possibility for both boot options.
- Input: psmouse - add psmouse_matches_pnp_id helper function (bsc#929092).
- Input: synaptics - fix middle button on Lenovo 2015 products (bsc#929092).
- Input: synaptics - handle spurious release of trackstick buttons (bsc#929092).
- Input: synaptics - re-route tracksticks buttons on the Lenovo 2015 series (bsc#929092).
- Input: synaptics - remove TOPBUTTONPAD property for Lenovos 2015 (bsc#929092).
- Input: synaptics - retrieve the extended capabilities in query $10 (bsc#929092).
- NFS: Add attribute update barriers to nfs_setattr_update_inode() (bsc#920262).
- NFS: restore kabi after change to nfs_setattr_update_inode (bsc#920262).
- af_iucv: fix AF_IUCV sendmsg() errno (bsc#927308, LTC#123304).
- audit: do not reject all AUDIT_INODE filter types (bsc#927455).
- bnx2x: Fix kdump when iommu=on (bsc#921769).
- cpufreq: fix a NULL pointer dereference in __cpufreq_governor() (bsc#924664).
- dasd: Fix device having no paths after suspend/resume (bsc#927308, LTC#123896).
- dasd: Fix inability to set a DASD device offline (bsc#927308, LTC#123905).
- dasd: Fix unresumed device after suspend/resume (bsc#927308, LTC#123892).
- dasd: Missing partition after online processing (bsc#917125, LTC#120565).
- drm/radeon/cik: Add macrotile mode array query (bsc#927285).
- drm/radeon: fix display tiling setup on SI (bsc#927285).
- drm/radeon: set correct number of banks for CIK chips in DCE (bsc#927285).
- iommu/amd: Correctly encode huge pages in iommu page tables (bsc#931014).
- iommu/amd: Optimize alloc_new_range for new fetch_pte interface (bsc#931014).
- iommu/amd: Optimize amd_iommu_iova_to_phys for new fetch_pte interface (bsc#931014).
- iommu/amd: Optimize iommu_unmap_page for new fetch_pte interface (bsc#931014).
- iommu/amd: Return the pte page-size in fetch_pte (bsc#931014).
- ipc/shm.c: fix overly aggressive shmdt() when calls span multiple segments (ipc fixes).
- ipmi: Turn off all activity on an idle ipmi interface (bsc#915540).
- ixgbe: fix detection of SFP+ capable interfaces (bsc#922734).
- kgr: add error code to the message in kgr_revert_replaced_funs.
- kgr: add kgraft annotations to kthreads wait_event_freezable() API calls.
- kgr: correct error handling of the first patching stage.
- kgr: handle the delayed patching of the modules.
- kgr: handle the failure of finalization stage.
- kgr: return error in kgr_init if notifier registration fails.
- kgr: take switching of the fops out of kgr_patch_code to new function.
- kgr: use for_each_process_thread (bsc#929883).
- kgr: use kgr_in_progress for all threads (bnc#929883).
- libata: Blacklist queued TRIM on Samsung SSD 850 Pro (bsc#926156).
- mlx4: Call dev_kfree_skby_any instead of dev_kfree_skb (bsc#928708).
- mm, numa: really disable NUMA balancing by default on single node machines (Automatic NUMA Balancing).
- mm: vmscan: do not throttle based on pfmemalloc reserves if node has no reclaimable pages (bsc#924803, VM Functionality).
- net/mlx4: Cache line CQE/EQE stride fixes (bsc#927084).
- net/mlx4_core: Cache line EQE size support (bsc#927084).
- net/mlx4_core: Enable CQE/EQE stride support (bsc#927084).
- net/mlx4_en: Add mlx4_en_get_cqe helper (bsc#927084).
- perf/x86/amd/ibs: Update IBS MSRs and feature definitions.
- powerpc/mm: Fix mmap errno when MAP_FIXED is set and mapping exceeds the allowed address space (bsc#930669).
- powerpc/numa: Add ability to disable and debug topology updates (bsc#924809).
- powerpc/numa: Enable CONFIG_HAVE_MEMORYLESS_NODES (bsc#924809).
- powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID (bsc#924809).
- powerpc/numa: check error return from proc_create (bsc#924809).
- powerpc/numa: ensure per-cpu NUMA mappings are correct on topology update (bsc#924809).
- powerpc/numa: use cached value of update-&gt;cpu in update_cpu_topology (bsc#924809).
- powerpc/perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH (bsc#928141).
- powerpc/pseries: Introduce api_version to migration sysfs interface (bsc#926314).
- powerpc/pseries: Little endian fixes for post mobility device tree update (bsc#926314).
- powerpc/pseries: Simplify check for suspendability during suspend/migration (bsc#926314).
- powerpc: Fix sys_call_table declaration to enable syscall tracing.
- powerpc: Fix warning reported by verify_cpu_node_mapping() (bsc#924809).
- powerpc: Only set numa node information for present cpus at boottime (bsc#924809).
- powerpc: reorder per-cpu NUMA information initialization (bsc#924809).
- powerpc: some changes in numa_setup_cpu() (bsc#924809).
- quota: Fix use of units in quota getting / setting interfaces (bsc#913232).
- rpm/kernel-binary.spec.in: Fix build if there is no *.crt file
- rpm/kernel-obs-qa.spec.in: Do not fail if the kernel versions do not match
- s390/bpf: Fix ALU_NEG (A = -A) (bsc#917125, LTC#121759).
- s390/bpf: Fix JMP_JGE_K (A >= K) and JMP_JGT_K (A > K) (bsc#917125, LTC#121759).
- s390/bpf: Fix JMP_JGE_X (A > X) and JMP_JGT_X (A >= X) (bsc#917125, LTC#121759).
- s390/bpf: Fix offset parameter for skb_copy_bits() (bsc#917125, LTC#121759).
- s390/bpf: Fix sk_load_byte_msh() (bsc#917125, LTC#121759).
- s390/bpf: Fix skb_copy_bits() parameter passing (bsc#917125, LTC#121759).
- s390/bpf: Zero extend parameters before calling C function (bsc#917125, LTC#121759).
- s390/sclp: Consolidate early sclp init calls to sclp_early_detect() (bsc#917125, LTC#122429).
- s390/sclp: Determine HSA size dynamically for zfcpdump (bsc#917125, LTC#122429).
- s390/sclp: Move declarations for sclp_sdias into separate header file (bsc#917125, LTC#122429).
- s390/sclp: Move early code from sclp_cmd.c to sclp_early.c (bsc#917125, LTC#122429).
- s390/sclp: replace uninitialized early_event_mask_sccb variable with sccb_early (bsc#917125, LTC#122429).
- s390/sclp: revert smp-detect-possible-cpus.patch (bsc#917125, LTC#122429).
- s390/sclp_early: Add function to detect sclp console capabilities (bsc#917125, LTC#122429).
- s390/sclp_early: Get rid of sclp_early_read_info_sccb_valid (bsc#917125, LTC#122429).
- s390/sclp_early: Pass sccb pointer to every *_detect() function (bsc#917125, LTC#122429).
- s390/sclp_early: Replace early_read_info_sccb with sccb_early (bsc#917125, LTC#122429).
- s390/sclp_early: Return correct HSA block count also for zero (bsc#917125, LTC#122429).
- s390/smp: limit number of cpus in possible cpu mask (bsc#917125, LTC#122429).
- s390: kgr, change the kgraft state only if enabled.
- sched, time: Fix lock inversion in thread_group_cputime()
- sched: Fix potential near-infinite distribute_cfs_runtime() loop (bsc#930786)
- sched: Robustify topology setup (bsc#924809).
- seqlock: Add irqsave variant of read_seqbegin_or_lock() (Time scalability).
- storvsc: Set the SRB flags correctly when no data transfer is needed (bsc#931130).
- x86/apic/uv: Update the APIC UV OEM check (bsc#929145).
- x86/apic/uv: Update the UV APIC HUB check (bsc#929145).
- x86/apic/uv: Update the UV APIC driver check (bsc#929145).
- x86/microcode/intel: Guard against stack overflow in the loader (bsc#922944).


-----------------------------------------
Patch: SUSE-2015-290
Released: Thu Jun 11 21:00:43 2015
Summary: Recommended update for sysconfig
Severity: moderate
References: 895447,900982,909307,912891,930309
Description:
This update for sysconfig provides the following fixes:

- Use correct name of ntp systemd service in ntp-runtime. (bsc#930309)
- Add explicit dependency on /bin/logger.
- Add variables for handling of DHCPv4 user-class. (bsc#909307)
- Use domain name from hostname: when there is no dns domain or
  search list provided (by dhcp), but a hostname as FQDN, use
  it's domain for /etc/resolv.conf search list. (bsc#912891)
- Merge NetworkManager settings on -m. (bsc#900982)
- Kill all NetworkManager child processes on migration: before
  we stop (the always running) NetworkManager.service, ensure to
  kill all (child) processes when migrating from the
  NETWORKMANAGER=no variable. (bsc#895447)


-----------------------------------------
Patch: SUSE-2015-315
Released: Thu Jun 11 21:03:44 2015
Summary: Recommended update for freetype2
Severity: low
References: 933247,CVE-2014-9671
Description:

This update of freetype2 fixes a regression introduced by the security
fix for CVE-2014-9671.

This is not itself a security issue, it just improves on a previous one.

This update is needed for LSB 5 fontconfig usage.


-----------------------------------------
Patch: SUSE-2015-319
Released: Sun Jun 14 22:19:30 2015
Summary: Recommended update for yast2-dns-server
Severity: moderate
References: 746401,898659,899104
Description:
This update for yast2-dns-server provides the following fixes:

Fix handling of zones (bsc#898659):

- Extend list of zones marked as system (internal) with (0\.)+ip6.arpa
- Do not allow to edit system zones (they belong to bind package)
- Check if 'bind' package is installed before writing the configuration
- Mark all imported zones as 'modified' to be written later
- Mark all imported non-system zones as 'is_new' to create a zone file for them
- Flush /etc/named.conf cache 'after' writing zones (instead of 'before')
- Use '' as the default NETCONFIG_DNS_POLICY (instead of 0)
- Do not write system zones to LDAP (bnc#746401)
- If systems zones are marked as modified, they are written to named configuration (if LDAP is not in use).

Fix Import() and Write() in AutoYast (bnc#898659):

- Imported zones were not written to the system as they were not marked as 'modified'
- Directory /etc/named.d/ was used even if it didn't exist
- The whole named.conf was rewritten from scratch as Yast thought
  that something has changed that file while Yast was running.


-----------------------------------------
Patch: SUSE-2015-294
Released: Mon Jun 15 17:32:43 2015
Summary: Recommended update for Package Management Stack
Severity: moderate
References: 725867,820693,828631,832519,848054,892431,893294,896224,897301,899510,899603,899781,899907,901590,901691,903405,903675,904737,906549,908135,908345,908976,909143,909244,909772,911335,911658,914258,914284,915461,915928,916254,919709,921332,922352,923800,925678,925696,927319,929483,929528,929593,929990,931601,932393,933277,CVE-2014-3566
Description:
This update provides fixes and enhancements for the Software Update Stack.

gnome-packagekit:

- Fix title of license agreement window. (bsc#927319)

libsolv:

- Rework splitprovides handling. (bnc#921332)
- Add product:regflavor attribute. (bnc#896224)
- Fix bug in reorder_dq_for_jobrules that could lead to crashes. (bnc#899907)
- Fix bug in dislike_old_versions that could lead to a segfault. (bnc#922352)
- Add manpages for the tools.

libzypp:

- Add configuration values for gpgcheck, repo_gpgcheck and pkg_gpgcheck to zypp.conf. (FATE#314603)
- Support $releasever_major/$releasever_minor repo variables. (FATE#318354)
- Support repo variable replacement in service url.
- Support repo variable replacement in gpg url.
- Add support for SHA224/384/512.
- Don't execute scripts in /tmp or /var/tmp, as they could be mounted noexec for security reasons. (bnc#915928)
- Let $ZYPP_REPO_RELEASEVER overwrite $releasever in .repo files. (bnc#911658)
- Parse and offer productRegisterFlavor attribute. (bnc#896224)
- Improve conflict message for locked packages. (bnc#828631)
- Fix broken de-escaping in str::splitEscaped. (bnc#909772)
- Filter PIDs running in a container. (bnc#909143)
- Suppress informal license (no need to accept) upon update. (bnc#908976)
- Adapt to gpg-2.1. (bnc#908135)
- Call rpm with '--noglob'. (bnc#892431)
- Fix URL path concatenation in MediaCurl. (bnc#901590)
- Move doxygen html doc to libzypp-devel-doc. (bnc#901691)
- Support parsing multiple baseurls from a repo file. (bnc#899510)
- Suppress MediaChangeReport while testing multiple baseurls. (bnc#899510)
- Fix handling local mirrorlist= files in .repo. (bnc#899510)
- Prevent POODLE by talking TLS only. (bnc#903405)
- Fix segmentation fault when dumping rpm header with epoch. (bnc#929483)
- Handle repository aliases containing ']' correctly. (bnc#929528)
- Avoid nested exception on user abort. (bnc#931601)
- Fix SSL client certificate authentication via URL option ssl_clientcert/ssl_clientkey. (bnc#932393)

libzypp-bindings:

- Enforce Python 2.7 libzypp-bindings is not yet ready for Python 3. 
- Adapt to libzypp changes.

zypper:

- Implement and document GPG signature checking. (FATE#314603)
- Enhance 'Digest verification failed' message and dialog. (FATE#315008)
- Refresh plugin services on 'lr' 'ls -r' and 'ref'. (bnc#893294, FATE#318117)
  Repositories provided by a plugin service (SUSE Manager) must always
  be (auto-)refreshed to reflect server side changes immediately.
- Allow repo:package to reinstall from a different repo. (bnc#725867)
- Suppress MediaChangeReport while testing multiple baseurls. (bnc#899510)
- A date limit must ignore newer patch candidates. (bnc#919709)
- Notify about volatile changes to service repos. (bnc#916254)
- Change column header from 'Login' to 'User'. (bnc#915461)
- Fix wrong exit status using the --xmlout option. (bnc#914258)
- Add new color/pkglistHighlightAttribute to zypper.conf. (bnc#914284)
- New global option --releasever: Set the value of the $releasever variable in all .repo files.
  This can be used to switch to new distribution repositories when performing a distribution upgrade. (bnc#911658)
- Clarify legacy warning. (bnc#911335)
- Show new product:registerflavor attribute in 'zypper info'. (bnc#896224)
- Enhance message text when skipping repos due to an error. (bnc#909244)
- Fix additional spaces in zypper output and new colorization code. (bnc#908345)
- Properly reset auto-retry counter. (bnc#906549)
- Improve patch description in man page. (bnc#904737)
- Warn about repositories with 'gpgcheck=0'. (bnc#848054)
- Summary: quote names including spaces. (bnc#903675)
- Warn if legacy CLI options are used. (bnc#899781)
- Fix prompt returning undefined default value after wrong input. (bnc#925696)
- Fix typo in man page. (bnc#923800)
- Only use ANSI color codes on terminals. (bnc#925678)
- Fix table sorting with option --sort-by-priority. (bnc#832519)
- Clarify 'zypper lp --date' description. (bnc#929593)
- Warn user that deleting a service repository is a volatile change. (bnc#929990)
- Adapt Enterprise product detection, fixing display of package's support status. (bnc#933277)
- Fix format of sizes in output. (bnc#897301)
- Clarify comment in zypper.conf. (bnc#820693)


-----------------------------------------
Patch: SUSE-2015-283
Released: Tue Jun 16 15:02:53 2015
Summary: Recommended update for timezone
Severity: low
References: 928841,934654
Description:

This update provides the latest timezone information (2015e) for your
system, including the following changes:

- Morocco will suspend DST from 2015-06-14 03:00 through 2015-07-19 02:00,
  not 06-13 and 07-18.
- Assume Cayman Islands will observe DST starting next year, using US rules.
- Fix post-install script to overwrite the temporary file when attempting
  to create /etc/localtime as a hard link. (bsc#928841)

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, refer to the release announcements from ICANN:

http://mm.icann.org/pipermail/tz-announce/2015-June/000032.html
http://mm.icann.org/pipermail/tz-announce/2015-April/000031.html


-----------------------------------------
Patch: SUSE-2015-282
Released: Wed Jun 17 16:54:15 2015
Summary: Security update for openssl
Severity: important
References: 926597,929678,931698,933898,933911,934487,934489,934491,934493,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Description:

This update of openssl fixes the following security issues:
- CVE-2015-4000 (bsc#931698)
  * The Logjam Attack / weakdh.org
  * reject connections with DH parameters shorter than 1024 bits
  * generates 2048-bit DH parameters by default
- CVE-2015-1788 (bsc#934487)
  * Malformed ECParameters causes infinite loop
- CVE-2015-1789 (bsc#934489)
  * Exploitable out-of-bounds read in X509_cmp_time
- CVE-2015-1790 (bsc#934491)
  * PKCS7 crash with missing EnvelopedContent
- CVE-2015-1792 (bsc#934493)
  * CMS verify infinite loop with unknown hash function
- CVE-2015-1791 (bsc#933911)
  * race condition in NewSessionTicket
- CVE-2015-3216 (bsc#933898)
  * Crash in ssleay_rand_bytes due to locking regression
- fix a timing side channel in RSA decryption (bnc#929678)


-----------------------------------------
Patch: SUSE-2015-343
Released: Mon Jun 22 17:44:25 2015
Summary: Security update for python-setuptools
Severity: moderate
References: 930189,CVE-2013-7440
Description:
the following issue was fixed by this update: 
Non-RFC6125-compliant host name matching was incorrect (CVE-2013-7440 bnc#930189)
  

-----------------------------------------
Patch: SUSE-2015-320
Released: Wed Jun 24 09:10:39 2015
Summary: Security update for augeas
Severity: moderate
References: 925225,CVE-2014-8119
Description:

This update fixes an untrusted argument escaping problem (CVE-2014-8119):

* new API - aug_escape_name() - which can be used to escape
  untrusted inputs before using them as part of path expressions
* aug_match() is changed to return properly escaped output


-----------------------------------------
Patch: SUSE-2015-366
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:

Two security issues were fixed in e2fsprogs:

Security issues fixed:

* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346 )


-----------------------------------------
Patch: SUSE-2015-367
Released: Tue Jun 30 16:48:06 2015
Summary: Security update for python
Severity: moderate
References: 898572,901715,924312,935856,CVE-2013-1752,CVE-2013-1753,CVE-2014-4650,CVE-2014-7185
Description:
This update to python 2.7.9 fixes the following issues:
* python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for aarch64

From the version update to 2.7.9:
  * contains full backport of ssl module from Python 3.4 (PEP466)
  * HTTPS certificate validation enabled by default (PEP476)
  * SSLv3 disabled by default (bnc#901715)
  * backported ensurepip module (PEP477)
  * fixes several missing CVEs from last release: CVE-2013-1752, CVE-2013-1753
  * dropped upstreamed patches: python-2.7.6-poplib.patch,
    smtplib_maxline-2.7.patch, xmlrpc_gzip_27.patch
  * dropped patch python-2.7.3-ssl_ca_path.patch because we don't need it
    with ssl module from Python 3
  * libffi was upgraded upstream, seems to contain our changes,
    so dropping libffi-ppc64le.diff as well
  * python-2.7-urllib2-localnet-ssl.patch - properly remove unconditional
    'import ssl' from test_urllib2_localnet that caused it to fail without ssl

  * skip test_thread in qemu_linux_user mode 

From the version update to 2.7.8:
  * fixes CVE-2014-4650 directory traversal in CGIHTTPServer
  * fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()

Also the DH parameters were increased to 2048 bit to fix logjam security issue (bsc#935856)


-----------------------------------------
Patch: SUSE-2015-378
Released: Tue Jun 30 20:34:17 2015
Summary: Recommended update for cloud-init
Severity: moderate
References: 920190,928552
Description:
This update provides cloud-init version 0.7.6, which brings several
fixes and enhancements:

- Properly write the routes file for static networks. (bsc#920190)
- Require pmtools only on Intel architecture. (bsc#928552)
- Enable vendordata on CloudSigma datasource.
- Do not write comments in /etc/timezone.
- Make cloud-init block ssh service startup to guarantee keys are generated.
- Fix rendering resolv.conf if no 'options' are provided.
- In resizefs check first that device is writable.

For a comprehensive list of fixes, please refer to the package's change log.


-----------------------------------------
Patch: SUSE-2015-354
Released: Fri Jul  3 20:34:17 2015
Summary: Recommended update for systemd
Severity: moderate
References: 906900,909358,919095,920195,921831,921898,921920,926169,927457,928265,931388,932284,933365,933512,934077
Description:
This update for systemd provides the following fixes:

- Support 'locally administered' MAC address in persistent rules.
  (bsc#921831)
- Avoid confusing warning messages. (bsc#928265)
- Allow more concurrent connections to dbus. (bsc#920195)
- Amend patch to fix stack overwrite when using struct rand_pool_info.
  (bsc#926169)
- Adds kernel commandline options 'mount.timeout' and 'rd.timeout' for
  allowing to modify the default device timeout. (bsc#909358)
- Correct systemd-sleep-grub return code. (bsc#919095)
- Fix systemd --test option. (bsc#921920)
- Fix a race condition where systemd could unmount devices known by sysfs
  but not by udev. (bsc#921898)
- Add examples of how to allow units to be enabled and how to overwrite
  vendor settings to the systemd.unit man page. (bsc#927457)
- Return an error code if 'systemctl status' fails. (bsc#931388)
- Don't drop bus_name_good and cgroup_realized on daemon-reload.
  (bsc#933365, bsc#934077)
- Respect DefaultTimeoutStopSec in systemd unit files. (bsc#933512)
- DBUS serialization has been made more stable.
- Let bus connection survive a daemon reload as well as let services
  track clients which reference certain objects they maintain. This solve
  the problem that e.g. the sd-pam processes become not closed together
  with closing an ssh connection after a daemon reload.
- Ensure processes started using su(1) by sysv scripts are not stopped
  early on shutdown. (bsc#906900, bsc#932284)
  

-----------------------------------------
Patch: SUSE-2015-300
Released: Tue Jul  7 16:21:05 2015
Summary: Security update for bind
Severity: moderate
References: 918330,936476,CVE-2015-1349,CVE-2015-4620
Description:
bind was updated to fix two security issues.

These security issues were fixed:
- CVE-2015-1349: Named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled, allowed remote attackers to cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use (bsc#918330).
- CVE-2015-4620: Fixed resolver crash when validating (bsc#936476).
  

-----------------------------------------
Patch: SUSE-2015-575
Released: Fri Jul 10 10:41:31 2015
Summary: Recommended update for yast2-metapackage-handler
Severity: low
References: 551014,926313
Description:
This update for yast2-metapackage-handler provides the following fixes:

- Do not use repository name as alias, it must be unique, let pkg-bindings create it. (bsc#551014)
- OneClickInstallCLI: use /usr/sbin/yast instead of /sbin/YaST. (bsc#926313)


-----------------------------------------
Patch: SUSE-2015-335
Released: Tue Jul 14 15:19:31 2015
Summary: Security update for krb5
Severity: moderate
References: 910457,910458,918595,928978,CVE-2014-5353,CVE-2014-5354,CVE-2014-5355,CVE-2015-2694
Description:
krb5 was updated to fix four security issues.

These security issues were fixed:
- CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name (bsc#910457).
- CVE-2014-5354: NULL pointer dereference when using keyless entries (bsc#910458).
- CVE-2014-5355: Denial of service in krb5_read_message (bsc#918595).
- CVE-2015-2694: OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass (bsc#928978).


-----------------------------------------
Patch: SUSE-2015-330
Released: Tue Jul 14 20:28:10 2015
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 856315,935033,935979,CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2725,CVE-2015-2726,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000
Description:
MozillaFirefox, mozilla-nspr and  mozilla-nss were updated to fix 17 security issues.

For more details please check the changelogs.
- CVE-2015-2724/CVE-2015-2725/CVE-2015-2726: Miscellaneous memory safety hazards (bsc#935979).
- CVE-2015-2728: Type confusion in Indexed Database Manager (bsc#935979).
- CVE-2015-2730: ECDSA signature validation fails to handle some signatures correctly (bsc#935979).
- CVE-2015-2722/CVE-2015-2733: Use-after-free in workers while using XMLHttpRequest (bsc#935979).
- CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737/CVE-2015-2738/CVE-2015-2739/CVE-2015-2740: Vulnerabilities found through code inspection (bsc#935979).
- CVE-2015-2743: Privilege escalation in PDF.js (bsc#935979).
- CVE-2015-4000: NSS accepts export-length DHE keys with regular DHE cipher suites (bsc#935033).
- CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange (bsc#935979).


-----------------------------------------
Patch: SUSE-2015-361
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:

The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing
a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:

* Fixes bogus integer overflow in constant expression.  [bnc#934689]
* Fixes ICE with atomics on aarch64.  [bnc#930176]
* Includes fix for -imacros bug.  [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings.  [bnc#919274]
* Includes updated -mhotpatch for s390x.  [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract.  [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations.  [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
  

-----------------------------------------
Patch: SUSE-2015-356
Released: Thu Jul 16 18:16:36 2015
Summary: Security update for the SUSE Linux Enterprise 12 kernel
Severity: important
References: 854817,854824,858727,866911,867362,895814,903279,907092,908491,915183,917630,918618,921430,924071,924526,926369,926953,927455,927697,927786,928131,929475,929696,929879,929974,930092,930399,930579,930599,930972,931124,931403,931538,931620,931860,931988,932348,932793,932897,932898,932899,932900,932967,933117,933429,933637,933896,933904,933907,934160,935083,935085,935088,935174,935542,935881,935918,936012,936423,936445,936446,936502,936556,936831,936875,937032,937087,937609,937612,937613,937616,938022,938023,938024,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-1805,CVE-2015-3212,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-5364,CVE-2015-5366
Description:
The SUSE Linux Enterprise 12 kernel was updated to 3.12.44 to receive various security and bugfixes.

These features were added:
- mpt2sas: Added Reply Descriptor Post Queue (RDPQ) Array support (bsc#854824).
- mpt3sas: Bump mpt3sas driver version to 04.100.00.00 (bsc#854817).

Following security bugs were fixed:
- CVE-2015-1805: iov overrun for failed atomic copy could have lead to
  DoS or privilege escalation (bsc#933429).
- CVE-2015-3212: A race condition in the way the Linux kernel handled
  lists of associations in SCTP sockets could have lead to list
  corruption and kernel panics (bsc#936502).
- CVE-2015-4036: DoS via memory corruption in vhost/scsi driver
  (bsc#931988).
- CVE-2015-4167: Linux kernel built with the UDF file
  system(CONFIG_UDF_FS) support was vulnerable to a crash. It occurred
  while fetching inode information from a corrupted/malicious udf file
  system image (bsc#933907).
- CVE-2015-4692: DoS via NULL pointer dereference in kvm_apic_has_events
  function (bsc#935542).
- CVE-2015-5364: Remote DoS via flood of UDP packets with invalid
  checksums (bsc#936831).
- CVE-2015-5366: Remote DoS of EPOLLET epoll applications via flood of
  UDP packets with invalid checksums (bsc#936831).

Security issues already fixed in the previous update but not referenced by CVE:
- CVE-2014-9728: Kernel built with the UDF file system(CONFIG_UDF_FS)
  support were vulnerable to a crash (bsc#933904).
- CVE-2014-9729: Kernel built with the UDF file system(CONFIG_UDF_FS)
  support were vulnerable to a crash (bsc#933904).
- CVE-2014-9730: Kernel built with the UDF file system(CONFIG_UDF_FS)
  support were vulnerable to a crash (bsc#933904).
- CVE-2014-9731: Kernel built with the UDF file system(CONFIG_UDF_FS)
  support were vulnerable to information leakage (bsc#933896).

The following non-security bugs were fixed:
- ALSA: hda - add codec ID for Skylake display audio codec (bsc#936556).
- ALSA: hda/hdmi - apply Haswell fix-ups to Skylake display codec
  (bsc#936556).
- ALSA: hda_controller: Separate stream_tag for input and output streams
  (bsc#936556).
- ALSA: hda_intel: add AZX_DCAPS_I915_POWERWELL for SKL and BSW
  (bsc#936556).
- ALSA: hda_intel: apply the Seperate stream_tag for Skylake
  (bsc#936556).
- ALSA: hda_intel: apply the Seperate stream_tag for Sunrise Point
  (bsc#936556).
- Btrfs: Handle unaligned length in extent_same (bsc#937609).
- Btrfs: add missing inode item update in fallocate() (bsc#938023).
- Btrfs: check pending chunks when shrinking fs to avoid corruption
  (bsc#936445).
- Btrfs: do not update mtime/ctime on deduped inodes (bsc#937616).
- Btrfs: fix block group ->space_info null pointer dereference
  (bsc#935088).
- Btrfs: fix clone / extent-same deadlocks (bsc#937612).
- Btrfs: fix deadlock with extent-same and readpage (bsc#937612).
- Btrfs: fix fsync data loss after append write (bsc#936446).
- Btrfs: fix hang during inode eviction due to concurrent readahead
  (bsc#935085).
- Btrfs: fix memory leak in the extent_same ioctl (bsc#937613).
- Btrfs: fix race when reusing stale extent buffers that leads to BUG_ON
  (bsc#926369).
- Btrfs: fix use after free when close_ctree frees the orphan_rsv
  (bsc#938022).
- Btrfs: pass unaligned length to btrfs_cmp_data() (bsc#937609).
- Btrfs: provide super_operations->inode_get_dev (bsc#927455).
- Drivers: hv: balloon: check if ha_region_mutex was acquired in
  MEM_CANCEL_ONLINE case.
- Drivers: hv: fcopy: process deferred messages when we complete the
  transaction.
- Drivers: hv: fcopy: rename fcopy_work -> fcopy_timeout_work.
- Drivers: hv: fcopy: set .owner reference for file operations.
- Drivers: hv: fcopy: switch to using the hvutil_device_state state
  machine.
- Drivers: hv: hv_balloon: correctly handle num_pages>INT_MAX case.
- Drivers: hv: hv_balloon: correctly handle val.freeram lower than num_pages case.
- Drivers: hv: hv_balloon: do not lose memory when onlining order is not
  natural.
- Drivers: hv: hv_balloon: do not online pages in offline blocks.
- Drivers: hv: hv_balloon: eliminate jumps in piecewiese linear floor
  function.
- Drivers: hv: hv_balloon: eliminate the trylock path in
  acquire/release_region_mutex.
- Drivers: hv: hv_balloon: keep locks balanced on add_memory() failure.
- Drivers: hv: hv_balloon: refuse to balloon below the floor.
- Drivers: hv: hv_balloon: report offline pages as being used.
- Drivers: hv: hv_balloon: survive ballooning request with num_pages=0.
- Drivers: hv: kvp: move poll_channel() to hyperv_vmbus.h.
- Drivers: hv: kvp: rename kvp_work -> kvp_timeout_work.
- Drivers: hv: kvp: reset kvp_context.
- Drivers: hv: kvp: switch to using the hvutil_device_state state
  machine.
- Drivers: hv: util: Fix a bug in the KVP code. reapply upstream change
  ontop of v3.12-stable change
- Drivers: hv: util: On device remove, close the channel after
  de-initializing the service.
- Drivers: hv: util: introduce hv_utils_transport abstraction.
- Drivers: hv: util: introduce state machine for util drivers.
- Drivers: hv: util: move kvp/vss function declarations to
  hyperv_vmbus.h.
- Drivers: hv: vmbus: Add device and vendor ID to vmbus devices.
- Drivers: hv: vmbus: Add support for VMBus panic notifier handler
  (bsc#934160).
- Drivers: hv: vmbus: Add support for the NetworkDirect GUID.
- Drivers: hv: vmbus: Correcting truncation error for constant
  HV_CRASH_CTL_CRASH_NOTIFY (bsc#934160).
- Drivers: hv: vmbus: Export the vmbus_sendpacket_pagebuffer_ctl().
- Drivers: hv: vmbus: Fix a bug in rescind processing in
  vmbus_close_internal().
- Drivers: hv: vmbus: Fix a siganlling host signalling issue.
- Drivers: hv: vmbus: Get rid of some unnecessary messages.
- Drivers: hv: vmbus: Get rid of some unused definitions.
- Drivers: hv: vmbus: Handle both rescind and offer messages in the same
  context.
- Drivers: hv: vmbus: Implement the protocol for tearing down vmbus
  state.
- Drivers: hv: vmbus: Introduce a function to remove a rescinded offer.
- Drivers: hv: vmbus: Perform device register in the per-channel work
  element.
- Drivers: hv: vmbus: Permit sending of packets without payload.
- Drivers: hv: vmbus: Properly handle child device remove.
- Drivers: hv: vmbus: Remove the channel from the channel list(s) on
  failure.
- Drivers: hv: vmbus: Suport an API to send packet with additional
  control.
- Drivers: hv: vmbus: Suport an API to send pagebuffers with additional
  control.
- Drivers: hv: vmbus: Teardown clockevent devices on module unload.
- Drivers: hv: vmbus: Teardown synthetic interrupt controllers on module
  unload.
- Drivers: hv: vmbus: Use a round-robin algorithm for picking the
  outgoing channel.
- Drivers: hv: vmbus: Use the vp_index map even for channels bound to CPU
  0.
- Drivers: hv: vmbus: avoid double kfree for device_obj.
- Drivers: hv: vmbus: briefly comment num_sc and next_oc.
- Drivers: hv: vmbus: decrease num_sc on subchannel removal.
- Drivers: hv: vmbus: distribute subchannels among all vcpus.
- Drivers: hv: vmbus: do cleanup on all vmbus_open() failure paths.
- Drivers: hv: vmbus: introduce vmbus_acpi_remove.
- Drivers: hv: vmbus: kill tasklets on module unload.
- Drivers: hv: vmbus: move init_vp_index() call to vmbus_process_offer().
- Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors.
- Drivers: hv: vmbus: rename channel work queues.
- Drivers: hv: vmbus: teardown hv_vmbus_con workqueue and
  vmbus_connection pages on shutdown.
- Drivers: hv: vmbus: unify calls to percpu_channel_enq().
- Drivers: hv: vmbus: unregister panic notifier on module unload.
- Drivers: hv: vmbus:Update preferred vmbus protocol version to windows
  10.
- Drivers: hv: vss: process deferred messages when we complete the
  transaction.
- Drivers: hv: vss: switch to using the hvutil_device_state state
  machine.
- Enable CONFIG_BRIDGE_NF_EBTABLES on s390x (bsc#936012)
- Fix connection reuse when sk_error_report is used (bsc#930972).
- GHES: Carve out error queueing in a separate function (bsc#917630).
- GHES: Carve out the panic functionality (bsc#917630).
- GHES: Elliminate double-loop in the NMI handler (bsc#917630).
- GHES: Make NMI handler have a single reader (bsc#917630).
- GHES: Panic right after detection (bsc#917630).
- IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach
  (bsc#918618).
- Initialize hv_netvsc_packet->xmit_more to avoid transfer stalls
- KVM: PPC: BOOK3S: HV: CMA: Reserve cma region only in hypervisor mode
  (bsc#908491).
- KVM: s390: virtio-ccw: Handle command rejects (bsc#931860).
- MODSIGN: loading keys from db when SecureBoot disabled (bsc#929696).
- MODSIGN: loading keys from db when SecureBoot disabled (bsc#929696).
- PCI: pciehp: Add hotplug_lock to serialize hotplug events (bsc#866911).
- Revert 'MODSIGN: loading keys from db when SecureBoot disabled'. This
  reverts commit b45412d4, because it breaks legacy boot.
- SUNRPC: Report connection error values to rpc_tasks on the pending
  queue (bsc#930972).
- Update s390x kabi files with netfilter change (bsc#936012)
- client MUST ignore EncryptionKeyLength if CAP_EXTENDED_SECURITY is set
  (bsc#932348).
- cpufreq: pcc: Enable autoload of pcc-cpufreq for ACPI processors
  (bsc#933117).
- dmapi: fix value from newer Linux strnlen_user() (bsc#932897).
- drm/i915/hsw: Fix workaround for server AUX channel clock divisor
  (bsc#935918).
- drm/i915: Evict CS TLBs between batches (bsc#935918).
- drm/i915: Fix DDC probe for passive adapters (bsc#935918).
- drm/i915: Handle failure to kick out a conflicting fb driver
  (bsc#935918).
- drm/i915: drop WaSetupGtModeTdRowDispatch:snb (bsc#935918).
- drm/i915: save/restore GMBUS freq across suspend/resume on gen4
  (bsc#935918).
- edd: support original Phoenix EDD 3.0 information (bsc#929974).
- ext4: fix over-defensive complaint after journal abort (bsc#935174).
- fs/cifs: Fix corrupt SMB2 ioctl requests (bsc#931124).
- ftrace: add oco handling patch (bsc#924526).
- ftrace: allow architectures to specify ftrace compile options
  (bsc#924526).
- ftrace: let notrace function attribute disable hotpatching if necessary
  (bsc#924526).
- hugetlb, kabi: do not account hugetlb pages as NR_FILE_PAGES
  (bsc#930092).
- hugetlb: do not account hugetlb pages as NR_FILE_PAGES (bsc#930092).
- hv: channel: match var type to return type of wait_for_completion.
- hv: do not schedule new works in
  vmbus_onoffer()/vmbus_onoffer_rescind().
- hv: hv_balloon: match var type to return type of wait_for_completion.
- hv: hv_util: move vmbus_open() to a later place.
- hv: hypervvssd: call endmntent before call setmntent again.
- hv: no rmmod for hv_vmbus and hv_utils.
- hv: remove the per-channel workqueue.
- hv: run non-blocking message handlers in the dispatch tasklet.
- hv: vmbus: missing curly braces in vmbus_process_offer().
- hv: vmbus_free_channels(): remove the redundant free_channel().
- hv: vmbus_open(): reset the channel state on ENOMEM.
- hv: vmbus_post_msg: retry the hypercall on some transient errors.
- hv_netvsc: Allocate the receive buffer from the correct NUMA node.
- hv_netvsc: Allocate the sendbuf in a NUMA aware way.
- hv_netvsc: Clean up two unused variables.
- hv_netvsc: Cleanup the test for freeing skb when we use sendbuf
  mechanism.
- hv_netvsc: Define a macro RNDIS_AND_PPI_SIZE.
- hv_netvsc: Eliminate memory allocation in the packet send path.
- hv_netvsc: Fix a bug in netvsc_start_xmit().
- hv_netvsc: Fix the packet free when it is in skb headroom.
- hv_netvsc: Implement batching in send buffer.
- hv_netvsc: Implement partial copy into send buffer.
- hv_netvsc: Use the xmit_more skb flag to optimize signaling the host.
- hv_netvsc: change member name of struct netvsc_stats.
- hv_netvsc: introduce netif-msg into netvsc module.
- hv_netvsc: remove unused variable in netvsc_send().
- hv_netvsc: remove vmbus_are_subchannels_present() in
  rndis_filter_device_add().
- hv_netvsc: try linearizing big SKBs before dropping them.
- hv_netvsc: use per_cpu stats to calculate TX/RX data.
- hv_netvsc: use single existing drop path in netvsc_start_xmit.
- hv_vmbus: Add gradually increased delay for retries in
  vmbus_post_msg().
- hyperv: Implement netvsc_get_channels() ethool op.
- hyperv: hyperv_fb: match wait_for_completion_timeout return type.
- iommu/amd: Handle integer overflow in dma_ops_area_alloc (bsc#931538).
- iommu/amd: Handle large pages correctly in free_pagetable (bsc#935881).
- ipr: Increase default adapter init stage change timeout (bsc#930579).
- ipv6: do not delete previously existing ECMP routes if add fails
  (bsc#930399).
- ipv6: fix ECMP route replacement (bsc#930399).
- jbd2: improve error messages for inconsistent journal heads
  (bsc#935174).
- jbd2: revise KERN_EMERG error messages (bsc#935174).
- kabi/severities: Add s390 symbols allowed to change in bsc#931860
- kabi: only use sops->get_inode_dev with proper fsflag.
- kernel: add panic_on_warn.
- kexec: allocate the kexec control page with KEXEC_CONTROL_MEMORY_GFP
  (bsc#928131).
- kgr: fix redirection on s390x arch (bsc#903279).
- kgr: move kgr_task_in_progress() to sched.h.
- kgr: send a fake signal to all blocking tasks.
- kvm: irqchip: Break up high order allocations of kvm_irq_routing_table
  (bsc#926953).
- libata: Blacklist queued TRIM on all Samsung 800-series (bsc#930599).
- mei: bus: () can be static.
- mm, thp: really limit transparent hugepage allocation to local node (VM
  Performance, bsc#931620).
- mm, thp: respect MPOL_PREFERRED policy with non-local node (VM
  Performance, bsc#931620).
- mm/mempolicy.c: merge alloc_hugepage_vma to alloc_pages_vma (VM
  Performance, bsc#931620).
- mm/thp: allocate transparent hugepages on local node (VM Performance,
  bsc#931620).
- net/mlx4_en: Call register_netdevice in the proper location
  (bsc#858727).
- net/mlx4_en: Do not attempt to TX offload the outer UDP checksum for
  VXLAN (bsc#858727).
- net: fib6: fib6_commit_metrics: fix potential NULL pointer dereference
  (bsc#867362).
- net: introduce netdev_alloc_pcpu_stats() for drivers.
- net: ipv6: fib: do not sleep inside atomic lock (bsc#867362).
- netdev: set __percpu attribute on netdev_alloc_pcpu_stats.
- netdev_alloc_pcpu_stats: use less common iterator variable.
- netfilter: xt_NFQUEUE: fix --queue-bypass regression (bsc#935083)
- ovl: default permissions (bsc#924071).
- ovl: move s_stack_depth .
- powerpc/perf/hv-24x7: use kmem_cache instead of aligned stack
  allocations (bsc#931403).
- powerpc/pseries: Correct cpu affinity for dlpar added cpus (bsc#932967).
- powerpc: Add VM_FAULT_HWPOISON handling to powerpc page fault handler
  (bsc#929475).
- powerpc: Fill in si_addr_lsb siginfo field (bsc#929475).
- powerpc: Simplify do_sigbus (bsc#929475).
- reiserfs: Fix use after free in journal teardown (bsc#927697).
- rtlwifi: rtl8192cu: Fix kernel deadlock (bsc#927786).
- s390/airq: add support for irq ranges (bsc#931860).
- s390/airq: silence lockdep warning (bsc#931860).
- s390/compat,signal: change return values to -EFAULT (bsc#929879).
- s390/ftrace: hotpatch support for function tracing (bsc#924526).
- s390/irq: improve displayed interrupt order in /proc/interrupts
  (bsc#931860).
- s390/kernel: use stnsm 255 instead of stosm 0 (bsc#929879).
- s390/kgr: reorganize kgr infrastructure in entry64.S.
- s390/mm: align 64-bit PIE binaries to 4GB (bsc#929879).
- s390/mm: limit STACK_RND_MASK for compat tasks (bsc#929879).
- s390/rwlock: add missing local_irq_restore calls (bsc#929879).
- s390/sclp_vt220: Fix kernel panic due to early terminal input
  (bsc#931860).
- s390/smp: only send external call ipi if needed (bsc#929879).
- s390/spinlock,rwlock: always to a load-and-test first (bsc#929879).
- s390/spinlock: cleanup spinlock code (bsc#929879).
- s390/spinlock: optimize spin_unlock code (bsc#929879).
- s390/spinlock: optimize spinlock code sequence (bsc#929879).
- s390/spinlock: refactor arch_spin_lock_wait[_flags] (bsc#929879).
- s390/time: use stck clock fast for do_account_vtime (bsc#929879).
- s390: Remove zfcpdump NR_CPUS dependency (bsc#929879).
- s390: add z13 code generation support (bsc#929879).
- s390: avoid z13 cache aliasing (bsc#929879).
- s390: fix control register update (bsc#929879).
- s390: optimize control register update (bsc#929879).
- s390: z13 base performance (bsc#929879).
- sched: fix __sched_setscheduler() vs load balancing race (bsc#921430)
- scsi: retry MODE SENSE on unit attention (bsc#895814).
- scsi_dh_alua: Recheck state on unit attention (bsc#895814).
- scsi_dh_alua: fixup crash in alua_rtpg_work() (bsc#895814).
- scsi_dh_alua: parse device id instead of target id (bsc#895814).
- scsi_dh_alua: recheck RTPG in regular intervals (bsc#895814).
- scsi_dh_alua: update all port states (bsc#895814).
- sd: always retry READ CAPACITY for ALUA state transition (bsc#895814).
- st: null pointer dereference panic caused by use after kref_put by
  st_open (bsc#936875).
- supported.conf: add btrfs to kernel-$flavor-base (bsc#933637)
- udf: Remove repeated loads blocksize (bsc#933907).
- usb: core: Fix USB 3.0 devices lost in NOTATTACHED state after a hub
  port reset (bsc#938024).
- vTPM: set virtual device before passing to ibmvtpm_reset_crq
  (bsc#937087).
- vfs: add super_operations->get_inode_dev (bsc#927455).
- virtio-ccw: virtio-ccw adapter interrupt support (bsc#931860).
- virtio-rng: do not crash if virtqueue is broken (bsc#931860).
- virtio: fail adding buffer on broken queues (bsc#931860).
- virtio: virtio_break_device() to mark all virtqueues broken
  (bsc#931860).
- virtio_blk: verify if queue is broken after virtqueue_get_buf()
  (bsc#931860).
- virtio_ccw: fix hang in set offline processing (bsc#931860).
- virtio_ccw: fix vcdev pointer handling issues (bsc#931860).
- virtio_ccw: introduce device_lost in virtio_ccw_device (bsc#931860).
- virtio_net: do not crash if virtqueue is broken (bsc#931860).
- virtio_net: verify if queue is broken after virtqueue_get_buf()
  (bsc#931860).
- virtio_ring: adapt to notify() returning bool (bsc#931860).
- virtio_ring: add new function virtqueue_is_broken() (bsc#931860).
- virtio_ring: change host notification API (bsc#931860).
- virtio_ring: let virtqueue_{kick()/notify()} return a bool
  (bsc#931860).
- virtio_ring: plug kmemleak false positive (bsc#931860).
- virtio_scsi: do not call virtqueue_add_sgs(... GFP_NOIO) holding
  spinlock (bsc#931860).
- virtio_scsi: verify if queue is broken after virtqueue_get_buf()
  (bsc#931860).
- vmxnet3: Bump up driver version number (bsc#936423).
- vmxnet3: Changes for vmxnet3 adapter version 2 (fwd) (bug#936423).
- vmxnet3: Fix memory leaks in rx path (fwd) (bug#936423).
- vmxnet3: Register shutdown handler for device (fwd) (bug#936423).
- x86/PCI: Use host bridge _CRS info on Foxconn K8M890-8237A
  (bsc#907092).
- x86/PCI: Use host bridge _CRS info on systems with >32 bit addressing
  (bsc#907092).
- x86/kgr: move kgr infrastructure from asm to C.
- x86/mm: Improve AMD Bulldozer ASLR workaround (bsc#937032).
- xfrm: release dst_orig in case of error in xfrm_lookup() (bsc#932793).
- xfs: Skip dirty pages in ->releasepage (bsc#915183).
- xfs: fix xfs_setattr for DMAPI (bsc#932900).
- xfs_dmapi: fix transaction ilocks (bsc#932899).
- xfs_dmapi: fix value from newer Linux strnlen_user() (bsc#932897).
- xfs_dmapi: xfs_dm_rdwr() uses dir file ops not file's ops (bsc#932898).


-----------------------------------------
Patch: SUSE-2015-439
Released: Wed Jul 22 13:34:09 2015
Summary: Recommended update for polkit-default-privs
Severity: moderate
References: 918594
Description:

The policy kit rules for colord were adjusted so that a remote login
does not get colord permission requests. (bsc#918594)


-----------------------------------------
Patch: SUSE-2015-357
Released: Thu Jul 23 14:41:11 2015
Summary: Recommended update for release-notes-sles
Severity: low
References: 900935,912272,927292,930353,934230,934752
Description:

This update provides the latest revision of the Release Notes for SUSE Linux
Enterprise Server 12.

- New: Importing PTF key. (bsc#927292 via fate#319093)
- New: Activating uuidd socket. (bsc#900935 via fate#318949)
- New: pm-profiler replaced with tuned. (bsc#912272 via fate#319043)
- New: YaST: IPv6 open-iscsi support. (fate#316261)
- New: libzypp gpg check handling. (bsc#934230 via fate#319082)
- Updated: Docker references. (fate#317064)
- Removed entry: Extended Built-in Management Infrastructure


-----------------------------------------
Patch: SUSE-2015-422
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Severity: low
References: 926412,936050,937823
Description:

This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2, please see
https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to 2.25 release branch
to provide features and bugfixes.

Following features have been added to binutils:

* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).


The GNU Debugger gdb was updated to version 7.9.1 bringing
various features and lots of bugfixes. Also IBM zSeries z13 hardware
support has been added to gdb. (fate#318039)


-----------------------------------------
Patch: SUSE-2015-346
Released: Tue Jul 28 15:40:08 2015
Summary: Security update for bind
Severity: important
References: 939567,CVE-2015-5477
Description:
bind was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-5477: Remote DoS via TKEY queries (bsc#939567)

Exposure to this issue can not be prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling. 
  

-----------------------------------------
Patch: SUSE-2015-442
Released: Fri Jul 31 17:25:19 2015
Summary: Security update for perl-XML-LibXML
Severity: moderate
References: 929237,CVE-2015-3451
Description:

perl-XML-LibXML was updated to fix the expand_entities option to be preserved in all cases. (CVE-2015-3451).


-----------------------------------------
Patch: SUSE-2015-525
Released: Mon Aug  3 13:24:34 2015
Summary: Recommended update for wicked
Severity: moderate
References: 903759,911310,915025,916402,918069,919573,925276,927615,931288,934067
Description:

This update provides Wicked 0.6.20, which brings many fixes and enhancements:

- ifconfig: Handle link up of externally enslaved devices.
- ifcfg: Generate link master from master config, added MASTER_DEVICE variable.
- fsm: Master/slave transition dependency and state check fixes.
- fsm: Improve subordinate device relation updating and logging.
- fsm: Reference count config nodes to avoid memleaks.
- ethtool: Fix option tables terminator. (bsc#925276)
- scripts: Fixed typo breaking wicked scheme scripts.
- sysfs: Fixed memleak while reading device path.
- client: Config parsing, origin processing, root-directory cleanup and memory
  leak fixes.
- xml: Fixes to memory leaks, location functions cleanup.
- firmware: Properly extract discovery type and path.
- dhcp4: Improve invalid dhcp options handling. (bsc#918069)
- dhcp6: Refresh ipv6 link on newprefix in auto mode to workaround that
  the kernel does not send us events about mode change when RA timers are
  unspecified. (bsc#934067)
- ethtool: Do not warn when reading ethtool settings while netlink newlink
  processing and the device is already gone.
- ibft: Ignore invalid default gateway (0.0.0.0 and ::) provided by the
  firmware. (bsc#903759)
- wireless: Handle ANY for WPA-EAP methods and send passwd when phase2
  method isn't set. (bsc#927615)
- bonding: Don't insist that arp_validate=none default is valid in
  active-backup mode only. (bsc#919573)
- nanny: Fix error handling for NULL policy objects and fix to not compare
  iftype to a dbus class name. (bsc#931288)
- spec: Require util-linux-systemd providing logger. (bsc#911310)


-----------------------------------------
Patch: SUSE-2015-556
Released: Tue Aug  4 14:52:55 2015
Summary: Recommended update for python-requests
Severity: moderate
References: 935252
Description:

python-requests was updated to use the system CA certificate store.


-----------------------------------------
Patch: SUSE-2015-418
Released: Thu Aug  6 11:03:44 2015
Summary: Recommended update for openssl
Severity: moderate
References: 937212,937492,CVE-2015-0287
Description:

This update of openssl fixes two regressions.

- A regression was caused by the security fix for CVE-2015-0287, where
  DSA keys were not correctly loaded from file anymore. (bsc#937492)

- RSA key generation odd keylengths was entering an endless loop (bsc#937212)


-----------------------------------------
Patch: SUSE-2015-552
Released: Mon Aug 10 14:32:27 2015
Summary: Recommended update for plymouth
Severity: low
References: 923992,926742,929616,936005
Description:
This update adds RemainAfterExit=yes to plymouth-start.service, avoiding
an undesired restart of plymouthd after it has finished.

The update also ensures Plymouth is not started if 'init=/bin/bash' is present in the
Kernel command line.


-----------------------------------------
Patch: SUSE-2015-416
Released: Tue Aug 11 18:18:42 2015
Summary: Recommended update for timezone
Severity: low
References: 941249
Description:

This update provides the latest timezone information (2015f) for your
system, including the following changes:

- North Korea switches to +0830 on 2015-08-15. The abbreviation remains 'KST'.
- Uruguay no longer observes DST.
- Moldova starts and ends DST at 00:00 UTC, not at 01:00 UTC.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2015-August/000033.html


-----------------------------------------
Patch: SUSE-2015-426
Released: Fri Aug 14 02:23:29 2015
Summary: Recommended update for yast2-registration
Severity: low
References: 891293,894460,925700
Description:
This update for yast2-registration provides the following fixes:

- Collect product rename also for the base product (the internal
  SLES-for-SAP product identifier has been changed). (bsc#925700)
- Display correct default EULA translation for extensions/modules.
  (bsc#894460)
- Reset registration URL when registration upgrade fails to allow
  easily switch from SMT to SCC and to be consistent with full
  installation. (bsc#891293)


-----------------------------------------
Patch: SUSE-2015-500
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:

This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation
  [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
   are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)


-----------------------------------------
Patch: SUSE-2015-421
Released: Tue Aug 18 16:34:18 2015
Summary: Recommended update for screen
Severity: moderate
References: 941988
Description:

screen was updated to enable pam support.

This allows password based screenlocking. (bsc#941988)


-----------------------------------------
Patch: SUSE-2015-465
Released: Thu Aug 20 13:08:04 2015
Summary: Recommended update for yast2-installation
Severity: moderate
References: 889757,889791,897956,903682,924278,938790,940878
Description:
This update for yast2-installation provides the following fixes:

- Always enable systemd startup services for Second Stage and
  Firstboot. (bsc#924278)
- On AutoYaST installations, if the system starts in multi-user mode,
  terminate Plymouth to ensure that installation will be finished on
  console 1 and login prompt will be shown. (bsc#903682, bsc#889757,
  bsc#897956)
- In AutoYaST second stage, continue installation even if plymouth has
  returned an error. (bsc#940878)
- Fixed the 'previously used repositories' step to work correctly
  when reached using the back button. (bsc#889791)
- Fix a typo in inst_finish client. (bsc#938790)


-----------------------------------------
Patch: SUSE-2015-531
Released: Fri Aug 21 13:44:15 2015
Summary: Recommended update for cronie
Severity: low
References: 900604
Description:
cronie has been updated to fix loading of PAM environment from the pam_env module.

-----------------------------------------
Patch: SUSE-2015-503
Released: Fri Aug 21 13:44:17 2015
Summary: Recommended update for shadow
Severity: low
References: 899409,935203
Description:
This update for shadow provides the following fixes:

- Add package dependency for aaa_base. (bsc#899409)
- Document in the man page that some settings from /etc/login.defs are not
  evaluated if PAM is used. (bsc#935203)


-----------------------------------------
Patch: SUSE-2015-498
Released: Fri Aug 21 13:44:31 2015
Summary: Recommended update for mailx
Severity: low
References: 922543
Description:
This update for mailx provides the following fixes:

- Allow Form Feed as valid characters within mail messages. (bsc#922543)


-----------------------------------------
Patch: SUSE-2015-537
Released: Fri Aug 21 14:12:11 2015
Summary: Security update for net-snmp
Severity: moderate
References: 909479,935863,935876,940084,940188,CVE-2015-5621
Description:

The following issues have been fixed within this update:

* fix btrfs output inside HOST-RESOURCES-MIB::hrStorageDescr.
  (bsc#909479)
* fix an incompletely initialized vulnerability within the
  snmp_pdu_parse() function of snmp_api.c. (bsc#940188, CVE-2015-5621)
* add build requirement 'procps' to fix a net-snmp-config error
  (bsc#935863)
* --disable-md5 to allow operation in FIPS mode and not use the
  old algorithm (bsc#935876 bsc#940084)
* also stop snmptrapd on removal



-----------------------------------------
Patch: SUSE-2015-490
Released: Fri Aug 21 14:24:10 2015
Summary: Recommended update for AppArmor
Severity: low
References: 911118,921098,940749
Description:
This update for AppArmor provides the following fixes:

- Add support for newer versions of Samba. (bsc#921098)
- Add more directories needed by nscd(8) to the nameservice abstraction settings. (bsc#911118)
- Adjust dnsmasq profile to allow running libvirt leases helper script. (bsc#940749)


-----------------------------------------
Patch: SUSE-2015-595
Released: Fri Aug 21 15:06:37 2015
Summary: Recommended update for os-prober
Severity: moderate
References: 892364
Description:
This update for os-proper improves probing of operating systems on btrfs volumes for grub2.

-----------------------------------------
Patch: SUSE-2015-573
Released: Fri Aug 21 15:55:14 2015
Summary: Recommended update for libXi
Severity: moderate
References: 940529
Description:
This update provides libXi 1.7.4, which brings several fixes and
enhancements:

- Fix handling of request elements for the XIChangeHierarchy(XIAddMaster) 
  request.
- Fix display locking inside _XIPassiveGrabDevice for error paths.
- Fix locking problems in XIGrabTouchBegin(), XIAllowTouchEvents()
  and XIUngrabTouchBegin().
- Remove fallback for _XEatDataWords, no longer needed on SLE 12.


-----------------------------------------
Patch: SUSE-2015-533
Released: Fri Aug 21 21:50:03 2015
Summary: Recommended update for rsyslog
Severity: low
References: 925512
Description:
rsyslog's AppArmor profile has been adjusted to prevent aa-genprof failures.

-----------------------------------------
Patch: SUSE-2015-513
Released: Mon Aug 24 16:44:41 2015
Summary: Security update for gnutls
Severity: moderate
References: 929414,929690,941794,CVE-2015-3622,CVE-2015-6251
Description:
gnutls was updated to fix several security vulnerabilities.

- fix double free in certificate DN decoding (GNUTLS-SA-2015-3)(bsc#941794,CVE-2015-6251)
- fix invalid read in octet string in bundled libtasn1 (bsc#929414,CVE-2015-3622)
- fix ServerKeyExchange signature issue (GNUTLS-SA-2015-2)(bsc#929690)


-----------------------------------------
Patch: SUSE-2015-473
Released: Tue Aug 25 16:06:40 2015
Summary: Security update for tiff
Severity: moderate
References: 914890,916927,CVE-2014-8127,CVE-2014-8128,CVE-2014-8129,CVE-2014-8130,CVE-2014-9655
Description:

LibTiff was updated to the 4.0.4 stable release fixing various security
issues and bugs.

These security issues were fixed:
- CVE-2014-8127: Out-of-bounds write (bnc#914890).
- CVE-2014-8128: Out-of-bounds write (bnc#914890).
- CVE-2014-8129: Out-of-bounds write (bnc#914890).
- CVE-2014-8130: Out-of-bounds write (bnc#914890).
- CVE-2014-9655: Access of uninitialized memory (bnc#916927).


-----------------------------------------
Patch: SUSE-2015-530
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Severity: low
References: 933029
Description:

This update for sed fixes the behavior of --follow-symlinks when reading from the
standard input (stdin).

The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both
cases, sed will read from the standard input and no longer from a file named '-'.


-----------------------------------------
Patch: SUSE-2015-564
Released: Wed Aug 26 13:58:57 2015
Summary: Recommended update for yast2-nfs-client
Severity: moderate
References: 867766,919061,922307
Description:
This update for yast2-nfs-client provides the following fixes:

- Consider path dependencies between mount points, allowing eg.
  a local mount on top of an NFS mount point. (bsc#922307)
- Fix crash when accessing certain variables outside their block
  local scope. (bsc#919061)
- Removed obsolete service (nfsboot) handling. (bsc#867766)


-----------------------------------------
Patch: SUSE-2015-489
Released: Wed Aug 26 14:12:12 2015
Summary: Recommended update for postfix
Severity: moderate
References: 928885
Description:

Postfix was updated to fix an abort when the system is running in FIPS mode.

The fingerprinting methods still used md5 by default, this was replaced
by sha1. bsc#928885


-----------------------------------------
Patch: SUSE-2015-546
Released: Wed Aug 26 21:16:17 2015
Summary: Recommended update for tar
Severity: low
References: 940120
Description:

This update for tar enables support for ACLs, extended attributes (Xattr) and SELinux.


-----------------------------------------
Patch: SUSE-2015-521
Released: Wed Aug 26 22:09:24 2015
Summary: Recommended update for yast2-network
Severity: moderate
References: 874259,898250,899363,905738,910337,912169,912904,914833,916013,916376,917606,918356,934180,935937,940192,940892,942461,943297
Description:
This update for yast2-network fixes the following issues:

- Error when deleting interfaces using command-line interface. (bsc#940192, bsc#935937)
- Internal error in lan AutoYaST client. (bsc#934180)
- Keep device configuration provided via linuxrc when AutoYaST's keep_install_network
  is set. (bsc#874259)
- Boot from iSCSI over IPv6 fails and boot drops into a shell. (bsc#916376)
- Setting up 'bond' device under YaST shows 'ethX' instead of 'bondX'. (bsc#910337)
- When renaming virtual device an internal error is raised. (bsc#914833)
- YaST crashes while adding a new network device with empty static IP and name
  change. (bsc#912904)
- Apply udev rules provided by AutoYaST profile. (bsc#905738)
- Populate bond slave candidates list with proper device names. (bsc#918356)
- Ignore /etc/install.inf:usessh flag when the file is present in installed
  system and always restart the network service in case of updated
  configuration. (bsc#898250, bsc#899363)
- Fix internal error when importing AutoYaST profile. (bsc#940892)
- IPv6 forwarding setup is stored persistently. (bsc#916013)

The YaST2 core system was updated to match some of the above yast2-network changes and
also fixes some other bugs:

- Check cpuinfo_flags correctly while evaluating kernel packages for i586. (bsc#943297)
- Fix 'Reboot' button at the end of online migration. (bsc#942461)
- Keep routing state when firewall is enabled/disabled. (bsc#916013)
- Fix crash when media is requested during package management operations. (bsc#917606)
- Better handling of line breaks in system log viewer. (bsc#912169)
- Treat PowerNV platform as CHRP.


-----------------------------------------
Patch: SUSE-2015-480
Released: Mon Aug 31 16:35:24 2015
Summary: Recommended update for sles-manuals_en
Severity: low
References: 936253
Description:
This update for sles-manuals_en adds the Docker Quickstart
  manual (bsc#936253)

-----------------------------------------
Patch: SUSE-2015-561
Released: Tue Sep  1 21:05:50 2015
Summary: Recommended update for kbd
Severity: low
References: 915473
Description:

This update fixes loading of some console keymaps, including the default keymap
used by 'loadkeys -d'.


-----------------------------------------
Patch: SUSE-2015-472
Released: Wed Sep  2 08:25:03 2015
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 940806,943557,943558,943608,CVE-2015-4473,CVE-2015-4474,CVE-2015-4475,CVE-2015-4478,CVE-2015-4479,CVE-2015-4484,CVE-2015-4485,CVE-2015-4486,CVE-2015-4487,CVE-2015-4488,CVE-2015-4489,CVE-2015-4491,CVE-2015-4492,CVE-2015-4495,CVE-2015-4497,CVE-2015-4498
Description:

Mozilla Firefox was updated to version 38.2.1 ESR to fix several
critical and non critical security vulnerabilities.

- Firefox was updated to 38.2.1 ESR (bsc#943608)
  * MFSA 2015-94/CVE-2015-4497 (bsc#943557)
    Use-after-free when resizing canvas element during restyling
  * MFSA 2015-95/CVE-2015-4498 (bsc#943558)
    Add-on notification bypass through data URLs

- Firefox was updated to 38.2.0 ESR (bsc#940806)
  * MFSA 2015-78/CVE-2015-4495
    (bmo#1178058, bmo#1179262)
    Same origin violation and local file stealing via PDF reader
  * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
    (bmo#1143130, bmo#1161719, bmo#1177501, bmo#1181204,
     bmo#1184068, bmo#1188590, bmo#1146213, bmo#1178890,
     bmo#1182711)
    Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
  * MFSA 2015-80/CVE-2015-4475
    (bmo#1175396)
    Out-of-bounds read with malformed MP3 file
  * MFSA 2015-82/CVE-2015-4478
    (bmo#1105914)
    Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479
    (bmo#1185115, bmo#1144107, bmo#1170344, bmo#1186718)
    Overflow issues in libstagefright
  * MFSA 2015-87/CVE-2015-4484
    (bmo#1171540)
    Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491
    (bmo#1184009)
    Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486
    (bmo#1177948, bmo#1178148)
    Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
    (bmo#1176270, bmo#1182723, bmo#1171603)
    Vulnerabilities found through code inspection
  * MFSA 2015-92/CVE-2015-4492
    (bmo#1185820)
    Use-after-free in XMLHttpRequest with shared workers

Mozilla NSS switched the CKBI ABI from 1.98 to 2.4, which is what Firefox 38ESR uses.


-----------------------------------------
Patch: SUSE-2015-478
Released: Wed Sep  2 13:55:39 2015
Summary: Security update for bind
Severity: important
References: 944066,CVE-2015-5722
Description:

The nameserver bind was updated to fix a remote denial of service (crash) attack against 
bind nameservers doing validation on DNSSEC signed records. (CVE-2015-5722, bsc#944066).


-----------------------------------------
Patch: SUSE-2015-535
Released: Thu Sep  3 14:01:58 2015
Summary: Recommended update for usbutils
Severity: low
References: 943773
Description:
This update for usbutils adds new IDs to the devices' database.

-----------------------------------------
Patch: SUSE-2015-502
Released: Thu Sep  3 14:53:31 2015
Summary: Optional update for mozjs17
Severity: low
References: 944331
Description:
This update for mozjs17 includes fixes specific to the ARM64 architecture.

-----------------------------------------
Patch: SUSE-2015-606
Released: Tue Sep  8 17:59:56 2015
Summary: Recommended update for blktrace
Severity: low
References: 939307
Description:
This update fixes blktrace to run on systems with more than 512 CPUs.

-----------------------------------------
Patch: SUSE-2015-526
Released: Wed Sep  9 10:57:39 2015
Summary: Security update for openssh
Severity: moderate
References: 903649,932483,936695,938746,943006,943010,CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Description:

openssh was updated to fix several security issues.

These security issues were fixed:
* CVE-2015-5352: The x11_open_helper function in channels.c in ssh
  in OpenSSH when ForwardX11Trusted mode is not used, lacked a check of
  the refusal deadline for X connections, which made it easier for remote
  attackers to bypass intended access restrictions via a connection outside
  of the permitted time window (bsc#936695).
* CVE-2015-5600: The kbdint_next_device function in auth2-chall.c
  in sshd in OpenSSH did not properly restrict the processing of
  keyboard-interactive devices within a single connection, which made it
  easier for remote attackers to conduct brute-force attacks or cause a
  denial of service (CPU consumption) via a long and duplicative list in
  the ssh -oKbdInteractiveDevices option, as demonstrated by a modified
  client that provides a different password for each pam element on this
  list (bsc#938746).
* CVE-2015-4000: Removed and disabled weak DH groups to address LOGJAM (bsc#932483).
* Hardening patch to fix sftp RCE (bsc#903649).
* CVE-2015-6563: The monitor component in sshd in OpenSSH accepted
  extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which
  allowed local users to conduct impersonation attacks by leveraging any SSH
  login access in conjunction with control of the sshd uid to send a crafted
  MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c. (bsc#943010)
* CVE-2015-6564: Use-after-free vulnerability in the
  mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH might
  have allowed local users to gain privileges by leveraging control of the
  sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request. (bsc#943006)

Also use %restart_on_update in the trigger script.


-----------------------------------------
Patch: SUSE-2015-588
Released: Thu Sep 10 14:21:41 2015
Summary: Security update for kernel-source
Severity: moderate
References: 924525,936916,944001
Description:

The SUSE Linux Enterprise 12 kernel was updated to version 3.12.44-52.13
to receive various bugfixes.

- Btrfs: don't initialize a space info as full to prevent ENOSPC (bsc#944001).
- kernel/kvm: Fix MSA3/MSA4 detection (bsc#936916, LTC#127868).
- zcrypt: Fixed reset and interrupt handling of AP queues (bsc#936916,
  LTC#126491).
- Update s390x kABI files after gcc update (bsc#924525).

-----------------------------------------
Patch: SUSE-2015-547
Released: Thu Sep 10 16:17:37 2015
Summary: Recommended update for release-notes-sles
Severity: low
References: 936551,938765,939408,943224
Description:
This update provides the latest revision of the Release Notes for SUSE Linux
Enterprise Server 12.

- New: iscsitarget and related packages replaced with lio. (bsc#939408 via fate#316773)
- New: SUSE Linux Enterprise Toolchain Module 12. (fate#316684)
- New: Deprecation of lukemftp client. (bsc#943224 via fate#313673)
- Updated: Adjust XEN VM guest memory limit. (bsc#938765)


-----------------------------------------
Patch: SUSE-2015-534
Released: Mon Sep 14 12:24:28 2015
Summary: Recommended update for python-six
Severity: moderate
References: 940812
Description:

python-six was updated to version 1.9.0, which brings several fixes and enhancements.
For a comprehensive list of changes please refer to the package's change log.


-----------------------------------------
Patch: SUSE-2015-599
Released: Mon Sep 14 19:05:47 2015
Summary: Security update for coreutils
Severity: moderate
References: 866010,901905,907290,921559,928749,930565,933396,CVE-2015-4041,CVE-2015-4042
Description:
This update for coreutils provides the following fixes:

- Fix memory handling error with case insensitive sort using UTF-8.
  (CVE-2015-4041, CVE-2015-4042)
- Ensure 'df -a' shows all remote file system entries.
- Only suppress remote mounts of separate exports with 'df --total'.
- Document that 'df -a' might list duplicated file systems.
- Adjust references to info nodes in man pages.


-----------------------------------------
Patch: SUSE-2015-568
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-utf-8 data.

-----------------------------------------
Patch: SUSE-2015-571
Released: Wed Sep 16 15:27:13 2015
Summary: Recommended update for make
Severity: low
References: 934131
Description:
This update for make provides the following fixes:

- Force recomputing .VARIABLES when a variable was made undefined. (bsc#934131)


-----------------------------------------
Patch: SUSE-2015-559
Released: Wed Sep 16 16:07:25 2015
Summary: Recommended update for python-six
Severity: moderate
References: 940812
Description:

python-six was updated to version 1.9.0, which brings several fixes and enhancements.
For a comprehensive list of changes please refer to the package's change log.


-----------------------------------------
Patch: SUSE-2015-659
Released: Thu Sep 17 18:33:53 2015
Summary: Security update for rpcbind
Severity: moderate
References: 940191,946204,CVE-2015-7236
Description:

A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service.


-----------------------------------------
Patch: SUSE-2015-587
Released: Fri Sep 18 02:21:53 2015
Summary: Recommended update for openldap2
Severity: moderate
References: 904028,945633
Description:

This update provides OpenLDAP version 2.4.41, which brings several bug fixes and
stability improvements.

For a comprehensive list of changes between 2.4.39 and 2.4.41 refer to the release
notes at http://www.openldap.org/software/release/changes.html.


-----------------------------------------
Patch: SUSE-2015-640
Released: Wed Sep 23 20:20:09 2015
Summary: Security update for MozillaFirefox, mozilla-nspr
Severity: important
References: 947003,CVE-2015-4500,CVE-2015-4501,CVE-2015-4506,CVE-2015-4509,CVE-2015-4511,CVE-2015-4517,CVE-2015-4519,CVE-2015-4520,CVE-2015-4521,CVE-2015-4522,CVE-2015-7174,CVE-2015-7175,CVE-2015-7176,CVE-2015-7177,CVE-2015-7180
Description:

Mozilla Firefox was updated to version 38.3.0 ESR (bsc#947003),
fixing bugs and security issues.

* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
  Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
* MFSA 2015-101/CVE-2015-4506
  Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-105/CVE-2015-4511
  Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509
  Use-after-free while manipulating HTML media content
* MFSA 2015-110/CVE-2015-4519
  Dragging and dropping images exposes final URL after
  redirects
* MFSA 2015-111/CVE-2015-4520
  Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522
  CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177
  CVE-2015-7180
  Vulnerabilities found through code inspection

More details can be found on
	https://www.mozilla.org/en-US/security/advisories/

The Mozilla NSPR library was updated to version 4.10.9, fixing various bugs.


-----------------------------------------
Patch: SUSE-2015-648
Released: Thu Sep 24 14:44:01 2015
Summary: Recommended update for postfix
Severity: moderate
References: 871575,944722
Description:

The Postfix mail server has been updated to version 2.1.16, which brings several
fixes and enhancements:

- Bugfix: sender_dependent_relayhost_maps ignored the relayhost setting in the case
  of a DUNNO lookup result.
- Robustness: don't segfault due to excessive recursion after a faulty configuration
  runs into the virtual_alias_recursion_limit.
- Bugfix: core dump when smtp_policy_maps specifies an invalid TLS level.
- Bugfix: qmqpd null pointer bug when it logs a lost connection while not in a mail
  transaction.
- Bugfix: with connection caching enabled (the default), recipients could be given
  to the wrong mail server. (bsc#944722)
- Security: opportunistic TLS by default uses 'medium' or stronger ciphers instead
  of 'export' or stronger. 
- Security: Postfix TLS support by default no longer uses SSLv2 or SSLv3.
- Remove references to SuSEconfig.postfix from sysconfig docs.  (bsc#871575)


-----------------------------------------
Patch: SUSE-2015-764
Released: Thu Sep 24 18:28:38 2015
Summary: Security update for glibc
Severity: moderate
References: 915955,918187,920338,927080,928723,931480,934084,937853,939211,940195,940332,944494,945779,CVE-2014-8121,CVE-2015-1781
Description:

glibc was updated to fix bugs and security issues.

Security issues fixed:

* A buffer overflow in nss_dns was fixed that could lead to crashes. (CVE-2015-1781, bsc#927080, BZ #18287)
* A denial of service attack (out of memory) in the NSS files backend was fixed (CVE-2014-8121, bsc#918187, GLIBC BZ #18007)

Non security bugs fixed:

* Fix regression in threaded application malloc performance (bsc#915955, GLIBC#17195)
* Fix read past end of pattern in fnmatch (bsc#920338, GLIBC#17062, GLIBC#18032, GLIBC#18036)
* Record TTL also for DNS PTR queries (bsc#928723, GLIBC#18513)
* Increase MINSIGSTKSZ and SIGSTKSZ for aarch64 (bsc#931480, GLIBC#16850)
* Fix handling of IPv6 nameservers (bsc#939211, GLIBC#13028, GLIBC#17053)
* Avoid use of asm/ptrace.h (bsc#934084)
* Do not corrupt the top of a threaded heap if top chunk is MINSIZE (GLIBC#18502)
* Terminate unwinding after makecontext_ret on s390 (bsc#940332. bsc#944494, GLIBC#18508)
* Restore signal mask in set/swapcontext on s390 (bsc#940195, bsc#944494, GLIBC#18080)
* fix dlopen in static binaries (bsc#937853, GLIBC#17250)
* Properly reread entry after failure in nss_files getent function (bsc#945779, BZ #18991)

Features added:

* AVX512 support (fate#318844)
* Add compatibility symlinks for LSB 3.0 (fate#318933)


-----------------------------------------
Patch: SUSE-2015-672
Released: Thu Sep 24 23:32:49 2015
Summary: Recommended update for ethtool
Severity: low
References: 927309,945710
Description:

The list of advertised speed modes recognized by Ethtool has been updated to include
the following full-duplex modes: 56000baseKR4, 56000baseCR4, 56000baseSR4, 56000baseLR4
and 10000baseKX4.


-----------------------------------------
Patch: SUSE-2015-616
Released: Fri Sep 25 02:41:36 2015
Summary: Recommended update for yast2-security
Severity: moderate
References: 899104,900829,907907,911523,941620,942379,946889
Description:
This update for the YaST Security Module provides several fixes and enhancements:

- Redefined security levels and updated list of mandatory and optional services.
  (fate#318425)
- Adapted management of the display manager shutdown to use DISPLAYMANAGER_SHUTDOWN
  instead of AllowShutdown. (bsc#946889)
- Added some entries to the list of optional services. (bsc#942379)
- When checking services, systemd aliases are now taken into account (so, for example,
  rsyslog is accounted as syslog).
- Removed references to runlevels (obsolete). Only current systemd target is analyzed.
- Fixed an error setting the shutdown behaviour of KDM. (bsc#907907)
- Fix paths for systemd target links. (bsc#911523)
- Fixed the interface to show and process values from sysctl.conf correctly.
- Remove X-KDE-Library from desktop file. (bsc#899104)


-----------------------------------------
Patch: SUSE-2015-618
Released: Sat Sep 26 00:34:44 2015
Summary: Recommended update for branding-SLE
Severity: low
References: 945565
Description:
This update enables GRUB2 branding for aarch64.

-----------------------------------------
Patch: SUSE-2015-704
Released: Sat Sep 26 10:51:29 2015
Summary: Security update for vorbis-tools
Severity: moderate
References: 943795,CVE-2015-6749
Description:

vorbis-tools was updated to fix a buffer overflow in aiff_open() that could be triggered
by opening prepared malicious files. (CVE-2015-6749, bsc#943795).


-----------------------------------------
Patch: SUSE-2015-646
Released: Mon Sep 28 14:03:41 2015
Summary: Recommended update for lio-utils, python-rtslib, targetcli
Severity: moderate
References: 907029,908270,910721,919474,940216,940531,945230,947335,947555
Description:

This update for lio-utils, python-rtslib and targetcli brings features and fixes
various issues.

Support for the Ceph RBD backend has been added to python-rtslib and targetcli.
(bsc#947335, fate#319433, fate#318836)

Additionally, the following issues have been fixed:

- When running as root, mount configFS under /sys/kernel/config if it's not yet
  mounted. (bsc#907029)
- Convert user-input of an empty string to 'NULL' when writing sysfs string
  attributes such as userid and password. (bsc#919474)
- Wait for configFS to mount when loading iscsi_target_mod module. (bsc#910721)
- Update systemd service file to start after configfs. (bsc#908270)
- Fix TPG disable logic. (bsc#940216)
- Allow portals for non-existent IP addresses in targetcli. (bsc#940531)


-----------------------------------------
Patch: SUSE-2015-624
Released: Mon Sep 28 20:07:29 2015
Summary: Recommended update for plymouth
Severity: important
References: 946640,946986
Description:

This update for plymouth fixes a buffer overrun which could lead to a segmentation
fault and termination of the plymouthd daemon.


-----------------------------------------
Patch: SUSE-2015-677
Released: Mon Sep 28 21:14:33 2015
Summary: Recommended update for net-snmp
Severity: moderate
References: 944302
Description:

This update reenables the MD5 auth support (disabled earlier for FIPS usage),
as its an external interface to NET-SNMP and needs to stay, so third party
applications and tools do not break.


-----------------------------------------
Patch: SUSE-2015-699
Released: Tue Sep 29 20:40:19 2015
Summary: Recommended update for dracut
Severity: important
References: 898711,904533,905746,912734,919179,922676,931307,932981,936736,939101,940100,940585,943312
Description:
This update for Dracut provides the following fixes:

- Revert patch for bsc#912734 ('parse rootflags correctly') to fix a regression.
  The bug which got fixed by the reverted patch is solved via documentation TID:
  https://www.suse.com/support/kb/doc.php?id=7016840
  (bsc#940100)
- Ensure that the correct FONT_MAP files are installed into the initrd.
  (bsc#932981, bsc#943312, bsc#904533)
- Check for existence of link targets (/run), fixing a critical bug for s390x
  kiwi images which need the symlink from /var/run to /run. (bsc#922676)
- Multiple fixes to iSCSI and multipath booting. (bsc#919179, bsc#898711)
- Fix a few issues and improve support for DMRAID. (bsc#905746, bsc#940585)
- Fix nfs rootfs in case of mounting via IPv4 address and not hostname. (bsc#931307)
- Do not open an unprotected root shell on failure. (bsc#936736)
- Update active_devices.txt from /boot/zipl device. (bsc#939101)


-----------------------------------------
Patch: SUSE-2015-647
Released: Tue Sep 29 20:56:38 2015
Summary: Recommended update for release-notes-sles
Severity: low
References: 898195,944833,946804
Description:

The Release Notes of SUSE Linux Enterprise Server 12 have been updated to document:

- New: Dropped wireless drivers. (fate#319452)
- New: Dropped YaST modules. (bsc#898195 via fate#314685)
- Updated: Pagecache limits. (bsc#946804 via fate#309111)


-----------------------------------------
Patch: SUSE-2015-689
Released: Tue Sep 29 22:27:09 2015
Summary: Recommended update for nfs-utils
Severity: moderate
References: 898674,912277,930972,941645,941833
Description:
This update for nfs-utils provides the following fixes:

- Correctly handle NFSV4LEASETIME setting in nfsserver.init. (bsc#941833)
- Only start rpc.gssd if /etc/krb5.keytab exists. (bsc#912277)
- Allow setting of STATD_PORT, STATD_HOSTNAME, LOCKD_TCPPORT and LOCKD_UDPPORT
  in sysconfig.nfs. (bsc#941645)
- Install nfs-config.service so sysconfig.nfs variables are available to
  rpc-statd.service. (bsc#930972, bsc#941645)
- Use start-statd helper to start statd so that systemctl is used and proper
  sysconfig variables applied. (bsc#941645)
- Make blkmapd dump useful device information to syslog. (bsc#898674)
- Fix multipath handling in blkmapd. (bsc#898674)


-----------------------------------------
Patch: SUSE-2015-768
Released: Wed Sep 30 21:39:36 2015
Summary: Recommended update for permissions
Severity: moderate
References: 685093,891268,895647,904060,906336,943471
Description:
The default permission settings received the following adjustments:

- Adjust radosgw to root:www mode 0750. (bsc#943471)
- Add capability cap_bind_net_service to radosgw. (bsc#943471)
- Remove /usr/bin/get_printing_ticket. (bsc#685093, bsc#906336)
- Add iouyap capabilities. (bsc#904060)
- Add settings for the Squid Proxy server. (bsc#891268)
- Document that 'chkstat --system --set' needs to be run after editing. (bsc#895647)


-----------------------------------------
Patch: SUSE-2015-682
Released: Fri Oct  2 19:17:57 2015
Summary: Recommended update for timezone
Severity: low
References: 948227,948568
Description:

This update provides the latest timezone information (2015g) for your
system, including the following changes:

- Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25.
- Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time.
- Fiji's 2016 fall-back transition is scheduled for January 17, not 24.
- Fort Nelson, British Columbia will not fall back on 2015-11-01.  It has 
  effectively been on MST (-0700) since it advanced its clocks on 2015-03-08.
  Add new zone America/Fort_Nelson.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz/2015-October/022728.html


-----------------------------------------
Patch: SUSE-2015-667
Released: Mon Oct  5 18:46:45 2015
Summary: Recommended update for systemd-presets-branding-SLE
Severity: low
References: 921075,944761,948824
Description:
This update for systemd presets adjusts the following settings:

- Enable fstrim.timer and disable fstrim.service. TRIM should be performed once
  a week and not on every boot. (fate#317727)
- Enable the sapconf.service in one shot mode. (bsc#944761)
- Enable smartd by default. (bnc#921075).
- Enable rollback.service by default. (bsc#948824, fate#319118)


-----------------------------------------
Patch: SUSE-2015-668
Released: Tue Oct  6 08:05:47 2015
Summary: Security update for kernel-source
Severity: important
References: 856382,886785,898159,907973,908950,912183,914818,916543,920016,922071,924722,929092,929871,930813,932285,932350,934430,934942,934962,936556,936773,937609,937612,937613,937616,938550,938706,938891,938892,938893,939145,939266,939716,939834,939994,940398,940545,940679,940776,940912,940925,940965,941098,941305,941908,941951,942160,942204,942307,942367,948536,CVE-2015-5156,CVE-2015-5157,CVE-2015-5283,CVE-2015-5697,CVE-2015-6252,CVE-2015-6937,CVE-2015-7613
Description:
The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to
receive various security and bugfixes.

Following security bugs were fixed:
* CVE-2015-7613: A flaw was found in the Linux kernel IPC code that could
  lead to arbitrary code execution. The ipc_addid() function initialized
  a shared object that has unset uid/gid values. Since the fields are not
  initialized, the check can falsely succeed. (bsc#948536)
* CVE-2015-5156: When a guests KVM network devices is in a bridge
  configuration the kernel can create a situation in which packets are
  fragmented in an unexpected fashion. The GRO functionality can create
  a situation in which multiple SKB's are chained together in a single
  packets fraglist (by design). (bsc#940776)
* CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel before
  4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs
  that occurred during userspace execution, which might allow local
  users to gain privileges by triggering an NMI (bsc#938706).
* CVE-2015-6252: A flaw was found in the way the Linux kernel's vhost
  driver treated userspace provided log file descriptor when processing
  the VHOST_SET_LOG_FD ioctl command. The file descriptor was never
  released and continued to consume kernel memory. A privileged local
  user with access to the /dev/vhost-net files could use this flaw to
  create a denial-of-service attack (bsc#942367).
* CVE-2015-5697: The get_bitmap_file function in drivers/md/md.c in the
  Linux kernel before 4.1.6 does not initialize a certain bitmap data
  structure, which allows local users to obtain sensitive information
  from kernel memory via a GET_BITMAP_FILE ioctl call. (bnc#939994)
* CVE-2015-6937: A NULL pointer dereference flaw was found in the
  Reliable Datagram Sockets (RDS) implementation allowing a local user to
  cause system DoS. A verification was missing that the underlying
  transport exists when a connection was created. (bsc#945825)
* CVE-2015-5283: A NULL pointer dereference flaw was found in SCTP
  implementation allowing a local user to cause system DoS. Creation of
  multiple sockets in parallel when system doesn't have SCTP module
  loaded can lead to kernel panic. (bsc#947155)

The following non-security bugs were fixed:
- ALSA: hda - Abort the probe without i915 binding for HSW/BDW
  (bsc#936556).
- Btrfs: Backport subvolume mount option handling (bsc#934962)
- Btrfs: Handle unaligned length in extent_same (bsc#937609).
- Btrfs: advertise which crc32c implementation is being used on mount
  (bsc#946057).
- Btrfs: allow mounting btrfs subvolumes with different ro/rw options.
- Btrfs: check if previous transaction aborted to avoid fs corruption
  (bnc#942509).
- Btrfs: clean up error handling in mount_subvol() (bsc#934962).
- Btrfs: cleanup orphans while looking up default subvolume (bsc#914818).
- Btrfs: do not update mtime/ctime on deduped inodes (bsc#937616).
- Btrfs: fail on mismatched subvol and subvolid mount options
  (bsc#934962).
- Btrfs: fix chunk allocation regression leading to transaction abort
  (bnc#938550).
- Btrfs: fix clone / extent-same deadlocks (bsc#937612).
- Btrfs: fix crash on close_ctree() if cleaner starts new transaction
  (bnc#938891).
- Btrfs: fix deadlock with extent-same and readpage (bsc#937612).
- Btrfs: fix file corruption after cloning inline extents (bnc#942512).
- Btrfs: fix file read corruption after extent cloning and fsync
  (bnc#946902).
- Btrfs: fix find_free_dev_extent() malfunction in case device tree has
  hole (bnc#938550).
- Btrfs: fix hang when failing to submit bio of directIO (bnc#942685).
- Btrfs: fix list transaction-&gt;pending_ordered corruption
  (bnc#938893).
- Btrfs: fix memory corruption on failure to submit bio for direct IO
  (bnc#942685).
- Btrfs: fix memory leak in the extent_same ioctl (bsc#937613).
- Btrfs: fix put dio bio twice when we submit dio bio fail (bnc#942685).
- Btrfs: fix race between balance and unused block group deletion
  (bnc#938892).
- Btrfs: fix range cloning when same inode used as source and destination
  (bnc#942511).
- Btrfs: fix read corruption of compressed and shared extents
  (bnc#946906).
- Btrfs: fix uninit variable in clone ioctl (bnc#942511).
- Btrfs: fix use-after-free in mount_subvol().
- Btrfs: fix wrong check for btrfs_force_chunk_alloc() (bnc#938550).
- Btrfs: lock superblock before remounting for rw subvol (bsc#934962).
- Btrfs: pass unaligned length to btrfs_cmp_data() (bsc#937609).
- Btrfs: remove all subvol options before mounting top-level
  (bsc#934962).
- Btrfs: show subvol= and subvolid= in /proc/mounts (bsc#934962).
- Btrfs: unify subvol= and subvolid= mounting (bsc#934962).
- Btrfs: fill ->last_trans for delayed inode in btrfs_fill_inode
  (bnc#942925).
- Btrfs: fix metadata inconsistencies after directory fsync (bnc#942925).
- Btrfs: fix stale dir entries after removing a link and fsync
  (bnc#942925).
- Btrfs: fix stale dir entries after unlink, inode eviction and fsync
  (bnc#942925).
- Btrfs: fix stale directory entries after fsync log replay (bnc#942925).
- Btrfs: make btrfs_search_forward return with nodes unlocked
  (bnc#942925).
- Btrfs: support NFSv2 export (bnc#929871).
- Btrfs: update fix for read corruption of compressed and shared extents
  (bsc#948256).
- Drivers: hv: do not do hypercalls when hypercall_page is NULL.
- Drivers: hv: vmbus: add special crash handler.
- Drivers: hv: vmbus: add special kexec handler.
- Drivers: hv: vmbus: remove hv_synic_free_cpu() call from
  hv_synic_cleanup().
- Input: evdev - do not report errors form flush() (bsc#939834).
- Input: synaptics - do not retrieve the board id on old firmwares
  (bsc#929092).
- Input: synaptics - log queried and quirked dimension values
  (bsc#929092).
- Input: synaptics - query min dimensions for fw v8.1.
- Input: synaptics - remove X1 Carbon 3rd gen from the topbuttonpad list
  (bsc#929092).
- Input: synaptics - remove X250 from the topbuttonpad list.
- Input: synaptics - remove obsolete min/max quirk for X240 (bsc#929092).
- Input: synaptics - skip quirks when post-2013 dimensions (bsc#929092).
- Input: synaptics - split synaptics_resolution(), query first
  (bsc#929092).
- Input: synaptics - support min/max board id in min_max_pnpid_table
  (bsc#929092).
- NFS: Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
- NFSv4: do not set SETATTR for O_RDONLY|O_EXCL (bsc#939716).
- PCI: Move MPS configuration check to pci_configure_device()
  (bsc#943313).
- PCI: Set MPS to match upstream bridge (bsc#943313).
- SCSI: fix regression in scsi_send_eh_cmnd() (bsc#930813).
- SCSI: fix scsi_error_handler vs. scsi_host_dev_release race
  (bnc#942204).
- SCSI: vmw_pvscsi: Fix pvscsi_abort() function (bnc#940398).
- UAS: fixup for remaining use of dead_list (bnc#934942).
- USB: storage: use %*ph specifier to dump small buffers (bnc#934942).
- aio: fix reqs_available handling (bsc#943378).
- audit: do not generate loginuid log when audit disabled (bsc#941098).
- blk-merge: do not compute bi_phys_segments from bi_vcnt for cloned bio
  (bnc#934430).
- blk-merge: fix blk_recount_segments (bnc#934430).
- blk-merge: recaculate segment if it isn't less than max segments
  (bnc#934430).
- block: add queue flag for disabling SG merging (bnc#934430).
- block: blk-merge: fix blk_recount_segments() (bnc#934430).
- config: disable CONFIG_TCM_RBD on ppc64le and s390x
- cpufreq: intel_pstate: Add CPU ID for Braswell processor.
- dlm: fix missing endian conversion of rcom_status flags (bsc#940679).
- dm cache mq: fix memory allocation failure for large cache devices
  (bsc#942707).
- drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt
  (bsc#942938).
- drm/i915: Make hpd arrays big enough to avoid out of bounds access
  (bsc#942938).
- drm/i915: Only print hotplug event message when hotplug bit is set
  (bsc#942938).
- drm/i915: Queue reenable timer also when enable_hotplug_processing is
  false (bsc#942938).
- drm/i915: Use an interrupt save spinlock in intel_hpd_irq_handler()
  (bsc#942938).
- drm/radeon: fix hotplug race at startup (bsc#942307).
- ethtool, net/mlx4_en: Add 100M, 20G, 56G speeds ethtool reporting
  support (bsc#945710).
- hrtimer: prevent timer interrupt DoS (bnc#886785).
- hv: fcopy: add memory barrier to propagate state (bnc#943529).
- inotify: Fix nested sleeps in inotify_read() (bsc#940925).
- intel_pstate: Add CPU IDs for Broadwell processors.
- intel_pstate: Add CPUID for BDW-H CPU.
- intel_pstate: Add support for SkyLake.
- intel_pstate: Correct BYT VID values (bnc#907973).
- intel_pstate: Remove periodic P state boost (bnc#907973).
- intel_pstate: add sample time scaling (bnc#907973, bnc#924722,
  bnc#916543).
- intel_pstate: don't touch turbo bit if turbo disabled or unavailable
  (bnc#907973).
- intel_pstate: remove setting P state to MAX on init (bnc#907973).
- intel_pstate: remove unneeded sample buffers (bnc#907973).
- intel_pstate: set BYT MSR with wrmsrl_on_cpu() (bnc#907973).
- ipr: Fix incorrect trace indexing (bsc#940912).
- ipr: Fix invalid array indexing for HRRQ (bsc#940912).
- iwlwifi: dvm: drop non VO frames when flushing (bsc#940545).
- kABI workaround for ieee80211_ops.flush argument change (bsc#940545).
- kconfig: Do not print status messages in make -s mode (bnc#942160).
- kernel/modsign_uefi.c: Check for EFI_RUNTIME_SERVICES in
  load_uefi_certs (bsc#856382).
- kernel: do full redraw of the 3270 screen on reconnect (bnc#943476,
  LTC#129509).
- kexec: define kexec_in_progress in !CONFIG_KEXEC case.
- kvm: Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS (bsc#947537).
- lpfc: Fix scsi prep dma buf error (bsc#908950).
- mac80211: add vif to flush call (bsc#940545).
- md/bitmap: do not abuse i_writecount for bitmap files (bsc#943270).
- md/bitmap: protect clearing of -&gt;bitmap by mddev-&gt;lock
  (bnc#912183).
- md/raid5: use -&gt;lock to protect accessing raid5 sysfs attributes
  (bnc#912183).
- md: fix problems with freeing private data after -&gt;run failure
  (bnc#912183).
- md: level_store: group all important changes into one place
  (bnc#912183).
- md: move GET_BITMAP_FILE ioctl out from mddev_lock (bsc#943270).
- md: protect -&gt;pers changes with mddev-&gt;lock (bnc#912183).
- md: remove mddev_lock from rdev_attr_show() (bnc#912183).
- md: remove mddev_lock() from md_attr_show() (bnc#912183).
- md: remove need for mddev_lock() in md_seq_show() (bnc#912183).
- md: split detach operation out from -&gt;stop (bnc#912183).
- md: tidy up set_bitmap_file (bsc#943270).
- megaraid_sas: Handle firmware initialization after fast boot
  (bsc#922071).
- mfd: lpc_ich: Assign subdevice ids automatically (bnc#898159).
- mm: filemap: Avoid unnecessary barriers and waitqueue lookups -fix
  (VM/FS Performance (bnc#941951)).
- mm: make page pfmemalloc check more robust (bnc#920016).
- mm: numa: disable change protection for vma(VM_HUGETLB) (bnc#943573).
- netfilter: nf_conntrack_proto_sctp: minimal multihoming support
  (bsc#932350).
- net/mlx4_core: Add ethernet backplane autoneg device capability
  (bsc#945710).
- net/mlx4_core: Introduce ACCESS_REG CMD and eth_prot_ctrl dev cap
  (bsc#945710).
- net/mlx4_en: Use PTYS register to query ethtool settings (bsc#945710).
- net/mlx4_en: Use PTYS register to set ethtool settings (Speed)
  (bsc#945710).
- rcu: Reject memory-order-induced stall-warning false positives
  (bnc#941908).
- s390/dasd: fix kernel panic when alias is set offline (bnc#940965,
  LTC#128595).
- sched: Fix KMALLOC_MAX_SIZE overflow during cpumask allocation
  (bnc#939266).
- sched: Fix cpu_active_mask/cpu_online_mask race (bsc#936773).
- sched, numa: do not hint for NUMA balancing on VM_MIXEDMAP mappings
  (bnc#943573).
- uas: Add US_FL_MAX_SECTORS_240 flag (bnc#934942).
- uas: Add response iu handling (bnc#934942).
- uas: Add uas_get_tag() helper function (bnc#934942).
- uas: Check against unexpected completions (bnc#934942).
- uas: Cleanup uas_log_cmd_state usage (bnc#934942).
- uas: Do not log urb status error on cancellation (bnc#934942).
- uas: Do not use scsi_host_find_tag (bnc#934942).
- uas: Drop COMMAND_COMPLETED flag (bnc#934942).
- uas: Drop all references to a scsi_cmnd once it has been aborted
  (bnc#934942).
- uas: Drop inflight list (bnc#934942).
- uas: Fix memleak of non-submitted urbs (bnc#934942).
- uas: Fix resetting flag handling (bnc#934942).
- uas: Free data urbs on completion (bnc#934942).
- uas: Log error codes when logging errors (bnc#934942).
- uas: Reduce number of function arguments for uas_alloc_foo functions
  (bnc#934942).
- uas: Remove cmnd reference from the cmd urb (bnc#934942).
- uas: Remove support for old sense ui as used in pre-production hardware
  (bnc#934942).
- uas: Remove task-management / abort error handling code (bnc#934942).
- uas: Set max_sectors_240 quirk for ASM1053 devices (bnc#934942).
- uas: Simplify reset / disconnect handling (bnc#934942).
- uas: Simplify unlink of data urbs on error (bnc#934942).
- uas: Use scsi_print_command (bnc#934942).
- uas: pre_reset and suspend: Fix a few races (bnc#934942).
- uas: zap_pending: data urbs should have completed at this time
  (bnc#934942).
- x86/kernel: Do not reserve crashkernel high memory if crashkernel low
  memory reserving failed (bsc#939145).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#932285).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#936773).
- xhci: Workaround for PME stuck issues in Intel xhci (bnc#944028).
- xhci: rework cycle bit checking for new dequeue pointers (bnc#944028).
- xfs: Fix file type directory corruption for btree directories
  (bsc#941305).

-----------------------------------------
Patch: SUSE-2015-756
Released: Wed Oct  7 07:07:48 2015
Summary: Security update for gcc48
Severity: moderate
References: 945842,947772,947791,948168,949000,CVE-2015-5276
Description:
This update for GCC 4.8 provides the following fixes:

- Fix C++11 std::random_device short read issue that could lead to predictable
  randomness. (CVE-2015-5276, bsc#945842)
- Fix linker segmentation fault when building SLOF on ppc64le. (bsc#949000)
- Fix no_instrument_function attribute handling on PPC64 with -mprofile-kernel. (bsc#947791)
- Fix internal compiler error with aarch64 target using PCH and builtin functions. (bsc#947772)
- Fix libffi issues on aarch64. (bsc#948168)


-----------------------------------------
Patch: SUSE-2015-727
Released: Wed Oct  7 09:26:23 2015
Summary: Recommended update for cloud-init
Severity: low
References: 948930,948995,948996
Description:

cloud-init uses the Jinja2 Python module to generate configuration files from
templates, but this dependency was not defined in the package's spec file.
This update adds the missing requirement to cloud-init.


-----------------------------------------
Patch: SUSE-2015-663
Released: Wed Oct  7 16:01:20 2015
Summary: Optional update for binutils
Severity: low
References: 949066
Description:

ARM64 (aarch64) binaries produced by binutils 2.25 gold linker had incorrect (4k)
section alignment. As a result, those binaries could not be mapped when being
executed on a SLE 12 kernel.

This update adjusts the section alignment to 64k, as required by the ABI.


-----------------------------------------
Patch: SUSE-2015-797
Released: Sat Oct 10 04:42:14 2015
Summary: Recommended update for LibreOffice
Severity: moderate
References: 470073,806250,829430,86241,87222,890735,900186,900877,907966,910805,910806,913042,914911,915996,916181,918852,919409,926375,929793,934423,936188,936190,940838,943075,945692,CVE-2014-8146,CVE-2014-8147,CVE-2015-1774,CVE-2015-4551,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Description:

This update brings LibreOffice to version 5.0.2, a major version
update.

It brings lots of new features, bugfixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

* LibreOffice 5.0 ships an impressive number of new features for
  its spreadsheet module, Calc: complex formulae image cropping, new
  functions, more powerful conditional formatting, table addressing
  and much more. Calc's blend of performance and features makes it
  an enterprise-ready, heavy duty spreadsheet application capable of
  handling all kinds of workload for an impressive range of use cases
* New icons, major improvements to menus and sidebar : no other
  LibreOffice version has looked that good and helped you be creative and
  get things done the right way. In addition, style management is now more
  intuitive thanks to the visualization of styles right in the interface.
* LibreOffice 5 ships with numerous improvements to document import and
  export filters for MS Office, PDF, RTF, and more. You can now timestamp
  PDF documents generated with LibreOffice and enjoy enhanced document
  conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed:

* CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) before 55.1 did not properly
  track directionally isolated pieces of text, which allowed remote
  attackers to cause a denial of service (heap-based buffer overflow)
  or possibly execute arbitrary code via crafted text.
* CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) before 55.1 used an integer
  data type that is inconsistent with a header file, which allowed remote
  attackers to cause a denial of service (incorrect malloc followed by
  invalid free) or possibly execute arbitrary code via crafted text.
* CVE-2015-4551: An arbitrary file disclosure vulnerability in Libreoffice
  and Openoffice Calc and Writer was fixed.
* CVE-2015-1774: The HWP filter in LibreOffice allowed remote attackers
  to cause a denial of service (crash) or possibly execute arbitrary code
  via a crafted HWP document, which triggered an out-of-bounds write.
* CVE-2015-5212: A LibreOffice 'PrinterSetup Length' integer underflow
  vulnerability could be used by attackers supplying documents to execute
  code as the user opening the document.
* CVE-2015-5213: A LibreOffice 'Piece Table Counter' invalid check design
  error vulnerability allowed attackers supplying documents to execute
  code as the user opening the document.
* CVE-2015-5214: Multiple Vendor LibreOffice Bookmark Status Memory
  Corruption Vulnerability allowed attackers supplying documents to execute
  code as the user opening the document.
  

-----------------------------------------
Patch: SUSE-2015-696
Released: Mon Oct 12 17:03:09 2015
Summary: Recommended update for yast2-registration and SUSEConnect
Severity: low
References: 949424
Description:

This update for yast2-registration and SUSEConnect provides the following fixes and improvements:

yast2-registration:

- Addon selection dialog - avoid possible ID duplicates when an addon with multiple versions is displayed, fixes the problem when registering SES1.0 or SES2.0 extension (bsc#949424)
- Addon selection dialog - sort the addons by the displayed label, not by the internal name (which might not be unique) (bsc#949424)
- Require connect &gt;= 0.2.14.42 to allow using a SCC server side workaround for bsc#949424 in the original GA installer

SUSEConnect:

- Ensure version of SUSEConnect is bumped in order to be able to distinct requests from affected YaST version in SCC API


-----------------------------------------
Patch: SUSE-2015-708
Released: Tue Oct 13 17:36:20 2015
Summary: Recommended update for pciutils-ids
Severity: low
References: 911528,944104,944436,944825
Description:
The system's PCI IDs database has been updated to version 2015.10.07. Additionally, the
merge-pciids.pl script was fixed to not print warnings about conflicting definitions by
default.

-----------------------------------------
Patch: SUSE-2015-729
Released: Thu Oct 15 03:40:43 2015
Summary: Recommended update for release-notes-sles
Severity: low
References: 943017,947023
Description:

The Release Notes of SUSE Linux Enterprise Server 12 have been updated to document:

- New: NTP 4.2.8. (bsc#943017, fate#319525)
- New: Boot from devices larger than 2 TiB. (fate#317853)
- New: module-init-tools replaced by kmod. (fate#317866)


-----------------------------------------
Patch: SUSE-2015-749
Released: Thu Oct 15 11:47:57 2015
Summary: Recommended update for yast2-sysconfig
Severity: low
References: 899104,926485
Description:

This update for yast2-sysconfig improves compatibility with systemd when
restarting or reloading services.


-----------------------------------------
Patch: SUSE-2015-747
Released: Thu Oct 15 14:34:52 2015
Summary: Recommended update for supportutils
Severity: low
References: 944445,950216
Description:
This update for supportutils provides the following fixes and enhancements:

- Capture information about IBM's PowerNV platform. (bsc#944445)
- Collect important libvirt log files. (bsc#950216)


-----------------------------------------
Patch: SUSE-2015-759
Released: Thu Oct 22 09:44:27 2015
Summary: Security update for polkit
Severity: moderate
References: 912889,933922,935119,939246,943816,950114,CVE-2015-3218,CVE-2015-3255,CVE-2015-3256,CVE-2015-4625
Description:

polkit was updated to the 0.113 release, fixing security issues and bugs.

Security issues fixed:
* Fixes CVE-2015-4625, a local privilege escalation due to predictable
  authentication session cookie values. Thanks to Tavis Ormandy, Google Project
  Zero for reporting this issue. For the future, authentication agents are
  encouraged to use PolkitAgentSession instead of using the D-Bus agent response
  API directly. (bsc#935119)
* Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the
  JavaScript interpreter, possibly leading to local privilege escalation.
  (bsc#943816)
* Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate
  action IDs, possibly leading to local privilege escalation. Thanks to
  Laurent Bigonville for reporting this issue. (bsc#939246)
* Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to
  Tavis Ormandy, Google Project Zero, for reporting this issue. (bsc#933922)

Other issues fixed:
* On systemd-213 and later, the 'active' state is shared across all sessions of
  an user, instead of being tracked separately.
* pkexec, when not given a program to execute, runs the users shell by
  default.
* Fixed shutdown problems on powerpc64le (bsc#950114)
* polkit had a memory leak (bsc#912889)


-----------------------------------------
Patch: SUSE-2015-800
Released: Fri Oct 23 12:04:57 2015
Summary: Recommended update for yast2-network
Severity: moderate
References: 866742,945947,948206,949193
Description:
This update for yast2-network provides the following fixes:

- Fixed a regression where AutoYaST flag keep_install_network=false was ignored. (bsc#949193)
- Fix Relax-NG parser errors when checking validity of AutoYaST profiles. (bsc#948206)
- Do not fail with internal error when cloning configuration twice in a row. (bsc#866742)
- Fix routing module to return the correct code when invoked from command line. (bsc#945947)


-----------------------------------------
Patch: SUSE-2015-815
Released: Sun Oct 25 11:52:49 2015
Summary: Recommended update for libsolv, libzypp, zypper
Severity: moderate
References: 900769,941453,941463,941539,941563,943563,945169,946129,946750,946752,948482,948608,949957,951339,951402,951782
Description:
This update for the Software Update Stack provides fixes and enhancements.

libsolv:

- Support testcase writing in bindings. (bsc#946752)
- Support a generic string for pattern-visible(). (bsc#900769)
- Fix bug in recommends handling. (bsc#948482)

libzypp:

- Resolver allow tuning DUP mode solver flags. (fate#319128)
- Add attemptToModify to indicate an attempt to actually install/remove
  was made. (bsc#946750, fate#319467)
- Fix broken product: <-> -release package relation. (bsc#951782)
- Fix Plugin-services not updating repo GPGCheck settings. (bsc#951402)
- Avoid URL rewrite if probing local cache directories. (bsc#946129)
- Don't cache repo releasever. (bsc#943563)
- Fix setting dup_allow* solver options. (bsc#941463)
- Don't make zypper encode {} around repo vars. (bsc#941453)
- Make Solvable::asUserString more readable. (bsc#949957)

yast2-pkg-bindings:

- Pkg::SourceGeneralData(): Return also the raw URL (without expanding the
  variables). (bsc#941563)
- Pkg.SetSolverFlags(): Added DUP mode solver settings, these are different
  than the 'normal' mode settings. (fate#319128)
- Pkg::ResolvableProperties(): 'version' value contains a full edition (in
  form '[epoch:]version[-release]'), additionally return also 'version_epoch',
  'version_version' and 'version_release' with the parts of the edition.
  (fate#318505)
- Fixed saving removed services. (fate#315161)
- Add pkgGpgCheck callback. (bsc#948608)

zypper:

- Return ZYPPER_EXIT_ERR_COMMIT if an error occurred during commit. (bsc#946750,
  fate#319467)
- Show locked packages in summary of patch, up and dup commands. (fate#318299)
- Search: Append 'l' to locked items' status tag. (fate#318299)
- List locks: Implement new command options --matches and --solvables to see
  the resolvables matched by each lock definition. (fate#318299)
- Issue 'volatile change' warning when modifying a plugin service repo. (bsc#951339)
- Add new option commit/psCheckAccessDeleted to zypper.conf to avoid 'lsof'
  call after commit. On some systems 'lsof' seems to perform very slow, and
  the check takes up to several minutes. Due to this it's possible to disable
  the automatic check after each commit. Explicit calls to 'zypper ps' are not
  affected by this option. (bsc#945169)
- Add -s option to 'locks' to show solvables repositories. (bsc#949957)
- Add options to allow vendor locking for 'zypper dup'. (fate#319128)
- Implement --updatestack-only parameter for 'zypper patch': Install only
  patches which affect the package management itself. (fate#319407)
- Add git-like subcommand support for zypper. Zypper subcommands are standalone
  executables that live in the zypper exec dir or are available in your $PATH
  (see zypper(8)).

Additional note:

This update is one of several that contains features that are needed for
enabling the migration of a SLE 12 system to SLE 12 SP1 or later. As soon
as the package yast2-migration is available and the target Service Pack
migration is activated in the SUSE Customer Center the migration could be
performed.


-----------------------------------------
Patch: SUSE-2015-808
Released: Sun Oct 25 20:51:11 2015
Summary: Recommended update for yast2-slp-server
Severity: low
References: 878892
Description:
This update for yast2-slp-server fixes handling of comments on slp.conf.

-----------------------------------------
Patch: SUSE-2015-752
Released: Sun Oct 25 20:58:19 2015
Summary: Recommended update for python-coverage
Severity: low
References: 950619
Description:

This update for python-coverage adjusts the package's spec file to require coreutils.
This package is needed for the rm(1) call by the pre-installation script.


-----------------------------------------
Patch: SUSE-2015-791
Released: Wed Oct 28 18:29:08 2015
Summary: Recommended update for aaa_base
Severity: low
References: 907873,915259,921172,926049,928398,932456,942734,950892
Description:
This update for aaa_base provides the following fixes:

- Remove references to suseconfig and unused variables. (bsc#942734)
- Do not insert spaces at start of string in sysconf_addword. (bsc#932456)
- Fix suse.de-backup-rc.config to trigger also if only files that have spaces
  in their name changes. (bsc#915259)
- Avoid sourcing /etc/bash_completion.d twice. (bsc#907873)
- Even if GDM has done language setup the personal .i18n should be sourced. (bsc#950892)
- Correct the boolean test in /etc/profile.d/lang.sh.
- Handle also command lines starting with the env command as this is used by Gnome xsessions. (bsc#921172)
- Add SOCKS5_SERVER and socks_proxy to proxy settings. (bsc#928398)
- Allow SysRq dump by default. (bsc#926049)


-----------------------------------------
Patch: SUSE-2015-776
Released: Fri Oct 30 08:06:58 2015
Summary: Recommended update for libyaml
Severity: low
References: 952625
Description:
This update adjusts libyaml's packaging to require pkg-config at build time.

-----------------------------------------
Patch: SUSE-2015-792
Released: Fri Oct 30 11:16:03 2015
Summary: Security update for krb5
Severity: important
References: 948011,952188,952189,952190,CVE-2015-2695,CVE-2015-2696,CVE-2015-2697
Description:
krb5 was updated to fix three security issues.

These security issues were fixed:
- CVE-2015-2695: Applications which call gss_inquire_context() on a partially-established SPNEGO context could have caused the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. (bsc#952188).
- CVE-2015-2696: Applications which call gss_inquire_context() on a partially-established IAKERB context could have caused the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. (bsc#952189).
- CVE-2015-2697: Incorrect string handling in build_principal_va can lead to DOS (bsc#952190).
  

-----------------------------------------
Patch: SUSE-2015-812
Released: Tue Nov  3 01:58:24 2015
Summary: Recommended update for plymouth
Severity: moderate
References: 939204,949046,951983
Description:
This update for plymouth provides the following fixes:

- Do not filter out useful control characters. (bsc#951983)
- Rewrite version handling in the spec file to avoid hard-coding SLE versions. (bsc#949046)
- Ensure plymouth-reboot always restarts if needed to show all the log messages. (bsc#939204)


-----------------------------------------
Patch: SUSE-2015-813
Released: Wed Nov  4 19:38:37 2015
Summary: Recommended update for supportutils
Severity: low
References: 915888,931390,939079,941773,952024
Description:
This update for supportutils provides the following fixes and enhancements:

- Added OPTION_NIT for novell-nit.txt. (bsc#939079)
- Included control group listing in systemd.txt.
- Fixed find loop for autoupg.xml. (bsc#952024)
- Added nic,lan,vswitch. (bsc#915888)
- Fixed kernel taint flags. (bsc#941773)
- Fixed package reference. (bsc#931390)


-----------------------------------------
Patch: SUSE-2015-807
Released: Thu Nov  5 07:48:32 2015
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 908275,952810,CVE-2015-4513,CVE-2015-7181,CVE-2015-7182,CVE-2015-7183,CVE-2015-7188,CVE-2015-7189,CVE-2015-7193,CVE-2015-7194,CVE-2015-7196,CVE-2015-7197,CVE-2015-7198,CVE-2015-7199,CVE-2015-7200
Description:

This Mozilla Firefox, NSS and NSPR update fixes the following security
and non security issues.

- mozilla-nspr was updated to version 4.10.10 (bsc#952810)
  * MFSA 2015-133/CVE-2015-7183
    (bmo#1205157)
    NSPR memory corruption issues

- mozilla-nss was updated to 3.19.2.1 (bsc#952810)
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182
    (bmo#1192028, bmo#1202868)
    NSS and NSPR memory corruption issues

- MozillaFirefox was updated to 38.4.0 ESR (bsc#952810)
  * MFSA 2015-116/CVE-2015-4513
    (bmo#1107011, bmo#1191942, bmo#1193038, bmo#1204580,
     bmo#1204669, bmo#1204700, bmo#1205707, bmo#1206564,
     bmo#1208665, bmo#1209471, bmo#1213979)
    Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
  * MFSA 2015-122/CVE-2015-7188
    (bmo#1199430)
    Trailing whitespace in IP address hostnames can bypass
    same-origin policy
  * MFSA 2015-123/CVE-2015-7189
    (bmo#1205900)
    Buffer overflow during image interactions in canvas
  * MFSA 2015-127/CVE-2015-7193
    (bmo#1210302)
    CORS preflight is bypassed when non-standard Content-Type
    headers are received
  * MFSA 2015-128/CVE-2015-7194
    (bmo#1211262)
    Memory corruption in libjar through zip files
  * MFSA 2015-130/CVE-2015-7196
    (bmo#1140616)
    JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
    (bmo#1204061, bmo#1188010, bmo#1204155)
    Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197
    (bmo#1204269)
    Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
    (bmo#1202868, bmo#1192028, bmo#1205157)
    NSS and NSPR memory corruption issues
- fix printing on landscape media (bsc#908275)


-----------------------------------------
Patch: SUSE-2015-822
Released: Wed Nov 11 12:41:29 2015
Summary: Recommended update for systemd
Severity: moderate
References: 900558,904214,912334,913517,932284,933521,933533,934901,937512,937900,938908,939571,940264,941576,942946,944132,944799,945282,947212,948705,950510,951265,951663,953241
Description:

This collective update for SystemD provides the following fixes and enhancements:

- Implement firstboot helper and ConditionFirstBoot support. (fate#318894)
- Avoid broken virtual console mapping due to stressed ioctl API for the virtual
  consoles. (bsc#904214)
- Fix persistent net rule generation for KVM. (bsc#938908)
- Avoid that processes in scopes like login shells are killed immediately
  after signaled with SIGTERM. (bsc#932284) 
- Avoid race condition for two loadkey processes, that is one loading the keymap
  and one for loading the compose tables. (bsc#941576)
- Add persistent device name rules for NVMe devices. (bsc#944132)
- Don't mount system root as read/write, if 'readonly' is given as boot parameter.
  (bsc#900558)
- Make TERM configurable for vm serial consoles. (bsc#913517)
- Avoid delay while booting with nofail entries in fstab. (bsc#912334) 
- Parse /etc/systemd/system.conf on daemon reload. (bsc#933521)
- Avoid stuck sbus connection due invalid dbus call. (bsc#937900)
- Work around a problem of an assert on ENODEV for closing fd on an input
  event device. (bsc#939571) 
- Fix 'invalid argument' error when setting memory.limit_in_bytes. (bsc#937512)
- Support reboot -f on kexec kernels. (bsc#940264)
- Not all watchdog drivers implement WDIOC_SETOPTIONS, so do not require it.
  (bsc#933533)
- Make rootsymlink_generator return success even if stat fails. (bsc#945282)
- Create /run/udev if it doesn't exist. (bsc#945282)
- Exclude device-mapper from block device ownership event locking. (bsc#944799)
- Drop original fix for bsc#872929, superseded by later changes. (bsc#942946)
- Support Virtualbox 5.0 running on top of KVM hypervisor. (bsc#948705)
- Suppress warnings about duplicated sysfs paths. (bsc#947212)
- Avoid restarting logind after package update. (bsc#934901)
- Add old fashion phy sas disk enumeration to path_id_compat. (bsc#950510)
- Fix disabled event source handling. (bsc#951663)


-----------------------------------------
Patch: SUSE-2015-827
Released: Wed Nov 11 17:24:14 2015
Summary: Recommended update for sqlite3
Severity: low
References: 952710
Description:

This update for sqlite3 enables support for the sqlite3_unlock_notify() API.


-----------------------------------------
Patch: SUSE-2015-834
Released: Thu Nov 12 13:52:22 2015
Summary: Recommended update for python-Twisted
Severity: moderate
References: 940813
Description:

python-Twisted has been updated to version 15.2.1, which brings several fixes and
enhancements such as:

- twisted.positioning, a new API for positioning systems such as GPS, has been added.
  It comes with an implementation of NMEA, the most common wire protocol for GPS devices.
  It will supersede twisted.protocols.gps.
- IReactorUDP.listenUDP, IUDPTransport.write and IUDPTransport.connect now accept ipv6
  address literals.
- A new API, twisted.internet.ssl.optionsForClientTLS, allows clients to specify and
  verify the identity of the peer they're communicating with.  When used with the
  service_identity library from PyPI, this provides support for service identity
  verification from RFC 6125, as well as server name indication from RFC 6066.
- Twisted's TLS support now provides a way to ask for user-configured trust roots
  rather than having to manually configure such certificate authority certificates.
- twisted.internet.ssl.CertificateOptions now supports ECDHE for servers by default
  on pyOpenSSL 0.14 and later, if the underlying versions of cryptography.io and
  OpenSSL support it.
- twisted.internet.ssl.CertificateOptions now allows the user to set acceptable ciphers
  and uses secure ones by default.
- The new package twisted.logger provides a new, fully tested, and feature-rich logging
  framework. The old module twisted.python.log is now implemented using the new framework.
- twisted.conch.ssh.forwarding now supports local->remote forwarding of IPv6.
- twisted.mail.smtp.sendmail now uses ESMTP. It will opportunistically enable encryption
  and allow the use of authentication.
- twisted.internet.ssl.CertificateOptions now enables TLSv1.1 and TLSv1.2 by default
  (in addition to TLSv1.0) if the underlying version of OpenSSL supports these protocol
  versions.
- twisted.internet.ssl.CertificateOptions now supports Diffie-Hellman key exchange.
- twisted.internet.ssl.CertificateOptions now disables TLS compression to avoid CRIME
  attacks and, for servers, uses server preference to choose the cipher.
- MSN protocol support has been marked as deprecated.
- Removed deprecated UDPClient.
- Better support and integration with Python 3.

For a comprehensive list of changes, please refer to the file NEWS shipped within the
package.


-----------------------------------------
Patch: SUSE-2015-841
Released: Fri Nov 13 11:42:56 2015
Summary: Recommended update for autoyast2
Severity: moderate
References: 872711,897321,901739,901904,908271,909349,909745,923992,926241,928987,937900,948608,953162
Description:
This update for AutoYaST2 provides the following fixes:

- Do not restart dbus service after installation. Otherwise some other services might hang. (bsc#937900)
- Added new section 'restricts' for ntp configuration. (bsc#928987)
- Avoid ayast_probe module crashing when called from an installed system. (bsc#926241)
- Introduce new autoinst flag in general/mode section: final_restart_services.
  This option makes AutoYaST restart all services after finishing the installation.
  The default is 'true' which is a backward compatible value. (bsc#923992)
- Checking if the disk is -partitionable- instead of checking if it is a real disk.
  Needed for Multipath disks. (bsc#909349)
- Mount the installation source in order to copy AutoYaST configuration file into inst_sys. (bsc#908271)
- Removed code which will be already done by service_manager. (bsc#909745)
- AutoYaST configuration module: Reset menu bar after calling single YAST configuration module. (bsc#872711)
- Fixed too small dialog for autoyast profile location. (bsc#897321)
- Fixed UI in partition configuration. (bsc#901904, bsc#901739)
- Handle pkgGpgCheck callback introduced in libzypp 14.39.0. (bsc#948608, bsc#953162)


-----------------------------------------
Patch: SUSE-2015-844
Released: Fri Nov 13 17:53:05 2015
Summary: Recommended update for release-notes-sles
Severity: low
References: 950159,951480,952981
Description:

The Release Notes of SUSE Linux Enterprise Server 12 have been updated to document:

- New: Deprecate DMSVSMA for snIPL. (fate#316144)
- New: Availability of Docker images based on SLES 11-SP4. (fate#319375)
- New: Usage of NOOP I/O scheduler for multipathing environments. (fate#319091)
- New: Inclusion of the virt-top tool. (fate#319422)
- New: ixgbe behavior regarding the configuration of VF MAC addresses. (fate#319714)
- Changed: Decision about CUPS version upgrade for SLE12. (fate#314630)


-----------------------------------------
Patch: SUSE-2015-854
Released: Wed Nov 18 10:40:35 2015
Summary: Security update for libpng12
Severity: moderate
References: 952051,954980,CVE-2015-7981,CVE-2015-8126
Description:
The libpng12 package was updated to fix the following security issues:

- CVE-2015-8126: Fixed a buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (bsc#954980).
- CVE-2015-7981: Fixed an out-of-bound read (bsc#952051).


-----------------------------------------
Patch: SUSE-2015-855
Released: Wed Nov 18 10:41:00 2015
Summary: Security update for libpng16
Severity: moderate
References: 954980,CVE-2015-8126
Description:
The libpng16 package was updated to fix the following security issue:

- CVE-2015-8126: Fixed a buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (bsc#954980).


-----------------------------------------
Patch: SUSE-2015-859
Released: Wed Nov 18 13:53:50 2015
Summary: Recommended update for bind
Severity: moderate
References: 947483
Description:

This update for bind removes the start/stop dependency of named and lwresd on remote-fs,
fixing a service dependency cycle.


-----------------------------------------
Patch: SUSE-2015-865
Released: Thu Nov 19 18:01:11 2015
Summary: Recommended update for os-prober
Severity: low
References: 931955
Description:
This update fixes os-prober to not attempt to mount btrfs snapshots.

-----------------------------------------
Patch: SUSE-2015-866
Released: Thu Nov 19 18:01:47 2015
Summary: Recommended update for systemd
Severity: moderate
References: 954336,954781
Description:
This update for SystemD provides the following fixes:

- Do not return error when paths in ReadOnlyDirectories= and InaccessibleDirectories=
  directives are prefixed with '-' and don't exist. (bsc#954781)
- Allow systemd-sysv-convert to do its job even if one of the sysvinit scripts is not
  found. (bsc#954336)


-----------------------------------------
Patch: SUSE-2015-874
Released: Fri Nov 20 14:05:52 2015
Summary: Recommended update for sg3_utils
Severity: moderate
References: 903323,903329,903332,907049,907483,917011,917049,943817
Description:
This update for sg3_utils provides the following fixes:

- Change rescan-scsi-bus.sh to set IPTYPE and IPQUAL on failure, fixing syntax errors
  later on. (bsc#903329)
- Allow spaces when comparing types in rescan-scsi-bus.sh. (bsc#903323)
- Fix sg_inq(8) to correctly ignore invalid VPD entries. (bsc#907049)
- Differentiate between NAA VPD descriptor types. (bsc#907483)
- Use udev-compliant character encoding in 'sg_inq --export'. (bsc#917011)
- Fix regular expression in rescan-scsi-bus.sh to not produce strings with white spaces.
  (bsc#943817)
- Fix rescan-scsi-bus.sh to check if temporary file exists before trying to remove it.
  Previously it could end up removing /dev/null. (bsc#917049)
- Implement option '--issue-lip-wait' in rescan-scsi-bus.sh to insert a delay after
  issuing a LIP reset. (bsc#903332)
- Interpret DID_NEXUS_FAILURE as 'reservation conflict'. (bsc#903332)


-----------------------------------------
Patch: SUSE-2015-877
Released: Fri Nov 20 14:29:14 2015
Summary: Security update for dracut
Severity: moderate
References: 935338,935993,947518,952491,CVE-2015-0794
Description:
The dracut package was updated to fix the following security and non-security issues:

- CVE-2015-0794: Use mktemp instead of hardcoded filenames, possible vulnerability (bsc#935338).
- Always install mdraid modules (bsc#935993).
- Add notice when dracut failed to install modules (bsc#952491).
- Always install dm-snaphost module if lvm dracut module is needed, even if dm-snapshot is not loaded on the host yet (bsc#947518).


-----------------------------------------
Patch: SUSE-2015-892
Released: Wed Nov 25 10:27:06 2015
Summary: Recommended update for crash
Severity: moderate
References: 922005,940720
Description:
This update for crash provides the following fixes:

- Fix changed Xen 4.2.5 domain structure member. (bsc#922005)
- Fix mis-labeled per-cpu exception stacks. (bsc#940720) 


-----------------------------------------
Patch: SUSE-2015-900
Released: Thu Nov 26 14:42:12 2015
Summary: Recommended update for YaST2 modules
Severity: low
References: 954412
Description:

Several YaST2 modules have been updated to fix errors in the schema definitions
used to validate AutoYaST profiles.


-----------------------------------------
Patch: SUSE-2015-909
Released: Fri Nov 27 15:07:41 2015
Summary: Recommended update for sles-manuals_en
Severity: low
References: 918217,922976,927506,938152,947526
Description:

SUSE Linux Enterprise Server 12 manuals have been updated with fixes and enhancements:

- Added more examples of 'zypper list-patches --cve'. (fate#319053)
- Added a new tip on updating the initramfs file after changing the default sysctl
  configuration. (bsc#927506)
- Replaced CA.sh with the explicit openssl command.
- Improved GRUB 2 re-installation procedure.
- Removed documentation about VNC view-only passwords because they are not available
  in SUSE Linux Enterprise Server.
- Fixed procedure to access the installed system in a rescue mode. (bsc#918217)
- Added a tip on preventing wicked from deactivating the network device on NFS roots.
  (bsc#938152)
- Fixed misleading statement about kernel-FLAVOR-extra. (bsc#922976)


-----------------------------------------
Patch: SUSE-2015-910
Released: Fri Nov 27 16:01:28 2015
Summary: Recommended update for yast2-packager, yast2-pkg-bindings
Severity: moderate
References: 944504,944505,952112
Description:
This update provides the following fixes and enhancements:

yast2-packager:

- Repository editor can now manage URLs with repo variables like $arch and
  $releasever. (bsc#944505)
- Do not check the free space on a CD/DVD mounted medium during online
  migration. (bsc#952112)
- Added a filter showing only those repositories not belonging to any
  service. (bsc#944504)

yast2-pkg-bindings:

- Added Pkg::SourceRawURL() and Pkg:ExpandedUrl() to deal with repositories
  including repo variables. (bsc#944505)


-----------------------------------------
Patch: SUSE-2015-912
Released: Fri Nov 27 17:54:46 2015
Summary: Recommended update for lvm2
Severity: moderate
References: 935621,935623,937791,938208,938419,942888,946217,946651,948859,952027,952300
Description:
This update for lvm2 provides the following fixes:

- Adjust lvm2-lvmetad.service to ensure lvm2-lvmetad.socket is removed when the service
  is disabled. (bsc#952027)
- Fix moving of PVs when physical block sizes of devices differ. (bsc#952300)
- Allow creation of PVs on unpartitioned DASD devices formatted with CDL. (bsc#948859,
  bsc##946217)
- Activate LVM volumes after network-attached devices (iSCSI and FCoE) are set up
  and set correct initialization order for lvm2 systemd services. (bsc#946651)
- Fix segmentation fault when extending a LV with a smaller number of stripes than
  originally used. (bsc#942888)
- Fix vgchange to check if there are no mounted file systems preventing deactivation
  of the volume group. (bsc#938419)
- Retry VG-refresh in pvscan to prevent premature auto-activation failures. (bsc#938208)
- Print debug information to standard output. (bsc#937791)
- Fix an error in dmeventd which prevented the creation of the monitor thread. (bsc#935623)
- Modify lvm2-monitor.service to add dependency on lvm2-activation.service. (bsc#935621)


-----------------------------------------
Patch: SUSE-2015-945
Released: Fri Dec  4 10:33:50 2015
Summary: Security update for the Linux Kernel
Severity: important
References: 814440,867595,904348,921949,924493,930145,933514,935961,936076,936773,939826,939926,940853,941202,941867,942938,944749,945626,946078,947241,947321,947478,948521,948685,948831,949100,949463,949504,949706,949744,950013,950750,950862,950998,951110,951165,951199,951440,951546,952666,952758,953796,953980,954635,955148,955224,955422,955533,955644,956047,956053,956703,956711,CVE-2015-0272,CVE-2015-2925,CVE-2015-5283,CVE-2015-5307,CVE-2015-7799,CVE-2015-7872,CVE-2015-7990,CVE-2015-8104
Description:
The SUSE Linux Enterprise 12 kernel was updated to 3.12.51 to receive various security and bugfixes.

Following security bugs were fixed:
- CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers were valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936).
- CVE-2015-5283: The sctp_init function in net/sctp/protocol.c in the Linux kernel had an incorrect sequence of protocol-initialization steps, which allowed local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished (bnc#947155).
- CVE-2015-2925: The prepend_path function in fs/dcache.c in the Linux kernel did not properly handle rename actions inside a bind mount, which allowed local users to bypass an intended container protection mechanism by renaming a directory, related to a 'double-chroot attack (bnc#926238).
- CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
- CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527).
- CVE-2015-7990: RDS: There was no verification that an underlying transport exists when creating a connection, causing usage of a NULL pointer (bsc#952384).
- CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (OOPS) via crafted keyctl commands (bnc#951440).
- CVE-2015-0272: Missing checks allowed remote attackers to cause a denial of service (IPv6 traffic disruption) via a crafted MTU value in an IPv6 Router Advertisement (RA) message, a different vulnerability than CVE-2015-8215 (bnc#944296).

The following non-security bugs were fixed:
- ALSA: hda - Disable 64bit address for Creative HDA controllers (bnc#814440).
- Add PCI IDs of Intel Sunrise Point-H SATA Controller S232/236 (bsc#953796).
- Btrfs: fix file corruption and data loss after cloning inline extents (bnc#956053).
- Btrfs: fix truncation of compressed and inlined extents (bnc#956053).
- Disable some ppc64le netfilter modules to restore the kabi (bsc#951546)
- Fix regression in NFSRDMA server (bsc#951110).
- KEYS: Fix race between key destruction and finding a keyring by name (bsc#951440).
- KVM: x86: call irq notifiers with directed EOI (bsc#950862).
- NVMe: Add shutdown timeout as module parameter (bnc#936076).
- NVMe: Mismatched host/device page size support (bsc#935961).
- PCI: Drop 'setting latency timer' messages (bsc#956047).
- SCSI: Fix hard lockup in scsi_remove_target() (bsc#944749).
- SCSI: hosts: update to use ida_simple for host_no (bsc#939926)
- SUNRPC: Fix oops when trace sunrpc_task events in nfs client (bnc#956703).
- Sync ppc64le netfilter config options with other archs (bnc#951546)
- Update kabi files with sbc_parse_cdb symbol change (bsc#954635).
- apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task (bsc#921949).
- apparmor: temporary work around for bug while unloading policy (boo#941867).
- audit: correctly record file names with different path name types (bsc#950013).
- audit: create private file name copies when auditing inodes (bsc#950013).
- cpu: Defer smpboot kthread unparking until CPU known to scheduler (bsc#936773).
- dlm: make posix locks interruptible, (bsc#947241).
- dm sysfs: introduce ability to add writable attributes (bsc#904348).
- dm-snap: avoid deadock on s->lock when a read is split (bsc#939826).
- dm: do not start current request if it would've merged with the previous (bsc#904348).
- dm: impose configurable deadline for dm_request_fn's merge heuristic (bsc#904348).
- dmapi: Fix xfs dmapi to not unlock and lock XFS_ILOCK_EXCL (bsc#949744).
- drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt, v2 (bsc#942938).
- drm/i915: add hotplug activation period to hotplug update mask (bsc#953980).
- fanotify: fix notification of groups with inode and mount marks (bsc#955533).
- genirq: Make sure irq descriptors really exist when __irq_alloc_descs returns (bsc#945626).
- hv: vss: run only on supported host versions (bnc#949504).
- ipv4: Do not increase PMTU with Datagram Too Big message (bsc#955224).
- ipv6: Check RTF_LOCAL on rt->rt6i_flags instead of rt->dst.flags (bsc#947321).
- ipv6: Consider RTF_CACHE when searching the fib6 tree (bsc#947321).
- ipv6: Extend the route lookups to low priority metrics (bsc#947321).
- ipv6: Stop /128 route from disappearing after pmtu update (bsc#947321).
- ipv6: Stop rt6_info from using inet_peer's metrics (bsc#947321).
- ipv6: distinguish frag queues by device for multicast and link-local packets (bsc#955422).
- ipvs: drop first packet to dead server (bsc#946078).
- kABI: protect struct ahci_host_priv.
- kABI: protect struct rt6_info changes from bsc#947321 changes (bsc#947321).
- kabi: Hide rt6_* types from genksyms on ppc64le (bsc#951546).
- kabi: Restore kabi in struct iscsi_tpg_attrib (bsc#954635).
- kabi: Restore kabi in struct se_cmd (bsc#954635).
- kabi: Restore kabi in struct se_subsystem_api (bsc#954635).
- kabi: protect skb_copy_and_csum_datagram_iovec() signature (bsc#951199).
- kgr: fix migration of kthreads to the new universe.
- kgr: wake up kthreads periodically.
- ktime: add ktime_after and ktime_before helper (bsc#904348).
- macvlan: Support bonding events (bsc#948521).
- net: add length argument to skb_copy_and_csum_datagram_iovec (bsc#951199).
- net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec() (bsc#951199).
- pci: Update VPD size with correct length (bsc#924493).
- rcu: Eliminate deadlock between CPU hotplug and expedited grace periods (bsc#949706).
- ring-buffer: Always run per-cpu ring buffer resize with schedule_work_on() (bnc#956711).
- route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).
- rtc: cmos: Cancel alarm timer if alarm time is equal to now+1 seconds (bsc#930145).
- rtc: cmos: Revert 'rtc-cmos: Add an alarm disable quirk' (bsc#930145).
- sched/core: Fix task and run queue sched_info::run_delay inconsistencies (bnc#949100).
- sunrpc/cache: make cache flushing more reliable (bsc#947478).
- supported.conf: Add missing dependencies of supported modules hwmon_vid needed by nct6775 hwmon_vid needed by w83627ehf reed_solomon needed by ramoops
- supported.conf: Fix dependencies on ppc64le of_mdio needed by mdio-gpio
- target/pr: fix core_scsi3_pr_seq_non_holder() caller (bnc#952666).
- target/rbd: fix COMPARE AND WRITE page vector leak (bnc#948831).
- target/rbd: fix PR info memory leaks (bnc#948831).
- target: Send UA upon LUN RESET tmr completion (bsc#933514).
- target: use '^A' when allocating UAs (bsc#933514).
- usbvision fix overflow of interfaces array (bnc#950998).
- vmxnet3: Fix ethtool -S to return correct rx queue stats (bsc#950750).
- vmxnet3: adjust ring sizes when interface is down (bsc#950750).
- x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down (bsc#940853).
- x86/evtchn: make use of PHYSDEVOP_map_pirq.
- x86/mm/hotplug: Modify PGD entry when removing memory (VM Functionality, bnc#955148).
- x86/mm/hotplug: Pass sync_global_pgds() a correct argument in remove_pagetable() (VM Functionality, bnc#955148).
- xfs: DIO needs an ioend for writes (bsc#949744).
- xfs: DIO write completion size updates race (bsc#949744).
- xfs: DIO writes within EOF do not need an ioend (bsc#949744).
- xfs: always drain dio before extending aio write submission (bsc#949744).
- xfs: direct IO EOF zeroing needs to drain AIO (bsc#949744).
- xfs: do not allocate an ioend for direct I/O completions (bsc#949744).
- xfs: factor DIO write mapping from get_blocks (bsc#949744).
- xfs: handle DIO overwrite EOF update completion correctly (bsc#949744).
- xfs: move DIO mapping size calculation (bsc#949744).
- xfs: using generic_file_direct_write() is unnecessary (bsc#949744).
- xhci: Add spurious wakeup quirk for LynxPoint-LP controllers (bnc#951165).
- xhci: change xhci 1.0 only restrictions to support xhci 1.1 (bnc#949463).


-----------------------------------------
Patch: SUSE-2015-958
Released: Wed Dec  9 16:47:29 2015
Summary: Security update for openssl
Severity: moderate
References: 937085,947104,954256,957812,957813,957815,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196
Description:

This update for openssl fixes the following issues: 

Security fixes:
- CVE-2015-3194: The signature verification routines will crash with a
  NULL pointer dereference if presented with an ASN.1 signature using the
  RSA PSS algorithm and absent mask generation function parameter. Since
  these routines are used to verify certificate signature algorithms
  this can be used to crash any certificate verification operation and
  exploited in a DoS attack. Any application which performs certificate
  verification is vulnerable including OpenSSL clients and servers which
  enable client authentication. (bsc#957815)
- CVE-2015-3195: When presented with a malformed X509_ATTRIBUTE structure OpenSSL would leak
  memory. This structure is used by the PKCS#7 and CMS routines so any
  application which reads PKCS#7 or CMS data from untrusted sources is affected.
  SSL/TLS is not affected. (bsc#957812)
- CVE-2015-3196: If PSK identity hints are received by a multi-threaded client then
  the values were wrongly updated in the parent SSL_CTX structure. This could
  result in a race condition potentially leading to a double free of the
  identify hint data.  (bsc#957813)

Non security bugs fixed:
- Clear the error after setting non-fips mode (bsc#947104)
- Improve S/390 performance on IBM z196 and z13 (bsc#954256)
- Add support for 'ciphers' providing no encryption (bsc#937085)


-----------------------------------------
Patch: SUSE-2015-966
Released: Mon Dec 14 19:31:34 2015
Summary: SLE 12 SP migration enablement
Severity: low
References: 880701,897129,941539,944019,955400
Description:

This update provides the necessary package for performing a Service Pack
migration on SUSE Linux Enterprise 12. It contains the following packages and
changes:

yast2-migration:

The initial package of yast2-migration which provides a YaST2 module for
migrating to a newer Service Pack if it's available. This package is installed
automatically whenever an update is performed. 

zypper-migration-plugin:

A plugin which provides migration functionality to zypper. This package is
installed automatically whenever an update is performed.

yast2:

- Avoid too many snapshots created during the online migration. (bsc#944019)
- Fixed clipped labels in Arabic on some widgets. (bsc#880701)
- AutoYaST will no longer ignore firewall settings if keep_install_network
  is enabled. (bsc#897129)
- Add a default value for firewall setting FW_BOOT_INIT_FULL. (bsc#955400)


-----------------------------------------
Patch: SUSE-2015-967
Released: Mon Dec 14 19:32:09 2015
Summary: Recommended update for yast2-registration and SUSEConnect
Severity: moderate
References: 934582,939293,941303,941402,941403,941491,941532,941563,941565,941739,942843,942892,943451,943466,943568,943636,943960,944089,944510,945028,945462,946004,946200,946488,948363,949424,949934,950233,950795,953536,954266,954412
Description:

SUSEConnect and yast2-registration have been enhanced with a set of features to enable
Service Pack migration.

yast2-registration:

- Added support for online migration, the registration part handles the service upgrade
  and migration repository management. (fate#315161)
- Make sure the base product is downgraded first when doing a migration rollback. (fate#315161)
- Restore the original product registration when online migration is aborted. (fate#315161)
- Use 'zypper dup --no-vendor-change' equivalent for online migration. (fate#319138)
- Adapt module to new version of SUSEConnect. (fate#318800)
- Always enable update repositories for modules during online migration. (bsc#953536)
- Fix crash at the end of AutoYaST configuration's workflow. (bsc#949934)
- Fix crash due to undefined method when upgrading installed addon. (bsc#950795)
- AutoYaST: Take registration server from AutoYaST configuration file and set it
  in /etc/SUSEConnect. (bsc#943466, bsc#950233)
- Restore the original $releasever value and refresh the repositories when online
  migration is aborted. (bsc#948363)
- Do not crash when a repository cannot be accessed, ask the user to skip it or abort
  the online migration. (bsc#946200)
- Check whether the system is registered before running online migration. (bsc#946004)
- Set the selected repository states in the manual repository selection dialog before
  starting the full repository management module.
- Specific migration repositories are not used in SLE12, use better wording. (bsc#944510)
- Set $releasever URL variable to the new base product during online migration. (bsc#941563)
- Display short product names instead of the internal identifiers in the migration
  selection dialog. (bsc#945028)
- Restore (enable) the Updates repositories at the end of the migration workflow. (bsc#943960)
- Fix syntax error. (bsc#944089)
- Make the migration selection widget smaller to have more space for details when only
  a few migrations are available. (bsc#943636)
- Keep the original NCCCredentials file permissions when upgrading from SLE11. (bsc#943568)
- Better wording in the 'install updates' popup. (bsc#942843)
- Handle not available products when using SMT for running online migration. (bsc#942892)
- Fix registering a product with POOL flavor. (bsc#941402)
- Avoid possible ID duplicates when an add-on with multiple versions is displayed.
- Improve user messages when registration does not happen during installation. (bsc#941403,
  bsc#941739)
- Catch exceptions also when loading the available extensions. (bsc#941491)
- Reload the packages after modifying the repository setup. (bsc#941532)
- Fix validation of AutoYaST profiles. (bsc#954412)

SUSEConnect:

- Add --rollback option to SUSEConnect. (fate#319114)
- Add find_products method to migration abstraction layer. (fate#319140)
- Update manpages to match the latest CLI options
- Silently ignore malformed lscpu lines instead of failing (bnc#954266)
- zypper migration slow with lots of modules and extensions registered. (bsc#945462)
- Allow registration without system uid (dmidecode fails on qemu system). (bsc#934582)
- Ensure version of SUSEConnect is bumped in order to be able to distinct requests from
  affected YaST version in SCC API. (bsc#949424)
- Fix migration failure when 'zypper search' returns empty list. (bsc#943451)
- Synchronization API call returns 'no implicit conversion of Symbol into Integer'
  error. (bsc#946488)
- Fix zypper migration not using --releasever. (bsc#941565)
- Improve hwinfo detection on physical s390 systems.
- Fix 'Undefined method 'strip' for nil:NilClass' error. (bsc#939293)
- Fix baseproduct mismatch in migration rollback. (bsc#941303)
- Fix add_service method which also creates the credentials files
- Implement new --cleanup option to remove old system credentials and all zypper
  services installed by SUSEConnect.
- Implement new --namespace option to forward SMT staging environment to proxy
  registration server.
- Use C locale for all the syscalls, fixing output parsing issues in some locales.
- In case of wrong registration code, provide meaningful message back to the user.


-----------------------------------------
Patch: SUSE-2015-982
Released: Wed Dec 16 11:31:55 2015
Summary: Recommended update for yast2-ntp-client
Severity: low
References: 928987,940881,954412
Description:
This update for yast2-ntp-client provides the following fixes:

- Fix validation of AutoYaST profiles. (bsc#954412)
- Always use a server from pool.ntp.org as default. (bsc#940881)
- Read ntp.conf again before generating autoinst.xml file. (bsc#928987)
- Add new section 'restricts' to AutoYaST profiles. (bsc#928987)


-----------------------------------------
Patch: SUSE-2015-986
Released: Thu Dec 17 13:16:14 2015
Summary: Recommended update for wicked
Severity: moderate
References: 899985,916035,927309,928459,939142,940239,941964,942278,948423,950333,953107,954289
Description:

This update provides Wicked 0.6.28, which brings many fixes and enhancements:

- fsm: Dynamically resolve references and requirements. (bsc#954289)
- nanny: Do not pull in and rearm subordinate workers. (bsc#954289)
- nanny: Fix managed policy list handling. (bsc#953107)
- ifup: Do not update policy when it has been created and recheck with a name filter
  list instead to enable separately to avoid a race condition. (bsc#953107)
- nanny: Fix policy file reading and objects references. (bsc#916035)
- netconfig: Do not refresh unrelated details in supplicants.
- service: Fix wicked client and nanny dependencies. (bsc#950333)
- service: Restart wickedd* on dbus restart. (bsc#941964)
- fsm: Do not follow link-up checks on configured master devices not involved in the
  current ifup operation. (bsc#948423)
- client: Add more comfortable 'wicked test dhcp[46]' commands executing the wickedd-dhcp[46]
  in their --test mode. (bsc#942278)
  This makes nanny check and wait until the configuration for link references is applied
  by ifup (master device worker is available) in order to not start managing ports/slaves
  and fail on unresolvable requirements with 'document error' first.  Unavailable reference
  matches caused a timing race, where nanny omits to enslave ports into master (e.g. a dummy
  into ovsbr), but was not limited to ovs setups.
- dhcp4: Fix to request offer by default in --test. (bsc#942278)
- compat: Read complete sysctl file set. (bsc#928459)
- wireless: Fix to parse/format hex escapes in essid. (bsc#928459)
- auto4: Initial autoip and dhcp4 fallback fix. (bsc#899985)
- ethtool: Update to the most recent ethtool.h, fixed advertised mode and flags. (bsc#927309)
- fsm: Do not run post-up scripts when leases defer. (bsc#940239)
- ifstatus: Fix error return code and quiet option. (bsc#939142)


-----------------------------------------
Patch: SUSE-2015-863
Released: Thu Dec 17 16:02:51 2015
Summary: Recommended update for tar
Severity: moderate
References: 950785
Description:

The tar(1) archiving utility has been updated to fix one issue:

When the --acls option is used, explicitly set or delete default ACLs for extracted
directories. Prior to this update, arbitrary default ACLs based on standard file
permissions were being created.


-----------------------------------------
Patch: SUSE-2015-991
Released: Fri Dec 18 12:29:43 2015
Summary: Recommended update for libselinux
Severity: moderate
References: 940006
Description:

The selinux-ready helper in libselinux was updated to detect new style Linux initial
ramdisks generated by dracut.


-----------------------------------------
Patch: SUSE-2015-992
Released: Fri Dec 18 16:43:21 2015
Summary: Security update for krb5
Severity: moderate
References: 954204,CVE-2015-2698
Description:
The krb5 package was updated to fix the following security issue:

- CVE-2015-2698: Fixed a memory corruption regression introduced by resolving of CVE-2015-2698 (bsc#954204).


-----------------------------------------
Patch: SUSE-2015-994
Released: Fri Dec 18 17:47:30 2015
Summary: Security update for ldb, samba, talloc, tdb, tevent
Severity: important
References: 295284,773464,872912,901813,902421,910378,912457,913304,923374,931854,936909,939051,947552,949022,951660,953382,954658,958581,958582,958583,958584,958585,958586,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-8467
Description:

This update for ldb, samba, talloc, tdb, tevent fixes the following security issues: 

- ldb was updated to version 1.1.24.
  + Fix ldap \00 search expression attack dos; CVE-2015-3223; (bso#11325)
  + Fix remote read memory exploit in ldb; CVE-2015-5330; (bso#11599)
  + Move ldb_(un)pack_data into ldb_module.h for testing
  + Fix installation of _ldb_text.py
  + Fix propagation of ldb errors through tdb
  + Fix bug triggered by having an empty message in database during search

- Move the ldb-cmdline library to the ldb-tools package as the packaged
  binaries depend on it.

- Update the samba library distribution key file 'ldb.keyring'; (bso#945116).

Samba was updated to fix these issues:
- Malicious request can cause samba ldap server to hang, spinning using cpu;
  CVE-2015-3223; (bso#11325); (bsc#958581).
- Remote read memory exploit in ldb; cve-2015-5330; (bso#11599); (bsc#958586).
- Insufficient symlink verification (file access outside the share);
  CVE-2015-5252; (bso#11395); (bsc#958582).
- No man in the middle protection when forcing smb encryption on the client
  side; CVE-2015-5296; (bso#11536); (bsc#958584).
- Currently the snapshot browsing is not secure thru windows previous version
  (shadow_copy2); CVE-2015-5299; (bso#11529); (bsc#958583).
- Fix microsoft ms15-096 to prevent machine accounts from being changed into
  user accounts; CVE-2015-8467; (bso#11552); (bsc#958585).
- Changing log level of two entries to from 1 to 3; (bso#9912).
- Vfs_gpfs: re-enable share modes; (bso#11243).
- Wafsamba: also build libraries with relro protection; (bso#11346).
- Ctdb: strip trailing spaces from nodes file; (bso#11365).
- S3-smbd: fix old dos client doing wildcard delete - gives a attribute type
  of zero; (bso#11452).
- Nss_wins: do not run into use after free issues when we access memory
  allocated on the globals and the global being reinitialized; (bso#11563).
- Async_req: fix non-blocking connect(); (bso#11564).
- Auth: gensec: fix a memory leak; (bso#11565).
- Lib: util: make non-critical message a warning; (bso#11566).
- Fix winbindd crashes with samlogon for trusted domain user; (bso#11569);
  (bsc#949022).
- Smbd: send smb2 oplock breaks unencrypted; (bso#11570).
- Ctdb: open the ro tracking db with perms 0600 instead of 0000; (bso#11577).
- Manpage: correct small typo error; (bso#11584).
- S3: smbd: if ea's are turned off on a share don't allow an smb2 create
  containing them; (bso#11589).
- Backport some valgrind fixes from upstream master; (bso#11597).
- S3: smbd: have_file_open_below() fails to enumerate open files below an open
  directory handle; (bso#11615).
- Docs: fix some typos in the idmap config section of man 5 smb.conf;
  (bso#11619).
- Cleanup and enhance the pidl sub package.
- S3: smbd: fix our access-based enumeration on 'hide unreadable' to match
  Windows; (bso#10252).
- Smbd: fix file name buflen and padding in notify repsonse; (bso#10634).
- Kerberos: make sure we only use prompter type when available; (bso#11038).
- S3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket;
  (bso#11316).
- Dcerpc.idl: accept invalid dcerpc_bind_nak pdus; (bso#11327).
- Fix a deadlock in tdb; (bso#11381).
- S3: smbd: fix mkdir race condition; (bso#11486).
- Pam_winbind: fix a segfault if initialization fails; (bso#11502).
- S3: dfs: fix a crash when the dfs targets are disabled; (bso#11509).
- S3: smbd: fix opening/creating :stream files on the root share directory;
  (bso#11522).
- Net: fix a crash with 'net ads keytab create'; (bso#11528).
- S3: smbd: fix a crash in unix_convert() and a null pointer bug introduced by
  previous 'raw' stream fix (bso#11522); (bso#11535).
- Vfs_fruit: return value of ad_pack in vfs_fruit.c; (bso#11543).
- Vfs_commit: set the fd on open before calling smb_vfs_fstat; (bso#11547).
- Fix bug in smbstatus where the lease info is not printed; (bso#11549).
- S3:smbstatus: add stream name to share_entry_forall(); (bso#11550).
- Prevent null pointer access in samlogon fallback when security
  credentials are null; (bsc#949022).
- Fix 100% cpu in winbindd when logging in with 'user must change password on
  next logon'; (bso#11038).

talloc was updated to version 2.1.5; (bsc#954658) (bsc#951660).
  + Test that talloc magic differs between processes.
  + Increment minor version due to added talloc_test_get_magic.
  + Provide tests access to talloc_magic.
  + Test magic protection measures.

tdb was updated to version 1.3.8; (bsc#954658).
  + First fix deadlock in the interaction between fcntl and mutex locking; (bso#11381)
  + Improved python3 bindings
  + Fix runtime detection for robust mutexes in the standalone build;
    (bso#11326).
  + Possible fix for the build with robust mutexes on solaris 11; (bso#11319).
  + Abi change: tdb_chainlock_read_nonblock() has been added, a nonblock
    variant of tdb_chainlock_read()
  + Do not build test binaries if it's not a standalone build
  + Fix cid 1034842 resource leak
  + Fix cid 1034841 resource leak
  + Don't let tdb_wrap_open() segfault with name==null
  + Toos: allow transactions with tdb_mutex_locking
  + Test: add tdb1-run-mutex-transaction1 test
  + Allow transactions on on tdb's with tdb_mutex_locking
  + Test: tdb_clear_if_first | tdb_mutex_locking, o_rdonly is a valid
    combination
  + Allow tdb_open_ex() with o_rdonly of tdb_feature_flag_mutex tdbs.
  + Fix a comment
  + Fix tdb_runtime_check_for_robust_mutexes()
  + Improve wording in a comment
  + Tdb.h needs bool type; obsoletes include_stdbool_bso10625.patch
  + Tdb_wrap: make mutexes easier to use
  + Tdb_wrap: only pull in samba-debug
  + Tdb_wrap: standalone compile without includes.h
  + Tdb_wrap: tdb_wrap.h doesn't need struct loadparm_context
- Update to version 1.3.1.
  + Tools: fix a compiler warning
  + Defragment the freelist in tdb_allocate_from_freelist()
  + Add 'freelist_size' sub-command to tdbtool
  + Use tdb_freelist_merge_adjacent in tdb_freelist_size()
  + Add tdb_freelist_merge_adjacent()
  + Add utility function check_merge_ptr_with_left_record()
  + Simplify tdb_free() using check_merge_with_left_record()
  + Add utility function check_merge_with_left_record()
  + Improve comments for tdb_free().
  + Factor merge_with_left_record() out of tdb_free()
  + Fix debug message in tdb_free()
  + Reduce indentation in tdb_free() for merging left
  + Increase readability of read_record_on_left()
  + Factor read_record_on_left() out of tdb_free()
  + Build: improve detection of srcdir.

tevent was updated to 0.9.26; (bsc#954658).
  + New tevent_thread_proxy api
  + Minor build fixes
  + Fix compile error in solaris ports backend.
  + Fix access after free in tevent_common_check_signal(); (bso#11308).
  + Improve pytevent bindings.
  + Testsuite fixes.
  + Improve the documentation of the tevent_add_fd() assumtions. it must be
    talloc_free'ed before closing the fd! (bso##11141); (bso#11316).
  + Ignore unexpected signal events in the same way the epoll backend does.
  + Update the tevent_data.dox tutrial stuff to fix some errors, including
    white space problems.
  + Use tevent_req_simple_recv_unix in a few places.
  + Remove unused exit_code in tevent_select.c
  + Remove unused exit_code in tevent_poll.c
  + Build: improve detection of srcdir
  + Lib: tevent: make tevent_sig_increment atomic.
  + Update flags in tevent pkgconfig file


-----------------------------------------
Patch: SUSE-2015-922
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non security issues:

- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).

- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). 


-----------------------------------------
Patch: SUSE-2015-1009
Released: Tue Dec 22 13:01:30 2015
Summary: Security update for bind
Severity: important
References: 958861,CVE-2015-8000
Description:

      This update fixes the following security issue:

      - CVE-2015-8000: Fix remote denial of service by misparsing incoming responses (bsc#958861).


-----------------------------------------
Patch: SUSE-2015-869
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:

- Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826).


-----------------------------------------
Patch: SUSE-2015-946
Released: Wed Dec 23 14:20:38 2015
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 942801,948790,948791,CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Description:
The gdk pixbuf library was updated to fix three security issues.

These security issues were fixed:
- CVE-2015-7673: Fix some more overflows scaling a gif (bsc#948791)
- CVE-2015-4491: Check for overflow before allocating memory when scaling (bsc#942801)
- CVE-2015-7673: Fix an overflow and DoS when scaling TGA files (bsc#948790).
- CVE-2015-7674: Fix overflow when scaling GIF files(bsc#948791).


-----------------------------------------
Patch: SUSE-2015-862
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:

- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.


-----------------------------------------
Patch: SUSE-2015-1018
Released: Fri Dec 25 11:50:44 2015
Summary: Recommended update for ksh
Severity: moderate
References: 887320,924043,924318,926172,931908,933328,934437,939252,951430,953533,954856,955221
Description:

The Korn Shell (ksh) was downgraded from 93v to 93u, as version 93v is not
as stable as version 93u.  This is inline with the purpose of the Legacy
Module, which is to provide a compatibility layer for customers who need
more time to migrate from SUSE Linux Enterprise 11 to 12.

The updated package has its version set to 93vu to ensure the software update
stack (RPM, zypper) will see it as a regular update.  Users who want to stay
with version 93v can prevent the update with 'zypper addlock ksh'.


-----------------------------------------
Patch: SUSE-2015-846
Released: Fri Dec 25 11:51:23 2015
Summary: Security update for libsndfile
Severity: moderate
References: 953516,953519,953521,CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Description:
The libsndfile package was updated to fix the following security issue:

- CVE-2014-9756: Fixed a divide by zero problem that can lead to a Denial of Service (DoS) (bsc#953521).
- CVE-2015-7805: Fixed heap overflow issue (bsc#953516).
- CVE-2015-8075: Fixed heap overflow issue (bsc#953519).


-----------------------------------------
Patch: SUSE-2015-1022
Released: Mon Dec 28 17:41:42 2015
Summary: Security update for xfsprogs
Severity: moderate
References: 939367,CVE-2012-2150
Description:
xfsprogs was updated to fix one security vulnerability and several bugs.

- Handle unwanted data disclosure in xfs_metadump (bsc#939367, CVE-2012-2150)


-----------------------------------------
Patch: SUSE-2015-828
Released: Tue Dec 29 11:25:11 2015
Summary: Recommended update for avahi
Severity: low
References: 947140,948277
Description:
This update for Avahi provides the following fixes:

- Do not log errors for every invalid packet received.


-----------------------------------------
Patch: SUSE-2015-1028
Released: Tue Dec 29 12:10:43 2015
Summary: Recommended update for numactl
Severity: moderate
References: 955334
Description:

This update for numactl provides fixes for the following issues:

- When numa_node_to_cpu() was called on machines with non-contiguous nodes, it
  returned the first node which wasn't present. Now the return code is checked
  and non-existing nodes are skipped until the right one is found. (bsc#955334)


-----------------------------------------
Patch: SUSE-2015-1032
Released: Wed Dec 30 08:30:56 2015
Summary: Security update for grub2
Severity: important
References: 928131,943380,946148,952539,956631,CVE-2015-8370
Description:
This update for grub2 provides the following fixes and enhancements:

Security issue fixed:
- Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370)

Non security issues fixed:
- Expand list of grub.cfg search path in PV Xen guests for systems installed
  on btrfs snapshots. (bsc#946148, bsc#952539)
- Add --image switch to force zipl update to specific kernel. (bsc#928131)
- Do not use shim lock protocol for reading PE header as it won't be available
  when secure boot is disabled. (bsc#943380)
- Make firmware flaw condition be more precisely detected and add debug message
  for the case.


-----------------------------------------
Patch: SUSE-2015-867
Released: Wed Dec 30 10:25:44 2015
Summary: Recommended update for libseccomp
Severity: low
References: 932372
Description:

This update for libseccomp adjusts the pkgconfig reported version from 2.1.0
to the correct 2.1.1.


-----------------------------------------
Patch: SUSE-2016-2
Released: Mon Jan  4 10:18:31 2016
Summary: Security update for libmspack
Severity: moderate
References: 934524,934525,934526,934527,934528,934529,CVE-2014-9732,CVE-2015-4467,CVE-2015-4468,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Description:
libmspack was updated to fix security issues.

These security issues were fixed:
* CVE-2014-9732: The cabd_extract function in cabd.c in libmspack did not properly maintain decompression callbacks in certain cases where an invalid file follows a valid file, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted CAB archive (bnc#934524).
* CVE-2015-4467: The chmd_init_decomp function in chmd.c in libmspack did not properly validate the reset interval, which allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted CHM file (bnc#934525).
* CVE-2015-4468: Multiple integer overflows in the search_chunk function in chmd.c in libmspack allowed remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CHM file (bnc#934526).
* CVE-2015-4469: The chmd_read_headers function in chmd.c in libmspack did not validate name lengths, which allowed remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CHM file (bnc#934526).
* CVE-2015-4470: Off-by-one error in the inflate function in mszipd.c in libmspack allowed remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CAB archive (bnc#934527).
* CVE-2015-4471: Off-by-one error in the lzxd_decompress function in lzxd.c in libmspack allowed remote attackers to cause a denial of service (buffer under-read and application crash) via a crafted CAB archive (bnc#934528).
* CVE-2015-4472: Off-by-one error in the READ_ENCINT macro in chmd.c in libmspack allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CHM file (bnc#934529).
  

-----------------------------------------
Patch: SUSE-2016-4
Released: Mon Jan  4 11:20:40 2016
Summary: Recommended update for python-rsa
Severity: low
References: 935595
Description:

The python-rsa module was updated from 3.1.2 to 3.1.4. This minor version update
provides fixes for a few minor issues.

Additionally, the update adds coreutils to the list of python-rsa requirements.
This ensures rm(1) will be available at installation time.


-----------------------------------------
Patch: SUSE-2016-16
Released: Tue Jan  5 15:13:34 2016
Summary: Security update for libpng16
Severity: moderate
References: 954980,CVE-2015-8126
Description:

  This update fixes the following security issue:

  * CVE-2015-8126 Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions
    allow remote attackers to cause a denial of service (application crash) or possibly have 
    unspecified other impact [bsc#954980]


-----------------------------------------
Patch: SUSE-2016-17
Released: Tue Jan  5 16:00:46 2016
Summary: Recommended update for libnet
Severity: low
References: 949391
Description:

This update for libnet ensures the library is always built with AF_PACKET support
enabled.


-----------------------------------------
Patch: SUSE-2016-29
Released: Wed Jan  6 21:15:16 2016
Summary: Recommended update for yast2-slp-server
Severity: low
References: 878892,954494
Description:
This update for yast2-slp-server fixes handling of comments on slp.conf.

-----------------------------------------
Patch: SUSE-2016-31
Released: Thu Jan  7 10:18:49 2016
Summary: Recommended update for os-prober
Severity: moderate
References: 910654,947487,953987,954225,956337,957018
Description:

This update for os-prober fixes the following issues: 

- Detect Operating System on default sub-volume in btrfs snapshot. (bsc#954225)
- Fix detection of Windows 8. (bsc#910654)
- Detect Windows 10 installations. (bsc#947487)
- Also skip legacy grub if /boot/grub2/grub.cfg is present. (bsc#956337)
- Fix failure to detect operating system in btrfs root trees. (bsc#957018)
- Optimize identification of Linux distributions, avoiding expensive file
  system traversal. (bsc#953987)


-----------------------------------------
Patch: SUSE-2016-37
Released: Thu Jan  7 13:40:33 2016
Summary: Security update for libpng12
Severity: moderate
References: 954980,CVE-2015-8126
Description:

  This update fixes the following security issue
  * CVE-2015-8126 Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions
    allow remote attackers to cause a denial of service (application crash) or possibly have 
    unspecified other impact [bsc#954980]
  

-----------------------------------------
Patch: SUSE-2016-38
Released: Thu Jan  7 13:52:04 2016
Summary: Security update for libxml2
Severity: moderate
References: 928193,951734,951735,954429,956018,956021,956260,957105,957106,957107,957109,957110,CVE-2015-1819,CVE-2015-5312,CVE-2015-7497,CVE-2015-7498,CVE-2015-7499,CVE-2015-7500,CVE-2015-7941,CVE-2015-7942,CVE-2015-8035,CVE-2015-8241,CVE-2015-8242,CVE-2015-8317
Description:
- security update:
      This update fixes the following security issues: 

    * CVE-2015-1819 Enforce the reader to run in constant memory [bnc#928193]
    * CVE-2015-7941 Fix out of bound read with crafted xml input by stopping parsing on entities boundaries errors [bnc#951734]
    * CVE-2015-7942 Fix another variation of overflow in Conditional sections [bnc#951735]
    * CVE-2015-8241 Avoid extra processing of MarkupDecl when EOF [bnc#956018]
    * CVE-2015-8242 Buffer overead with HTML parser in push mode [bnc#956021]
    * CVE-2015-8317 Return if the encoding declaration is broken or encoding conversion failed [bnc#956260]
    * CVE-2015-5312 Fix another entity expansion issue [bnc#957105]
    * CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey [bnc#957106]
    * CVE-2015-7498 Processes entities after encoding conversion failures [bnc#957107]
    * CVE-2015-7499 Add xmlHaltParser() to stop the parser / Detect incoherency on GROW [bnc#957109]
    * CVE-2015-8317 Multiple out-of-bound read could lead to denial of service [bnc#956260]
    * CVE-2015-8035 DoS when parsing specially crafted XML document if XZ support is enabled [bnc#954429]
    * CVE-2015-7500 Fix memory access error due to incorrect entities boundaries [bnc#957110] 


-----------------------------------------
Patch: SUSE-2016-40
Released: Thu Jan  7 13:57:48 2016
Summary: Recommended update for yast2-bootloader
Severity: low
References: 926843,945479,954412
Description:
This update for yast2-bootloader provides the following fixes:

- Fix validation of AutoYaST profiles. (bsc#954412)
- Empty kernel command lines are now properly written. (bsc#945479)
- Add missing cleaning of temporary files. (bsc#926843)


-----------------------------------------
Patch: SUSE-2016-42
Released: Thu Jan  7 18:10:50 2016
Summary: Recommended update for yast2-services-manager
Severity: low
References: 909745,909768,954412
Description:
This update for yast2-services-manager provides the following fixes:

- Add X-SuSE-YaST-AutoInstSchema declaration so services-manager.rnc could be included in
  yast2-schema. Fixes validation of AutoYaST profiles. (bsc#954412)
- Move code from autoyast2 package to import function of services_manager_target. (bsc#909745)
- AutoYaST import: initialize Yast::I18n correctly. (bsc#909768)


-----------------------------------------
Patch: SUSE-2016-46
Released: Fri Jan  8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Severity: moderate
References: 932232
Description:

This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system
operates in FIPS mode.

The various GNOME libraries and tool have been changed to use the default libgcrypt
allocators.

GNOME keyring was changed not to use MD5 anymore.

libgcrypt was adjusted to free the DRBG on exit to avoid crashes.


-----------------------------------------
Patch: SUSE-2016-61
Released: Tue Jan 12 15:44:14 2016
Summary: Recommended update for deltarpm
Severity: low
References: 948504
Description:
This update for deltarpm provides the following fixes:

- Fix off-by-one error in delta generation code which could lead to a segmentation
  fault in some rare circumstances. (bsc#948504)
- Return error rather than crashing if memory allocation fails.
- Add newline in missing prelink error.
- Do not finish applydeltarpm jobs when in the middle of a request.


-----------------------------------------
Patch: SUSE-2016-71
Released: Wed Jan 13 11:12:11 2016
Summary: Recommended update for polkit-default-privs
Severity: low
References: 927275,946210
Description:
This update for polkit-default-privs provides the following fixes:

- Specify an explicit umask of 0022 to create rule files with appropriate file
  permissions. (bsc#946210)
- PowerDevil action names have been updated. (bsc#927275)


-----------------------------------------
Patch: SUSE-2016-75
Released: Wed Jan 13 15:12:32 2016
Summary: Security update for python-rsa
Severity: moderate
References: 960680,CVE-2016-1494
Description:

This update for python-rsa fixes the following security issue:

* CVE-2016-1494: Possible signature forgery via Bleichenbacher attack (bsc#960680)


-----------------------------------------
Patch: SUSE-2016-80
Released: Wed Jan 13 21:05:28 2016
Summary: Security update for python-requests
Severity: moderate
References: 922448,929736,961596,CVE-2015-2296
Description:

The python-requests module has been updated to version 2.8.1, which brings several
fixes and enhancements:

- Fix handling of cookies on redirect. Previously a cookie without a host value set
  would use the hostname for the redirected URL exposing requests users to session
  fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296)

- Add support for per-host proxies. This allows the proxies dictionary to have entries
  of the form {'<scheme>://<hostname>': '<proxy>'}. Host-specific
  proxies will be used in preference to the previously-supported scheme-specific ones,
  but the previous syntax will continue to work.
- Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle.
- Response.raise_for_status now prints the URL that failed as part of the exception message.
- requests.utils.get_netrc_auth now takes an raise_errors kwarg, defaulting to False.
  When True, errors parsing .netrc files cause exceptions to be thrown.
- Change to bundled projects import logic to make it easier to unbundle requests downstream.
- Change the default User-Agent string to avoid leaking data on Linux: now contains only
  the requests version.
- The json parameter to post() and friends will now only be used if neither data nor files
  are present, consistent with the documentation.
- Empty fields in the NO_PROXY environment variable are now ignored.
- Fix problem where httplib.BadStatusLine would get raised if combining stream=True with
  contextlib.closing.
- Prevent bugs where we would attempt to return the same connection back to the connection
  pool twice when sending a Chunked body.
- Digest Auth support is now thread safe.
- Resolved several bugs involving chunked transfer encoding and response framing.
- Copy a PreparedRequest's CookieJar more reliably.
- Support bytearrays when passed as parameters in the 'files' argument.
- Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray'
  input to the 'files' argument.
- 'Connection: keep-alive' header is now sent automatically.
- Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is
  used to set individual connect and read timeouts.

For a comprehensive list of changes please refer to the package's change log or the
Release Notes at http://docs.python-requests.org/en/latest/community/updates/#id3


-----------------------------------------
Patch: SUSE-2016-85
Released: Thu Jan 14 16:33:05 2016
Summary: Security update for openssh
Severity: critical
References: 961642,961645,CVE-2016-0777,CVE-2016-0778
Description:

This update for openssh fixes the following issues:

- CVE-2016-0777: A malicious or compromised server could cause the OpenSSH client to expose part or all of the client's private key through the roaming feature (bsc#961642)
- CVE-2016-0778: A malicious or compromised server could could trigger a buffer overflow in the OpenSSH client through the roaming feature (bsc#961645)

This update disables the undocumented feature supported by the OpenSSH client and a commercial SSH server.


-----------------------------------------
Patch: SUSE-2016-98
Released: Mon Jan 18 10:20:53 2016
Summary: Security update for mozilla-nss
Severity: moderate
References: 959888,CVE-2015-7575
Description:
This update contains mozilla-nss 3.19.2.2 and fixes the following security issue:

  - CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature (bsc#959888).


-----------------------------------------
Patch: SUSE-2016-104
Released: Mon Jan 18 18:38:06 2016
Summary: Security update for tiff
Severity: moderate
References: 942690,960341,CVE-2015-7554
Description:

This update to tiff 4.0.6 fixes the following issues:

- CVE-2015-7554: Out-of-bounds write in the thumbnail and tiffcmp tools allowed attacker to cause a denial of service or have unspecified further impact (bsc#960341)
- bsc#942690: potential out-of-bound write in NeXTDecode() (#2508)


-----------------------------------------
Patch: SUSE-2016-107
Released: Tue Jan 19 10:43:03 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 758040,902606,924919,935087,937261,943959,945649,949440,951155,951199,951392,951615,951638,952579,952976,956708,956801,956876,957395,957546,957988,957990,958463,958504,958510,958647,958886,958951,959190,959364,959399,959436,959705,960300,CVE-2015-7550,CVE-2015-8539,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575
Description:
The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed:
- CVE-2015-7550: A local user could have triggered a race between read and revoke in keyctl (bnc#958951).
- CVE-2015-8539: A negatively instantiated user key could have been used by a local user to leverage privileges (bnc#958463).
- CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886).
- CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers could have lead to double fetch vulnerabilities, causing denial of service or arbitrary code execution (depending on the configuration) (bsc#957988).
- CVE-2015-8551, CVE-2015-8552: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled (bsc#957990).
- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190).
- CVE-2015-8575: Validate socket address length in sco_sock_bind() to prevent information leak (bsc#959399).

The following non-security bugs were fixed:
- ACPICA: Correctly cleanup after a ACPI table load failure (bnc#937261).
- ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504).
- Input: aiptek - fix crash on detecting device without endpoints (bnc#956708).
- Re-add copy_page_vector_to_user()
- Refresh patches.xen/xen3-patch-3.12.46-47 (bsc#959705).
- Refresh patches.xen/xen3-patch-3.9 (bsc#951155).
- Update patches.suse/btrfs-8361-Btrfs-keep-dropped-roots-in-cache-until-transaction-.patch (bnc#935087, bnc#945649, bnc#951615).
- bcache: Add btree_insert_node() (bnc#951638).
- bcache: Add explicit keylist arg to btree_insert() (bnc#951638).
- bcache: Clean up keylist code (bnc#951638).
- bcache: Convert btree_insert_check_key() to btree_insert_node() (bnc#951638).
- bcache: Convert bucket_wait to wait_queue_head_t (bnc#951638).
- bcache: Convert try_wait to wait_queue_head_t (bnc#951638).
- bcache: Explicitly track btree node's parent (bnc#951638).
- bcache: Fix a bug when detaching (bsc#951638).
- bcache: Fix a lockdep splat in an error path (bnc#951638).
- bcache: Fix a shutdown bug (bsc#951638).
- bcache: Fix more early shutdown bugs (bsc#951638).
- bcache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
- bcache: Insert multiple keys at a time (bnc#951638).
- bcache: Refactor journalling flow control (bnc#951638).
- bcache: Refactor request_write() (bnc#951638).
- bcache: Use blkdev_issue_discard() (bnc#951638).
- bcache: backing device set to clean after finishing detach (bsc#951638).
- bcache: kill closure locking usage (bnc#951638).
- blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976).
- blktap: refine mm tracking (bsc#952976).
- block: Always check queue limits for cloned requests (bsc#902606).
- btrfs: Add qgroup tracing (bnc#935087, bnc#945649).
- btrfs: Adjust commit-transaction condition to avoid NO_SPACE more (bsc#958647).
- btrfs: Fix out-of-space bug (bsc#958647).
- btrfs: Fix tail space processing in find_free_dev_extent() (bsc#958647).
- btrfs: Set relative data on clear btrfs_block_group_cache->pinned (bsc#958647).
- btrfs: Update btrfs qgroup status item when rescan is done (bnc#960300).
- btrfs: backref: Add special time_seq == (u64)-1 case for btrfs_find_all_roots() (bnc#935087, bnc#945649).
- btrfs: backref: Do not merge refs which are not for same block (bnc#935087, bnc#945649).
- btrfs: cleanup: remove no-used alloc_chunk in btrfs_check_data_free_space() (bsc#958647).
- btrfs: delayed-ref: Cleanup the unneeded functions (bnc#935087, bnc#945649).
- btrfs: delayed-ref: Use list to replace the ref_root in ref_head (bnc#935087, bnc#945649).
- btrfs: extent-tree: Use ref_node to replace unneeded parameters in __inc_extent_ref() and __free_extent() (bnc#935087, bnc#945649).
- btrfs: fix comp_oper to get right order (bnc#935087, bnc#945649).
- btrfs: fix condition of commit transaction (bsc#958647).
- btrfs: fix leak in qgroup_subtree_accounting() error path (bnc#935087, bnc#945649).
- btrfs: fix order by which delayed references are run (bnc#949440).
- btrfs: fix qgroup sanity tests (bnc#951615).
- btrfs: fix race waiting for qgroup rescan worker (bnc#960300).
- btrfs: fix regression running delayed references when using qgroups (bnc#951615).
- btrfs: fix regression when running delayed references (bnc#951615).
- btrfs: fix sleeping inside atomic context in qgroup rescan worker (bnc#960300).
- btrfs: fix the number of transaction units needed to remove a block group (bsc#958647).
- btrfs: keep dropped roots in cache until transaction commit (bnc#935087, bnc#945649).
- btrfs: qgroup: Add function qgroup_update_counters() (bnc#935087, bnc#945649).
- btrfs: qgroup: Add function qgroup_update_refcnt() (bnc#935087, bnc#945649).
- btrfs: qgroup: Add new function to record old_roots (bnc#935087, bnc#945649).
- btrfs: qgroup: Add new qgroup calculation function btrfs_qgroup_account_extents() (bnc#935087, bnc#945649).
- btrfs: qgroup: Add the ability to skip given qgroup for old/new_roots (bnc#935087, bnc#945649).
- btrfs: qgroup: Cleanup open-coded old/new_refcnt update and read (bnc#935087, bnc#945649).
- btrfs: qgroup: Cleanup the old ref_node-oriented mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: Do not copy extent buffer to do qgroup rescan (bnc#960300).
- btrfs: qgroup: Fix a regression in qgroup reserved space (bnc#935087, bnc#945649).
- btrfs: qgroup: Make snapshot accounting work with new extent-oriented qgroup (bnc#935087, bnc#945649).
- btrfs: qgroup: Record possible quota-related extent for qgroup (bnc#935087, bnc#945649).
- btrfs: qgroup: Switch rescan to new mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: Switch self test to extent-oriented qgroup mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: Switch to new extent-oriented qgroup mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: account shared subtree during snapshot delete (bnc#935087, bnc#945649).
- btrfs: qgroup: clear STATUS_FLAG_ON in disabling quota (bnc#960300).
- btrfs: qgroup: exit the rescan worker during umount (bnc#960300).
- btrfs: qgroup: fix quota disable during rescan (bnc#960300).
- btrfs: qgroup: move WARN_ON() to the correct location (bnc#935087, bnc#945649).
- btrfs: remove transaction from send (bnc#935087, bnc#945649).
- btrfs: ulist: Add ulist_del() function (bnc#935087, bnc#945649).
- btrfs: use btrfs_get_fs_root in resolve_indirect_ref (bnc#935087, bnc#945649).
- btrfs: use global reserve when deleting unused block group after ENOSPC (bsc#958647).
- cache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
- cpusets, isolcpus: exclude isolcpus from load balancing in cpusets (bsc#957395).
- drm/i915: Fix SRC_COPY width on 830/845g (bsc#758040).
- drm: Allocate new master object when client becomes master (bsc#956876, bsc#956801).
- drm: Fix KABI of 'struct drm_file' (bsc#956876, bsc#956801).
- e1000e: Do not read ICR in Other interrupt (bsc#924919).
- e1000e: Do not write lsc to ics in msi-x mode (bsc#924919).
- e1000e: Fix msi-x interrupt automask (bsc#924919).
- e1000e: Remove unreachable code (bsc#924919).
- genksyms: Handle string literals with spaces in reference files (bsc#958510).
- ipv6: fix tunnel error handling (bsc#952579).
- lpfc: Fix null ndlp dereference in target_reset_handler (bsc#951392).
- mm/mempolicy.c: convert the shared_policy lock to a rwlock (bnc#959436).
- mm: remove PG_waiters from PAGE_FLAGS_CHECK_AT_FREE (bnc#943959).
- pm, hinernate: use put_page in release_swap_writer (bnc#943959).
- sched, isolcpu: make cpu_isolated_map visible outside scheduler (bsc#957395).
- udp: properly support MSG_PEEK with truncated buffers (bsc#951199 bsc#959364).
- xhci: Workaround to get Intel xHCI reset working more reliably (bnc#957546).


-----------------------------------------
Patch: SUSE-2016-113
Released: Tue Jan 19 20:35:10 2016
Summary: Security update for rsync
Severity: moderate
References: 898513,900914,915410,922710,CVE-2014-8242,CVE-2014-9512
Description:

This update for rsync fixes two security issues and two non-security bugs.

The following vulnerabilities were fixed:

- CVE-2014-8242: Checksum collisions leading to a denial of service (bsc#900914)
- CVE-2014-9512: Malicious servers could send files outside of the transferred directory (bsc#915410)

The following non-security bugs were fixed:

- bsc#922710: Prevent rsyncd from spamming the log when trying to register SLP.
- bsc#898513: slp support broke rsync usage.


-----------------------------------------
Patch: SUSE-2016-117
Released: Wed Jan 20 13:29:11 2016
Summary: Security update for libxml2
Severity: moderate
References: 960674,CVE-2015-8710
Description:

This update for libxml2 fixes the following security issue:

- CVE-2015-8710: Parsing short unclosed HTML comment could cause uninitialized memory access, which allowed remote attackers to read contents from previous HTTP requests depending on the application (bsc#960674)


-----------------------------------------
Patch: SUSE-2016-118
Released: Wed Jan 20 15:10:16 2016
Summary: Security update for bind
Severity: important
References: 962189,CVE-2015-8704
Description:

This update for bind fixes the following issues:

- CVE-2015-8704: Specific APL data allowed remote attacker to trigger a crash in certain configurations (bsc#962189)


-----------------------------------------
Patch: SUSE-2016-133
Released: Thu Jan 21 17:51:55 2016
Summary: Recommended update for cairo
Severity: moderate
References: 958844
Description:

This update for cairo fixes mutex deadlocks when processing certain documents. This
issue could prevent evince from correctly displaying some PDF files.


-----------------------------------------
Patch: SUSE-2016-134
Released: Fri Jan 22 10:54:06 2016
Summary: Recommended update for aaa_base
Severity: moderate
References: 954909,960393
Description:

This update for aaa_base fixes the following issues:

- Replace UNICODE double dash with simple ASCII single dash. (bsc#954909)
- Use '+' for find's -exec option as this also respects white spaces in files names
  and is more like xargs.
- Respect status lines of screen sessions.


-----------------------------------------
Patch: SUSE-2016-137
Released: Fri Jan 22 15:10:57 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 962075,CVE-2016-0728
Description:

The SUSE Linux Enterprise 12 kernel was updated to receive a security fix.

Following security bug was fixed:
- A reference leak in keyring handling with join_session_keyring() could lead
  to local attackers gain root privileges. (bsc#962075, CVE-2016-0728).


-----------------------------------------
Patch: SUSE-2016-139
Released: Mon Jan 25 09:47:36 2016
Summary: Security update for openldap2
Severity: important
References: 937766,945582,955210,CVE-2015-4000,CVE-2015-6908
Description:
This update fixes the following security issues:

- CVE-2015-6908: The ber_get_next function allowed remote attackers to cause a denial
  of service (reachable assertion and application crash) via crafted BER data, as
  demonstrated by an attack against slapd. (bsc#945582)
- CVE-2015-4000: Fix weak Diffie-Hellman size vulnerability. (bsc#937766)

It also fixes the following non-security bugs:

- bsc#955210: Unresponsive LDAP host lookups in IPv6 environment

This update adds the following functionality:

- fate#319300: SHA2 password hashing module that can be loaded on-demand. 


-----------------------------------------
Patch: SUSE-2016-140
Released: Mon Jan 25 09:59:20 2016
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 958963,960155,CVE-2015-7552
Description:

This update for gdk-pixbuf fixes the following security issues:

- CVE-2015-7552: various overflows, including heap overflow in flipping bmp files (bsc#958963)

The following non-security issue was fixed:

- bsc#960155: fix a possible divide by zero


-----------------------------------------
Patch: SUSE-2016-155
Released: Mon Jan 25 18:10:54 2016
Summary: Recommended update for polkit
Severity: moderate
References: 954139
Description:

The previous version update of polkit to fix security and stability issues brought
a small regression in session activeness detection. This update reverts the small
part responsible for the regression.


-----------------------------------------
Patch: SUSE-2016-157
Released: Tue Jan 26 13:19:19 2016
Summary: Recommended update for ruby-common
Severity: moderate
References: 934328,953771
Description:
This update for ruby-common provides several fixes and enhancements:

- Help the solver to pick the right gem2rpm for the default Ruby version. (bsc#934328)
- Fix premature return from from gem install.
- Fail early if gem install fails, avoiding confusing error messages at the end of the build.
- Implement cleaner solution for the extensions doc dir.
- Do not overwrite options.otheropts.
- Fixed forwarding of options to gem install.
- Call ruby with -x from shell wrappers otherwise it might run into an endless loop.
- Add shell-launcher to avoid dependency on a fixed Ruby version.
- Ignore any files found in */.gem/*. In some versions of rubygems, gems that are installed
  are also copied to ~/.gem/.


-----------------------------------------
Patch: SUSE-2016-185
Released: Mon Feb  1 11:59:43 2016
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 946183,952804,957354,963080
Description:

This update for SUSEConnect fixes the following issues:

- Re-add SUSEConnect binary to /usr/sbin. (bsc#963080)
- Use `--match-exact` when searching for a product. (bsc#952804)
- Fix fonts on xterm. (bsc#957354)
- Remove unneeded link in %post which caused a warning. (bsc#946183)


-----------------------------------------
Patch: SUSE-2016-197
Released: Thu Feb  4 12:49:32 2016
Summary: Recommended update for permissions
Severity: low
References: 950557,961363
Description:

This update for permissions fixes the following issues:

- Change pinger owner to squid:root instead of root:squid, as there is no squid group.
  (bsc#961363)
- Add missing '/' to the squid specific directories. (bsc#950557)


-----------------------------------------
Patch: SUSE-2016-199
Released: Thu Feb  4 15:48:09 2016
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss
Severity: important
References: 954447,963520,963632,963635,963731,964332,CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Description:

This update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss fixes the following issues: (bsc#963520)

Mozilla Firefox was updated to 38.6.0 ESR.
Mozilla NSS was updated to 3.20.2.

The following vulnerabilities were fixed:

- CVE-2016-1930: Memory safety bugs fixed in Firefox ESR 38.6 (bsc#963632)
- CVE-2016-1935: Buffer overflow in WebGL after out of memory allocation (bsc#963635)
- CVE-2016-1938: Calculations with mp_div and mp_exptmod in Network Security Services (NSS) canproduce wrong results (bsc#963731)

The following improvements were added:

- bsc#954447: Mozilla NSS now supports a number of new DHE ciphersuites
- Tracking protection is now enabled by default
- bsc#964332: Fixed leaking file descriptors inside FIPS selfcheck code


-----------------------------------------
Patch: SUSE-2016-201
Released: Thu Feb  4 15:51:22 2016
Summary: Security update for curl
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:

This update for curl fixes the following issues:

- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:

- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:

- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build


-----------------------------------------
Patch: SUSE-2016-243
Released: Thu Feb 11 11:51:37 2016
Summary: Security update for krb5
Severity: moderate
References: 963964,963968,963975,CVE-2015-8629,CVE-2015-8630,CVE-2015-8631
Description:

This update for krb5 fixes the following issues:

- CVE-2015-8629: Information leak authenticated attackers with permissions to modify the database (bsc#963968)
- CVE-2015-8630: An authenticated attacker with permission to modify a principal entry may have caused kadmind to crash (bsc#963964)
- CVE-2015-8631: An authenticated attacker could have caused a memory leak in auditd by supplying a null principal name in request (bsc#963975)


-----------------------------------------
Patch: SUSE-2016-252
Released: Fri Feb 12 14:58:06 2016
Summary: Recommended update for timezone
Severity: low
References: 963921
Description:

This update provides the latest timezone information (2016a) for your
system, including the following changes:

- America/Cayman will not observe daylight saving this year.
- Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00.
- Asia/Tehran now has DST predictions for the year 2038 and later.
- America/Metlakatla switched from PST all year to AKST/AKDT on
  2015-11-01 at 02:00.
- America/Santa_Isabel has been removed, and replaced with a
  backward compatibility link to America/Tijuana.
- Asia/Karachi's two transition times in 2002 were off by a minute.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz/2016-January/023106.html


-----------------------------------------
Patch: SUSE-2016-259
Released: Mon Feb 15 14:25:02 2016
Summary: Security update for libnettle
Severity: moderate
References: 964845,964847,964849,CVE-2015-8803,CVE-2015-8804,CVE-2015-8805
Description:
This update for libnettle fixes the following security issues: 

- CVE-2015-8803: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964845)
- CVE-2015-8804: Fixed carry folding bug in x86_64 ecc_384_modp. (bsc#964847)
- CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964849)


-----------------------------------------
Patch: SUSE-2016-270
Released: Tue Feb 16 16:08:18 2016
Summary: Recommended update for shared-mime-info
Severity: low
References: 862596
Description:

This update for shared-mime-info removes excessive calls to fdatasync() from
update-mime-database.


-----------------------------------------
Patch: SUSE-2016-272
Released: Tue Feb 16 16:20:12 2016
Summary: Security update for glibc
Severity: important
References: 950944,955647,956716,958315,961721,962736,962737,962738,962739,CVE-2014-9761,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Description:

This update for glibc fixes the following security issues:

- CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafted and timed DNS responses (bsc#961721)
- CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding protection of the dynamic loader on set-user-ID and set-group-ID programs (bsc#950944)
- CVE-2015-8776: Out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information (bsc#962736)
- CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes or, potentially, arbitrary code execution (bsc#962737)
- CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (bsc#962738)
- CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (bsc#962739)

The following non-security bugs were fixed:

- bsc#955647: Resource leak in resolver
- bsc#956716: Don't do lock elision on an error checking mutex
- bsc#958315: Reinitialize dl_load_write_lock on fork


-----------------------------------------
Patch: SUSE-2016-279
Released: Wed Feb 17 11:36:05 2016
Summary: Recommended update for puppet
Severity: moderate
References: 927946,951553,964437
Description:

Puppet was updated to version 3.8.5, which brings several fixes, enhancements and
new features.

For a comprehensive list of changes, please refer to the Release Notes available at:

http://docs.puppetlabs.com/puppet/3.8/reference/release_notes.html
http://docs.puppetlabs.com/puppet/3.7/reference/release_notes.html


-----------------------------------------
Patch: SUSE-2016-286
Released: Thu Feb 18 17:37:04 2016
Summary: Recommended update for inst-source-utils
Severity: low
References: 910388
Description:
This update for inst-source-utils provides the following fixes:

- Set LC_CTYPE in mk_listings. (bnc#910388)
- Add endoflife tag to product structure in ABXML.pm.


-----------------------------------------
Patch: SUSE-2016-290
Released: Fri Feb 19 18:30:02 2016
Summary: Recommended update for zypper
Severity: moderate
References: 793424,893833,948566,953458,955615,956480,959564,961719,965027
Description:

This update for zypper fixes the following issues: 

- Fail if tty is bad or at EOF when reading user input. (bsc#965027)
- Propagate repo refresh errors even if main action succeeded. (bsc#961719)
- Fix misaligned TAB stops in colored prompts. (bsc#948566)
- Fix claiming an error after successful download. (bsc#956480)
- Don't return 0 if repositories were skipped during refresh. (bsc#959564)
- Explain meaning of 'System Packages' and '@System' shown in search results. (bsc#953458)
- Fix different data returned in xml and text output of lu/lp commands. (bsc#793424, bsc#893833)
- Also report needed but locked patches in 'pchk'.
- Fix tab-completion if zypper is defined as an alias. (bsc#955615)


-----------------------------------------
Patch: SUSE-2016-291
Released: Fri Feb 19 19:31:54 2016
Summary: Recommended update for openslp
Severity: low
References: 950777
Description:

This update for OpenSLP adjusts slpd's initialization to use SystemD's forking
mechanism, avoiding stale PID files after the daemon is stopped.


-----------------------------------------
Patch: SUSE-2016-331
Released: Thu Feb 25 18:17:18 2016
Summary: Recommended update for systemd
Severity: moderate
References: 927250,942946,948458,948555,949574,955469,955770,958295,958935,958937,961226,961576,962080,964355,965475
Description:
This update for systemd provides the following fixes:

- Set 'maximum number of udev children reached' message's log level to debug. (bsc#958295)
- Properly sum up journald's entry size counter. This allows systemd services to
  generate a core dump when they crash. (bsc#961226)
- Rework messages during shutdown. (bsc#955469)
- Move net_persistent_rule generator to SCRIPTS. (bsc#958935)
- Revert 'Skip persistent device link creation on multipath device paths'. (bsc#942946)
- Make sure all swap units are ordered before the swap target. (bsc#955770)
- Add minimal support for 'set-property' command to bash-completion. (bsc#948458)
- Properly handle locale at boot time. (bsc#927250)
- Ensure tmp.mount is started automatically at boot time. (bsc#949574)
- Don't ship fix.service anymore on 13.1, not needed by v210 (boo#965475)
- Fix wrong substitution variable name in systemd-udev-root-symlink.service.in (boo#964355)


-----------------------------------------
Patch: SUSE-2016-352
Released: Tue Mar  1 14:29:41 2016
Summary: Security update for openssl
Severity: important
References: 952871,958501,963415,968046,968047,968048,968050,968051,968053,968265,968374,CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Description:

This update for openssl fixes various security issues and bugs: 

Security issues fixed:
- CVE-2016-0800 aka the 'DROWN' attack (bsc#968046):
  OpenSSL was vulnerable to a cross-protocol attack that could lead to
  decryption of TLS sessions by using a server supporting SSLv2 and
  EXPORT cipher suites as a Bleichenbacher RSA padding oracle.

  This update changes the openssl library to:

  * Disable SSLv2 protocol support by default.

    This can be overridden by setting the environment variable
    'OPENSSL_ALLOW_SSL2' or by using SSL_CTX_clear_options using the
    SSL_OP_NO_SSLv2 flag.

    Note that various services and clients had already disabled SSL
    protocol 2 by default previously.

  * Disable all weak EXPORT ciphers by default. These can be reenabled
    if required by old legacy software using the environment variable
    'OPENSSL_ALLOW_EXPORT'.

- CVE-2016-0702 aka the 'CacheBleed' attack. (bsc#968050)
  Various changes in the modular exponentation code were added that
  make sure that it is not possible to recover RSA secret keys by
  analyzing cache-bank conflicts on the Intel Sandy-Bridge microarchitecture.

  Note that this was only exploitable if the malicious code was running
  on the same hyper threaded Intel Sandy Bridge processor as the victim
  thread performing decryptions.

- CVE-2016-0705 (bnc#968047):
  A double free() bug in the DSA ASN1 parser code was fixed that could
  be abused to facilitate a denial-of-service attack.

- CVE-2016-0797 (bnc#968048):
  The BN_hex2bn() and BN_dec2bn() functions had a bug that could result
  in an attempt to de-reference a NULL pointer leading to crashes.
  This could have security consequences if these functions were ever
  called by user applications with large untrusted hex/decimal data. Also,
  internal usage of these functions in OpenSSL uses data from config files
  or application command line arguments. If user developed applications
  generated config file data based on untrusted data, then this could
  have had security consequences as well.

- CVE-2016-0798 (bnc#968265)
  The SRP user database lookup method SRP_VBASE_get_by_user() had a memory
  leak that attackers could abuse to facility DoS attacks. To mitigate
  the issue, the seed handling in SRP_VBASE_get_by_user() was disabled
  even if the user has configured a seed. Applications are advised to
  migrate to SRP_VBASE_get1_by_user().

- CVE-2016-0799 (bnc#968374)
  On many 64 bit systems, the internal fmtstr() and doapr_outch()
  functions could miscalculate the length of a string and attempt to
  access out-of-bounds memory locations. These problems could have
  enabled attacks where large amounts of untrusted data is passed to
  the BIO_*printf functions. If applications use these functions in
  this way then they could have been vulnerable. OpenSSL itself uses
  these functions when printing out human-readable dumps of ASN.1
  data. Therefore applications that print this data could have been
  vulnerable if the data is from untrusted sources. OpenSSL command line
  applications could also have been vulnerable when they print out ASN.1
  data, or if untrusted data is passed as command line arguments. Libssl
  is not considered directly vulnerable.

- CVE-2015-3197 (bsc#963415):
  The SSLv2 protocol did not block disabled ciphers.


Note that the March 1st 2016 release also references following CVEs
that were fixed by us with CVE-2015-0293 in 2015:

- CVE-2016-0703 (bsc#968051): This issue only affected versions of
  OpenSSL prior to March 19th 2015 at which time the code was refactored
  to address vulnerability CVE-2015-0293. It would have made the above
  'DROWN' attack much easier.
- CVE-2016-0704 (bsc#968053): 'Bleichenbacher oracle in SSLv2'
  This issue only affected versions of OpenSSL prior to March 19th
  2015 at which time the code was refactored to address vulnerability
  CVE-2015-0293. It would have made the above 'DROWN' attack much easier.

Bugs fixed:
- Avoid running OPENSSL_config twice. This avoids breaking
  engine loading. (bsc#952871)
- Ensure that OpenSSL doesn't fall back to the default digest
  algorithm (SHA1) in case a non-FIPS algorithm was negotiated while
  running in FIPS mode. Instead, OpenSSL will refuse the digest.
  (bnc#958501)


-----------------------------------------
Patch: SUSE-2016-363
Released: Wed Mar  2 15:35:51 2016
Summary: Recommended update for python-boto
Severity: moderate
References: 962138
Description:

Amazon's Web Services Library (python-boto) was updated to version 2.38.0, bringing
several fixes and enhancements:

- Support new region ap-northeast-2.
- Add features to other regions that are now supported by AWS.
- Implement update-alternatives to allow usage with Python 3.
- Add support for Amazon Machine Learning.
- Fix issue with modify reserved instances for modifying instance type.
- Update AWS CloudTrail to the latest API.
- Add 'eu-central-1' endpoints (Frankfurt region) for IAM and Route53.
- Add Amazon DynamoDB online indexing support on High level API.
- Add support for Amazon EC2 Container Service.
- Add support for CloudHSM.
- Add support for AWS Config.
- Add support for AWS CodeDeploy.
- Add support for AWS Lambda.
- Add AWS Key Managment Support.
- Add support for new data types in DynamoDB.
- Add Amazon EC2 Classic Link support.

For a comprehensive list of changes please refer to the package's change log.


-----------------------------------------
Patch: SUSE-2016-369
Released: Thu Mar  3 12:18:47 2016
Summary: Recommended update for grub2
Severity: moderate
References: 904647,926795,955493,957383,960776,962182
Description:

This update for grub2 provides the following fixes and enhancements:

- Add configuration option ($SUSE_CMDLINE_XENEFI) to set command line options for
  the EFI Xen loader. (bsc#957383)
- Fix failure to boot s390x guests when the root file system is on btrfs and spans
  multiple disks. (bsc#960776)
- Support booting installer media as PV DomU. (bsc#926795)
- Backport upstream patches for HyperV Gen2 TSC timer calibration without RTC.
  (bsc#904647, bsc#962182)
- Use dirname for copying Xen kernel and initrd to esp. (bsc#955493)


-----------------------------------------
Patch: SUSE-2016-371
Released: Thu Mar  3 15:58:18 2016
Summary: Recommended update for insserv-compat
Severity: low
References: 960820
Description:

This update for insserv-compat fixes the name of the ntpd service.


-----------------------------------------
Patch: SUSE-2016-376
Released: Fri Mar  4 16:18:34 2016
Summary: Recommended update for nfs-utils
Severity: moderate
References: 947852,950340,952055
Description:
This update for nfs-utils provides the following fixes:

- Avoid 'already mounted' errors from 'mount -a' when name in /etc/fstab differs
  slightly from /proc/mounts. (bsc#950340)
- Use proper annotations for service restart. (bsc#952055)
- Pass $RPC_PIPEFS_DIR to idmap when executing 'try-restart' or 'condrestart'.
  (bsc#947852)


-----------------------------------------
Patch: SUSE-2016-378
Released: Fri Mar  4 18:29:05 2016
Summary: Recommended update for wicked
Severity: moderate
References: 927615,936514,944710,953107,955778,955864,957944,959356
Description:

This update provides Wicked 0.6.30, which brings many fixes and enhancements:

- wireless: Fix EAP inconsistencies and add missing auth method names to translation maps.
  (bsc#936514, bsc#927615)
- fsm: Do not terminate with a segmentation fault on device hierarchy loops. (bsc#959356)
- fsm: Handle down/step back events in ifup flow instead of trying to workaround in nanny.
  (bsc#955864)
- ethtool: Map da,none,other port types. (bsc#957944)
- ipv4: Remove pointless broadcast calculations and send to the kernel only if explicitly
  requested in ifcfg file or by dhcp options. The kernel has its own logic to automatically
  calculate related settings as needed. Also removed broadcast setting from ifcfg-lo to
  not override kernel's setup. (bsc#944710)
- rpm: Do not use systemctl show in scripts. (bsc#955778)
- nanny: Skip recheck when no policy configured. (bsc#953107)


-----------------------------------------
Patch: SUSE-2016-382
Released: Mon Mar  7 14:43:46 2016
Summary: Recommended update for SDL
Severity: low
References: 953861
Description:

This update for SDL disables usage of backing storage by default due to tearing
effects. Users who would like to enable it can set the SDL_VIDEO_X11_BACKINGSTORE
environment variable.


-----------------------------------------
Patch: SUSE-2016-395
Released: Tue Mar  8 13:58:10 2016
Summary: Recommended update for systemd-presets-branding-SLE
Severity: low
References: 958880
Description:

This update for systemd-presets-branding-SLE fixes the following issues:

- Add display-manager.service to defaults presets. (bsc#958880)


-----------------------------------------
Patch: SUSE-2016-401
Released: Wed Mar  9 12:05:06 2016
Summary: Recommended update for lio-utils
Severity: low
References: 934521,940636,950990
Description:
This update for lio-utils provides the following fixes:

- Restore configuration from saved file at startup. (bsc#950990)
- When dumping lio state, do not consider it an error if there is no target
  directory, since that can mean there are no targets. (bsc#934521)
- Retry 5 times if first attempt to enable a new target fails, which can
  happen on a fast multiprocessor system. (bsc#940636)


-----------------------------------------
Patch: SUSE-2016-413
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:

This update for libssh2_org fixes the following issues: 

Security issue fixed:
- CVE-2016-0787 (bsc#967026):
  Weakness in diffie-hellman secret key generation lead to much shorter DH groups
  then needed, which could be used to retrieve server keys.

A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)


-----------------------------------------
Patch: SUSE-2016-419
Released: Fri Mar 11 16:25:09 2016
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 969894,CVE-2016-1950,CVE-2016-1952,CVE-2016-1953,CVE-2016-1954,CVE-2016-1957,CVE-2016-1958,CVE-2016-1960,CVE-2016-1961,CVE-2016-1962,CVE-2016-1964,CVE-2016-1965,CVE-2016-1966,CVE-2016-1974,CVE-2016-1977,CVE-2016-1978,CVE-2016-1979,CVE-2016-2790,CVE-2016-2791,CVE-2016-2792,CVE-2016-2793,CVE-2016-2794,CVE-2016-2795,CVE-2016-2796,CVE-2016-2797,CVE-2016-2798,CVE-2016-2799,CVE-2016-2800,CVE-2016-2801,CVE-2016-2802
Description:

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues:

Mozilla Firefox was updated to 38.7.0 ESR (bsc#969894), fixing
following security issues:
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
  Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
* MFSA 2016-17/CVE-2016-1954
  Local file overwriting and potential privilege escalation
  through CSP reports
* MFSA 2016-20/CVE-2016-1957
  Memory leak in libstagefright when deleting an array during
  MP4 processing
* MFSA 2016-21/CVE-2016-1958
  Displayed page address can be overridden
* MFSA 2016-23/CVE-2016-1960
  Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961
  Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962
  Use-after-free when using multiple WebRTC data channels
* MFSA 2016-27/CVE-2016-1964
  Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965
  Addressbar spoofing though history navigation and Location
  protocol property
* MFSA 2016-31/CVE-2016-1966
  Memory corruption with malicious NPAPI plugin
* MFSA 2016-34/CVE-2016-1974
  Out-of-bounds read in HTML parser following a failed
  allocation
* MFSA 2016-35/CVE-2016-1950
  Buffer overflow during ASN.1 decoding in NSS
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
  CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
  CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
  CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
  Font vulnerabilities in the Graphite 2 library

Mozilla NSPR was updated to version 4.12 (bsc#969894), fixing following bugs:
* added a PR_GetEnvSecure function, which attempts to detect if
  the program is being executed with elevated privileges, and
  returns NULL if detected. It is recommended to use this function
  in general purpose library code.
* fixed a memory allocation bug related to the PR_*printf functions
* exported API PR_DuplicateEnvironment, which had already been
  added in NSPR 4.10.9
* added support for FreeBSD aarch64
* several minor correctness and compatibility fixes

Mozilla NSS was updated to fix security issues (bsc#969894):
* MFSA 2016-15/CVE-2016-1978
  Use-after-free in NSS during SSL connections in low memory
* MFSA 2016-35/CVE-2016-1950
  Buffer overflow during ASN.1 decoding in NSS
* MFSA 2016-36/CVE-2016-1979
  Use-after-free during processing of DER encoded keys in NSS


-----------------------------------------
Patch: SUSE-2016-456
Released: Tue Mar 15 18:01:12 2016
Summary: Security update for graphite2
Severity: important
References: 965803,965807,965810,CVE-2016-1521,CVE-2016-1523,CVE-2016-1526
Description:

This update for graphite2 fixes the following issues:

- CVE-2016-1521: The directrun function in directmachine.cpp in
  Libgraphite did not validate a certain skip operation, which allowed
  remote attackers to execute arbitrary code, obtain sensitive information,
  or cause a denial of service (out-of-bounds read and application crash)
  via a crafted Graphite smart font.

- CVE-2016-1523: The SillMap::readFace function in FeatureMap.cpp in
  Libgraphite mishandled a return value, which allowed remote attackers
  to cause a denial of service (missing initialization, NULL pointer
  dereference, and application crash) via a crafted Graphite smart font.

- CVE-2016-1526: The TtfUtil:LocaLookup function in TtfUtil.cpp in
  Libgraphite incorrectly validated a size value, which allowed remote
  attackers to obtain sensitive information or cause a denial of service
  (out-of-bounds read and application crash) via a crafted Graphite
  smart font.


-----------------------------------------
Patch: SUSE-2016-458
Released: Tue Mar 15 18:02:16 2016
Summary: Security update for bind
Severity: important
References: 970072,970073,CVE-2016-1285,CVE-2016-1286
Description:

This update for bind fixes the following issues:

Fix two assertion failures that can lead to a remote denial of service attack:
* CVE-2016-1285: An error when parsing signature records for DNAME can lead to named exiting due to an assertion failure. (bsc#970072)
* CVE-2016-1286: An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. (bsc#970073)


-----------------------------------------
Patch: SUSE-2016-460
Released: Wed Mar 16 11:39:17 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 812259,816099,855062,867583,884701,899908,922071,937444,940338,940946,941363,943989,945219,947953,949752,950292,951155,955308,955654,956084,956514,957525,957986,959090,959146,959257,959463,959629,959709,960174,960227,960458,960561,960629,961257,961500,961509,961516,961588,961658,961971,962336,962356,962788,962965,963193,963449,963572,963746,963765,963767,963825,963960,964201,964730,965199,965344,965830,965840,965891,966026,966094,966278,966437,966471,966693,966864,966910,967802,968018,968074,968206,968230,968234,968253,969112,CVE-2013-7446,CVE-2015-5707,CVE-2015-8709,CVE-2015-8767,CVE-2015-8785,CVE-2015-8812,CVE-2016-0723,CVE-2016-0774,CVE-2016-2069,CVE-2016-2384
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.55 to receive various security and bugfixes.

Features added:
- A improved XEN blkfront module was added, which allows more I/O bandwidth. (FATE#320625)
  It is called xen-blkfront in PV, and xen-vbd-upstream in HVM mode.

The following security bugs were fixed:
- CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in
  the Linux kernel allowed local users to bypass intended AF_UNIX socket
  permissions or cause a denial of service (panic) via crafted epoll_ctl
  calls (bnc#955654).
- CVE-2015-5707: Integer overflow in the sg_start_req function in
  drivers/scsi/sg.c in the Linux kernel allowed local users to cause a
  denial of service or possibly have unspecified other impact via a large
  iov_count value in a write request (bnc#940338).
- CVE-2015-8709: kernel/ptrace.c in the Linux kernel mishandled uid and
  gid mappings, which allowed local users to gain privileges by establishing
  a user namespace, waiting for a root process to enter that namespace
  with an unsafe uid or gid, and then using the ptrace system call.  NOTE:
  the vendor states 'there is no kernel bug here' (bnc#959709 bnc#960561).
- CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not
  properly manage the relationship between a lock and a socket, which
  allowed local users to cause a denial of service (deadlock) via a crafted
  sctp_accept call (bnc#961509).
- CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c
  in the Linux kernel allowed local users to cause a denial of service
  (infinite loop) via a writev system call that triggers a zero length
  for the first segment of an iov (bnc#963765).
- CVE-2015-8812: A use-after-free flaw was found in the CXGB3 kernel
  driver when the network was considered to be congested. This could be
  used by local attackers to cause machine crashes or potentially code
  executuon (bsc#966437).
- CVE-2016-0723: Race condition in the tty_ioctl function in
  drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain
  sensitive information from kernel memory or cause a denial of service
  (use-after-free and system crash) by making a TIOCGETD ioctl call during
  processing of a TIOCSETD ioctl call (bnc#961500).
- CVE-2016-0774: A pipe buffer state corruption after unsuccessful atomic
  read from pipe was fixed (bsc#964730).
- CVE-2016-2069: Race conditions in TLB syncing was fixed which could
  leak to information leaks (bnc#963767).
- CVE-2016-2384: A double-free triggered by invalid USB descriptor in
  ALSA usb-audio was fixed, which could be exploited by physical local
  attackers to crash the kernel or gain code execution (bnc#966693).

The following non-security bugs were fixed:
- alsa: rawmidi: Make snd_rawmidi_transmit() race-free (bsc#968018).
- alsa: seq: Fix leak of pool buffer at concurrent writes (bsc#968018).
- be2net: fix some log messages (bnc#855062 FATE#315961, bnc#867583).
- block: xen-blkfront: Fix possible NULL ptr dereference (bsc#957986 fate#320625).
- btrfs: Add handler for invalidate page (bsc#963193).
- btrfs: check prepare_uptodate_page() error code earlier (bnc#966910).
- btrfs: delayed_ref: Add new function to record reserved space into delayed ref (bsc#963193).
- btrfs: delayed_ref: release and free qgroup reserved at proper timing (bsc#963193).
- btrfs: extent_io: Introduce needed structure for recoding set/clear bits (bsc#963193).
- btrfs: extent_io: Introduce new function clear_record_extent_bits() (bsc#963193).
- btrfs: extent_io: Introduce new function set_record_extent_bits (bsc#963193).
- btrfs: extent-tree: Add new version of btrfs_check_data_free_space and btrfs_free_reserved_data_space (bsc#963193).
- btrfs: extent-tree: Add new version of btrfs_delalloc_reserve/release_space (bsc#963193).
- btrfs: extent-tree: Switch to new check_data_free_space and free_reserved_data_space (bsc#963193).
- btrfs: extent-tree: Switch to new delalloc space reserve and release (bsc#963193).
- btrfs: fallocate: Add support to accurate qgroup reserve (bsc#963193).
- btrfs: fix deadlock between direct IO write and defrag/readpages (bnc#965344).
- btrfs: fix invalid page accesses in extent_same (dedup) ioctl (bnc#968230).
- btrfs: fix page reading in extent_same ioctl leading to csum errors (bnc#968230).
- btrfs: fix warning in backref walking (bnc#966278).
- btrfs: qgroup: Add handler for NOCOW and inline (bsc#963193).
- btrfs: qgroup: Add new trace point for qgroup data reserve (bsc#963193).
- btrfs: qgroup: Avoid calling btrfs_free_reserved_data_space in clear_bit_hook (bsc#963193).
- btrfs: qgroup: Check if qgroup reserved space leaked (bsc#963193).
- btrfs: qgroup: Cleanup old inaccurate facilities (bsc#963193).
- btrfs: qgroup: Fix a race in delayed_ref which leads to abort trans (bsc#963193).
- btrfs: qgroup: Fix a rebase bug which will cause qgroup double free (bsc#963193).
- btrfs: qgroup: Introduce btrfs_qgroup_reserve_data function (bsc#963193).
- btrfs: qgroup: Introduce functions to release/free qgroup reserve data space (bsc#963193).
- btrfs: qgroup: Introduce new functions to reserve/free metadata (bsc#963193).
- btrfs: qgroup: Use new metadata reservation (bsc#963193).
- btrfs: skip locking when searching commit root (bnc#963825).
- dcache: use IS_ROOT to decide where dentry is hashed (bsc#949752).
- documentation: Document kernel.panic_on_io_nmi sysctl (bsc#940946, bsc#937444).
- documentation: Fix build of PDF files in kernel-docs package Double the spaces for tex, and fix buildrequires for docbook.
- doc: Use fop for creating PDF files in kernel-docs package as some files still cannot be built with the default backend.
- driver core: Add BUS_NOTIFY_REMOVED_DEVICE event (bnc#962965).
- drivers: xen-blkfront: only talk_to_blkback() when in XenbusStateInitialising (bsc#957986 fate#320625).
- driver: xen-blkfront: move talk_to_blkback to a more suitable place (bsc#957986 fate#320625).
- ec2: updated kabi files and start tracking
- fs: Improve fairness when locking the per-superblock s_anon list (bsc#957525, bsc#941363).
- fs/proc_namespace.c: simplify testing nsp and nsp->mnt_ns (bug#963960).
- fuse: break infinite loop in fuse_fill_write_pages() (bsc#963765).
- futex: Drop refcount if requeue_pi() acquired the rtmutex (bug#960174).
- jbd2: Fix unreclaimed pages after truncate in data=journal mode (bsc#961516).
- kabi: Preserve checksum of kvm_x86_ops (bsc#969112).
- kABI: protect struct af_alg_type.
- kABI: protect struct crypto_ahash.
- kABI: reintroduce blk_rq_check_limits.
- kabi/severities: Fail on changes in kvm_x86_ops, needed by lttng-modules
- kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val) (bsc#940946, bsc#937444).
- kernel: Provide READ_ONCE and ASSIGN_ONCE (bsc#940946, bsc#937444).
- kernel/watchdog.c: perform all-CPU backtrace in case of hard lockup (bsc#940946, bsc#937444).
- kexec: Fix race between panic() and crash_kexec() (bsc#940946, bsc#937444).
- kgr: do not print error for !abort_if_missing symbols (bnc#943989).
- kgr: do not use WQ_MEM_RECLAIM workqueue (bnc#963572).
- kgr: log when modifying kernel (fate#317827).
- kgr: mark some more missed kthreads (bnc#962336).
- kgr: usb/storage: do not emit thread awakened (bnc#899908).
- kvm: x86: Check dest_map->vector to match eoi signals for rtc (bsc#966471).
- kvm: x86: Convert ioapic->rtc_status.dest_map to a struct (bsc#966471).
- kvm: x86: store IOAPIC-handled vectors in each VCPU (bsc#966471).
- kvm: x86: Track irq vectors in ioapic->rtc_status.dest_map (bsc#966471).
- libceph: fix scatterlist last_piece calculation (bsc#963746).
- megaraid_sas: Chip reset if driver fails to get IOC ready (bsc#922071). Refresh the patch based on the actual upstream commit, and add the commit ID.
- mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() (VM Functionality, bnc#961588).
- module: keep percpu symbols in module's symtab (bsc#962788).
- namespaces: Re-introduce task_nsproxy() helper (bug#963960).
- namespaces: Use task_lock and not rcu to protect nsproxy (bug#963960).
- net: core: Correct an over-stringent device loop detection (bsc#945219).
- nfs: Background flush should not be low priority (bsc#955308).
- nfsd: Do not start lockd when only NFSv4 is running (fate#316311).
- nfs: do not use STABLE writes during writeback (bnc#816099).
- nfs: Fix handling of re-write-before-commit for mmapped NFS pages (bsc#964201).
- nfs: Move nfsd patch to the right section
- nfsv4: Recovery of recalled read delegations is broken (bsc#956514).
- nmi: provide the option to issue an NMI back trace to every cpu but current (bsc#940946, bsc#937444).
- nmi: provide the option to issue an NMI back trace to every cpu but current (bsc#940946, bsc#937444).
- panic, x86: Allow CPUs to save registers even if looping in NMI context (bsc#940946, bsc#937444).
- panic, x86: Fix re-entrance problem due to panic on NMI (bsc#940946, bsc#937444).
- pci: allow access to VPD attributes with size 0 (bsc#959146).
- pciback: Check PF instead of VF for PCI_COMMAND_MEMORY.
- pciback: Save the number of MSI-X entries to be copied later.
- pci: Blacklist vpd access for buggy devices (bsc#959146).
- pci: Determine actual VPD size on first access (bsc#959146).
- pci: Update VPD definitions (bsc#959146).
- perf: Do not modify perf bias performance setting by default at boot (bnc#812259,bsc#959629).
- proc: Fix ptrace-based permission checks for accessing task maps.
- rpm/constraints.in: Bump disk space requirements up a bit Require 10GB on s390x, 20GB elsewhere.
- rpm/kernel-binary.spec.in: Fix build if no UEFI certs are installed
- rpm/kernel-binary.spec.in: Fix kernel-vanilla-devel dependency (bsc#959090)
- rpm/kernel-binary.spec.in: Fix paths in kernel-vanilla-devel (bsc#959090).
- rpm/kernel-binary.spec.in: Install libopenssl-devel for newer sign-file
- rpm/kernel-binary.spec.in: Sync the main and -base package dependencies (bsc#965830#c51).
- rpm/kernel-binary.spec.in: Use bzip compression to speed up build (bsc#962356)
- rpm/kernel-module-subpackage: Fix obsoleting dropped flavors (bsc#968253)
- rpm/kernel-source.spec.in: Install kernel-macros for kernel-source-vanilla (bsc#959090)
- rpm/kernel-spec-macros: Do not modify the release string in PTFs (bsc#963449)
- rpm/package-descriptions: Add kernel-zfcpdump and drop -desktop
- sched/fair: Disable tg load_avg/runnable_avg update for root_task_group (bnc#960227).
- sched/fair: Move cache hot load_avg/runnable_avg into separate cacheline (bnc#960227).
- sched: Fix race between task_group and sched_task_group (Automatic NUMA Balancing (fate#315482))
- scsi: Add sd_mod to initrd modules For some reason PowerVM backend can't work without sd_mod
- scsi_dh_alua: Do not block request queue if workqueue is active (bsc#960458).
- scsi: fix soft lockup in scsi_remove_target() on module removal (bsc#965199).
- scsi: restart list search after unlock in scsi_remove_target (bsc#959257).
- series.conf: add section comments
- supported.conf: Add e1000e (emulated by VMware) to -base (bsc#968074)
- supported.conf: Add Hyper-V modules to -base (bsc#965830)
- supported.conf: Add more QEMU and VMware drivers to -base (bsc#965840).
- supported.conf: Add more qemu device driver (bsc#968234)
- supported.conf: Add mptspi and mptsas to -base (bsc#968206)
- supported.conf: Add netfilter modules to base (bsc#950292)
- supported.conf: Add nls_iso8859-1 and nls_cp437 to -base (bsc#950292)
- supported.conf: Add the qemu scsi driver (sym53c8xx) to -base (bsc#967802)
- supported.conf: Add tulip to -base for Hyper-V (bsc#968234)
- supported.conf: Add vfat to -base to be able to mount the ESP (bsc#950292).
- supported.conf: Add virtio_{blk,net,scsi} to kernel-default-base (bsc#950292)
- supported.conf: Add virtio-rng (bsc#966026)
- supported.conf: Add xen-blkfront.
- supported.conf: Add xfs to -base (bsc#965891)
- supported.conf: Also add virtio_pci to kernel-default-base (bsc#950292).
- supported.conf: drop +external from ghash-clmulni-intel It was agreed that it does not make sense to maintain 'external' for this specific module. Furthermore it causes problems in rather ordinary VMware environments. (bsc#961971)
- supported.conf: Fix usb-common path usb-common moved to its own subdirectory in kernel v3.16, and we backported that change to SLE12.
- tcp: Restore RFC5961-compliant behavior for SYN packets (bsc#966864).
- usb: Quiet down false peer failure messages (bnc#960629).
- x86/apic: Introduce apic_extnmi command line parameter (bsc#940946, bsc#937444).
- x86/nmi: Save regs in crash dump on external NMI (bsc#940946, bsc#937444).
- x86/nmi: Save regs in crash dump on external NMI (bsc#940946, bsc#937444).
- xen: Add /etc/modprobe.d/50-xen.conf selecting Xen frontend driver implementation (bsc#957986, bsc#956084, bsc#961658).
- xen-blkfront: allow building in our Xen environment (bsc#957986 fate#320625).
- xen, blkfront: factor out flush-related checks from do_blkif_request() (bsc#957986 fate#320625).
- xen-blkfront: fix accounting of reqs when migrating (bsc#957986 fate#320625).
- xen/blkfront: Fix crash if backend does not follow the right states (bsc#957986 fate#320625).
- xen-blkfront: improve aproximation of required grants per request (bsc#957986 fate#320625).
- xen/blkfront: improve protection against issuing unsupported REQ_FUA (bsc#957986 fate#320625).
- xen/blkfront: remove redundant flush_op (bsc#957986 fate#320625).
- xen-blkfront: remove type check from blkfront_setup_discard (bsc#957986 fate#320625).
- xen-blkfront: Silence pfn maybe-uninitialized warning (bsc#957986 fate#320625).
- xen: Linux 3.12.52.
- xen: Refresh patches.xen/xen3-patch-3.9 (bsc#951155).
- xen: Refresh patches.xen/xen3-patch-3.9 (do not subvert NX protection during 1:1 mapping setup).
- xen-vscsi-large-requests: Fix resource collision for racing request maps and unmaps (bsc#966094).
- xen: Xen config files updated to enable upstream block frontend.
- xfs: add a few more verifier tests (bsc#947953).
- xfs: fix double free in xlog_recover_commit_trans (bsc#947953).
- xfs: recovery of XLOG_UNMOUNT_TRANS leaks memory (bsc#947953).


-----------------------------------------
Patch: SUSE-2016-462
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Severity: low
References: 967838
Description:

This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND)
which are available in Linux Kernel 3.12.


-----------------------------------------
Patch: SUSE-2016-477
Released: Fri Mar 18 10:54:32 2016
Summary: Security update for samba
Severity: important
References: 953382,953972,960249,962177,968222,CVE-2015-7560
Description:

This update for samba fixes the following issues:

- CVE-2015-7560: Getting and setting Windows ACLs on symlinks can change permissions on link 
  target. (bso#11648 bsc#968222)

Also the following bugs were fixed:
- Add quotes around path of update-apparmor-samba-profile; (bsc#962177).
- Prevent access denied if the share path is '/'; (bso#11647); (bsc#960249).
- Ensure samlogon fallback requests are rerouted after kerberos failure; (bsc#953382).
- samba: winbind crash -> netlogon_creds_client_authenticator; (bsc#953972).


-----------------------------------------
Patch: SUSE-2016-479
Released: Fri Mar 18 15:35:18 2016
Summary: Recommended update for supportutils
Severity: low
References: 951218,958403,959252,961318,965682
Description:

This update for supportutils provides the following fixes:

- Capture the correct pacemaker logs. (bsc#958403)
- Fix name space errors. (bsc#961318)
- Change rpm to check with NCP server. (bsc#965682)
- Collect more data about Docker containers in docker.txt.
- Added OPTION_HAPROXY for haproxy.txt. (bsc#959252)
- Fixed mount option. (bsc#951218)


-----------------------------------------
Patch: SUSE-2016-488
Released: Mon Mar 21 16:16:13 2016
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 963996,968245
Description:

This update for SUSEConnect fixes the following issues:

- Do not crash on --list-extensions when connected to SMT (bsc#963996)
- Do not let zypper attempt to read products from remote locations (bsc#968245)


-----------------------------------------
Patch: SUSE-2016-490
Released: Mon Mar 21 16:45:13 2016
Summary: Recommended update for timezone
Severity: low
References: 971377
Description:

This update provides the latest timezone information (2016b) for your system, including
the following changes:

- New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and Ulyanovsk Oblasts,
  Russia, both of which will switch from +03 to +04 on 2016-03-27 at 02:00 local time.
- New zone Asia/Barnaul for Altai Krai and Altai Republic, Russia, which will switch
  from +06 to +07 on the same date and local time.
- Asia/Sakhalin moves from +10 to +11 on 2016-03-27 at 02:00.
- As a trial of a new system that needs less information to be made up, the new zones
  use numeric time zone abbreviations like '+04' instead of invented abbreviations
  like 'ASTT'.
- Haiti will not observe DST in 2016.
- Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00.
- tzselect's diagnostics and checking, and checktab.awk's checking, have been improved.
- tzselect now tests Julian-date TZ settings more accurately.


-----------------------------------------
Patch: SUSE-2016-510
Released: Thu Mar 24 15:40:28 2016
Summary: Recommended update for timezone
Severity: low
References: 972433
Description:

This update provides the latest timezone information (2016c) for your
system, including the following changes:

- Azerbaijan no longer observes DST (Asia/Baku)
- Chile reverts from permanent to seasonal DST

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html


-----------------------------------------
Patch: SUSE-2016-525
Released: Wed Mar 30 17:06:50 2016
Summary: Recommended update for cloud-init
Severity: moderate
References: 971275
Description:

This update for cloud-init fixes the following issue:

- Properly handle the package_upgrade configuration option (bsc#971275)


-----------------------------------------
Patch: SUSE-2016-533
Released: Thu Mar 31 15:45:44 2016
Summary: Recommended update for libsolv, libzypp, zypper, zypp-plugin
Severity: moderate
References: 889363,953214,955801,956443,957606,961738,966760,967673,968006,969186,970575,971018
Description:

This update for the Software Update Stack provides fixes and enhancements.

libsolv:

- Fix rule generation for linked packages. (bsc#961738)
- Fix update handling of multiversion packages. (bsc#957606)
- Fix orphan handling for dup with keeporphans set. (bsc#957606)
- Change product links to also look at timestamps. (bsc#956443)
- Rework multiversion orphaned handling. (bsc#957606)
- Support key type changes in repodata_internalize().
- Allow serialization of REPOKEY_TYPE_DELETED.
- Improve appdata handling of installed packages.
- Improve performance when run under Xen.

libzypp:

- Send stats header to download.opensuse.org only. (bsc#955801)
- Require libsolv 0.6.19 or newer to build. (bsc#971018)

zypper:

- Don't check for zypp lock in command versioncmp. (bsc#970575)
- Rephrase unclear explanation of --non-interactive in man page. (bsc#969186)
- Add missing --non-interactive-include-reboot-patches option to man page.
- Fix repository import to honor enable and auto-refresh flags. (bsc#967673)
- Return error code 106 (ZYPPER_EXIT_INF_REPOS_SKIPPED) if repos were skipped
  due to a failing refresh. (bsc#968006)
- Fix addlock man page header. (bsc#966760)
- Fix typo in man page. (bsc#953214)

zypp-plugin:

- Force usage of the official python VM instead of using '/usr/bin/env python'.
  (bsc#889363)


-----------------------------------------
Patch: SUSE-2016-542
Released: Fri Apr  1 18:07:22 2016
Summary: Recommended update for release-notes-sles
Severity: low
References: 970541
Description:

The Release Notes of SUSE Linux Enterprise Server 12 have been updated to document:

- Wayland Libraries Are Not Supported (fate#320285) 
- Updating Registration Status After Rollback (fate#319118) 
- Intel 10GbE PCI Express Adapters: Setting MAC Address (fate#315667) 
- Support for Btrfs Features (fate#317061) 
- zypper-docker, the Updater for Docker Images (fate#319426) 
- Docker Image: Support for SLES 12 SP1 (fate#319425) 
- Upgrading PostgreSQL Installations (fate#319049) 
- Deduplicated entries for fate#315289, fate#315316, fate#316111, fate#316314, fate#317286, fate#317868
- Fixes for typographical errors in numerous entries


-----------------------------------------
Patch: SUSE-2016-543
Released: Fri Apr  1 18:44:16 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 970882
Description:

This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)


-----------------------------------------
Patch: SUSE-2016-562
Released: Tue Apr  5 16:31:47 2016
Summary: Optional update for yast2-samba-server
Severity: low
References: 972197
Description:

This update for yast2-samba-server fixes the following issues:

- Don't require libsmbclient as it's pulled in by libsmbclient-devel. (bsc#972197)


-----------------------------------------
Patch: SUSE-2016-565
Released: Wed Apr  6 16:26:42 2016
Summary: Security update for gcc5
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:

The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes
and enhancements.

The following security issue has been fixed:

- Fix C++11 std::random_device short read issue that could lead to predictable
  randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:

- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal
  compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of
  Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual
  methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.


-----------------------------------------
Patch: SUSE-2016-566
Released: Wed Apr  6 17:35:05 2016
Summary: Recommended update for open-iscsi
Severity: moderate
References: 939923,969108
Description:

This update for open-iscsi fixes the following issues:

- Allow non-tcp transport for discovery daemon (bsc#939923) 
- Add rcsymlinks (bsc#969108)


-----------------------------------------
Patch: SUSE-2016-575
Released: Thu Apr  7 15:45:32 2016
Summary: Recommended update for at
Severity: low
References: 945124
Description:

This update for 'at' provides the following fixes:

- Don't loop on corrupted files and prevent their creation. (bsc#945124)


-----------------------------------------
Patch: SUSE-2016-586
Released: Fri Apr  8 15:36:20 2016
Summary: Security update for krb5
Severity: moderate
References: 971942,CVE-2016-3119
Description:

This update for krb5 fixes the following security issue:

- CVE-2016-3119: An authenticated attacker with permission to modify a
  principal entry could have caused kadmind to dereference a null pointer
  by supplying an empty DB argument to the modify_principal command,
  if kadmind is configured to use the LDAP KDB module. (bsc#971942)


-----------------------------------------
Patch: SUSE-2016-587
Released: Fri Apr  8 17:06:56 2016
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 973042
Description:

The root SSL certificate store ca-certificates-mozilla was updated
to version 2.7 of the Mozilla NSS equivalent. (bsc#973042)

- Newly added CAs:
  * CA WoSign ECC Root
  * Certification Authority of WoSign
  * Certification Authority of WoSign G2
  * Certinomis - Root CA
  * Certum Trusted Network CA 2
  * CFCA EV ROOT
  * COMODO RSA Certification Authority
  * DigiCert Assured ID Root G2
  * DigiCert Assured ID Root G3
  * DigiCert Global Root G2
  * DigiCert Global Root G3
  * DigiCert Trusted Root G4
  * Entrust Root Certification Authority - EC1
  * Entrust Root Certification Authority - G2
  * GlobalSign
  * IdenTrust Commercial Root CA 1
  * IdenTrust Public Sector Root CA 1
  * OISTE WISeKey Global Root GB CA
  * QuoVadis Root CA 1 G3
  * QuoVadis Root CA 2 G3
  * QuoVadis Root CA 3 G3
  * Staat der Nederlanden EV Root CA
  * Staat der Nederlanden Root CA - G3
  * S-TRUST Universal Root CA
  * SZAFIR ROOT CA2
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * USERTrust ECC Certification Authority
  * USERTrust RSA Certification Authority
  * 沃通根证书

- Removed CAs:
  * AOL CA
  * A Trust nQual 03
  * Buypass Class 3 CA 1
  * CA Disig
  * Digital Signature Trust Co Global CA 1
  * Digital Signature Trust Co Global CA 3
  * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * NetLock Expressz (Class C) Tanusitvanykiado
  * NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * SG TRUST SERVICES RACINE
  * Staat der Nederlanden Root CA
  * TC TrustCenter Class 2 CA II
  * TC TrustCenter Universal CA I
  * TDC Internet Root CA
  * UTN DATACorp SGC Root CA
  * Verisign Class 1 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * Verisign Class 3 Public Primary Certification Authority - G2

- Removed server trust from:
  * AC Raíz Certicámara S.A.
  * ComSign Secured CA
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * NetLock Business (Class B) Root
  * NetLock Expressz (Class C) Tanusitvanykiado
  * TC TrustCenter Class 3 CA II
  * TURKTRUST Certificate Services Provider Root 1
  * TURKTRUST Certificate Services Provider Root 2
  * Equifax Secure Global eBusiness CA-1
  * Verisign Class 4 Public Primary Certification Authority G3

- Enable server trust for:
  * Actalis Authentication Root CA


-----------------------------------------
Patch: SUSE-2016-605
Released: Tue Apr 12 20:46:02 2016
Summary: Security update for samba
Severity: important
References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629,CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Description:
Samba was updated to the 4.2.x codestream, bringing some new features and security fixes (bsc#973832, FATE#320709).

These security issues were fixed:
- CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862).
- CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031).
- CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032).
- CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033).
- CVE-2016-2113: TLS certificate validation were missing (bsc#973034).
- CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036).
- CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965).

Also the following fixes were done:
- Upgrade on-disk FSRVP server state to new version; (bsc#924519).
- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).
- Align fsrvp feature sources with upstream version.
- Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel from samba-core-devel; (bsc#973832).
- s3:utils/smbget: Fix recursive download; (bso#6482).
- s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
- docs: Add example for domain logins to smbspool man page; (bso#11643).
- s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
- loadparm: Fix memory leak issue; (bso#11708).
- lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
- ctdb-scripts: Drop use of 'smbcontrol winbindd ip-dropped ...'; (bso#11719).
- s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
- param: Fix str_list_v3 to accept ';' again; (bso#11732).
- Real memeory leak(buildup) issue in loadparm; (bso#11740).
- Obsolete libsmbclient from libsmbclient0 and libpdb-devel from libsamba-passdb-devel while not providing it; (bsc#972197).
- Getting and setting Windows ACLs on symlinks can change permissions on link
- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).
- Enable clustering (CTDB) support; (bsc#966271).
- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).
- vfs_fruit: Fix renaming directories with open files; (bso#11065).
- Fix MacOS finder error 36 when copying folder to Samba; (bso#11347).
- s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400).
- Fix copying files with vfs_fruit when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466).
- s3:libsmb: Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624).
- Reduce the memory footprint of empty string options; (bso#11625).
- lib/async_req: Do not install async_connect_send_test; (bso#11639).
- docs: Fix typos in man vfs_gpfs; (bso#11641).
- smbd: make 'hide dot files' option work with 'store dos attributes = yes'; (bso#11645).
- smbcacls: Fix uninitialized variable; (bso#11682).
- s3:smbd: Ignore initial allocation size for directory creation; (bso#11684).
- Changing log level of two entries to from 1 to 3; (bso#9912).
- vfs_gpfs: Re-enable share modes; (bso#11243).
- wafsamba: Also build libraries with RELRO protection; (bso#11346).
- ctdb: Strip trailing spaces from nodes file; (bso#11365).
- s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute type of zero; (bso#11452).
- nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized; (bso#11563).
- async_req: Fix non-blocking connect(); (bso#11564).
- auth: gensec: Fix a memory leak; (bso#11565).
- lib: util: Make non-critical message a warning; (bso#11566).
- Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bsc#949022).
- smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).
- ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577).
- manpage: Correct small typo error; (bso#11584).
- s3: smbd: If EA's are turned off on a share don't allow an SMB2 create containing them; (bso#11589).
- Backport some valgrind fixes from upstream master; (bso#11597).
- s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615).
- docs: Fix some typos in the idmap config section of man 5 smb.conf; (bso#11619).


-----------------------------------------
Patch: SUSE-2016-620
Released: Thu Apr 14 21:04:08 2016
Summary: Recommended update for grub2
Severity: moderate
References: 968721,971867
Description:

This update for grub2 fixes the following issues:

- Fix 'attempt to seek outside of the file' error when parsing Xen ELF notes, an issue
  that could prevent Xen guests from booting some kernels. (bsc#968721)
- Do not ignore settings in variables GRUB_DISABLE_LINUX_UUID and GRUB_DEVICE. (bsc#971867)


-----------------------------------------
Patch: SUSE-2016-621
Released: Thu Apr 14 21:05:33 2016
Summary: Recommended update for multipath-tools
Severity: moderate
References: 924316,926588,933282,933885,935312,941954,943157,946658,947845,954726,956349,969857,972329
Description:

This update for multipath-tools provides the following fixes:

- Fix error return in store_path(). (bsc#972329)
- Fix overzealous warning 'empty device number'. (bsc#969857)
- Fix queueing mode in 'show maps status'. (bsc#933885)
- Fix 'DM_DEVICE_RELOAD' handling in libmultipath. (bsc#933282)
- Fix hang in 'multipath -f'. (bsc#941954)
- Block checkerloop during reconfiguration. (bsc#946658)
- Don't buffer output with systemd. (bsc#954726)
- Do not forward partition events. (bsc#954726)
- Improve uxlsnr handling in libmultipath. (bsc#954726)
- Do not realloc memory in uxlsnr. (bsc#954726)
- Call get_uid() for all paths in libmultipath. (bsc#935312)
- Do not switch paths on empty multipath tables. (bsc#956349)
- Use find_path_by_dev() where possible. (bsc#924316)
- Ensure 'dev_t' is set when store paths. (bsc#924316)
- Do not store paths with empty dev_t. (bsc#924316)
- Do not store paths with empty device name. (bsc#924316)
- Fix handling of sysfs_set_rport_tmo. (bsc#926588)
- Add LIO-ORG/SUSE RBD backend hardware defaults. (bsc#947845)
- Reset alias if renaming fails. (bsc#943157)


-----------------------------------------
Patch: SUSE-2016-636
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
  

-----------------------------------------
Patch: SUSE-2016-643
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Severity: low
References: 970260
Description:

This update for bzip2 fixes the following issues:

- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple
  archives, even when the pattern is not found.


-----------------------------------------
Patch: SUSE-2016-646
Released: Tue Apr 19 11:32:13 2016
Summary: Security update for cairo
Severity: moderate
References: 971964,CVE-2016-3190
Description:

This update for cairo fixes the following issues:

- CVE-2016-3190: Fixed an out-of-bound read in the fill_xrgb32_lerp_opaque_spans
  function that might lead to a crash when processing a maliciously
  crafted image file (bsc#971964).


-----------------------------------------
Patch: SUSE-2016-652
Released: Wed Apr 20 10:34:05 2016
Summary: Recommended update for SUSE Manager Client Tools
Severity: moderate
References: 956981,970550,970989,974864,975093
Description:

This update for SUSE Manager Client Tools provides the following new features:

- Integrate SaltStack for configuration management. (fate#312447)
- Replace upstream subscription counting with new subscription matching. (fate#311619)

This update fixes the following issues:

osad:

- Fix file permissions. (bsc#970550)
- Add possibility for OSAD to work in failover mode.

rhn-custom-info:

- Version update.

rhn-virtualization:

- Version update.

rhncfg:

- Fix file permissions. (bsc#970550)
- Fix removal of temporary files during transaction rollback for rhncfg-manager.
- Fix removal of directories which rhncfg-manager didn't create.
- Remove temporary files when exception occurs.
- Make rhncfg support sha256 and use it by default.
- Fix for assigning all groups user belongs to running process.
- Show server modified time with rhncfg-client diff.

rhnlib:

- Use TLSv1_METHOD in SSL Context. (bsc#970989)

rhnpush:

- Don't count on having newest rhn-client-tools.
- Allow to use existing rpcServer when creating RhnServer.
- Wire in timeout for rhnpush.

spacecmd:

- Text description missing for remote command by Spacecmd.
- Added functions to add/edit SSL certificates for repositories.
- Mimetype detection to set the binary flag requires 'file' tool.
- Always base64 encode to avoid trim() bugs in the XML-RPC library.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-backend:

- Version update.

spacewalk-client-tools:

- Convert dbus.Int32 to int to fix a TypeError during registration. (bsc#974864)
- Fix client registration for network interfaces with labels. (bsc#956981)
- Show a descriptive message on reboot.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-koan:

- Fix file permissions. (bsc#970550)
- Switch to KVM if possible.

spacewalk-oscap:

- Still require openscap-utils on RHEL5.

spacewalk-remote-utils:

- Add RHEL 7.2 channel definitions.
- Update RHEL 6.7 and 7.1 channel definitions.
- Use hostname instead of localhost for https connections.
- Spacewalk-create-channel added -o option to clone channel to current state.

spacewalksd:

- Delete file with input files after template is created.

suseRegisterInfo:

- Fix file permissions. (bsc#970550)


-----------------------------------------
Patch: SUSE-2016-654
Released: Wed Apr 20 16:26:03 2016
Summary: Recommended update for perl-Bootloader
Severity: moderate
References: 831791,857556,898099,899921,908664,910479,926426,937806,940486,942519,947697,948778
Description:
This update for perl-Bootloader provides the following fixes:

- Fix extended partition detection. (bsc#947697)
- Allow empty distributor, which for new grub2 means use os-release. (bsc#942519)
- Fix empty distributor handling for grub2-efi. (bsc#942519)
- Remove no longer needed quotes. (bsc#940486)
- Do not escape empty string as it lead to invalid kernel command line. (bsc#937806)
- Do not prepend additional empty space to append. (bsc#926426)
- Use proper upstream name for disabling recovery section. (bsc#898099)
- Escape dollar signs. (bsc#857556)
- Escape/unescape special characters on write/read (bsc#831791)
- Preserve configuration file permissions. (bsc#908664)
- Add device scanning speed-ups done for SLE-11-SP3. (bsc#910479)
- Determine disk device from sysfs tree.


-----------------------------------------
Patch: SUSE-2016-659
Released: Thu Apr 21 13:23:13 2016
Summary: Recommended update for aaa_base
Severity: low
References: 926539,971567
Description:

This update for aaa_base provides the following fixes:

- Make chkconfig -a/-d work. (bsc#926539)
- Avoid recursion if systemd call chkconfig back for sysv units.
- Fix chkconfig(8) to return 1 when attempting to show status of service that
  doesn't exist. (bsc#971567)
- Add --no-systemctl option to chckconfig(8).


-----------------------------------------
Patch: SUSE-2016-661
Released: Fri Apr 22 15:18:03 2016
Summary: Recommended update for supportutils
Severity: moderate
References: 973803
Description:

This update for supportutils fixes the following issue:

- Removed 11 digit SR limit (bsc#973803)


-----------------------------------------
Patch: SUSE-2016-663
Released: Fri Apr 22 15:33:50 2016
Summary: Recommended update for timezone
Severity: low
References: 975875
Description:

This update provides the latest timezone information (2016d) for your
system, including the following changes:

- Venezuela (America/Caracas) switches from -0430 to -04 on 2016-05-01 at 02:30.
- Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
- New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers Tomsk Oblast,
  Russia, which switches from +06 to +07 on 2016-05-29 at 02:00.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz/2016-April/023563.html


-----------------------------------------
Patch: SUSE-2016-664
Released: Fri Apr 22 17:04:55 2016
Summary: Recommended update for release-notes-sles
Severity: low
References: 958052,970949,971824
Description:

The Release Notes of SUSE Linux Enterprise Server 12 have been updated to document:

- Memory Compression with zswap (bsc#971824, fate#315454) 
- VMware now supports 11-to-12 migrations (bsc#970949, fate#317832)
- OpenSSH FIPS Usage (fate#315806)
- LUN Scanning Enabled by Default (bsc#958052, fate#317881)



-----------------------------------------
Patch: SUSE-2016-675
Released: Mon Apr 25 17:43:07 2016
Summary: Recommended update for postfix
Severity: low
References: 947519,947707,972346
Description:

This update for postfix fixes the following issues: 

- Incorrect path to smtp_tls_session_cache_database in config.postfix script. (bsc#972346)
- Mail generated by Amavis prevented from being re-addressed by /etc/postfix/virtual. (bsc#947707)
- SuSEconfig.postfix should enforce umask 022. (bsc#947519)


-----------------------------------------
Patch: SUSE-2016-677
Released: Tue Apr 26 08:17:51 2016
Summary: Recommended update for python-paramiko, python-ecdsa
Severity: moderate
References: 962291
Description:

The Python Paramiko module was updated to version 1.15.2, which brings several
fixes and enhancements.

The ECDSA module was updated to version 0.13 to fulfill requirements of the
newer Paramiko.

For a comprehensive list of changes please refer to the detailed change log
at http://paramiko-www.readthedocs.org/en/latest/changelog.html


-----------------------------------------
Patch: SUSE-2016-680
Released: Tue Apr 26 13:11:21 2016
Summary: Recommended update for nfs-utils
Severity: low
References: 945937
Description:

This update for nfs-utils fixes the following issue:

- mount.nfs should fail if statd is being slow to start due to DNS issues (bsc#945937)


-----------------------------------------
Patch: SUSE-2016-684
Released: Tue Apr 26 16:18:45 2016
Summary: Recommended update for autofs
Severity: moderate
References: 955477,966573
Description:

This update for autofs fixes the following issues:

- Improve scalability of direct mount path component creation. (bsc#966573)
- Use libldap_r instead of libldap for thread safety. (bsc#955477)
- Don't overwrite tirpc version of auth_destroy.


-----------------------------------------
Patch: SUSE-2016-689
Released: Wed Apr 27 20:08:42 2016
Summary: Recommended update for ruby2.1
Severity: low
References: 973073
Description:

This update for ruby2.1 brings performance improvements of Ruby on the IBM POWER platform.


-----------------------------------------
Patch: SUSE-2016-690
Released: Thu Apr 28 11:37:24 2016
Summary: Recommended update for wicked
Severity: moderate
References: 954012,964019,964477,964877,971629
Description:

This update for wicked fixes the following issues:

- xml: fix to not assert on too long entities or missed semicolon and fixed pointer use on DOCTYPE related parse error
- ifconfig: readd broadcast calculation (bsc#971629)
- ifup: let ovs bridges pull ovs-system config and omit ovs-system master reference in policy match (bsc#964019)
- fixed a negated check causing a segmentation fault in some cases where the vlan config references a device without config
- bonding: call setup routine at the end of create (bsc#964877)
- xml-schema: do not add description node to enums
- ifreload: let ifdown delete team instances (bsc#954012, bsc#964477)
- fsm: reset device_api of deleted workers (bsc#954012)
 


-----------------------------------------
Patch: SUSE-2016-697
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Severity: important
References: 974691
Description:

This update for libssh2_org fixes a regression introduced by a previous update
which could result in a segmentation fault in EVP_DigestInit_Ex().


-----------------------------------------
Patch: SUSE-2016-589
Released: Mon May  2 15:01:37 2016
Summary: Security update for python-tornado
Severity: moderate
References: 930361,930362,974657,CVE-2014-9720
Description:

The python-tornado module was updated to version 4.2.1, which brings several fixes,
enhancements and new features.

The following security issues have been fixed:

- A path traversal vulnerability in StaticFileHandler, in which files whose names
  started with the static_path directory but were not actually in that directory
  could be accessed.
- The XSRF token is now encoded with a random mask on each request. This makes it
  safe to include in compressed pages without being vulnerable to the BREACH attack.
  This applies to most applications that use both the xsrf_cookies and gzip options
  (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be
  more secure. (bsc#930361)

The following enhancements have been implemented:

- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
- Certificate validation will now use the system CA root certificates.
- The default SSL configuration has become stricter, using ssl.create_default_context
  where available on the client side.
- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and
  FriendFeedMixin have been removed.
- New modules have been added: tornado.locks and tornado.queues.
- The tornado.websocket module now supports compression via the 'permessage-deflate'
  extension.
- Tornado now depends on the backports.ssl_match_hostname when running on Python 2.

For a comprehensive list of changes, please refer to the release notes:

- http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
- http://www.tornadoweb.org/en/stable/releases/v3.2.0.html


-----------------------------------------
Patch: SUSE-2016-709
Released: Tue May  3 16:19:55 2016
Summary: Security update for libxml2
Severity: moderate
References: 972335,975947,CVE-2016-3627
Description:
This update for libxml2 fixes two security issues:

- libxml2 limits the number of recursions an XML document can contain so to protect against the 'Billion Laughs' denial-of-service attack. Unfortunately, the underlying counter was not incremented properly in all necessary locations. Therefore, specially crafted XML documents could exhaust all available stack space and crash the XML parser without running into the recursion limit. This vulnerability has been fixed. (bsc#975947)

- When running in recovery mode, certain invalid XML documents would trigger an infinite recursion in libxml2 that ran until all stack space was exhausted. This vulnerability could have been used to facilitate a denial-of-sevice attack. (CVE-2016-3627, bsc#972335)


-----------------------------------------
Patch: SUSE-2016-713
Released: Tue May  3 21:37:55 2016
Summary: Recommended update for Mesa, libGLw
Severity: low
References: 945444,962609,970725
Description:

This update for Mesa and libGLw provides fixes and enhancements.

Mesa:

- Add separate definition of GLAPIVAR as GLAPI doesn't have the an 'extern'
  for some compiler versions. This is needed for GLw. (bsc#970725)
- Check for dummyContext to see if the glx_context is valid. (bsc#962609)
- Fix crash due to early miptree release. (bsc#945444)

libGLw:

- Use newly introduced GLAPIVAR instead of GLAPI for variable declarations.
  This adds an 'extern' in cases where GLAPI doesn't have one and avoids a
  variable declaration to become a definition. (bsc#970725)


-----------------------------------------
Patch: SUSE-2016-715
Released: Wed May  4 13:13:49 2016
Summary: Security update for openssl
Severity: important
References: 958501,976942,976943,977614,977615,977616,977617,977621,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Description:
This update for openssl fixes the following issues:

- CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
- CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (bsc#977616)
- CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
- CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
- CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
- bsc#976943: Buffer overrun in ASN1_parse
- bsc#977621: Preserve negotiated digests for SNI (bsc#977621)
- bsc#958501: Fix openssl enc -non-fips-allow option in FIPS mode (bsc#958501)


-----------------------------------------
Patch: SUSE-2016-720
Released: Wed May  4 18:25:08 2016
Summary: Recommended update for autoyast2
Severity: moderate
References: 908356,916628,928303,956730,959723,963137
Description:

This update for autoyast2 provides the following fixes:

- Evaluate the correct domain, network, product and product version when applying
  rules. (bsc#963137)
- Evaluate the correct host IP in order to read the proper autoyast.xml file.
  (bsc#928303, bsc#908356, bsc#916628)
- Check uptime instead of system time while waiting for systemd services to be
  restarted. (bsc#956730)
- Fix nil exception error when starting installation with 'autoyast=default'.
  (bsc#959723)


-----------------------------------------
Patch: SUSE-2016-727
Released: Fri May  6 09:50:42 2016
Summary: Security update for ntp
Severity: important
References: 782060,905885,910063,916617,920238,926510,936327,937837,942587,944300,946386,951559,951608,951629,954982,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Description:
ntp was updated to version 4.2.8p6 to fix 28 security issues.

Major functional changes:
- The 'sntp' commandline tool changed its option handling in a major way,
  some options have been renamed or dropped.
- 'controlkey 1' is added during update to ntp.conf to allow sntp to work.
- The local clock is being disabled during update.
- ntpd is no longer running chrooted.

Other functional changes:
- ntp-signd is installed.
- 'enable mode7' can be added to the configuration to allow ntdpc to work as compatibility mode option.
- 'kod' was removed from the default restrictions.
- SHA1 keys are used by default instead of MD5 keys.

Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837)

These security issues were fixed:
- CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
- CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).
- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).
- CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).
- CVE-2015-7975: nextvar() missing length check (bsc#962988).
- CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).
- CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).
- CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
- CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).
- CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).
- CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#951608).
- CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#951608).
- CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#951608).
- CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#951608).
- CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#951608).
- CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).
- CVE-2015-7850: remote config logfile-keyfile (bsc#951608).
- CVE-2015-7849: trusted key use-after-free (bsc#951608).
- CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).
- CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).
- CVE-2015-7703: configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#951608).
- CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#951608).
- CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data packet length checks (bsc#951608).

These non-security issues were fixed:
- fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd).
  This replaces the w32 patches in 4.2.4 that added the authreg
  directive.
- bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd.
  When run as cron job, /usr/sbin/ is not in the path, which caused
  the synchronization to fail.
- bsc#782060: Speedup ntpq.
- bsc#916617: Add /var/db/ntp-kod.
- bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.
- bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.
- Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.
- Add a controlkey line to /etc/ntp.conf if one does not already exist to allow runtime configuuration via ntpq.
- bsc#946386: Temporarily disable memlock to avoid problems due to high memory usage during name resolution.
- bsc#905885: Use SHA1 instead of MD5 for symmetric keys.
- Improve runtime configuration:
  * Read keytype from ntp.conf
  * Don't write ntp keys to syslog.
- Fix legacy action scripts to pass on command line arguments.
- bsc#944300: Remove 'kod' from the restrict line in ntp.conf.
- bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.
- Add a controlkey to ntp.conf to make the above work.
- Don't let 'keysdir' lines in ntp.conf trigger the 'keys' parser.
- Disable mode 7 (ntpdc) again, now that we don't use it anymore.
- Add 'addserver' as a new legacy action.
- bsc#910063: Fix the comment regarding addserver in ntp.conf.
- bsc#926510: Disable chroot by default.
- bsc#920238: Enable ntpdc for backwards compatibility.


-----------------------------------------
Patch: SUSE-2016-728
Released: Fri May  6 15:53:05 2016
Summary: Recommended update for rsyslog
Severity: low
References: 958728
Description:

This update for rsyslog provides the following fixes:

- Allow rsyslog to bind to UDP sockets with an IP address that is not yet configured
  in any local network interface.


-----------------------------------------
Patch: SUSE-2016-729
Released: Fri May  6 15:53:38 2016
Summary: Recommended update for pciutils-ids
Severity: low
References: 958712
Description:

The system's PCI IDs database has been updated to version 2016.04.04.


-----------------------------------------
Patch: SUSE-2016-756
Released: Wed May 11 17:20:38 2016
Summary: Recommended update for augeas
Severity: moderate
References: 933210,975729
Description:

This update for augeas fixes the following issues:

- Improved inputrc, host.conf and shellvars lenses. (bsc#975729)
- Temporarily rule out everything in if-up.d and if-down.d from the shellvars
  lens. (bsc#933210)


-----------------------------------------
Patch: SUSE-2016-760
Released: Thu May 12 14:26:13 2016
Summary: Recommended update for hwinfo
Severity: low
References: 908616,913360,941288,943008,949287,974737
Description:

This update for hwinfo provides the following fixes and enhancements:

- Adjust DMI parser to read memory size according to latest SMBIOS spec. (bsc#974737)
- SCSI serial id: Read VPD page 0x80 from sysfs, if possible. (bsc#949287)
- Adjust disk device info gathering after NVMe driver change. (bsc#943008)
- Read disk model info also via SCSI inquiry command. (bsc#943008)
- Expose more properties to all devices in /proc/device-tree/vpd. (bsc#941288)
- Add ARM platform devices. (bsc#908616)


-----------------------------------------
Patch: SUSE-2016-781
Released: Wed May 18 14:01:57 2016
Summary: Optional update for flac
Severity: low
References: 975377
Description:
This update adds libFLAC++6 to SUSE Linux Enterprise Desktop 12 SP1.

-----------------------------------------
Patch: SUSE-2016-791
Released: Wed May 18 15:20:56 2016
Summary: Security update for systemd
Severity: moderate
References: 959886,960158,963230,965897,967122,970423,970860,972612,972727,973848,976766,978275,CVE-2014-9770,CVE-2015-8842
Description:

This update for SystemD provides fixes and enhancements.

The following security issue has been fixed:

- Don't allow read access to journal files to users. (bsc#972612, CVE-2014-9770, CVE-2015-8842)

The following non-security issues have been fixed:

- Restore initrd-udevadm-cleanup-db.service. (bsc#978275, bsc#976766)
- Incorrect permissions set after boot on journal files. (bsc#973848)
- Exclude device-mapper from block device ownership event locking. (bsc#972727)
- Explicitly set mode for /run/log.
- Don't apply sgid and executable bit to journal files, only the directories they are contained in.
- Add ability to mask access mode by pre-existing access mode on files/directories.
- No need to pass --all if inactive is explicitly requested in list-units. (bsc#967122)
- Fix automount option and don't start associated mount unit at boot. (bsc#970423)
- Support more than just power-gpio-key. (fate#318444, bsc#970860)
- Add standard gpio power button support. (fate#318444, bsc#970860)
- Downgrade warnings about wanted unit which are not found. (bsc#960158)
- Shorten hostname before checking for trailing dot. (bsc#965897)
- Remove WorkingDirectory parameter from emergency, rescue and console-shell.service. (bsc#959886)
- Don't ship boot.udev and systemd-journald.init anymore.
- Revert 'log: honour the kernel's quiet cmdline argument'. (bsc#963230)


-----------------------------------------
Patch: SUSE-2016-801
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Severity: moderate
References: 915846
Description:

This update for curl fixes the following issue:

- Fix 'Network is unreachable' error when ipv6 is not available but ipv4.
  This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)



-----------------------------------------
Patch: SUSE-2016-802
Released: Thu May 19 22:38:32 2016
Summary: Recommended update for open-iscsi
Severity: important
References: 974102
Description:

This update for open-iscsi fixes the following issue:

- Fix possible data corruption with iSCSI switch port flicker (bsc#974102)



-----------------------------------------
Patch: SUSE-2016-812
Released: Mon May 23 14:36:18 2016
Summary: Recommended update for tcpdump
Severity: low
References: 944294
Description:

This update for tcpdump removes a duplicated binary (/usr/sbin/tcpdump.4.5.1) from the package.


-----------------------------------------
Patch: SUSE-2016-818
Released: Mon May 23 17:04:36 2016
Summary: Security update for openssh
Severity: moderate
References: 729190,932483,945484,945493,947458,948902,960414,961368,962313,965576,970632,975865,CVE-2015-8325,CVE-2016-1908,CVE-2016-3115
Description:
This update for OpenSSH fixes three security issues.

These security issues were fixed:
- CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632)
- CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313)
- CVE-2015-8325: Ignore PAM environment when using login (bsc#975865)

These non-security issues were fixed:
- Fix help output of sftp (bsc#945493)
- Restarting openssh with openssh-fips installed was not working correctly (bsc#945484)
- Fix crashes when /proc is not available in the chroot (bsc#947458)
- Correctly parse GSSAPI KEX algorithms (bsc#961368)
- More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414)
- Fix PRNG re-seeding (bsc#960414, bsc#729190)
- Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902)


-----------------------------------------
Patch: SUSE-2016-835
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 979629
Description:

This update for libgcrypt fixes the following issue:

- Fix failing reboot after installing fips pattern (bsc#979629) 


-----------------------------------------
Patch: SUSE-2016-841
Released: Fri May 27 11:29:34 2016
Summary: Recommended update for bash
Severity: moderate
References: 976776
Description:

This update for bash fixes the following issue:

- Fix crash if ~/.bash_history is empty (bsc#976776)


-----------------------------------------
Patch: SUSE-2016-848
Released: Fri May 27 15:06:09 2016
Summary: Recommended update for cloud-init
Severity: moderate
References: 978048
Description:

This update for cloud-init fixes the following issues:

- Avoid login prompt before cloud-init is finished (bsc#978048)


-----------------------------------------
Patch: SUSE-2016-858
Released: Tue May 31 13:04:57 2016
Summary: Recommended update for Software Update Stack
Severity: moderate
References: 933760,949945,951592,956480,964932,967006,971637,974275
Description:

This update for the Software Update Stack provides the following fixes:

PackageKit:

- Raise priority of software stack updates (zypper, libzypp) if there are pending
  security patches shadowed by it. (bsc#951592)

libsolv:

- Simplify handling of pseudo package updates. (bsc#967006)
- Improve speed of rpmmd metadata parsing.

libzypp:

- Fix credential file parser losing entries with known URL but different user name. (bsc#933760)
- RepoManager: Allow extraction of multiple baseurls for service repositories. (bsc#964932)
- DiskUsageCounter: Limit estimated waste per file. (bsc#974275)
- Filter unwanted btrfs subvolumes. (bsc#949945)
- Use PluginExecutor for commit- and system-hooks. (bsc#971637)

zypper:

- Fix testing for '-- download*' options. (bsc#956480)


-----------------------------------------
Patch: SUSE-2016-863
Released: Tue May 31 17:54:57 2016
Summary: Recommended update for autofs
Severity: low
References: 955477
Description:

This update for autofs fixes a build issue which prevented automount from being
linked to the reentrant version of libldap.


-----------------------------------------
Patch: SUSE-2016-870
Released: Wed Jun  1 13:46:24 2016
Summary: Recommended update for systemd
Severity: moderate
References: 964934,980303
Description:

This update for systemd fixes the following issues:

- Re-add NVMe entries to udev's 60-persistent-storage.rules. (bsc#980303)
- Always create dependencies for bind mounts and loop devices. (bsc#964934)


-----------------------------------------
Patch: SUSE-2016-878
Released: Thu Jun  2 14:55:15 2016
Summary: Recommended update for samba
Severity: important
References: 977669,979268,CVE-2016-2110
Description:

This update for Samba provides the following fixes:

- Fix libads' record session expiry for spnego sasl binds. (bsc#979268)
- Fix NT_STATUS_ACCESS_DENIED when accessing windows public share.
- Only validate MIC if 'map to guest' is not being used.
- NetAPP SMB servers don't negotiate NTLMSSP_SIGN. (bsc#977669)
- Fix non-working anonymous smb connections.
- Handle broken mechListMIC response from Windows 2000.
- wbinfo -u or net ads search doesn't work anymore.
- Fix regressions regarding the NTLMSSP hardening of CVE-2016-2110.
- Allow Domain member resolve trusted domains' users.


-----------------------------------------
Patch: SUSE-2016-880
Released: Thu Jun  2 19:57:59 2016
Summary: Recommended update for supportutils
Severity: low
References: 976358
Description:

This update for supportutils provides the following fixes:

- Added new SLE12 SP2 kernel taint flags. (bsc#976358)
- Fixed NFS service detection.


-----------------------------------------
Patch: SUSE-2016-884
Released: Fri Jun  3 14:21:26 2016
Summary: Recommended update for SUSEConnect and zypper-migration-plugin
Severity: low
References: 972688,973315,973851,973886,975485
Description:

This update for SUSEConnect and zypper-migration-plugin provides fixes and enhancements.

SUSEConnect:

- Implement more flexible exit codes handling in internal zypper calls. (bsc#973851)
- Direct update from versions older than 0.2.27 does not remove /usr/bin symlink. (bsc#973315)

zypper-migration-plugin:

- Improve help text for --download-only option. (bsc#973886)
- Call rollback only if release package can't be installed.
- Improve error messages. (bsc#975485)
- Add zypper-migration.8 man page. (bsc#972688)
- Install release packages and call SUSEConnect rollback before getting migration
  target. (fate#320533)


-----------------------------------------
Patch: SUSE-2016-890
Released: Mon Jun  6 08:33:13 2016
Summary: Recommended update for mailx
Severity: low
References: 974561
Description:

This update for mailx fixes the following issues:

- Correct parenthese expansion to fulfill natural order (bsc#974561)


-----------------------------------------
Patch: SUSE-2016-897
Released: Tue Jun  7 09:46:29 2016
Summary: Security update for supportutils
Severity: moderate
References: 980670,CVE-2016-1602
Description:
supportutils was updated to fix one security issue.

This security issue was fixed:
- CVE-2016-1602: Code injection and privilege escalation via unescaped filenames (bsc#980670).
  

-----------------------------------------
Patch: SUSE-2016-898
Released: Tue Jun  7 09:48:12 2016
Summary: Security update for expat
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:

This update for expat fixes the following issues: 

Security issue fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)


-----------------------------------------
Patch: SUSE-2016-900
Released: Tue Jun  7 10:58:37 2016
Summary: Security update for libksba
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:

This update for libksba fixes the following issues:

- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adding reliability fixes from v1.3.4.



-----------------------------------------
Patch: SUSE-2016-905
Released: Tue Jun  7 16:40:07 2016
Summary: Recommended update for bash-completion, util-linux
Severity: moderate
References: 880468,889319,903362,903440,903738,905348,922758,923777,924994,931955,940835,940837,943415,946875,947494,949754,950778,953691,954482,956540,958462,959299,963140,963399,970404,972684,975082,976141,977259,977336,CVE-2015-5218
Description:

This update provides fixes and enhancements to bash-completion and util-linux.

bash-completion:

- Improve completion of LVM commands. (bsc#946875)
- Fix completion with backticks. (bsc#940835)
- Make ls completion smarter. (bsc#889319)
- Avoid negative cword position counter. (bsc#922758)
- Avoid trouble if restricted characters of the shell (e.g. exclamation mark) are used
  in PS1. (bsc#903362)
- Expand variables whose value is a directory to avoid escaped dollar sign. (bsc#905348)
- Remove completions conflicting with util-linux. (bsc#977259)
- Improve handling of sub commands which will be expanded by backticks. (bsc#963140)
- Fix completion within a directory even if local sub directories exist. (bsc#977336)
- Allow completions list. (bsc#958462)
- Improve handling of completions of which result in variables. (bsc#940837, bsc#959299)

util-linux:

- Reuse existing loop device to prevent possible data corruption when multiple -o loop
  are used to mount a single file. (bsc#947494)
- Remove incorrect --with-bashcompletiondir that breaks bash-completion, use path in
  bash-completion.pc instead. (bsc#977259)
- Fix blkid to wipe correct area for probes with offset. (bsc#976141)
- Fix and improve function of lscpu on Power Systems. (bsc#975082)
- Fix crash while evaluating root of btrfs. (bsc#972684)
- Make sulogin call tcfinal unconditionally. (bsc#970404)
- Fixing 'mount -a' for loop devices. (bsc#947494)
- Prevent 'mount -a' from mounting btrfs volumes multiple times. (bsc#947494)
- Add support for locked root accounts in sulogin. (bsc#963399)
- Remove Persistent= directive from fstrim for systemd versions older than 212.
  (bsc#956540, bsc#953691, bsc#954482)
- Prevent colcrt buffer overflow. (bsc#949754, CVE-2015-5218)
- Do not segfault when TERM is not defined or wrong. (bsc#903440)
- Fix fsck -C {fd} parsing. (bsc#923777, bsc#903738)
- Add patches to fix lsblk output in some situations. (bsc#943415, bsc#950778)
- Fix mount point lookup (and mount -a) if the path contains //. (bsc#931955)
- Follow multipath-tools partition names configuration. (bsc#880468)
- Fix recognition of /dev/dm-N partitions names. (bsc#880468)
- Fix lsblk -f and fdisk -l on devices with nodes in /dev subdirectory. (bsc#924994)


-----------------------------------------
Patch: SUSE-2016-907
Released: Wed Jun  8 13:45:40 2016
Summary: Recommended update for Mesa
Severity: moderate
References: 980382
Description:

This update for Mesa fixes the following issues:

- Potential crash due to out of bounds ScreenCount check. (bsc#980382).


-----------------------------------------
Patch: SUSE-2016-909
Released: Wed Jun  8 13:50:21 2016
Summary: Recommended update for irqbalance
Severity: moderate
References: 949276,968711,968870
Description:

This update for irqbalance fixes the following issues:

- Fix banned IRQ balance list. (bsc#968711)
- Remove unused sysconfig variable IRQBALANCE_BANNED_INTERRUPTS. (bsc#968870)
- Balance correctly IRQs reappearing. (bsc#949276)
- Classify PCI Sub-Class for better performance. (bsc#949276)
- Follow latest PCI class code spec. (bsc#949276)


-----------------------------------------
Patch: SUSE-2016-915
Released: Thu Jun  9 14:41:18 2016
Summary: Security update for libxml2
Severity: important
References: 963963,965283,978395,981040,981041,981108,981109,981111,981112,981114,981115,981548,981549,981550,CVE-2015-8806,CVE-2016-1762,CVE-2016-1833,CVE-2016-1834,CVE-2016-1835,CVE-2016-1837,CVE-2016-1838,CVE-2016-1839,CVE-2016-1840,CVE-2016-2073,CVE-2016-3705,CVE-2016-4447,CVE-2016-4448,CVE-2016-4449,CVE-2016-4483
Description:

This update for libxml2 fixes the following security issues: 

- CVE-2016-2073, CVE-2015-8806, CVE-2016-1839: A Heap-buffer overread
  was fixed in libxml2/dict.c  [bsc#963963, bsc#965283, bsc#981114].
- CVE-2016-4483: Code was added to avoid an out of bound access when
  serializing malformed strings [bsc#978395].
- CVE-2016-1762: Fixed a heap-based buffer overread in xmlNextChar [bsc#981040].
- CVE-2016-1834: Fixed a heap-buffer-overflow in xmlStrncat [bsc#981041].
- CVE-2016-1833: Fixed a heap-based buffer overread in htmlCurrentChar [bsc#981108].
- CVE-2016-1835: Fixed a heap use-after-free in xmlSAX2AttributeNs [bsc#981109].
- CVE-2016-1837: Fixed a heap use-after-free in htmlParsePubidLiteral
  and htmlParseSystemiteral [bsc#981111].
- CVE-2016-1838: Fixed a heap-based buffer overread in
  xmlParserPrintFileContextInternal [bsc#981112].
- CVE-2016-1840: Fixed a heap-buffer-overflow in xmlFAParsePosCharGroup [bsc#981115].
- CVE-2016-4447: Fixed a heap-based buffer-underreads due to xmlParseName [bsc#981548].
- CVE-2016-4448: Fixed some format string warnings with possible format
  string vulnerability [bsc#981549],
- CVE-2016-4449: Fixed inappropriate fetch of entities content [bsc#981550].
- CVE-2016-3705: Fixed missing increment of recursion counter.


-----------------------------------------
Patch: SUSE-2016-920
Released: Fri Jun 10 12:46:43 2016
Summary: Recommended update for sysconfig
Severity: moderate
References: 865573
Description:

This update for sysconfig fixes the following issue:

- ppp: install refactored ip-up and related scripts (bsc#865573)


-----------------------------------------
Patch: SUSE-2016-929
Released: Mon Jun 13 13:43:27 2016
Summary: Recommended update for mtools
Severity: low
References: 957007
Description:

This update for mtools provides the following fixes:

- Add glibc-locale as a runtime dependency. Tools like mcopy(1) use it. (bsc#957007)


-----------------------------------------
Patch: SUSE-2016-933
Released: Tue Jun 14 08:45:41 2016
Summary: Security update for ntp
Severity: important
References: 957226,962960,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,979981,981422,982064,982065,982066,982067,982068,CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Description:
ntp was updated to version 4.2.8p8 to fix 17 security issues.

These security issues were fixed:
- CVE-2016-4956: Broadcast interleave (bsc#982068).
- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457).
- CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458).
- CVE-2016-4954: Processing spoofed server packets (bsc#982066).
- CVE-2016-4955: Autokey association reset (bsc#982067).
- CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton key (bsc#962960).
- CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch (bsc#977452).
- CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated (bsc#977455).
- CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065).
- CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).
- CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering (bsc#977450).
- CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464).
- CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461).
- CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY (bsc#977451).

This release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974.

These non-security issues were fixed:
- bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice.
- bsc#981422: Don't ignore SIGCHILD because it breaks wait().
- bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service.
- Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. by 'rcntp addserver'.
- bsc#957226: Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf.
  

-----------------------------------------
Patch: SUSE-2016-937
Released: Tue Jun 14 15:12:23 2016
Summary: Recommended update for lio-utils
Severity: moderate
References: 972717,972720
Description:

This update for lio-utils fixes the following issues:

- Provide target status by adding a helper script (bsc#972717)
- Update HOWTO to talk about systemd instead of init (bsc#972720)



-----------------------------------------
Patch: SUSE-2016-940
Released: Wed Jun 15 11:45:37 2016
Summary: Security update for libarchive
Severity: moderate
References: 979005,CVE-2016-1541
Description:

This update for libarchive fixes the following issue: 

- Fix a heap-based buffer overflow (CVE-2016-1541, bsc#979005)



-----------------------------------------
Patch: SUSE-2016-941
Released: Wed Jun 15 14:26:35 2016
Summary: Recommended update for gcc48
Severity: moderate
References: 955382,970009,976627,977654
Description:

This update for gcc48 fixes the following issues:

- Fix internal compiler error specific to the ppc64le architecture. (bsc#976627)
- Fix issue with using gcov and #pragma pack. (bsc#977654)
- Fix internal compiler error when building samba on aarch64. (bsc#970009)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Build without GRAPHITE where cloog-isl is not available.


-----------------------------------------
Patch: SUSE-2016-942
Released: Wed Jun 15 14:37:23 2016
Summary: Recommended update for dmidecode
Severity: low
References: 955705,974862
Description:

This update for dmidecode fixes the following issues:

- Skip the SMBIOS version comparison in quiet mode. (bsc#974862)
- Add support for DDR4 memory type. (bsc#955705)
- Decode the CPUID of recent AMD processors.
- Fix memory voltage labels.


-----------------------------------------
Patch: SUSE-2016-944
Released: Thu Jun 16 11:08:01 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 983143,CVE-2016-1583
Description:
The SUSE Linux Enterprise 12 GA kernel was updated to fix one security issue.

The following security bug was fixed:
- CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143).


-----------------------------------------
Patch: SUSE-2016-949
Released: Thu Jun 16 15:33:18 2016
Summary: Security update for libtasn1
Severity: moderate
References: 929414,961491,982779,CVE-2015-3622,CVE-2016-4008
Description:
This update for libtasn1 fixes the following issues:

- Malformed asn1 definitions could have caused a segmentation fault in the asn1 definition parser (bsc#961491)
- CVE-2015-3622: Fixed invalid read in octet string decoding (bsc#929414)
- CVE-2016-4008: Fixed infinite loop while parsing DER certificates (bsc#982779)


-----------------------------------------
Patch: SUSE-2016-953
Released: Fri Jun 17 13:25:32 2016
Summary: Recommended update for libcap1
Severity: low
References: 982232
Description:

This update fixes building of libcap1 with newer versions of glibc.


-----------------------------------------
Patch: SUSE-2016-967
Released: Mon Jun 20 12:05:16 2016
Summary: Recommended update for timezone
Severity: low
References: 982833
Description:

This update provides the latest timezone information (2016e) for your
system, including the following changes:

- Africa/Cairo observes DST in 2016 from July 7 to the end of October.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-June/000039.html


-----------------------------------------
Patch: SUSE-2016-981
Released: Tue Jun 21 16:13:37 2016
Summary: Recommended update for mdadm
Severity: moderate
References: 853944,930417,939124,952644,953380,953595,956236,958597,966773,974154
Description:

This update for mdadm fixes the following issues:

- A segmentation fault when a disk is re-added to the system shortly after being
  removed. (bsc#974154)
- A problem when adding a spare disk to a degraded array. (bsc#958597)
- A misleading error code returned by mdadm --detail on inactive arrays. (bsc#966773)
- 'Insufficient head-space for reshape' error when attempting to expand array on s390x
  systems. (bsc#953595)
- Message 'Starting Activate md array even though degraded...' could be erroneously
  printed at boot time. (bsc#853944)
- A regression in 'mdadm /dev/mdXX --remove failed' handling. (bsc#952644)
- A regression when attempting to remove failed devices from an array. (bsc#952644)
- Potential corruption of DDF anchor. (bsc#930417)
- A crash when running --detail on a dm device which contains an md device. (bsc#939124)
- Ignore multipath devices when not yet ready. (bsc#956236)


-----------------------------------------
Patch: SUSE-2016-987
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Severity: low
References: 981616
Description:

This update for procps fixes the following issues:

- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)


-----------------------------------------
Patch: SUSE-2016-997
Released: Fri Jun 24 14:38:39 2016
Summary: Recommended update for bind
Severity: moderate
References: 908850,977657,983505
Description:

The BIND DNS server was updated to version 9.9.9-P1, which brings fixes and
enhancements.

One new feature has been implemented:

- Add quotas to be used in recursive resolvers that are under high query load 
  for names in zones whose authoritative servers are non-responsive or are 
  experiencing a denial of service attack. (fate#320694)

The following fixes are also included in the update:

- Make /var/lib/named owned by the named user. (bsc#908850)
- Add systemd service macros. (bsc#977657)


-----------------------------------------
Patch: SUSE-2016-1001
Released: Mon Jun 27 15:26:48 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 676471,880007,889207,899908,903279,928547,931448,940413,943989,944309,945345,947337,953233,954847,956491,956852,957805,957986,960857,962336,962846,962872,963193,963572,963762,964461,964727,965319,966054,966245,966573,966831,967251,967292,967299,967903,968010,968141,968448,968512,968667,968670,968687,968812,968813,969439,969571,969655,969690,969735,969992,969993,970062,970114,970504,970506,970604,970892,970909,970911,970948,970955,970956,970958,970970,971049,971124,971125,971126,971159,971170,971360,971600,971628,971947,972003,972174,972844,972891,972933,972951,973378,973556,973570,973855,974165,974308,974406,974418,974646,975371,975488,975533,975945,976739,976868,977582,977685,978401,978822,979169,979213,979419,979485,979548,979867,979879,980348,980371,981143,981344,982354,982698,983213,983318,983394,983904,984456,CVE-2014-9717,CVE-2015-8816,CVE-2015-8845,CVE-2016-0758,CVE-2016-2053,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3672,CVE-2016-3689,CVE-2016-3951,CVE-2016-4482,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4805,CVE-2016-5244
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.60 to receive various security and bugfixes.

The following security bugs were fixed:
- CVE-2014-9717: fs/namespace.c in the Linux kernel processes MNT_DETACH umount2 system called without verifying that the MNT_LOCKED flag is unset, which allowed local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace (bnc#928547).
- CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010).
- CVE-2015-8845: The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975533).
- CVE-2016-0758: Fix ASN.1 indefinite length object parsing (bsc#979867).
- CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762).
- CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandled the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h. (bnc#970504)
- CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125).
- CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124).
- CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958).
- CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956).
- CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).
- CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948).
- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
- CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955).
- CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970).
- CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911).
- CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909).
- CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892).
- CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandled destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360).
- CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308).
- CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628).
- CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418).
- CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401).
- CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822).
- CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548).
- CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213).
- CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879).
- CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371).
- CVE-2016-5244: Fixed an infoleak in rds_inc_info_copy (bsc#983213).

The following non-security bugs were fixed:
- ALSA: hrtimer: Handle start/stop more properly (bsc#973378).
- ALSA: timer: Call notifier in the same spinlock (bsc#973378).
- ALSA: timer: Protect the whole snd_timer_close() with open race (bsc#973378).
- ALSA: timer: Sync timer deletion at closing the system timer (bsc#973378).
- ALSA: timer: Use mod_timer() for rearming the system timer (bsc#973378).
- Btrfs-8394-qgroup-Account-data-space-in-more-proper-timin.patch: (bsc#963193).
- Btrfs: do not collect ordered extents when logging that inode exists (bsc#977685).
- Btrfs: do not use src fd for printk (bsc#980348).
- Btrfs: fix deadlock between direct IO reads and buffered writes (bsc#973855).
- Btrfs: fix empty symlink after creating symlink and fsync parent dir (bsc#977685).
- Btrfs: fix file loss on log replay after renaming a file and fsync (bsc#977685).
- Btrfs: fix file/data loss caused by fsync after rename and new inode (bsc#977685).
- Btrfs: fix for incorrect directory entries after fsync log replay (bsc#957805, bsc#977685).
- Btrfs: fix loading of orphan roots leading to BUG_ON (bsc#972844).
- Btrfs: fix race between fsync and lockless direct IO writes (bsc#977685).
- Btrfs: fix unreplayable log after snapshot delete + parent dir fsync (bsc#977685).
- Btrfs: handle non-fatal errors in btrfs_qgroup_inherit() (bsc#972951).
- Btrfs: qgroup: Fix dead judgement on qgroup_rescan_leaf() return value (bsc#969439).
- Btrfs: qgroup: Fix qgroup accounting when creating snapshot (bsc#972933).
- Btrfs: qgroup: return EINVAL if level of parent is not higher than child's (bsc#972951).
- Btrfs: teach backref walking about backrefs with underflowed offset values (bsc#975371).
- CacheFiles: Fix incorrect test for in-memory object collision (bsc#971049).
- CacheFiles: Handle object being killed before being set up (bsc#971049).
- Ceph: Remove racey watch/notify event infrastructure (bsc#964727)
- Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets (bsc#976739).
- FS-Cache: Add missing initialization of ret in cachefiles_write_page() (bsc#971049).
- FS-Cache: Count culled objects and objects rejected due to lack of space (bsc#971049).
- FS-Cache: Fix cancellation of in-progress operation (bsc#971049).
- FS-Cache: Handle a new operation submitted against a killed object (bsc#971049).
- FS-Cache: Move fscache_report_unexpected_submission() to make it more available (bsc#971049).
- FS-Cache: Out of line fscache_operation_init() (bsc#971049).
- FS-Cache: Permit fscache_cancel_op() to cancel in-progress operations too (bsc#971049).
- FS-Cache: Put an aborted initialised op so that it is accounted correctly (bsc#971049).
- FS-Cache: Reduce cookie ref count if submit fails (bsc#971049).
- FS-Cache: Synchronise object death state change vs operation submission (bsc#971049).
- FS-Cache: The operation cancellation method needs calling in more places (bsc#971049).
- FS-Cache: Timeout for releasepage() (bsc#971049).
- FS-Cache: When submitting an op, cancel it if the target object is dying (bsc#971049).
- FS-Cache: fscache_object_is_dead() has wrong logic, kill it (bsc#971049).
- Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309)
- Fix kabi issue (bsc#971049).
- Fix kmalloc overflow in LPFC driver at large core count (bsc#969690).
- Fix problem with setting ACL on directories (bsc#967251).
- Input: i8042 - lower log level for 'no controller' message (bsc#945345).
- KVM: SVM: add rdmsr support for AMD event registers (bsc#968448).
- MM: increase safety margin provided by PF_LESS_THROTTLE (bsc#956491).
- NFSv4.1: do not use machine credentials for CLOSE when using 'sec=sys' (bsc#972003).
- PCI/AER: Fix aer_inject error codes (bsc#931448).
- PCI/AER: Log actual error causes in aer_inject (bsc#931448).
- PCI/AER: Log aer_inject error injections (bsc#931448).
- PCI/AER: Use dev_warn() in aer_inject (bsc#931448).
- Revert 'libata: Align ata_device's id on a cacheline'.
- Revert 'net/ipv6: add sysctl option accept_ra_min_hop_limit'.
- USB: quirk to stop runtime PM for Intel 7260 (bnc#984456).
- USB: usbip: fix potential out-of-bounds write (bnc#975945).
- USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982698).
- Update patches.drivers/0001-nvme-fix-max_segments-integer-truncation.patch (bsc#979419). Fix reference.
- Update patches.drivers/drm-ast-Initialize-data-needed-to-map-fbdev-memory.patch (bnc#880007). Fix refs and upstream status.
- Update patches.kernel.org/patch-3.12.55-56 references (add bsc#973570).
- Update patches.suse/kgr-0102-add-TAINT_KGRAFT.patch (bsc#974406).
- acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604).
- acpi: Disable APEI error injection if securelevel is set (bsc#972891).
- cachefiles: perform test on s_blocksize when opening cache file (bsc#971049).
- cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857, bsc#974646).
- dmapi: fix dm_open_by_handle_rvp taking an extra ref to mnt (bsc#967292).
- drm/core: Preserve the framebuffer after removing it (bsc#968812).
- drm/mgag200: Add support for a new G200eW3 chipset (bsc#983904).
- drm/mgag200: Add support for a new rev of G200e (bsc#983904).
- drm/mgag200: Black screen fix for G200e rev 4 (bsc#983904).
- drm/mgag200: remove unused variables (bsc#983904).
- drm/radeon: fix-up some float to fixed conversion thinkos (bsc#968813).
- drm/radeon: use HDP_MEM_COHERENCY_FLUSH_CNTL for sdma as well (bsc#968813).
- drm: qxl: Workaround for buggy user-space (bsc#981344).
- efifb: Fix 16 color palette entry calculation (bsc#983318).
- ehci-pci: enable interrupt on BayTrail (bnc#947337).
- enic: set netdev->vlan_features (bsc#966245).
- ext4: fix races between page faults and hole punching (bsc#972174).
- ext4: fix races of writeback with punch hole and zero range (bsc#972174).
- fix: print ext4 mountopt data_err=abort correctly (bsc#969735).
- fs, seq_file: fallback to vmalloc instead of oom kill processes (bnc#968687).
- fs, seqfile: always allow oom killer (bnc#968687).
- fs/pipe.c: skip file_update_time on frozen fs (bsc#975488).
- hid-elo: kill not flush the work (bnc#982354).
- ibmvscsi: Remove unsupported host config MAD (bsc#973556).
- ipv6: make fib6 serial number per namespace (bsc#965319).
- ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs (bsc#956852).
- ipv6: per netns FIB garbage collection (bsc#965319).
- ipv6: per netns fib6 walkers (bsc#965319).
- ipv6: replace global gc_args with local variable (bsc#965319).
- ipvs: count pre-established TCP states as active (bsc#970114).
- kABI: kgr: fix subtle race with kgr_module_init(), going notifier and kgr_modify_kernel().
- kABI: protect enum enclosure_component_type.
- kABI: protect function file_open_root.
- kABI: protect include in evm.
- kABI: protect struct dm_exception_store_type.
- kABI: protect struct fib_nh_exception.
- kABI: protect struct module.
- kABI: protect struct rq.
- kABI: protect struct sched_class.
- kABI: protect struct scm_creds.
- kABI: protect struct user_struct.
- kABI: protect struct user_struct.
- kabi fix for patches.fixes/reduce-m_start-cost (bsc#966573).
- kabi/severities: Whitelist libceph and rbd (bsc#964727).
- kabi: kgr, add reserved fields
- kabi: protect struct fc_rport_priv (bsc#953233, bsc#962846).
- kabi: protect struct netns_ipv6 after FIB6 GC series (bsc#965319).
- kgr: add TAINT_KGRAFT
- kgr: add kgraft annotation to hwrng kthread.
- kgr: add kgraft annotations to kthreads' wait_event_freezable() API calls.
- kgr: add objname to kgr_patch_fun struct.
- kgr: add sympos and objname to error and debug messages.
- kgr: add sympos as disambiguator field to kgr_patch_fun structure.
- kgr: add sympos to sysfs.
- kgr: call kgr_init_ftrace_ops() only for loaded objects.
- kgr: change to kallsyms_on_each_symbol iterator.
- kgr: define pr_fmt and modify all pr_* messages.
- kgr: do not print error for !abort_if_missing symbols (bnc#943989).
- kgr: do not return and print an error only if the object is not loaded.
- kgr: do not use WQ_MEM_RECLAIM workqueue (bnc#963572).
- kgr: fix an asymmetric dealing with delayed module loading.
- kgr: fix redirection on s390x arch (bsc#903279).
- kgr: fix subtle race with kgr_module_init(), going notifier and kgr_modify_kernel().
- kgr: handle btrfs kthreads (bnc#889207).
- kgr: kmemleak, really mark the kthread safe after an interrupt.
- kgr: log when modifying kernel.
- kgr: mark some more missed kthreads (bnc#962336).
- kgr: remove abort_if_missing flag.
- kgr: usb/storage: do not emit thread awakened (bnc#899908).
- kgraft/gfs2: Do not block livepatching in the log daemon for too long.
- kgraft/xen: Do not block livepatching in the XEN blkif kthread.
- libfc: replace 'rp_mutex' with 'rp_lock' (bsc#953233, bsc#962846).
- memcg: do not hang on OOM when killed by userspace OOM access to memory reserves (bnc#969571).
- mld, igmp: Fix reserved tailroom calculation (bsc#956852).
- mmc: Allow forward compatibility for eMMC (bnc#966054).
- mmc: sdhci: Allow for irq being shared (bnc#977582).
- net/qlge: Avoids recursive EEH error (bsc#954847).
- net: Account for all vlan headers in skb_mac_gso_segment (bsc#968667).
- net: Start with correct mac_len in skb_network_protocol (bsc#968667).
- net: disable fragment reassembly if high_thresh is set to zero (bsc#970506).
- net: fix wrong mac_len calculation for vlans (bsc#968667).
- net: irda: Fix use-after-free in irtty_open() (bnc#967903).
- nfs4: treat lock owners as opaque values (bnc#968141).
- nfs: fix high load average due to callback thread sleeping (bsc#971170).
- nfsd: fix nfsd_setattr return code for HSM (bsc#969992).
- nvme: fix max_segments integer truncation (bsc#676471).
- ocfs2: do not set fs read-only if rec[0] is empty while committing truncate (bnc#971947).
- ocfs2: extend enough credits for freeing one truncate record while replaying truncate records (bnc#971947).
- ocfs2: extend transaction for ocfs2_remove_rightmost_path() and ocfs2_update_edge_lengths() before to avoid inconsistency between inode and et (bnc#971947).
- perf, nmi: Fix unknown NMI warning (bsc#968512).
- pipe: limit the per-user amount of pages allocated in pipes (bsc#970948).
- rbd: do not log miscompare as an error (bsc#970062).
- rbd: handle OBJ_REQUEST_SG types for copyup (bsc#983394).
- rbd: report unsupported features to syslog (bsc#979169).
- rbd: use GFP_NOIO consistently for request allocations (bsc#971159).
- reduce m_start() cost.. (bsc#966573).
- rpm/modprobe-xen.conf: Revert comment change to allow parallel install (bsc#957986). This reverts commit 6c6d86d3cdc26f7746fe4ba2bef8859b5aeb346c.
- s390/pageattr: do a single TLB flush for change_page_attr (bsc#940413).
- sched/x86: Fix up typo in topology detection (bsc#974165).
- scsi: proper state checking and module refcount handling in scsi_device_get (boo#966831).
- series.conf: move netfilter section at the end of core networking
- supported.conf: Add bridge.ko for OpenStack (bsc#971600)
- supported.conf: Add isofs to -base (bsc#969655).
- supported.conf:Add drivers/infiniband/hw/ocrdma/ocrdma.ko to supported.conf (bsc#964461)
- target/rbd: do not put snap_context twice (bsc#981143).
- target/rbd: remove caw_mutex usage (bsc#981143).
- target: Drop incorrect ABORT_TASK put for completed commands (bsc#962872).
- target: Fix LUN_RESET active I/O handling for ACK_KREF (bsc#962872).
- target: Fix LUN_RESET active TMR descriptor handling (bsc#962872).
- target: Fix TAS handling for multi-session se_node_acls (bsc#962872).
- target: Fix race with SCF_SEND_DELAYED_TAS handling (bsc#962872).
- target: Fix remote-port TMR ABORT + se_cmd fabric stop (bsc#962872).
- vgaarb: Add more context to error messages (bsc#976868).
- x86, sched: Add new topology for multi-NUMA-node CPUs (bsc#974165).
- x86/efi: parse_efi_setup() build fix (bsc#979485).
- x86: standardize mmap_rnd() usage (bnc#974308).
- xen/acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604).
- xfs/dmapi: drop lock over synchronous XFS_SEND_DATA events (bsc#969993).
- xfs/dmapi: propertly send postcreate event (bsc#967299).


-----------------------------------------
Patch: SUSE-2016-1003
Released: Mon Jun 27 17:01:45 2016
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr, mozilla-nss
Severity: important
References: 982366,983549,983638,983639,983643,983646,983651,983652,983653,983655,984006,984126,985659,CVE-2016-2815,CVE-2016-2818,CVE-2016-2819,CVE-2016-2821,CVE-2016-2822,CVE-2016-2824,CVE-2016-2828,CVE-2016-2831,CVE-2016-2834
Description:
MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss and mozilla-nspr were updated to fix nine security issues.

MozillaFirefox was updated to version 45.2.0 ESR. mozilla-nss was updated to version 3.21.1.

These security issues were fixed:
- CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61) (bsc#983639).
- CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53) (bsc#983651).
- CVE-2016-2822: Addressbar spoofing though the SELECT element (MFSA 2016-52) (bsc#983652).
- CVE-2016-2821: Use-after-free deleting tables from a contenteditable document (MFSA 2016-51) (bsc#983653).
- CVE-2016-2819: Buffer overflow parsing HTML5 fragments (MFSA 2016-50) (bsc#983655).
- CVE-2016-2828: Use-after-free when textures are used in WebGL operations after recycle pool destruction (MFSA 2016-56) (bsc#983646).
- CVE-2016-2831: Entering fullscreen and persistent pointerlock without user permission (MFSA 2016-58) (bsc#983643).
- CVE-2016-2815, CVE-2016-2818: Miscellaneous memory safety hazards (MFSA 2016-49) (bsc#983638)
  
These non-security issues were fixed:
- bsc#982366: Unknown SSL protocol error in connections 
- Fix crashes on aarch64
  * Determine page size at runtime (bsc#984006)
  * Allow aarch64 to work in safe mode (bsc#985659)
- Fix crashes on mainframes

All extensions must now be signed by addons.mozilla.org. Please read README.SUSE for more details.


-----------------------------------------
Patch: SUSE-2016-1013
Released: Thu Jun 30 17:29:32 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 986362,CVE-2016-4997
Description:

The SUSE Linux Enterprise 12 GA kernel was updated to receive one critical security fix.

Security issue fixed:
- CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables handling could lead to a local privilege escalation. (bsc#986362)


-----------------------------------------
Patch: SUSE-2016-1015
Released: Thu Jun 30 21:23:38 2016
Summary: Security update for glibc
Severity: moderate
References: 968787,969727,973010,973164,975930,980483,980854,CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Description:

This update for glibc provides the following fixes:

- Increase DTV_SURPLUS limit. (bsc#968787)
- Do not copy d_name field of struct dirent. (CVE-2016-1234, bsc#969727)
- Fix memory leak in _nss_dns_gethostbyname4_r. (bsc#973010)
- Fix stack overflow in _nss_dns_getnetbyname_r. (CVE-2016-3075, bsc#973164)
- Fix malloc performance regression from SLE 11. (bsc#975930)
- Fix getaddrinfo stack overflow in hostent conversion. (CVE-2016-3706, bsc#980483)
- Do not use alloca in clntudp_call (CVE-2016-4429, bsc#980854)


-----------------------------------------
Patch: SUSE-2016-1016
Released: Fri Jul  1 14:37:29 2016
Summary: Security update for LibreOffice
Severity: moderate
References: 718113,856729,939998,945443,945445,955832,965294,965296,967014,967015,977784,CVE-2016-0794,CVE-2016-0795
Description:

LibreOffice was updated to version 5.1.3.2, bringing many new features and bug fixes.

Two security issues have been fixed:

- CVE-2016-0795: LibreOffice allowed remote attackers to cause a denial of service
  (memory corruption) or possibly have unspecified other impact via a crafted
  LwpTocSuperLayout record in a LotusWordPro (lwp) document.
- CVE-2016-0794: The lwp filter in LibreOffice allowed remote attackers to cause a
  denial of service (memory corruption) or possibly have unspecified other impact
  via a crafted LotusWordPro (lwp) document.

A comprehensive list of new features and improvements in this release is provided by
the Document Foundation at https://wiki.documentfoundation.org/ReleaseNotes/5.1 .


-----------------------------------------
Patch: SUSE-2016-1017
Released: Fri Jul  1 15:45:22 2016
Summary: Recommended update for openldap2
Severity: moderate
References: 770009,972331,976172,978408,984691
Description:

This update for openldap2 provides the following fixes:

- Package previously missing schema files in LDIF format and fix a minor issue in
  schema2ldif script that led to missing attribute in the generated LDIF. (bsc#984691)
- Enable non-blocking SSL/TLS handshakes. (fate#314570, bnc#770009, bsc#978408)
- Fix an issue with transaction management that could cause server crash. (bsc#972331)
- Remove outdated README.update file. (bsc#976172)


-----------------------------------------
Patch: SUSE-2016-1022
Released: Mon Jul  4 18:05:08 2016
Summary: Recommended update for cups
Severity: low
References: 968706
Description:

This update for cups fixes the following issues:

- Fix raw printing multiple files by adding the gziptoany filter. (bsc#968706)
- Avoid warnings in error_log of the form 'Unexpected 'document-name' operation
  attribute in a Create-Job request'.


-----------------------------------------
Patch: SUSE-2016-1026
Released: Wed Jul  6 17:20:17 2016
Summary: Recommended update for timezone
Severity: moderate
References: 987720
Description:

This update provides the latest timezone information (2016f) for your system, including the following changes:

- Egypt (Africa/Cairo) DST change 2016-07-07 cancelled (bsc#987720)
- Asia/Novosibirsk switches from +06 to +07 on 2016-07-24 02:00
- Asia/Novokuznetsk and Asia/Novosibirsk now use numeric time zone abbreviations instead of invented ones
- Europe/Minsk's 1992-03-29 spring-forward transition was at 02:00 not 00:00



-----------------------------------------
Patch: SUSE-2016-1028
Released: Thu Jul  7 11:50:47 2016
Summary: Recommended update for findutils
Severity: moderate
References: 986935
Description:

This update for findutils fixes the following issues:

- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)


-----------------------------------------
Patch: SUSE-2016-1029
Released: Thu Jul  7 11:52:21 2016
Summary: Recommended update for w3m
Severity: moderate
References: 950468,950800
Description:

This update for w3m fixes the following issues:

- Segmentation fault when doing an https request to an unresolvable host. (bsc#950468)
- w3mman(1) displays invalid characters. (bsc#950800)


-----------------------------------------
Patch: SUSE-2016-1055
Released: Thu Jul 14 14:22:30 2016
Summary: Recommended update for krb5
Severity: low
References: 968111
Description:

This update for krb5 fixes the following issues:

- Remove unneeded source file with unacceptable license (bsc#968111)



-----------------------------------------
Patch: SUSE-2016-1076
Released: Tue Jul 19 18:17:50 2016
Summary: Recommended update for cloud-init
Severity: low
References: 903449
Description:

This update for cloud-init fixes the following issues:

- Restore SIGPIPE default handler when executing shell scripts (bsc#903449)


-----------------------------------------
Patch: SUSE-2016-1087
Released: Fri Jul 22 10:53:01 2016
Summary: Recommended update for supportutils
Severity: moderate
References: 968073,968269,971778,987627
Description:

This update for supportutils fixes the following issues:

- Support for iSCSI LIO Targets (bsc#968269)
- Fixed docker error (bsc#971778)
- Fixed crash basename extra operand (bsc#968073, bsc#987627)


-----------------------------------------
Patch: SUSE-2016-1090
Released: Fri Jul 22 13:07:15 2016
Summary: Recommended update for automake
Severity: low
References: 986764
Description:

This update for automake provides the following fixes:

- Ensure ac_aux_dir is defined before usage. This fixes building of some packages
  (flatpak for instance). (bsc#986764)


-----------------------------------------
Patch: SUSE-2016-1091
Released: Fri Jul 22 20:13:08 2016
Summary: Recommended update for mozjs17
Severity: low
References: 984126
Description:

This update for mozjs17 adds support for 48 bits virtual address space, used
in the arm64 architecture.


-----------------------------------------
Patch: SUSE-2016-1103
Released: Wed Jul 27 03:45:48 2016
Summary: Recommended update for aaa_base
Severity: low
References: 958295,970395,971567
Description:

This update for aaa_base fixes the following issues:

- Let the ~/.i18n values parsed as well if GDM_LANG is set. (bsc#958295)
- Allow GDM to override locale.
- If GDM_LANG equals system LANG then use system defaults.
- Fix typo in last patch (no-systemctl support for chkconfig). (bsc#971567)


-----------------------------------------
Patch: SUSE-2016-1109
Released: Wed Jul 27 15:31:51 2016
Summary: Recommended update for numactl
Severity: low
References: 976199
Description:
This update for numactl enables support for the aarch64 architecture.


-----------------------------------------
Patch: SUSE-2016-1110
Released: Thu Jul 28 10:09:39 2016
Summary: Recommended update for permissions
Severity: low
References: 975352
Description:

This update for permissions fixes the following issues:

- chage(1) only needs read rights for /etc/shadow, so change its default mode to
  setgid shadow instead of setuid root. (bsc#975352)


-----------------------------------------
Patch: SUSE-2016-1115
Released: Thu Jul 28 12:40:36 2016
Summary: Recommended update for psmisc
Severity: low
References: 908063,930760,974161
Description:

This update for psmisc prevents attempts to close files which are not open. This
issue could make pstree(1) terminate with a segmentation fault.


-----------------------------------------
Patch: SUSE-2016-1120
Released: Thu Jul 28 17:19:40 2016
Summary: Recommended update for ksh
Severity: moderate
References: 962069,964966,982423,987362
Description:

This update for ksh fixes the following issues:

- Own the ksh files in /etc/alternatives. (bsc#987362, bsc#962069)
- Fix leak in optimize processing. (bsc#982423)
- Fix editor prediction code garbling input. (bsc#964966)


-----------------------------------------
Patch: SUSE-2016-1123
Released: Fri Jul 29 10:19:58 2016
Summary: Security update for libarchive
Severity: important
References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835,CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Description:
libarchive was updated to fix 20 security issues.

These security issues were fixed:
- CVE-2015-8918: Overlapping memcpy in CAB parser (bsc#985698).
- CVE-2015-8919: Heap out of bounds read in LHA/LZH parser (bsc#985697).
- CVE-2015-8920: Stack out of bounds read in ar parser (bsc#985675).
- CVE-2015-8921: Global out of bounds read in mtree parser (bsc#985682).
- CVE-2015-8922: Null pointer access in 7z parser (bsc#985685).
- CVE-2015-8923: Unclear crashes in ZIP parser (bsc#985703).
- CVE-2015-8924: Heap buffer read overflow in tar (bsc#985609).
- CVE-2015-8925: Unclear invalid memory read in mtree parser (bsc#985706).
- CVE-2015-8926: NULL pointer access in RAR parser (bsc#985704).
- CVE-2015-8928: Heap out of bounds read in mtree parser (bsc#985679).
- CVE-2015-8929: Memory leak in tar parser (bsc#985669).
- CVE-2015-8930: Endless loop in ISO parser (bsc#985700).
- CVE-2015-8931: Undefined behavior / signed integer overflow in mtree parser (bsc#985689).
- CVE-2015-8932: Compress handler left shifting larger than int size (bsc#985665).
- CVE-2015-8933: Undefined behavior / signed integer overflow in TAR parser (bsc#985688).
- CVE-2015-8934: Out of bounds read in RAR (bsc#985673).
- CVE-2016-4300: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo (bsc#985832).
- CVE-2016-4301: Stack buffer overflow in the mtree parse_device (bsc#985826).
- CVE-2016-4302: Heap buffer overflow in the Rar decompression functionality (bsc#985835).
- CVE-2016-4809: Memory allocate error with symbolic links in cpio archives (bsc#984990).


-----------------------------------------
Patch: SUSE-2016-1124
Released: Fri Jul 29 13:27:52 2016
Summary: Recommended update for libxcb
Severity: low
References: 984368
Description:

This update for libxcb provides the following fixes:

- Fix encoding of 64-bit elements in PRESENT extension. (bsc#984368)


-----------------------------------------
Patch: SUSE-2016-1126
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Severity: low
References: 983754,989788
Description:

This update for kmod fixes libkmod to handle very long lines in /proc/modules.


-----------------------------------------
Patch: SUSE-2016-1138
Released: Wed Aug  3 13:04:55 2016
Summary: Recommended update for dbus-1
Severity: low
References: 941352,978477,980928
Description:

This update for dbus-1 fixes the following issues:

- Correctly reset timeouts for pending file descriptors. (bsc#978477)
- Increase listen() backlog of AF_UNIX sockets to SOMAXCONN. (bsc#980928)
- Account for openSUSE:Leap in the conditional for choosing right 
  local state directories (boo#941352)


-----------------------------------------
Patch: SUSE-2016-1149
Released: Thu Aug  4 14:06:16 2016
Summary: Recommended update for gcc48
Severity: low
References: 981311
Description:

This update for gcc48 fixes a miscompilation issue specific to the aarch64 architecture.


-----------------------------------------
Patch: SUSE-2016-1152
Released: Thu Aug  4 15:02:18 2016
Summary: Recommended update for binutils
Severity: low
References: 970239,985642
Description:

GNU Binutils was updated to version 2.26.1, which brings several fixes and
enhancements:

- Add -mrelax-relocations on x86 but keep it disabled on old products.
- Add --fix-stm32l4xx-629360 to the ARM linker to enable a link-time workaround
  for a bug in the bus matrix / memory controller for some of the STM32 Cortex-M4
  based products (STM32L4xx).
- Add a configure option --enable-compressed-debug-sections={all,ld} to decide
  whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Experimental support for linker garbage collection (--gc-sections) has been
  enabled for COFF and PE based targets.
- New command line option for ELF targets to compress DWARF debug sections,
  --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi].
- New command line option, --orphan-handling=[place|warn|error|discard], to
  adjust how orphan sections are handled.  The default is 'place' which gives
  the current behavior, 'warn' and 'error' issue a warning or error respectively
  when orphan sections are found, and 'discard' will discard all orphan sections.
- Add support for LLVM plugin.
- Add --print-memory-usage option to report memory blocks usage.
- Add --require-defined option, it's like --undefined except the new symbol must
  be defined by the end of the link.
- Add a configure option --enable-compressed-debug-sections={all,gas} to decide
  whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures.  Remove assembler
  support for Argonaut RISC architectures.
- Add option to objcopy to insert new symbols into a file:
  --add-symbol <name>=[<section>:]<value>[,<flags>]
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Extend objcopy --compress-debug-sections option to support
  --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi] for ELF targets.
- Add --update-section option to objcopy.
- Add --output-separator option to strings.
- Fix internal error when applying TLSDESC relocations with no TLS segment
- Fix wrong insn type for troo insn.
- Change default common-page-size to 64K on aarch64.


-----------------------------------------
Patch: SUSE-2016-1168
Released: Tue Aug  9 12:02:10 2016
Summary: Recommended update for aaa_base
Severity: moderate
References: 992144
Description:

This update for aaa_base provides the following fixes:

- Do not use the = sign for setenv in /etc/profile.d/lang.csh (bsc#992144)


-----------------------------------------
Patch: SUSE-2016-1205
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:

This update for rpm provides the following fixes:

- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)


-----------------------------------------
Patch: SUSE-2016-1212
Released: Fri Aug 12 18:08:44 2016
Summary: Recommended update for p11-kit
Severity: low
References: 936598
Description:

This update for p11-kit fixes a potential segmentation fault in expand_homedir().


-----------------------------------------
Patch: SUSE-2016-1228
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:

This update for libidn fixes the following issues:

- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds-read when reading one zero byte as input (bsc#990189)

- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190) 

- CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191)

- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241) 



-----------------------------------------
Patch: SUSE-2016-1240
Released: Thu Aug 18 14:37:23 2016
Summary: Recommended update for gtk3
Severity: low
References: 957399,960612
Description:

This update for gtk3 fixes the following issues:

- Fix crash caused by signals that were not disconnected at program termination. (bsc#960612)
- Don't abort when trying to paint a surface with an error. (bsc#957399)


-----------------------------------------
Patch: SUSE-2016-1247
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Severity: moderate
References: 992966,CVE-2016-6318
Description:

This update for cracklib fixes the following issues:

- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)



-----------------------------------------
Patch: SUSE-2016-1252
Released: Mon Aug 22 15:12:43 2016
Summary: Recommended update for timezone
Severity: low
References: 988184
Description:

This update for timezone adds a positive leap second at the end of 2016-12-31.


-----------------------------------------
Patch: SUSE-2016-1257
Released: Tue Aug 23 15:21:19 2016
Summary: Security update for krb5
Severity: moderate
References: 991088,CVE-2016-3120
Description:

This update for krb5 fixes the following issues:

- CVE-2016-3120: KDC NULL Pointer Dereference Denial Of Service Vulnerability (bsc#991088)


-----------------------------------------
Patch: SUSE-2016-1259
Released: Tue Aug 23 17:25:28 2016
Summary: Recommended update for libpcap
Severity: low
References: 874131,992262
Description:

This update for libpcap provides the following fixes:

- Do not apply userspace filter until VLAN tag is reconstructed. (bsc#874131)
- Use TPID value passed by kernel rather than wild-guess 802.1Q. (bsc#874131)
- In 'vlan' filter BPF code, check also for 802.1ad (0x88a8) TPID in addition to
  802.1Q (0x8100) and non-standard 0x9100 Q-in-Q. (bsc#874131)
- Add missing DLT_INFINIBAND to dlt_choices table. (bsc#992262, fate#319438)


-----------------------------------------
Patch: SUSE-2016-1263
Released: Wed Aug 24 13:55:39 2016
Summary: Security update for dosfstools
Severity: moderate
References: 912607,980364,980377,CVE-2015-8872,CVE-2016-4804
Description:
dosfstools was updated to fix two security issues.

These security issues were fixed:
- CVE-2015-8872: The set_fat function in fat.c in dosfstools might have allowed attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an 'off-by-two error (bsc#980364).
- CVE-2016-4804: The read_boot function in boot.c in dosfstools allowed attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function (bsc#980377).

This non-security issue was fixed:
- bsc#912607: Attempt to rename root dir in fsck due to uninitialized fields.
  

-----------------------------------------
Patch: SUSE-2016-1267
Released: Wed Aug 24 15:43:49 2016
Summary: Security update for rsync
Severity: moderate
References: 915410,CVE-2014-9512
Description:
rsync was updated to fix one security issue.

- CVE-2014-9512: rsync allowed remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path (bsc#915410).
  

-----------------------------------------
Patch: SUSE-2016-1277
Released: Fri Aug 26 14:35:54 2016
Summary: Recommended update for libbluray
Severity: low
References: 981767
Description:

This update for libbluray prevents logging of debug messages to standard error.


-----------------------------------------
Patch: SUSE-2016-1294
Released: Tue Aug 30 09:52:19 2016
Summary: Security update for fontconfig
Severity: low
References: 992534,CVE-2016-5384
Description:

This update for fontconfig fixes the following issues:

- security update:
  * CVE-2016-5384: Possible double free due to insufficiently validated cache files [bsc#992534]


-----------------------------------------
Patch: SUSE-2016-1309
Released: Fri Sep  2 13:37:41 2016
Summary: Security update for wget
Severity: moderate
References: 937096,958342,984060,CVE-2015-2059,CVE-2016-4971
Description:

This update for wget fixes the following issues:

 - Fix for HTTP to a FTP redirection file name confusion vulnerability
   (bsc#984060, CVE-2016-4971).
 - Work around a libidn  vulnerability
   (bsc#937096, CVE-2015-2059).
 - Fix for wget fails with basicauth: Failed writing HTTP request:
   Bad file descriptor
   (bsc#958342)


-----------------------------------------
Patch: SUSE-2016-1310
Released: Fri Sep  2 14:39:19 2016
Summary: Recommended update for apparmor
Severity: low
References: 990006,991901
Description:

This update for apparmor provides the necessary profile adjustments for compatibility
with Samba 4.4.x.


-----------------------------------------
Patch: SUSE-2016-1326
Released: Thu Sep  8 11:37:44 2016
Summary: Security update for perl
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:

This update for Perl fixes the following issues:

- CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)


-----------------------------------------
Patch: SUSE-2016-1330
Released: Fri Sep  9 09:00:53 2016
Summary: Security update for tiff
Severity: moderate
References: 964225,973340,984808,984831,984837,984842,987351,CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Description:

This update for tiff fixes the following issues:

* CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds writes for invalid images (bsc#964225)
* CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).
* CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat (bsc#987351)
* CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (bsc#984837)
* CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function (bsc#984831)
* CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so (bsc#984842)
* CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (bsc#984808) 



-----------------------------------------
Patch: SUSE-2016-1331
Released: Fri Sep  9 13:21:17 2016
Summary: Recommended update for cairo
Severity: low
References: 987617
Description:

This update for cairo fixes a potential crash when calculating polygon intersections.


-----------------------------------------
Patch: SUSE-2016-1332
Released: Fri Sep  9 15:40:05 2016
Summary: Security update for openssh
Severity: moderate
References: 948902,981654,989363,992533,CVE-2016-6210,CVE-2016-6515
Description:

This update for openssh fixes the following issues:

- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [-prevent_timing_user_enumeration]
- Allow lowering the DH groups parameter limit in server as well
  as when GSSAPI key exchange is used (bsc#948902)
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)

Bug fixes:
- avoid complaining about unset DISPLAY variable (bsc#981654)


-----------------------------------------
Patch: SUSE-2016-1344
Released: Tue Sep 13 18:10:21 2016
Summary: Recommended update for kbd
Severity: low
References: 984958
Description:

This update for kbd adds mapping for two keycodes to br-abnt2 map:

- Slash (/): alt-gr + q
- Question mark (?): alt-gr + w


-----------------------------------------
Patch: SUSE-2016-1347
Released: Wed Sep 14 09:12:04 2016
Summary: Security update for gd
Severity: moderate
References: 982176,987577,988032,991436,991622,991710,995034,CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Description:

This update for gd fixes the following issues:

  * CVE-2016-6214: Buffer over-read issue when parsing crafted TGA file [bsc#991436]
  * CVE-2016-6132: read out-of-bands was found in the parsing of TGA files using libgd [bsc#987577]
  * CVE-2016-6128: Invalid color index not properly handled [bsc#991710]
  * CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991622]
  * CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032]
  * CVE-2016-5116: avoid stack overflow (read) with large names [bsc#982176]
  * CVE-2016-6905: Out-of-bounds read in function read_image_tga in gd_tga.c [bsc#995034]



-----------------------------------------
Patch: SUSE-2016-1355
Released: Thu Sep 15 14:52:37 2016
Summary: Recommended update for growpart
Severity: low
References: 998378
Description:

This update provides growpart 0.29, which brings the following enhancements and
fixes:

- Fix use of partx with newer util-linux versions.
- Fix some issues in error path reporting.
- Capture output of 'partx --help' as older versions do not support that flag and
  send output to standard error.
- Fix bug when growing partitions on disks greater than 2TB.
- Support sfdisk 2.26 or newer, and support gpt partitions with sfdisk.


-----------------------------------------
Patch: SUSE-2016-1358
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Severity: low
References: 983206
Description:

This update ships the GNU Compiler Collection (GCC) in version 6.2.

This update is shipped in two parts:

- SUSE Linux Enterprise Server 12 and Desktop:

  The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1
  and some others can now be used by GCC 6 built binaries.

- SUSE Linux Enterprise 12 Toolchain Module:

  The Toolchain module received the GCC 6 compiler suite with this update.

Changes:

- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic Optimization improvements:

- UndefinedBehaviorSanitizer gained a new sanitization option,
  -fsanitize=bounds-strict, which enables strict checking of array
  bounds. In particular, it enables -fsanitize=bounds as well as
  instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different
  pointers. This improves precision of the alias oracle by about 20-30%
  on higher-level C++ programs. Programs doing invalid type punning of
  pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This
  makes it possible to access both a variable and its alias in one
  translation unit which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++
  member functions is non-null. This eliminates common null pointer checks
  but also breaks some non-conforming code-bases (such as Qt-5, Chromium,
  KDevelop). As a temporary work-around -fno-delete-null-pointer-checks
  can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
    - Basic jump threading is now performed before profile construction
      and inline analysis, resulting in more realistic size and time
      estimates that drive the heuristics of the of inliner and function
      cloning passes.
    - Function cloning now more aggressively eliminates unused function
      parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved
  implementation of the OpenACC 2.0a specification.

C language specific improvements:

- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges,
  rather than just points, making it easier to identify the subexpression
  of interest within a complicated expression. In addition, there is
  now initial support for precise diagnostic locations within strings,
- Diagnostics can now contain 'fix-it hints', which are displayed in
  context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
    - -Wshift-negative-value warns about left shifting a negative value.
    - -Wshift-overflow warns about left shift overflows. This warning is
      enabled by default. -Wshift-overflow=2 also warns about left-shifting
      1 into the sign bit.
    - -Wtautological-compare warns if a self-comparison always evaluates
      to true or false. This warning is enabled by -Wall.
    - -Wnull-dereference warns if the compiler detects paths that
      trigger erroneous or undefined behavior due to dereferencing a null
      pointer. This option is only active when -fdelete-null-pointer-checks
      is active, which is enabled by optimizations in most targets. The
      precision of the warnings depends on the optimization options used.
    - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
    - -Wmisleading-indentation warns about places where the indentation
      of the code gives a misleading idea of the block structure of the
      code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers
  are present in a source file.

C improvements:

- It is possible to disable warnings when an initialized field
  of a structure or a union with side effects is being overridden
  when using designated initializers via a new warning option
  -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures
  and unions has been introduced. It specifies the storage order (aka
  endianness) in memory of scalar fields in structures or unions.

C++ improvements:

- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where
  a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert,
  and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.

libstdc++ improvements:

- Extensions to the C++ Library to support mathematical special functions
  (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the
  Library Fundamentals TS. This includes polymorphic memory resources and
  array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by
  _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have
  less run-time overhead than the full _GLIBCXX_DEBUG checks and don't
  affect the library ABI, so can be enabled per-translation unit.

Fortran improvements:

- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if
  front-end optimization is active. The maximum size for inlining can be
  set to n with the -finline-matmul-limit=n option and turned off with
  -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which
  have excess precision for their kind.
- The -Winteger-division option has been added, which warns about
  divisions of integer constants which are truncated. This option is
  included in -Wall by default.

Architecture improvements:

- AArch64 received a lot of improvements.

IA-32/x86-64 improvements:

- GCC now supports the Intel CPU named Skylake with AVX-512 extensions
  through -march=skylake-avx512. The switch enables the following ISA
  extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been
  added. This includes new intrinsic and built-in support. It is enabled
  through option -mmwaitx. The instructions monitorx and mwaitx implement
  the same functionality as the old monitor and mwait instructions. In
  addition mwaitx adds a configurable timer. The timer value is received
  as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack
  pointer using the command-line option -mstackrealign or __attribute__
  ((force_align_arg_pointer)). This allows functions compiled with
  a vector-aligned stack to be invoked from objects that keep only
  word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These
  can be used to access data via the %fs and %gs segments without having
  to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through
  the -march=znver1 and -mtune=znver1 options.

PowerPC / PowerPC64 / RS6000 improvements:

- PowerPC64 now supports IEEE 128-bit floating-point using the
  __float128 data type. In GCC 6, this is not enabled by default, but you
  can enable it with -mfloat128. The IEEE 128-bit floating-point support
  requires the use of the VSX instruction set. IEEE 128-bit floating-point
  values are passed and returned as a single vector value. The software
  emulator for IEEE 128-bit floating-point support is only built on
  PowerPC GNU/Linux systems where the default CPU is at least power7. On
  future ISA 3.0 systems (POWER 9 and later), you will be able to use the
  -mfloat128-hardware option to use the ISA 3.0 instructions that support
  IEEE 128-bit floating-point. An additional type (__ibm128) has been added
  to refer to the IBM extended double type that normally implements long
  double. This will allow for a future transition to implementing long
  double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the
  recently published OpenPOWER ISA 3.0 instructions. The following new
  switches are available:
     - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by
       the compiler.
     - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently,
       POWER8 tunings are used.
     - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus,
       count trailing zeros, array index support, integer multiply/add).
     - -mpower9-fusion: Generate code to suitably fuse instruction sequences for
       a POWER9 system.
     - -mpower9-dform: Generate code to use the new D-form (register+offset) memory
       instructions for the vector registers.
     - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec)
       instructions.
     - -mpower9-minmax: Reserved for future development.
     - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0
  instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(),
  allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values.
  This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as
  memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine
  whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both
  big- and little-endian (but not for 32-bit). The gold linker from at
  least binutils 2.25.1 must be available in the PATH when configuring and
  building gccgo to enable split stack. (The requirement for binutils 2.25.1
  applies to PowerPC64 only.) The split-stack feature allows a small initial
  stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

S/390, System z, IBM z Systems improvements:

- Support for the IBM z13 processor has been added. When using the
  -march=z13 option, the compiler will generate code making use of the
  new instructions and registers introduced with the vector extension
  facility. The -mtune=z13 option enables z13 specific instruction
  scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector
  types bigger than 8 bytes to 8. This is an ABI change and care must be
  taken when linking modules compiled with different arch levels which
  interchange variables containing vector type values. For newly compiled
  code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension
  provides a new keyword vector which can be used to define vector type
  variables. (Note: This is not available when enforcing strict standard
  compliance e.g. with -std=c99. Either enable GNU extensions with
  e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially
  compatible to the PowerPC Altivec builtins. In order to make use of
  these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native, and -mtune=native are now
  available on native IBM z Systems. Specifying these options will cause
  GCC to auto-detect the host CPU and rewrite these options to the optimal
  setting for that system. If GCC is unable to detect the host CPU these
  options have no effect.
- The IBM z Systems port now supports target attributes and
  pragmas. Please refer to the documentation for details of available
  attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This
  feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been
  deprecated and will be removed in a future GCC release. -m31 from now
  on defaults to -march=z900 if not specified otherwise. -march=native on
  a g5/g6 machine will default to -march=z900.

An even more detailed list of features can be found at:
https://gcc.gnu.org/gcc-6/changes.html


-----------------------------------------
Patch: SUSE-2016-1364
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:

This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

Also the following bug was fixed:
- fixing a performance issue (bsc#991746)


-----------------------------------------
Patch: SUSE-2016-1370
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 994157,CVE-2016-6313
Description:

This update for libgcrypt fixes the following issues:

  - RNG prediction vulnerability (bsc#994157, CVE-2016-6313)



-----------------------------------------
Patch: SUSE-2016-1375
Released: Thu Sep 22 22:38:58 2016
Summary: Recommended update for aaa_base
Severity: moderate
References: 996442
Description:

This update for aaa_base fixes the following issues:

- Fix regression introducted by fix for bnc#971567: wrong return code of chkconfig (bsc#996442) 


-----------------------------------------
Patch: SUSE-2016-1378
Released: Fri Sep 23 12:15:54 2016
Summary: Security update for libstorage
Severity: moderate
References: 986971,CVE-2016-5746
Description:

This update for libstorage fixes the following issues:

- Use stdin, not tmp files for passwords (bsc#986971, CVE-2016-5746)


-----------------------------------------
Patch: SUSE-2016-1383
Released: Mon Sep 26 10:18:37 2016
Summary: Recommended update for mutt
Severity: low
References: 961470,968699,983722
Description:

The Mutt mail client was updated to version 1.6.0, which brings many new features,
fixes and enhancements:

- Enable UTF-8 mailbox support for IMAP.
- New expandos %r and %R for comma separated list of To: and Cc: recipients respectively.
- Improved support for internationalized email and SMTPUTF8 (RFCs 653[0-3]).
- Option $use_idn has been renamed to $idn_decode.
- New option $idn_encode controls whether outgoing email address domains will be IDNA
  encoded. If your MTA supports it, unset to use utf-8 email address domains.
- The S/MIME message digest algorithm is now specified using the option
  $smime_sign_digest_alg. Note that $smime_sign_command should be modified
  to include '-md %d'. Please see contrib/smime.rc.
- New option $reflow_space_quotes allows format=flowed email quotes to be displayed
  with spacing between them.
- Multipart draft files are now supported.
- The '-E' command line argument causes mutt to edit draft or include files.
  All changes made in mutt will be saved back out to those files.
- New option $resume_draft_files and $resume_edited_draft_files control how mutt
  processes draft files.
- For classic gpg mode, $pgp_decryption_okay should be set to verify multipart/encrypted
  are actually encrypted. Please see contrib/gpg.rc for the suggested value.
- mailto URL header parameters by default are now restricted to 'body' and 'subject'.
- mailto_allow and unmailto_allow can be used to add or remove allowed mailto header
  parameters.
- The method of setting $hostname has been changed. Instead of scanning /etc/resolv.conf,
  the domain will now be determined using DNS calls.
- Add terminal status-line (TS) support, a.k.a. xterm title. See the following variables:
  $ts_enabled, $ts_icon_format, $ts_status_format.
- Option $ssl_use_sslv3 is now disabled by default.
- New command-line arguments: -H now combines template and command-line address arguments.
- GnuPG signature name is set to signature.asc.
- New color object 'prompt' added.
- Ability to encrypt postponed messages. See $postpone_encrypt and $postpone_encrypt_as.
- History ring now has a scratch buffer.
- mail-key is implemented for GPGME.
- Removed GPG_AGENT_INFO check for GnuPG 2.1 compatibility. Please set pgp_use_gpg_agent
  if using GnuPG 2.1 or later.
- Option $smime_encrypt_with now defaults to aes256.
- GnuPG fingerprints are used internally when possible. '--with-fingerprint' should be
  added to $pgp_list_pubring_command and $pgp_list_secring_command to enable this. Please
  see contrib/gpg.rc. Fingerprints may also be used at the prompts for key selection.
- Option $crypt_opportunistic_encrypt automatically enables/disables encryption based on
  message recipients.
- Attachments for signed, unencrypted emails may be deleted.
- Multiple crypt-hooks may be defined for the same regexp. This means multiple keys may be
  used for a recipient.
- Option $crypt_confirmhook allows the confirmation prompt for crypt-hooks to be disabled.
- Option $ssl_ciphers allows the SSL ciphers to be directly set.
- sime_keys better handles importing certificate chains.
- sime_keys now records certificate purposes (sign/encrypt). Run 'sime_keys refresh' to
  update smime index files.
- Option $maildir_check_cur polls the maildir 'cur' directory for new mail.
- Add support for TLS 1.1/1.2.
- Correctly shorten imaps://imap.example.com/INBOX to INBOX, not to NBOX. (bsc#961470)
- Recommend installation of perl(Expect) as a useful helper script below the samples
  depends on it. (bsc#968699)

A comprehensive list of changes is available at http://www.mutt.org/doc/ChangeLog
 

-----------------------------------------
Patch: SUSE-2016-1386
Released: Mon Sep 26 16:00:51 2016
Summary: Security update for openssl
Severity: important
References: 979475,982575,982745,983249,988591,990419,993819,994749,994844,995075,995324,995359,995377,998190,999665,999666,999668,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306
Description:

This update for openssl fixes the following issues:

OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)

Severity: High
* OCSP Status Request extension unbounded memory growth (CVE-2016-6304) (bsc#999666)

Severity: Low
* Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
* Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249)
* DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
* OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)
* DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
* OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
* Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183) (bsc#995359)
* Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
* OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
* Certificate message OOB reads (CVE-2016-6306) (bsc#999668)

More information can be found on: https://www.openssl.org/news/secadv/20160922.txt

Also following bugs were fixed:
* update expired S/MIME certs (bsc#979475)
* improve s390x performance (bsc#982745)
* allow >= 64GB AESGCM transfers (bsc#988591)
* fix crash in print_notice (bsc#998190)
* resume reading from /dev/urandom when interrupted by a signal (bsc#995075)


-----------------------------------------
Patch: SUSE-2016-1388
Released: Mon Sep 26 20:30:52 2016
Summary: Recommended update for flac
Severity: low
References: 998612
Description:

This update fixes a low severity issue that manifests itself only when building
certain packages against flac-devel.


-----------------------------------------
Patch: SUSE-2016-1390
Released: Tue Sep 27 15:11:15 2016
Summary: Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit
Severity: moderate
References: 954210,990856,CVE-2015-8079,CVE-2016-6354
Description:

Various packages included vulnerable parsers generated by 'flex'.

This update provides a fixed 'flex' package and also rebuilds of packages
that might have security issues caused by the auto generated code.

Flex itself was updated to fix a buffer overflow in the generated scanner
(bsc#990856, CVE-2016-6354)

Packages that were rebuilt with the fixed flex:
- at
- bogofilter
- cyrus-imapd
- kdelibs4
- libQtWebKit4
- libbonobo
- mdbtools
- netpbm
- openslp
- sgmltool
- virtuoso

Also libqt5-qtwebkit received an additional security fix:
- CVE-2015-8079: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode (bsc#954210).


-----------------------------------------
Patch: SUSE-2016-1400
Released: Tue Sep 27 18:03:14 2016
Summary: Security update for bind
Severity: critical
References: 1000362,CVE-2016-2776
Description:

The nameserver bind was updated to fix a remote denial of service
vulnerability, where a crafted packet could cause the nameserver to abort. (CVE-2016-2776, bsc#1000362)
  

-----------------------------------------
Patch: SUSE-2016-1406
Released: Thu Sep 29 11:22:48 2016
Summary: Optional update for DirectFB, fltk, libgnomecups, libgsm, mlocate, vlan
Severity: low
References: 1001359
Description:

This update provides rebuilds of a few packages in order to synchronize their binaries on all
architectures of SUSE Linux Enterprise Server 12.

The following packages have been rebuilt: DirectFB, fltk, libgnomecups, libgsm, mlocate, vlan.


-----------------------------------------
Patch: SUSE-2016-1419
Released: Fri Sep 30 15:47:59 2016
Summary: Recommended update for autofs
Severity: low
References: 968918
Description:

This update for autofs fixes the following issues:

- Fix spurious ELOOP errors caused by incorrect error handling in the NSS lookup
  module. (bsc#968918)


-----------------------------------------
Patch: SUSE-2016-1424
Released: Tue Oct  4 12:34:53 2016
Summary: Recommended update for rsync
Severity: low
References: 999847
Description:

This update for rsync provides the following fixes:

- Don't depend on insserv(8) and fillup(8) as they're not needed or used
  under systemd. (bsc#999847)


-----------------------------------------
Patch: SUSE-2016-1447
Released: Fri Oct  7 17:16:11 2016
Summary: Security update for systemd
Severity: important
References: 1000435,1001765,954374,970293,982210,982211,982251,987173,987857,990074,996269,CVE-2016-7796
Description:

This update for systemd fixes the following security issue:

- CVE-2016-7796: A zero-length message received over systemd's notification socket
  could make manager_dispatch_notify_fd() return an error and, as a side effect,
  disable the notification handler completely. As the notification socket is
  world-writable, this could have allowed a local user to perform a denial-of-service
  attack against systemd. (bsc#1001765)

Additionally, the following non-security fixes are included:

- Fix HMAC calculation when appending a data object to journal. (bsc#1000435)
- Never accept file descriptors from file systems with mandatory locking enabled.
  (bsc#954374)
- Do not warn about missing install info with 'preset'. (bsc#970293)  
- Save /run/systemd/users/UID before starting user@.service. (bsc#996269)
- Make sure that /var/lib/systemd/sysv-convert/database is always initialized.
  (bsc#982211)
- Remove daylight saving time handling and tzfile parser. (bsc#990074)
- Make sure directory watch is started before cryptsetup. (bsc#987173)
- Introduce sd_pid_notify() and sd_pid_notifyf() APIs. (bsc#987857)
- Set KillMode=mixed for our daemons that fork worker processes.
- Add nosuid and nodev options to tmp.mount.
- Don't start console-getty.service when /dev/console is missing. (bsc#982251)
- Correct segmentation fault in udev/path_id due to missing NULL check. (bsc#982210)


-----------------------------------------
Patch: SUSE-2016-1452
Released: Mon Oct 10 13:23:17 2016
Summary: Recommended update for lsof
Severity: low
References: 919358,995061
Description:

This update for lsof provides the following fixes:

- Fix printing of export entries by 'lsof -N' when two NFS volumes from the same
  server are mounted. (bsc#919358)
- Prevent 'lsof -b' from hanging  when NFS server is unavailable. (bsc#995061)


-----------------------------------------
Patch: SUSE-2016-1454
Released: Mon Oct 10 16:25:51 2016
Summary: Recommended update for timezone
Severity: low
References: 997830
Description:

This update provides the latest timezone information (2016g) for your system,
including the following changes:

- Turkey will remain on UTC+03 after 2016-10-30. (bsc#997830)
- Antarctica and nautical time zones now use numeric time zone abbreviations instead
  of obsolete alphanumeric ones.
- Renamed Asia/Rangoon to Asia/Yangon.

This release also includes changes affecting past time stamps and documentation.


-----------------------------------------
Patch: SUSE-2016-1457
Released: Tue Oct 11 12:44:34 2016
Summary: Recommended update for irqbalance
Severity: moderate
References: 1000291,979303
Description:

This update for irqbalance provides the following fixes:

- Fix find_best_object() for the same d->load value. (bsc#979303)
- Fix irq_info->load miscalculation for cache domain and others. (bsc#979303)
- Fix a memory leak on systems without PCI devices like AWS EC2 PV VMs. (bsc#1000291)


-----------------------------------------
Patch: SUSE-2016-1461
Released: Wed Oct 12 11:31:33 2016
Summary: Security update for tiff
Severity: moderate
References: 974449,974614,974618,975069,975070,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Description:
This update for tiff fixes the following security issues:

- CVE-2016-3622: Specially crafted TIFF images could trigger a crash in tiff2rgba (bsc#974449)
- Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098)
- CVE-2016-3623: Specially crafted TIFF images could trigger a crash in rgb2ycbcr (bsc#974618)
- CVE-2016-3945: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via tiff2rgba (bsc#974614)
- CVE-2016-3990: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution (bsc#975069)
- CVE-2016-3991: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via the tiffcrop tool (bsc#975070)


-----------------------------------------
Patch: SUSE-2016-1464
Released: Wed Oct 12 11:36:01 2016
Summary: Security update for X Window System client libraries
Severity: moderate
References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Description:
This update for the X Window System client libraries fixes a class of privilege escalation issues.

A malicious X Server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically:

libX11:
- CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory read (bsc#1002991)

libXfixes:
- CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures (bsc#1002995)

libXi:
- CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998)

libXtst:
- CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1003012)

libXv:
- CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory and memory corruption (bsc#1003017)

libXvMC:
- CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read underrun (bsc#1003023)

libXrender:
- CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003002)

libXrandr:
- CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003000)


-----------------------------------------
Patch: SUSE-2016-1502
Released: Wed Oct 19 11:20:12 2016
Summary: Security update for dbus-1
Severity: moderate
References: 1003898
Description:
This update for dbus-1 to version 1.8.22 fixes one security issue and bugs.

The following security issue was fixed:

- bsc#1003898: Do not treat ActivationFailure message received from root-owned systemd name as a format string.

The following upstream changes are included:

- Change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus.
- Fix a memory leak when GetConnectionCredentials() succeeds (fdo#91008)
- Ensure that dbus-monitor does not reply to messages intended for others (fdo#90952)
- Add locking to DBusCounter's reference count and notify function (fdo#89297)
- Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fdo#90312)
- Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fdo#90021)
- Correctly initialize all fields of DBusTypeReader (fdo#90021)
- Fix some missing \n in verbose (debug log) messages (fdo#90004)
- Clean up some memory leaks in test code (fdo#90021)


-----------------------------------------
Patch: SUSE-2016-1503
Released: Wed Oct 19 11:39:35 2016
Summary: Recommended update for ksh
Severity: low
References: 988213
Description:

This update for ksh fixes a locking error in spawn implementation.


-----------------------------------------
Patch: SUSE-2016-1506
Released: Wed Oct 19 18:09:49 2016
Summary: Security update for samba
Severity: moderate
References: 1005065,969522,975131,981566,986228,986869,991564,CVE-2016-2119
Description:
This update for samba provides the following fix:
    
Following security issue was fixed:
- CVE-2016-2119: Prevent client-side SMB2 signing downgrade. (bsc#986869)

Also the following bugs were fixed:
- Fix possible ctdb crash when opening sockets with htons(IPPROTO_RAW). (bsc#969522)
- Honor smb.conf socket options in winbind. (bsc#975131)
- Fix ntlm-auth segmentation fault with squid. (bsc#986228)
- Implement new '--no-dns-updates' option in 'net ads' command. (bsc#991564)
- Fix population of ctdb sysconfig after source merge. (bsc#981566)


-----------------------------------------
Patch: SUSE-2016-1510
Released: Thu Oct 20 14:04:39 2016
Summary: Recommended update for boost
Severity: low
References: 925309,970706,996917
Description:

This update for boost adapts paths for our GCC versions:

- Boost assumes /usr/include/c++/x.y.z/ existence for GCC 4.x onward while our
  version of GCC only has /usr/include/c++/x.y for 4.x GCC and /usr/include/c++/x/
  for 5.x onward. (bsc#996917)
- Fix regression in asio library. (bsc#925309)
- Add libboost_context to the -devel dependencies when it is built. (bsc#970706)


-----------------------------------------
Patch: SUSE-2016-1524
Released: Fri Oct 21 17:57:01 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 1001419,1002165,1004418,904970,907150,920615,920633,930408,CVE-2016-5195
Description:

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to fix two issues.

This security bug was fixed:

- CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. It is reportedly exploited in the wild (bsc#1004418).

This non-security bug was fixed:

- sched/core: Fix a race between try_to_wake_up() and a woken up task (bsc#1002165, bsc#1001419).


-----------------------------------------
Patch: SUSE-2016-1555
Released: Wed Oct 26 14:30:46 2016
Summary: Security update for libxml2
Severity: moderate
References: 1005544,CVE-2016-4658
Description:

This update for libxml2 fixes the following issues:

- CVE-2016-4658: Use after free via namespace node in XPointer ranges (bsc#1005544).


-----------------------------------------
Patch: SUSE-2016-1565
Released: Thu Oct 27 13:06:35 2016
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.

The following vulnerabilities were fixed:
- CVE-2016-4912: A remote attacker could have crashed the server with a large number of packages (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having unspecified impact (bsc#1001600)

The following bugfix changes are included:
- bsc#994989: Removed convenience code as changes bytes in the message buffer breaking the verification code
- bsc#974655: Removed no longer needed slpd init file


-----------------------------------------
Patch: SUSE-2016-1571
Released: Fri Oct 28 14:54:49 2016
Summary: Security update for gd
Severity: important
References: 1001900,1004924,1005274,CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Description:

This update for gd fixes the following security issues:

- CVE-2016-7568: A specially crafted image file could cause an application crash or potentially execute arbitrary code
                 when the image is converted to webp (bsc#1001900)
- CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf (bsc#1004924)
- CVE-2016-6911: Check for out-of-bound read in dynamicGetbuf() (bsc#1005274)


-----------------------------------------
Patch: SUSE-2016-1581
Released: Mon Oct 31 14:47:06 2016
Summary: Recommended update for rubygem-ruby-shadow
Severity: low
References: 920720,981565
Description:

This update for rubygem-ruby-shadow provides the following fixes:

- Fix bug in shadow implementations where sp_expired field was incorrectly set as nil.
  From now on, -1 is used to indicate not set. (bsc#981565)
- Simplified compatibility check, removing check for function not actually used
  in pwd.h implementations.


-----------------------------------------
Patch: SUSE-2016-1587
Released: Wed Nov  2 09:33:40 2016
Summary: Security update for bind
Severity: important
References: 1007829,CVE-2016-8864
Description:

This update for bind fixes the following security issue:

- A defect in BIND's handling of responses containing a DNAME answer had the
potential to trigger assertion errors in the server remotely, thereby
facilitating a denial-of-service attack. (CVE-2016-8864, bsc#1007829).
  

-----------------------------------------
Patch: SUSE-2016-1591
Released: Wed Nov  2 12:07:51 2016
Summary: Security update for curl
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:

- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)


-----------------------------------------
Patch: SUSE-2016-1613
Released: Mon Nov  7 19:45:50 2016
Summary: Recommended update for shadow
Severity: low
References: 1002975,994486
Description:

This update for shadow provides the following fixes:

- Set file modes according to the permissions package and don't attempt to
  manipulate them in %files section. (bsc#1002975)
- Include shadow(5) man page. (bsc#994486)


-----------------------------------------
Patch: SUSE-2016-1617
Released: Tue Nov  8 10:03:25 2016
Summary: Recommended update for libesmtp
Severity: low
References: 1005909
Description:

This update for libesmtp provides the following fixes:

- All TLS clients must support and use the highest TLS version available if
  possible, not only TLS 1.0. (bsc#1005909)


-----------------------------------------
Patch: SUSE-2016-1621
Released: Tue Nov  8 16:20:57 2016
Summary: Recommended update for timezone
Severity: low
References: 1007725,1007726
Description:

This update provides the latest timezone information (2016i) for your system,
including the following changes:

- Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on 2017-01-15 at 03:00.
  (bsc#1007725)
- Northern Cyprus is now +03 year round, causing a split in Cyprus time zones starting
  2016-10-30 at 04:00. This creates a zone Asia/Famagusta. (bsc#1007726)
- Antarctica/Casey switched from +08 to +11 on 2016-10-22.
- Asia/Gaza and Asia/Hebron end DST on 2016-10-29 at 01:00, not 2016-10-21 at 00:00.
- Asia/Colombo now uses numeric time zone abbreviations.

This release also includes changes affecting past time stamps and documentation.


-----------------------------------------
Patch: SUSE-2016-1634
Released: Thu Nov 10 11:26:56 2016
Summary: Recommended update for pciutils
Severity: low
References: 1001888
Description:

This update for pciutils fixes the following issues:

- lspci(8) incorrectly tested bit 4, not bit 0, for 'CRS Software Visibility' in
  the Root Capabilities register, so it showed 'RootCap: CRSVisible-' even for
  devices that do support Software Visibility. This update fixes it to use the
  correct definition for PCI_EXP_RTCAP_CRSVIS. (bsc#1001888)


-----------------------------------------
Patch: SUSE-2016-1639
Released: Thu Nov 10 18:05:34 2016
Summary: Security update for jasper
Severity: moderate
References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373,CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Description:

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed:
- CVE-2016-8887: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (bsc#1006836)
- CVE-2016-8886: memory allocation failure in jas_malloc (jas_malloc.c) (bsc#1006599)
- CVE-2016-8884,CVE-2016-8885: two null pointer dereferences in bmp_getdata (incomplete fix for CVE-2016-8690) (bsc#1007009)
- CVE-2016-8883: assert in jpc_dec_tiledecode() (bsc#1006598)
- CVE-2016-8882: segfault / null pointer access in jpc_pi_destroy (bsc#1006597)
- CVE-2016-8881: Heap overflow in jpc_getuint16() (bsc#1006593)
- CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox() (bsc#1006591)
- CVE-2016-8693 Double free vulnerability in mem_close (bsc#1005242)
- CVE-2016-8691, CVE-2016-8692: Divide by zero in jpc_dec_process_siz (bsc#1005090)
- CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image (bsc#1005084)
- CVE-2016-2116: Memory leak in the jas_iccprof_createfrombuf function in JasPer allowed remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (bsc#968373) 
- CVE-2016-2089: invalid read in the JasPer's jas_matrix_clip() function (bsc#963983)
- CVE-2016-1867: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function (bsc#961886)
- CVE-2015-5221: Use-after-free (and double-free) in Jasper JPEG-200 (bsc#942553).
- CVE-2015-5203: Double free corruption in JasPer JPEG-2000 implementation (bsc#941919)
- CVE-2008-3522: Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer might have allowed context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (bsc#392410)
- jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887) (bsc#1006839)

For additional change description please have a look at the changelog.


-----------------------------------------
Patch: SUSE-2016-1668
Released: Thu Nov 17 14:34:38 2016
Summary: Security update for X Window System client libraries
Severity: moderate
References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Description:

This update for the X Window System client libraries fixes a class of privilege escalation issues.

A malicious X Server could send specially crafted data to X clients, which allowed for triggering
crashes, or privilege escalation if this relationship was untrusted or crossed user or permission
level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically:

libX11:
- CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory
  read (bsc#1002991)

libXfixes:
- CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow
  on 32 bit architectures (bsc#1002995)

libXi:
- CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of
  boundary memory access or endless loops (Denial of Service) (bsc#1002998)

libXtst:
- CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of
  boundary memory access or endless loops (Denial of Service) (bsc#1003012)

libXv:
- CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory
  and memory corruption (bsc#1003017)

libXvMC:
- CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read
  underrun (bsc#1003023)

libXrender:
- CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of
  boundary memory writes (bsc#1003002)

libXrandr:
- CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of
  boundary memory writes (bsc#1003000)


-----------------------------------------
Patch: SUSE-2016-1675
Released: Fri Nov 18 12:40:36 2016
Summary: Recommended update for boost
Severity: low
References: 925309,970706,996917
Description:

This update for boost adapts paths for our GCC versions:

- Boost assumes /usr/include/c++/x.y.z/ existence for GCC 4.x onward while our
  version of GCC only has /usr/include/c++/x.y for 4.x GCC and /usr/include/c++/x/
  for 5.x onward. (bsc#996917)
- Fix regression in asio library. (bsc#925309)
- Add libboost_context to the -devel dependencies when it is built. (bsc#970706)


-----------------------------------------
Patch: SUSE-2016-1681
Released: Tue Nov 22 12:12:02 2016
Summary: Security update for bash
Severity: moderate
References: 1000396,1001299,1001759,898812,898884,CVE-2014-6277,CVE-2014-6278,CVE-2016-0634,CVE-2016-7543
Description:

This update for bash fixes the following issues:

- CVE-2016-7543: Local attackers could have executed arbitrary commands via specially crafted SHELLOPTS+PS4 variables (bsc#1001299)
- CVE-2016-0634: Malicious hostnames could have allowed arbitrary command execution when $HOSTNAME was expanded in the prompt (bsc#1000396)
- CVE-2014-6277: More troubles with functions (bsc#898812, bsc#1001759)
- CVE-2014-6278: Code execution after original 6271 fix (bsc#898884)


-----------------------------------------
Patch: SUSE-2016-1690
Released: Thu Nov 24 08:36:43 2016
Summary: Security update for tar
Severity: moderate
References: 1007188,913058,CVE-2016-6321
Description:

This update for tar fixes the following issues:

- Fix the POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting
  files and directories in the given destination, regardless of the
  path name(s) specified on the command line [bsc#1007188]
  [CVE-2016-6321]
- Fix Amanda integration issue (bsc#913058)



-----------------------------------------
Patch: SUSE-2016-1692
Released: Thu Nov 24 14:30:39 2016
Summary: Security update for sudo
Severity: moderate
References: 1007501,1007766,899252,917806,979531,CVE-2014-9680,CVE-2016-7032,CVE-2016-7076
Description:

This update for sudo fixes the following security issues:

- Fix two security vulnerabilities that allowed users to bypass sudo's NOEXEC functionality:
  * noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766]
  * noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]
- Fix unsafe handling of TZ environment variable. [CVE-2014-9680, bsc#917806]

Additionally, these non-security fixes are included in the update:

- Fix 'ignoring time stamp from the future' message after each boot with !tty_tickets. [bsc#899252]
- Enable support for SASL-based authentication. [bsc#979531]


-----------------------------------------
Patch: SUSE-2016-1698
Released: Fri Nov 25 12:32:27 2016
Summary: Security update for libarchive
Severity: moderate
References: 1005070,1005072,1005076,986566,989980,998677,CVE-2015-2304,CVE-2016-5418,CVE-2016-5844,CVE-2016-6250,CVE-2016-8687,CVE-2016-8688,CVE-2016-8689
Description:

This update for libarchive fixes several issues.

These security issues were fixed:

- CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070).
- CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072).
- CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076).
- CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566).
- CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980).
- CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677).


-----------------------------------------
Patch: SUSE-2016-1721
Released: Tue Nov 29 13:12:31 2016
Summary: Security update for vim
Severity: important
References: 1010685,988903,CVE-2016-1248
Description:

This update for vim fixes the following security issues:

- Fixed CVE-2016-1248 an arbitrary command execution vulnerability
  (bsc#1010685)

This update for vim fixes the following issues:

- Fix build with Python 3.5. (bsc#988903)


-----------------------------------------
Patch: SUSE-2016-1734
Released: Thu Dec  1 10:34:07 2016
Summary: Recommended update for timezone
Severity: low
References: 1011797
Description:

This update provides the latest timezone information (2016j) for your system,
including the following changes:

- Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. This change
  introduces a new zone Europe/Saratov split from Europe/Volgograd.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-November/000044.html


-----------------------------------------
Patch: SUSE-2016-1744
Released: Fri Dec  2 11:42:41 2016
Summary: Security update for pcre
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please
make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre
and applications using the libary when accepting untrusted input
as regular expressions or as part thereof. Remote attackers could
have caused the application to crash, disclose information or
potentially execute arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues 
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.


-----------------------------------------
Patch: SUSE-2016-1746
Released: Fri Dec  2 13:55:49 2016
Summary: Recommended update for libpciaccess
Severity: low
References: 1006827
Description:

This update for libpciaccess provides the following fixes:

- Ignore 32bit PCI domains. They are now supported by the Linux kernel but not
  by the user land library, and this inconsistency can lead to problems such as
  startx(1) terminating with a segmentation fault. 32-bit PCI domains are not
  needed to start the X server.


-----------------------------------------
Patch: SUSE-2016-1749
Released: Mon Dec  5 09:28:00 2016
Summary: Security update for libX11
Severity: moderate
References: 1002991,CVE-2016-7942
Description:

libX11 was updated to fix a memory leak that was introduced with the
security fix for CVE-2016-7942.


-----------------------------------------
Patch: SUSE-2016-1754
Released: Mon Dec  5 18:03:45 2016
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 1009026,1010395,1010401,1010402,1010404,1010410,1010422,1010427,1010517,992549,CVE-2016-5285,CVE-2016-5290,CVE-2016-5291,CVE-2016-5296,CVE-2016-5297,CVE-2016-9064,CVE-2016-9066,CVE-2016-9074
Description:
This update for MozillaFirefox, mozilla-nss fixes security issues and bugs.

The following vulnerabilities were fixed in Firefox ESR 45.5 (bsc#1009026):

- CVE-2016-5297: Incorrect argument length checking in Javascript (bsc#1010401)
- CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404)
- CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395)
- CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402)
- CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427)
- CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410)

The following vulnerabilities were fixed in mozilla-nss 3.21.3:

- CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422)
- CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517)  

The following bugs were fixed:

- Firefox would fail to go into fullscreen mode with some window managers (bsc#992549)

The Mozilla Firefox changelog was amended to document patched dropped in a previous update.


-----------------------------------------
Patch: SUSE-2016-1767
Released: Wed Dec  7 16:43:38 2016
Summary: Security update for libXi
Severity: moderate
References: 1002998,CVE-2016-7945,CVE-2016-7946
Description:

libXi was updated to fix two security issues.

These security issues were fixed:
- CVE-2016-7945: Integer overflows in libXI can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998).
- CVE-2016-7946: Insufficient validation of data in libXI can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998).
  

-----------------------------------------
Patch: SUSE-2016-1774
Released: Thu Dec  8 11:05:39 2016
Summary: Security update for w3m
Severity: moderate
References: 1011283,1011284,1011285,1011286,1011287,1011288,1011289,1011290,1011291,1011292,1011293,1012021,1012022,1012023,1012024,1012025,1012026,1012027,1012028,1012029,1012030,1012031,1012032,CVE-2016-9434,CVE-2016-9435,CVE-2016-9436,CVE-2016-9437,CVE-2016-9438,CVE-2016-9439,CVE-2016-9440,CVE-2016-9441,CVE-2016-9442,CVE-2016-9443,CVE-2016-9621,CVE-2016-9622,CVE-2016-9623,CVE-2016-9624,CVE-2016-9625,CVE-2016-9626,CVE-2016-9627,CVE-2016-9628,CVE-2016-9629,CVE-2016-9630,CVE-2016-9631,CVE-2016-9632,CVE-2016-9633
Description:

This update for w3m fixes the following issues:

- update to debian git version (bsc#1011293)
  addressed security issues:
         CVE-2016-9622: w3m: null deref (bsc#1012021)
         CVE-2016-9623: w3m: null deref (bsc#1012022)
         CVE-2016-9624: w3m: near-null deref (bsc#1012023)
         CVE-2016-9625: w3m: stack overflow (bsc#1012024)
         CVE-2016-9626: w3m: stack overflow (bsc#1012025)
         CVE-2016-9627: w3m: heap overflow read + deref (bsc#1012026)
         CVE-2016-9628: w3m: null deref (bsc#1012027)
         CVE-2016-9629: w3m: null deref (bsc#1012028)
         CVE-2016-9630: w3m: global-buffer-overflow read (bsc#1012029)
         CVE-2016-9631: w3m: null deref (bsc#1012030)
         CVE-2016-9632: w3m: global-buffer-overflow read (bsc#1012031)
         CVE-2016-9633: w3m: OOM (bsc#1012032)
         CVE-2016-9434: w3m: null deref (bsc#1011283)
         CVE-2016-9435: w3m: use uninit value (bsc#1011284)
         CVE-2016-9436: w3m: use uninit value (bsc#1011285)
         CVE-2016-9437: w3m: write to rodata (bsc#1011286)
         CVE-2016-9438: w3m: null deref (bsc#1011287)
         CVE-2016-9439: w3m: stack overflow (bsc#1011288)
         CVE-2016-9440: w3m: near-null deref (bsc#1011289)
         CVE-2016-9441: w3m: near-null deref (bsc#1011290)
         CVE-2016-9442: w3m: potential heap buffer corruption (bsc#1011291)
         CVE-2016-9443: w3m: null deref (bsc#1011292)


-----------------------------------------
Patch: SUSE-2016-1775
Released: Thu Dec  8 11:06:08 2016
Summary: Security update for gc
Severity: moderate
References: 1011276,CVE-2016-9427
Description:

This update for gc fixes the following issues:

- integer overflow in GC_MALLOC_ATOMIC() (CVE-2016-9427, bsc#1011276)



-----------------------------------------
Patch: SUSE-2016-1781
Released: Fri Dec  9 09:13:35 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 1008831,1011685,1012754,CVE-2016-8632,CVE-2016-8655,CVE-2016-9555
Description:


The SUSE Linux Enterprise 12 kernel was updated to receive critical security fixes.

The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring
  function could be used by local attackers to crash the kernel or gain
  privileges (bsc#1012754).
- CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in
  the Linux kernel did not validate the relationship between the minimum
  fragment length and the maximum packet size, which allowed local users to
  gain privileges or cause a denial of service (heap-based buffer overflow)
  by leveraging the CAP_NET_ADMIN capability (bnc#1008831).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in
  the Linux kernel lacks chunk-length checking for the first chunk, which
  allowed remote attackers to cause a denial of service (out-of-bounds slab
  access) or possibly have unspecified other impact via crafted SCTP data
  (bnc#1011685).



-----------------------------------------
Patch: SUSE-2016-1827
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please
make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre
and applications using the libary when accepting untrusted input
as regular expressions or as part thereof. Remote attackers could
have caused the application to crash, disclose information or
potentially execute arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues 
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.


-----------------------------------------
Patch: SUSE-2016-1831
Released: Thu Dec 15 17:47:09 2016
Summary: Recommended update for tar
Severity: important
References: 1012633
Description:

This update for tar fixes a regression caused by the previous security update (bsc#1007188),
which limited append and create operations (bsc#1012633)


-----------------------------------------
Patch: SUSE-2016-1841
Released: Fri Dec 16 14:57:16 2016
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1014151
Description:

This update for suse-build-key extends the lifetime of the build@suse.de
GPG key that is signing the SUSE Linux Enterprise 12 repositories. (bsc#1014151)

UID:
  pub  2048R/39DB7C82 2013-01-31 [expires: 2020-12-06]
  uid                            SuSE Package Signing Key <build@suse.de>


-----------------------------------------
Patch: SUSE-2016-1844
Released: Fri Dec 16 16:48:59 2016
Summary: Recommended update for libsolv, libzypp, zypper
Severity: low
References: 1003748,1004096,1010712,731333,964932,980263,980901,982379,983141,984494,986694,992302
Description:

The Software Update Stack was updated for fixes and enhancements.

libsolv:

- Fix segmentation fault in cshash dedup code. (bsc#980901)
- Fix bug in ignoreinst logic. (bsc#983141)
- Add pool->setdisttype to the bindings.
- Fix error in repo_deb that could lead to missing packages.
- Add pool_whatcontainsdep, selection_make_matchdepid, and SELECTION_MATCH_DEPSTR.
- Add SOLVER_FAVOR and SOLVER_DISFAVOR job types.
- Allow unknown archs in pool_setarch.
- Add the SOLVER_FLAG_URPM_REORDER solver flag.
- Fix supplements handling when implicitobsoleteusescolors is set.

libzypp:

- Let 'dup --from' leave updateTestcase logs in /var/log. (bsc#1004096)
- Allow parsing multiple gpgkey= URLs. (bsc#1003748)
- Fix parsing of multiline url entries. (bsc#964932)
- Report numeric curl error if code is unrecognized. (bsc#992302)
- Fix bug in removeRepository which may keep an empty .repo file rather than
  deleting it. (bsc#984494)

zypper:

- Do not warn about processes using deleted files when using --root. (bsc#731333)
- Properly escape patch script output in xml mode. (bsc#1010712)
- Do not require --ignore-unknown in non interactive remove-command. (bsc#980263)
- Document in man page the known limitations when searching with --file-list. (bsc#982379)
- Fix Brazilian Portuguese translation of options' prompt. (bsc#986694)


-----------------------------------------
Patch: SUSE-2016-1852
Released: Mon Dec 19 17:07:35 2016
Summary: Security update for ntp
Severity: moderate
References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606,CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Description:

This update for ntp fixes the following issues:

ntp was updated to 4.2.8p9.

Security issues fixed:

- CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6
  unauthenticated trap information disclosure and DDoS vector.
- CVE-2016-7427, bsc#1011390:
  Broadcast Mode Replay Prevention DoS.
- CVE-2016-7428, bsc#1011417:
  Broadcast Mode Poll Interval Enforcement DoS.
- CVE-2016-7431, bsc#1011395:
  Regression: 010-origin: Zero Origin Timestamp Bypass.
- CVE-2016-7434, bsc#1011398:
  Null pointer dereference in _IO_str_init_static_internal().
- CVE-2016-7429, bsc#1011404: Interface selection attack.
- CVE-2016-7426, bsc#1011406:
  Client rate limiting and server responses.
- CVE-2016-7433, bsc#1011411: Reboot sync calculation problem.
- CVE-2015-5219: An endless loop due to incorrect precision to
  double conversion (bsc#943216).

Non-security issues fixed:

- Fix a spurious error message.
- Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog.
- Fix a regression in 'trap' (bsc#981252).
- Reduce the number of netlink groups to listen on for changes to
  the local network setup (bsc#992606).
- Fix segfault in 'sntp -a' (bsc#1009434).
- Silence an OpenSSL version warning (bsc#992038).
- Make the resolver task change user and group IDs to the same
  values as the main task. (bsc#988028)
- Simplify ntpd's search for its own executable to prevent AppArmor
  warnings (bsc#956365).



-----------------------------------------
Patch: SUSE-2016-1863
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended updated for pth
Severity: low
References: 1013286
Description:

This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.


-----------------------------------------
Patch: SUSE-2016-1868
Released: Wed Dec 21 16:24:02 2016
Summary: Security update for gd
Severity: moderate
References: 1015187,CVE-2016-9933
Description:

This update for gd fixes the following issues:

* CVE-2016-9933 possible stackoverflow on malicious truecolor images [bsc#1015187]



-----------------------------------------
Patch: SUSE-2016-1871
Released: Wed Dec 21 17:18:14 2016
Summary: Initial release of cloud-regionsrv
Severity: low
References: 979331
Description:

This update adds cloud-regionsrv to the Public Cloud Module for SUSE Linux Enterprise
Server 12.

The region service provides functionality to correlate SMT server information with the
region in which they are deployed and provide this information to a guest that connects
using the region server client.

For detailed setup instructions see the best practices guide:
https://www.suse.com/documentation/suse-best-practices/publiccloudinfra/data/publiccloudinfra.html


-----------------------------------------
Patch: SUSE-2016-1876
Released: Wed Dec 21 17:53:28 2016
Summary: Security update for the Linux Kernel
Severity: important
References: 1013533,1013604,CVE-2016-9576,CVE-2016-9794
Description:

The SUSE Linux Enterprise 12 kernel was updated to receive two security fixes.

The following security bugs were fixed:

- CVE-2016-9576: A use-after-free vulnerability in the SCSI generic driver allows users with write access to /dev/sg* or /dev/bsg* to elevate their privileges (bsc#1013604).
- CVE-2016-9794: A use-after-free vulnerability in the ALSA pcm layer allowed local users to cause a denial of service, memory corruption or possibly even to elevate their privileges (bsc#1013533).


-----------------------------------------
Patch: SUSE-2016-1883
Released: Thu Dec 22 10:27:40 2016
Summary: Recommended update for supportutils
Severity: low
References: 995387,997615
Description:

This update for supportutils fixes the following issues:

- Add limits to journalctl to speed up data collection. (bsc#997615)
- Restore missing vgs and lvs commands to lvm.txt. (bsc#995387)
- Collect information about network namespaces.


-----------------------------------------
Patch: SUSE-2016-1901
Released: Thu Dec 22 17:33:41 2016
Summary: Optional update for SLE 12 Modules for ARM64
Severity: low
References: 1002576
Description:

This update introduces many packages that were missing in the ARM64 version of
the Web and Scripting, Manager Tools and Public Cloud Modules for SUSE Linux
Enterprise Server 12 SP2.


-----------------------------------------
Patch: SUSE-2016-1908
Released: Fri Dec 23 14:45:12 2016
Summary: Recommended update for pciutils
Severity: low
References: 1006827
Description:

This update for pciutils provides the following fixes:

- Enable proper support for 32-bit PCI domain numbers. (bsc#1006827)


-----------------------------------------
Patch: SUSE-2016-1911
Released: Fri Dec 23 18:02:19 2016
Summary: Security update for wget
Severity: moderate
References: 1005091,1012677,995964,CVE-2016-7098
Description:

This update for wget fixes the following issues:

Security issues fixed:
- CVE-2016-7098: Fixed a potential race condition by creating files with .tmp ext
  and making them accessible to the current user only. (bsc#995964)

Non security issues fixed:
- bsc#1005091: Don't call xfree() on string returned by usr_error()  
- bsc#1012677: Add support for enforcing TLSv1.1 and TLSv1.2 (TLS 1.2 support was already present, but it was not enforcable).


-----------------------------------------
Patch: SUSE-2016-1935
Released: Thu Dec 29 20:46:16 2016
Summary: Security update for samba
Severity: moderate
References: 1001203,1009085,1014437,1014441,1014442,975299,986675,991564,994500,997833,CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Description:

This update for samba fixes the following issues:

Security issues fixed:

- CVE-2016-2125: Don't send delegated credentials to all servers. (bsc#1014441).
- CVE-2016-2126: Denial of service due to a client triggered crash in the winbindd
  parent process. (bsc#1014442).
- CVE-2016-2123: Heap-based Buffer Overflow Remote Code Execution Vulnerability. (bsc#1014437).
  This issue does not affect our packages, as the component is not built.

Non security issues fixed:

- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port (bsc#1009085)
- Add doc changes for net ads --no-dns-updates switch (bsc#991564)
- Include vfstest in samba-test (bsc#1001203).
- s3/winbindd: using default domain with user@domain.com format fails (bsc#997833).
- Fix illegal memory access after memory has been deleted (bsc#975299).
- Fix bug in tevent poll backend causing winbind to loop tightly (bsc#994500).
- Various fixes for spnego/ntlm (bsc#986675).


-----------------------------------------
Patch: SUSE-2016-1937
Released: Thu Dec 29 20:47:49 2016
Summary: Security update for tiff
Severity: moderate
References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351,CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Description:

The tiff library and tools were updated to version 4.0.7 fixing various bug and security issues.

- CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple tools [bnc#914890]
- CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField() [bnc#1010161]
- CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c [bnc#974840]
- CVE-2016-9273: heap overflow [bnc#1010163]
- CVE-2016-3622: divide By Zero in the tiff2rgba tool [bnc#974449]
- CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow [bnc#1007280]
- CVE-2016-9453: out-of-bounds Write memcpy and less bound check in tiff2pdf [bnc#1011107]
- CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat [bnc#987351]
- CVE-2016-9448: regression introduced by fixing CVE-2016-9297 [bnc#1011103]
- CVE-2016-5321: out-of-bounds read in tiffcrop /  DumpModeDecode() function [bnc#984813]
- CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?) [bnc#984815]


-----------------------------------------
Patch: SUSE-2017-3
Released: Mon Jan  2 08:36:51 2017
Summary: Security update for zlib
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:

This update for zlib fixes the following issues:

CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)

CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) 

CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)

Incompatible declarations for external linkage function deflate (bsc#1003577)



-----------------------------------------
Patch: SUSE-2017-5
Released: Mon Jan  2 16:10:06 2017
Summary: Recommended update for alsa, pulseaudio
Severity: low
References: 1010690
Description:

This update for alsa and pulseaudio provides a new UCM profile for Cherry
Trail audio devices.


-----------------------------------------
Patch: SUSE-2017-16
Released: Thu Jan  5 11:28:08 2017
Summary: Recommended update for irqbalance
Severity: low
References: 998399
Description:

This update for irqbalance increases the maximum number of files that can be
opened simultaneously to 4096.


-----------------------------------------
Patch: SUSE-2017-27
Released: Sun Jan  8 13:11:03 2017
Summary: Security update for jasper
Severity: important
References: 1010977,1010979,1011830,1012530,1015993,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Description:

This update for jasper fixes the following issues:

- CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec. (bsc#1012530)
- CVE-2016-9395: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010977)
- CVE-2016-9398: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010979)
- CVE-2016-9560: Stack-based buffer overflow in jpc_tsfb_getbands2. (bsc#1011830)
- CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy. (bsc#1015993)


-----------------------------------------
Patch: SUSE-2017-32
Released: Mon Jan  9 11:50:42 2017
Summary: Recommended update for dirmngr
Severity: low
References: 994794
Description:

This update for dirmngr enables support for daemon mode.


-----------------------------------------
Patch: SUSE-2017-52
Released: Wed Jan 11 22:56:05 2017
Summary: Security update for bind
Severity: important
References: 1018699,1018700,1018701,1018702,965748,CVE-2016-9131,CVE-2016-9147,CVE-2016-9444
Description:

This update for bind fixes the following issues:

- Fix a potential assertion failure that could have been triggered by a
  malformed response to an ANY query, thereby facilitating a denial-of-service
  attack. [CVE-2016-9131, bsc#1018700, bsc#1018699]

- Fix a potential assertion failure that could have been triggered by
  responding to a query with inconsistent DNSSEC information, thereby
  facilitating a denial-of-service attack. [CVE-2016-9147, bsc#1018701,
  bsc#1018699]

- Fix potential assertion failure that could have been triggered by DNS
  responses that contain unusually-formed DS resource records, facilitating a
  denial-of-service attack. [CVE-2016-9444, bsc#1018702, bsc#1018699]

- Fixed ldapdump to use a temporary pseudo nameserver that conforms to BIND's
  expected syntax. Prior versions would not work correctly with an LDAP backed
  DNS server. [bsc#965748]


-----------------------------------------
Patch: SUSE-2017-98
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Severity: low
References: 998906
Description:

This update for kmod fixes a rare race condition while loading modules.


-----------------------------------------
Patch: SUSE-2017-101
Released: Thu Jan 19 17:11:14 2017
Summary: Recommended update for rsyslog
Severity: low
References: 1000488,992146
Description:

This update for rsyslog fixes the following issues:

- Fixed mutex locking when timeout occurs (bsc#1000488)
- Added support for newer json-c (bsc#992146)



-----------------------------------------
Patch: SUSE-2017-145
Released: Tue Jan 24 20:10:54 2017
Summary: Recommended update for yast2-ruby-bindings
Severity: low
References: 1014458,945299
Description:

This update for yast2-ruby-bindings fixes the following issues:

- Do not crash when FastGettext is unable to find the empty.mo file (bsc#1014458)
- Fix 'method to_s called on terminated object' message during package installation (bsc#945299)



-----------------------------------------
Patch: SUSE-2017-150
Released: Wed Jan 25 15:29:40 2017
Summary: Security update for pcsc-lite
Severity: moderate
References: 1017902,CVE-2016-10109
Description:

pcsc-lite was updated to fix one security issue.

This security issue was fixed:

- CVE-2016-10109: This use-after-free and double-free issue allowed local attacker to cause a Denial of Service and possible privilege escalation (bsc#1017902).
  

-----------------------------------------
Patch: SUSE-2017-153
Released: Thu Jan 26 12:34:04 2017
Summary: Security update for dbus-1
Severity: moderate
References: 1003898,1018556
Description:
This update for dbus-1 to version 1.8.22 fixes one security issue and bugs.

The following security issue was fixed:

- bsc#1003898: Do not treat ActivationFailure message received from root-owned systemd name as a format string.

The following upstream changes are included:

- Change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus.
- Fix a memory leak when GetConnectionCredentials() succeeds (fdo#91008)
- Ensure that dbus-monitor does not reply to messages intended for others (fdo#90952)
- Add locking to DBusCounter's reference count and notify function (fdo#89297)
- Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fdo#90312)
- Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fdo#90021)
- Correctly initialize all fields of DBusTypeReader (fdo#90021)
- Fix some missing \n in verbose (debug log) messages (fdo#90004)
- Clean up some memory leaks in test code (fdo#90021)


-----------------------------------------
Patch: SUSE-2017-170
Released: Mon Jan 30 19:13:36 2017
Summary: Initial release of Salt
Severity: low
References: 989693
Description:

This update adds Salt to the Advanced Systems Management 12 Module.

Salt is a distributed remote execution system used to execute commands and
query data. It was developed in order to bring the best solutions found in
the world of remote execution together and make them better, faster and more
malleable. Salt accomplishes this via its ability to handle larger loads of
information, and not just dozens, but hundreds or even thousands of individual
servers, handle them quickly and through a simple and manageable interface.


-----------------------------------------
Patch: SUSE-2017-177
Released: Wed Feb  1 08:19:13 2017
Summary: Security update for gnutls
Severity: important
References: 1005879,1018832,999646,CVE-2016-7444,CVE-2016-8610,CVE-2017-5335,CVE-2017-5336,CVE-2017-5337
Description:

This update for gnutls fixes the following security issues:

- GnuTLS could have crashed when processing maliciously crafted OpenPGP
  certificates (GNUTLS-SA-2017-2, bsc#1018832, CVE-2017-5335, CVE-2017-5337,
  CVE-2017-5336)
- GnuTLS could have falsely accepted certificates when using OCSP
  (GNUTLS-SA-2016-3, bsc#999646, CVE-2016-7444)
- GnuTLS could have suffered from 100% CPU load DoS attacks by using SSL alert
  packets during the handshake (bsc#1005879, CVE-2016-8610)


-----------------------------------------
Patch: SUSE-2017-185
Released: Thu Feb  2 18:22:37 2017
Summary: Security update for cpio
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:

This update for cpio fixes two issues.

This security issue was fixed:

- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:

- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB


-----------------------------------------
Patch: SUSE-2017-210
Released: Tue Feb  7 17:35:06 2017
Summary: Recommended update for crash
Severity: moderate
References: 1002876
Description:

This update for crash fixes an incompatibility with recent kernel updates released
for SUSE Linux Enterprise Server 12.

Crash would fail with the message 'invalid structure member offset' when attempting
to read the vmcore.


-----------------------------------------
Patch: SUSE-2017-212
Released: Wed Feb  8 13:07:24 2017
Summary: Security update for expat
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:

This update for expat fixes the following security issues:

- CVE-2012-6702: Expat, when used in a parser that has not
  called XML_SetHashSalt or passed it a seed of 0, made it easier for
  context-dependent attackers to defeat cryptographic protection mechanisms
  via vectors involving use of the srand function.  (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy
  for hash initialization, which allowed context-dependent attackers to
  cause a denial of service (CPU consumption) via crafted identifiers in
  an XML document. NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2012-0876.  (bsc#983216)


-----------------------------------------
Patch: SUSE-2017-231
Released: Mon Feb 13 11:40:25 2017
Summary: Security update for tiff
Severity: moderate
References: 1019611,1022103,CVE-2017-5225
Description:

This update for tiff fixes the following issues:

- A crafted TIFF image could cause a crash and potential code execution when
processed by the 'tiffcp' utility (CVE-2017-5225, bsc#1019611).

Also a regression from the version update to 4.0.7 was fixed in
handling TIFFTAG_FAXRECVPARAMS. (bsc#1022103)



-----------------------------------------
Patch: SUSE-2017-240
Released: Wed Feb 15 07:29:29 2017
Summary: Security update for libXpm
Severity: moderate
References: 1021315,CVE-2016-10164
Description:

This update for libXpm fixes the following issues:

- A heap overflow in XPM handling could be used by attackers supplying XPM files to 
  crash or potentially execute code. (bsc#1021315)


-----------------------------------------
Patch: SUSE-2017-241
Released: Wed Feb 15 07:30:57 2017
Summary: Security update for gd
Severity: moderate
References: 1022263,1022264,1022265,1022283,1022284,1022553,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-6906,CVE-2016-6912,CVE-2016-9317
Description:

This update for gd fixes the following security issues:

- CVE-2016-6906: An out-of-bounds read in TGA decompression was fixed which could have lead to crashes. (bsc#1022553)
- CVE-2016-6912: Double free vulnerability in the gdImageWebPtr function
  in the GD Graphics Library (aka libgd) allowed remote attackers to have
  unspecified impact via large width and height values. (bsc#1022284)
- CVE-2016-9317: The gdImageCreate function in the GD Graphics Library
  (aka libgd) allowed remote attackers to cause a denial of service
  (system hang) via an oversized image.  (bsc#1022283)
- CVE-2016-10166: A potential unsigned underflow in gd interpolation
  functions could lead to memory corruption in the GD Graphics Library (aka libgd) (bsc#1022263)
- CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx()
  could lead to libgd running out of memory even on small files. (bsc#1022264)
- CVE-2016-10168: A signed integer overflow in the GD Graphics Library (aka libgd) could lead
  to memory corruption (bsc#1022265)


-----------------------------------------
Patch: SUSE-2017-247
Released: Wed Feb 15 17:20:25 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1003153,1003925,1004462,1004517,1005666,1007197,1008833,1008979,1009969,1010040,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011820,1012422,1013038,1013531,1013540,1013542,1014746,1016482,1017410,1017589,1017710,1019300,1019851,1020602,1021258,881008,915183,958606,961257,970083,971989,976195,978094,980371,980560,981038,981597,981709,982282,982544,983619,983721,983977,984148,984419,984755,985978,986362,986365,986445,986569,986572,986811,986941,987542,987565,987576,989152,990384,991608,991665,993392,993890,993891,994296,994748,994881,995968,997708,998795,999584,999600,999932,999943,CVE-2014-9904,CVE-2015-8956,CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-4470,CVE-2016-4997,CVE-2016-5696,CVE-2016-5828,CVE-2016-5829,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-8658,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Description:


The SUSE Linux Enterprise 12 GA LTSS kernel was updated to 3.12.61 to receive various security and bugfixes.

The following feature was implemented:

- The ext2 filesystem got reenabled and supported to allow support for 'XIP' (Execute In Place) (FATE#320805).


The following security bugs were fixed:

- CVE-2017-5551: The tmpfs filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bsc#1021258).
- CVE-2016-7097: The filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968).
- CVE-2017-2583: A Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. A user/process inside guest could have used this flaw to crash the guest resulting in DoS or potentially escalate their privileges inside guest. (bsc#1020602).
- CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt (bnc#1019851).
- CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710).
- CVE-2016-8645: The TCP stack in the Linux kernel mishandled skb truncation, which allowed local users to cause a denial of service (system crash) via a crafted application that made sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (bnc#1009969).
- CVE-2016-8399: An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31349935 (bnc#1014746).
- CVE-2016-9806: Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel allowed local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated (bnc#1013540).
- CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038).
- CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531).
- CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716).
- CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).
- CVE-2016-7913: The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (bnc#1010478).
- CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711).
- CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507).
- CVE-2015-8963: Race condition in kernel/events/core.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation (bnc#1010502).
- CVE-2016-7914: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel did not check whether a slot is a leaf, which allowed local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite (bnc#1010475).
- CVE-2016-8633: drivers/firewire/net.c in the Linux kernel allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833).
- CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux kernel allowed local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine confusion bug (bnc#1007197).
- CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel misused the kzalloc function, which allowed local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file (bnc#1007197).
- CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel uses an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517).
- CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
- CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462).
- CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation (bnc#994748).
- CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296).
- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for remote attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).
- CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by changing a certain length value, aka a 'double fetch' vulnerability (bnc#987542).
- CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608).
- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986362 bnc#986365).
- CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call (bnc#986569).
- CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).
- CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572).
- CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755).

The following non-security bugs were fixed:

- base: make module_create_drivers_dir race-free (bnc#983977).
- btrfs-8448-improve-performance-on-fsync-against-new-inode.patch: Disable (bsc#981597).
- btrfs: account for non-CoW'd blocks in btrfs_abort_transaction (bsc#983619).
- btrfs: be more precise on errors when getting an inode from disk (bsc#981038).
- btrfs: do not create or leak aliased root while cleaning up orphans (bsc#994881).
- btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600).
- btrfs: fix relocation incorrectly dropping data references (bsc#990384).
- btrfs: handle quota reserve failure properly (bsc#1005666).
- btrfs: improve performance on fsync against new inode after rename/unlink (bsc#981038).
- btrfs: increment ctx->pos for every emitted or skipped dirent in readdir (bsc#981709).
- btrfs: remove old tree_root dirent processing in btrfs_real_readdir() (bsc#981709).
- cdc-acm: added sanity checking for probe() (bsc#993891).
- ext2: Enable ext2 driver in config files (bsc#976195, fate#320805)
- ext4: Add parameter for tuning handling of ext2 (bsc#976195).
- ext4: Fixup handling for custom configs in tuning.
- ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it (bsc#984419).
- ipv6: Fix improper use or RCU in patches.kabi/ipv6-add-complete-rcu-protection-around-np-opt.kabi.patch. (bsc#961257)
- ipv6: KABI workaround for ipv6: add complete rcu protection around np->opt.
- kabi: prevent spurious modversion changes after bsc#982544 fix (bsc#982544).
- kabi: reintroduce sk_filter (kabi).
- kaweth: fix firmware download (bsc#993890).
- kaweth: fix oops upon failed memory allocation (bsc#993890).
- kgraft/iscsi-target: Do not block kGraft in iscsi_np kthread (bsc#1010612, fate#313296).
- kgraft/xen: Do not block kGraft in xenbus kthread (bsc#1017410, fate#313296).
- kgr: ignore zombie tasks during the patching (bnc#1008979).
- mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721).
- mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED (VM Functionality, bnc#986445).
- modsign: Print appropriate status message when accessing UEFI variable (bsc#958606).
- mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (bsc#1011820).
- mpt3sas: Fix panic when aer correct error occurred (bsc#997708, bsc#999943).
- netfilter: allow logging fron non-init netns (bsc#970083).
- netfilter: bridge: do not leak skb in error paths (bsc#982544).
- netfilter: bridge: forward IPv6 fragmented packets (bsc#982544).
- netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6 (bsc#982544).
- nfs: Do not write enable new pages while an invalidation is proceeding (bsc#999584).
- nfs: Fix a regression in the read() syscall (bsc#999584).
- pci/aer: Clear error status registers during enumeration and restore (bsc#985978).
- ppp: defer netns reference release for ppp channel (bsc#980371).
- reiserfs: fix race in prealloc discard (bsc#987576).
- scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989)
- scsi: Increase REPORT_LUNS timeout (bsc#982282).
- series.conf: move stray netfilter patches to the right section
- squashfs3: properly handle dir_emit() failures (bsc#998795).
- supported.conf: Add ext2
- timers: Use proper base migration in add_timer_on() (bnc#993392).
- tty: audit: Fix audit source (bsc#1016482).
- tty: Prevent ldisc drivers from re-using stale tty fields (bnc#1010507).
- usb: fix typo in wMaxPacketSize validation (bsc#991665).
- usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
- xen: Fix refcnt regression in xen netback introduced by changes made for bug#881008 (bnc#978094)
- xfs: allow lazy sb counter sync during filesystem freeze sequence (bsc#980560).
- xfs: fixed signedness of error code in xfs_inode_buf_verify (bsc#1003153).
- xfs: fix premature enospc on inode allocation (bsc#984148).
- xfs: get rid of XFS_IALLOC_BLOCKS macros (bsc#984148).
- xfs: get rid of XFS_INODE_CLUSTER_SIZE macros (bsc#984148).
- xfs: refactor xlog_recover_process_data() (bsc#1019300).
- xfs: Silence warnings in xfs_vm_releasepage() (bnc#915183 bsc#987565).
- xhci: silence warnings in switch (bnc#991665).


-----------------------------------------
Patch: SUSE-2017-261
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1019276
Description:

This update for dirmngr fixes the following issues:

- Properly initialize the dirmngr tmpfilesd files right away and not
  just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds
  wrt (bsc#1019276)
- Proprely require logrotate as we need it for the dirmngr configs


-----------------------------------------
Patch: SUSE-2017-290
Released: Thu Feb 23 08:49:22 2017
Summary: Security update for util-linux
Severity: important
References: 1008965,1012504,1012632,1019332,1020077,1023041,947494,966891,978993,982331,983164,987176,988361,CVE-2016-5011,CVE-2017-2616
Description:
This update for util-linux fixes a number of bugs and two security issues.

The following security bugs were fixed:

- CVE-2016-5011: Infinite loop DoS in libblkid while parsing DOS partition (bsc#988361)
- CVE-2017-2616: In su with PAM support it was possible for local users to send SIGKILL to selected other processes with root privileges (bsc#1023041).

The following non-security bugs were fixed:

- bsc#1008965: Ensure that the option 'users,exec,dev,suid' work as expected on NFS mounts 
- bsc#1012504: Fix regressions in safe loop re-use patch set for libmount 
- bsc#1012632: Disable ro checks for mtab 
- bsc#1020077: fstrim: De-duplicate btrfs sub-volumes for 'fstrim -a' and bind mounts 
- bsc#947494: mount -a would fail to recognize btrfs already mounted, address loop re-use in libmount
- bsc#966891: Conflict in meaning of losetup -L. This switch in SLE12 SP1 and SP2 continues to carry the meaning of --logical-blocksize instead of upstream --nooverlap
- bsc#978993: cfdisk would mangle some text output
- bsc#982331: libmount: ignore redundant slashes
- bsc#983164: mount uid= and gid= would reject valid non UID/GID values
- bsc#987176: When mounting a subfolder of a CIFS share, mount -a would show the mount as busy
- bsc#1019332: lscpu: Implement WSL detection and work around crash


-----------------------------------------
Patch: SUSE-2017-310
Released: Thu Mar  2 15:24:42 2017
Summary: Security update for bind
Severity: moderate
References: 1024130,CVE-2017-3135
Description:

This update for bind fixes the following issues:

- Fixed a possible denial of service vulnerability (affected only
  configurations using both DNS64 and RPZ, CVE-2017-3135, bsc#1024130)


-----------------------------------------
Patch: SUSE-2017-325
Released: Mon Mar  6 11:25:54 2017
Summary: Security update for openssh
Severity: moderate
References: 1005480,1005893,1006221,1016366,1016369,CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Description:

This update for openssh fixes the following issues:

- CVE-2016-8858: prevent resource depletion during key exchange (bsc#1005480)
- CVE-2016-10009: limit directories for loading PKCS11 modules to avoid privilege escalation (bsc#1016366)
- CVE-2016-10011: Prevent possible leaks of host private keys to low-privilege process handling authentication (bsc#1016369)

- Fix suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
- Properly verify CIDR masks in the AllowUsers and DenyUsers configuration lists (bsc#1005893)


-----------------------------------------
Patch: SUSE-2017-332
Released: Tue Mar  7 13:04:31 2017
Summary: Recommended update for boost
Severity: low
References: 1017048,1019896
Description:

This update for boost provides the following fixes:

- Enable build of 32bit version of libboost_locale1_54_0. (bsc#1017048)
- Ship ppc64le and s390x versions of libboost_random1_54_0. (bsc#1019896)


-----------------------------------------
Patch: SUSE-2017-333
Released: Tue Mar  7 13:09:08 2017
Summary: Recommended update for coreutils
Severity: low
References: 1024551,954222,994678
Description:

This update for coreutils provides the following fixes:

- Fix hanging df when remote mounts are inaccessible. (bsc#954222)
- Fix erroneous warnings with chmod(1) -R --changes. (bsc#994678)
- Allow install(1) options -D and -t to be used together. (bsc#1024551)


-----------------------------------------
Patch: SUSE-2017-354
Released: Thu Mar  9 11:31:22 2017
Summary: Recommended update for timezone
Severity: low
References: 1024676,1024677
Description:

This update provides the latest timezone information (2017a) for your system, including the
following changes:

- Mongolia no longer observes DST. (bsc#1024676)
- Chile's Region of Magallanes moves from -04/-03 to -03 year-round starting 2017-05-13 23:00.
  Split from America/Santiago creating a new zone America/Punta_Arenas.
  Also affects Antarctica/Palmer. (bsc#1024677)
- Fixes to historical time stamps: Spain, Ecuador, Atyrau, Oral.
- Switch to numeric, or commonly used time zone abbreviations.
- zic(8) no longer mishandles some transitions in January 2038.
- date and strftime now cause %z to generate '-0000' instead of '+0000' when the UT offset is
  zero and the time zone abbreviation begins with '-'.


-----------------------------------------
Patch: SUSE-2017-357
Released: Thu Mar  9 15:12:40 2017
Summary: Recommended update for jasper
Severity: low
References: 1028070
Description:

This update for jasper provides the following fixes:

- Add -D_BSD_SOURCE to fix redefinition of system types in jas_config.h, which
  could lead to build failures on ppc64le, s390 and s390x. (bsc#1028070)


-----------------------------------------
Patch: SUSE-2017-375
Released: Wed Mar 15 00:44:27 2017
Summary: Recommended update for systemd
Severity: moderate
References: 1001790,1005404,1005497,1012266,1012591,1013989,1018399,1020083,909418,912715,945340,963290,964168,968183,990538,997682
Description:

This update for systemd provides the following fixes:

- rule: Don't automatically online standby memory on s390x. (bsc#997682)
- systemctl: Remove duplicate entries showed by list-dependencies. (bsc#1012266)
- systemctl: Add ConsistsOf as the inverse of PartOf. (bsc#1020083)
- man: Reword list-dependencies description.
- man: Improve description of systemctl's --after/--before.
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- core: Make sure to not call device_is_bound_by_mounts() when dev is null. (bsc#1018399)
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. (bsc#909418, bsc#912715, bsc#945340)
- core: Do not bind a mount unit to a device, if it was from mountinfo.
- rules: Don't ignore CDROM devices even if not ready.
- unit: Use weaker dependencies between mount and device units in --user mode.
- rules: Clean up stale CD drive mounts after ejection.
- core: Add dependencies to dynamically mounted mounts too.
- fstab-generator: Remove bogus condition. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- man: Explain that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- systemctl: Make sure list-jobs doesn't return failure on success. (bsc#1005497)
- manager: Be stricter with incoming notifications, warn properly about too large ones.
- manager: Don't ever busy loop when we get a notification message we can't process.
- Disable seccomp for ppc64le. (bsc#964168)
- Add 'mac-us' to kbd-model-map-extra. (bsc#968183)
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.


-----------------------------------------
Patch: SUSE-2017-376
Released: Wed Mar 15 11:50:38 2017
Summary: Recommended update for dbus-1
Severity: low
References: 1025950,1025951,974092
Description:

This update for dbus-1 fixes the following issues:

Security issues fixed:
- Symlink attack in nonce-tcp transport. (bsc#1025950)
- Symlink attack in unit tests. (bsc#1025951)

Bugfixes:
- Remove sysvinit script, not used under systemd. (bsc#974092)


-----------------------------------------
Patch: SUSE-2017-445
Released: Tue Mar 21 18:27:18 2017
Summary: Recommended update for man
Severity: low
References: 1025597,786679,986211
Description:

This update for man provides the following fixes:

- Stop using the wrapper that squashed root privileges down to uid man. (bsc#986211, bsc#1025597)
- Add description of MAN_POSIXLY_CORRECT in man.man1. (bsc#786679)


-----------------------------------------
Patch: SUSE-2017-451
Released: Wed Mar 22 15:55:40 2017
Summary: Security update for wget
Severity: moderate
References: 1028301,CVE-2017-6508
Description:

This update for wget fixes the following issues:

Security issue fixed:
- CVE-2017-6508: (url_parse): Reject control characters in host part of URL (bsc#1028301).


-----------------------------------------
Patch: SUSE-2017-457
Released: Fri Mar 24 12:35:18 2017
Summary: Recommended update for timezone
Severity: low
References: 1030417
Description:

This update provides the latest timezone information (2017b) for your system, including following changes:

- Haiti resumed observance of DST in 2017.
- Liberia changed from -004430 to +00 on 1972-01-07, not 1972-05-01.
- Use 'MMT' to abbreviate Liberia's time zone before 1972.


-----------------------------------------
Patch: SUSE-2017-458
Released: Fri Mar 24 13:49:49 2017
Summary: Recommended update for fdupes
Severity: low
References: 1005386
Description:

This update for fdupes provides the following fixes and enhancements:

- Add new options: --nohidden, --permissions, --order, --reverse, --immediate.
- Speed up file comparison.
- Fix bug where fdupes fails to consistently ignore hardlinks, depending on
  file processing order, when F_CONSIDERHARDLINKS flag is not set.
- Using tty for interactive input instead of regular stdin. This is to allow
  feeding filenames via stdin in future versions of fdupes without breaking
  interactive deletion feature.
- Sort the output of fdupes by filename to make it deterministic for parallel
  builds. (bsc#1005386)


-----------------------------------------
Patch: SUSE-2017-478
Released: Wed Mar 29 13:02:30 2017
Summary: Security update for libpng16
Severity: moderate
References: 1017646,CVE-2016-10087
Description:

This update for libpng16 fixes the following issues:

Security issues fixed:
- CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646)


-----------------------------------------
Patch: SUSE-2017-481
Released: Wed Mar 29 15:39:24 2017
Summary: Security update for samba
Severity: important
References: 1019416,1024416,1027147,993692,993707,CVE-2017-2619
Description:

This update for samba fixes the following issues:

Security issues fixed:
- CVE-2017-2619: Symlink race permits opening files outside share directory (bsc#1027147).

Bugfixes:
- Don't package man pages for VFS modules that aren't built (bsc#993707).
- sync_req: make async_connect_send() 'reentrant'; (bso#12105); (bsc#1024416).
- Document 'winbind: ignore domains' parameter; (bsc#1019416).
- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).


-----------------------------------------
Patch: SUSE-2017-482
Released: Wed Mar 29 15:40:19 2017
Summary: Security update for libpng12
Severity: moderate
References: 1017646,958791,CVE-2015-8540,CVE-2016-10087
Description:

This update for libpng12 fixes the following issues:

Security issues fixed:
- CVE-2015-8540: read underflow in libpng (bsc#958791)
- CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646)


-----------------------------------------
Patch: SUSE-2017-486
Released: Thu Mar 30 00:09:34 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1027565,1028372,1030573,CVE-2017-2636,CVE-2017-7184
Description:

The SUSE Linux Enterprise 12 kernel was updated to fix the following security bugs:

- CVE-2017-7184: The Linux kernel allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) via unspecified vectors, as demonstrated during a Pwn2Own competition at CanSecWest 2017 (bnc#1030573, bnc#1028372).
- CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565).


-----------------------------------------
Patch: SUSE-2017-538
Released: Tue Apr  4 13:31:44 2017
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1014265,1024909,1028492,1030136,1030827,1030919,985390
Description:

This update for libzypp, zypper fixes the following issues:

libzypp:

- Fix X-libcurl-Empty-Header-Workaround. (bsc#1030919, bsc#1030827)
- Treat HTTP response 410 (Gone) like 404 (Not Found). (bsc#1030136)
- Properly escape XML node content. (bsc#1024909)
- Add parsable XML output for listing locks. (bsc#985390)
- Don't raise FileCheckException if user accepted a package with wrong digest. (bsc#1014265)
- Add more details to pattern documentation.

zypper:

- Don't show installed system packages if list command is restricted to repos. (bsc#1028492)
- Fix invalid XML in GPG key info output. (bsc#1024909)
- Add parsable XML output to 'zypper locks'. (bsc#985390)


-----------------------------------------
Patch: SUSE-2017-542
Released: Wed Apr  5 14:26:21 2017
Summary: Security update for audiofile
Severity: low
References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988,949399,CVE-2015-7747,CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839
Description:

This audiofile update fixes the following issue:

Security issues fixed:
- CVE-2015-7747: Fixed buffer overflow issue when changing both number of channels and sample format. (bsc#949399)
- CVE-2017-6827: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp) (bsc#1026979)
- CVE-2017-6828: heap-based buffer overflow in readValue (FileHandle.cpp) (bsc#1026980)
- CVE-2017-6829: global buffer overflow in decodeSample (IMA.cpp) (bsc#1026981)
- CVE-2017-6830: heap-based buffer overflow in alaw2linear_buf (G711.cpp) (bsc#1026982)
- CVE-2017-6831: heap-based buffer overflow in IMA::decodeBlockWAVE (IMA.cpp) (bsc#1026983)
- CVE-2017-6832: heap-based buffer overflow in MSADPCM::decodeBlock (MSADPCM.cpp) (bsc#1026984)
- CVE-2017-6833: divide-by-zero in BlockCodec::runPull (BlockCodec.cpp) (bsc#1026985)
- CVE-2017-6834: heap-based buffer overflow in ulaw2linear_buf (G711.cpp) (bsc#1026986)
- CVE-2017-6835: divide-by-zero in BlockCodec::reset1 (BlockCodec.cpp) (bsc#1026988)
- CVE-2017-6836: heap-based buffer overflow in Expand3To4Module::run (SimpleModule.h) (bsc#1026987)
- CVE-2017-6837, CVE-2017-6838, CVE-2017-6839: multiple ubsan crashes (bsc#1026978)


-----------------------------------------
Patch: SUSE-2017-551
Released: Thu Apr  6 14:28:02 2017
Summary: Security update for jasper
Severity: moderate
References: 1015400,1018088,1020353,1021868,1029497,CVE-2016-10251,CVE-2016-9583,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Description:

This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9600: Null Pointer Dereference due to missing check for UNKNOWN color space in JP2 encoder (bsc#1018088)
- CVE-2016-10251: Use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c) (bsc#1029497)
- CVE-2017-5498: left-shift undefined behaviour (bsc#1020353)
- CVE-2017-6850: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) (bsc#1021868)
- CVE-2016-9583: Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400)


-----------------------------------------
Patch: SUSE-2017-580
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Severity: important
References: 1028410
Description:

This update for cpio fixes the following issues:

- A regression caused cpio to crash for tar and ustar archive types
  [bsc#1028410]


-----------------------------------------
Patch: SUSE-2017-581
Released: Thu Apr 13 02:32:18 2017
Summary: Security update for bind
Severity: important
References: 1033466,1033467,1033468,987866,989528,CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Description:

This update for bind fixes the following issues:

CVE-2017-3137 (bsc#1033467):
Mistaken assumptions about the ordering of records in the answer
section of a response containing CNAME or DNAME resource records
could have been exploited to cause a denial of service of a bind
server performing recursion.

CVE-2017-3136 (bsc#1033466):
An attacker could have constructed a query that would cause a denial
of service of servers configured to use DNS64.

CVE-2017-3138 (bsc#1033468):
An attacker with access to the BIND control channel could have caused
the server to stop by triggering an assertion failure.

CVE-2016-6170 (bsc#987866):
Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response.
IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response.
Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message.

CVE-2016-2775 (bsc#989528):
When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service 
(daemon crash) via a long request that uses the lightweight resolver protocol.



-----------------------------------------
Patch: SUSE-2017-589
Released: Thu Apr 13 13:12:45 2017
Summary: Recommended update for libtool
Severity: moderate
References: 1010802
Description:

This update for libtool prevents a segmentation fault caused by insufficient error
handling on out-of-memory situations.


-----------------------------------------
Patch: SUSE-2017-598
Released: Mon Apr 17 22:56:57 2017
Summary: Recommended update for ruby-common, rubygem-gem2rpm
Severity: low
References: 963710
Description:

This update for ruby-common, rubygem-gem2rpm fixes the following issues:

ruby-common:

- Since rubygems 2.5.0 the default version in the gem bin stub changed from '>= 0'
  to '>= 0.a'. This was done to allow pre-release versions. Our patching script
  didn't take the '.a' into account and generated version fields like '= 0.10.1.a'
  instead of the expected '= 0.10.1'. This fix accounts for the '.a'.

Changes in rubygem-gem2rpm:

- Fix 'gem2rpm --fetch': prefer https for accessing rubygems.org. (bsc#963710)
- Add support for Ruby 2.3.0 and 2.4.0.
- Add :post_patch hook to run commands before we rebuild the gem used by libv8.
- Add support for rubinius 2.5 and remove support for 2.2.
- No longer require the Ruby version inside the sub-package. With BuildRequires
  we already make sure that the package is only built if we find a recent enough
  ABI. Then the normal $interpreter(abi) requires generated by rpm is enough.
- Move to new packaging templates by default.


-----------------------------------------
Patch: SUSE-2017-607
Released: Tue Apr 18 11:20:18 2017
Summary: Security update for libsndfile
Severity: moderate
References: 1033053,1033054,1033914,1033915,CVE-2017-7585,CVE-2017-7586,CVE-2017-7741,CVE-2017-7742
Description:

This update for libsndfile fixes the following security issues:

- CVE-2017-7586: A stack-based buffer overflow via a specially crafted FLAC
  file was fixed (error in the 'header_read()' function) (bsc#1033053)
- CVE-2017-7585,CVE-2017-7741, CVE-2017-7742: Several stack-based buffer overflows via a specially crafted FLAC
  file (error in the 'flac_buffer_copy()' function) were fixed (bsc#1033054,bsc#1033915,bsc#1033914).


-----------------------------------------
Patch: SUSE-2017-609
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).


-----------------------------------------
Patch: SUSE-2017-610
Released: Tue Apr 18 11:29:22 2017
Summary: Security update for tiff
Severity: important
References: 1031247,1031249,1031250,1031254,1031255,1031262,1031263,CVE-2016-10266,CVE-2016-10267,CVE-2016-10268,CVE-2016-10269,CVE-2016-10270,CVE-2016-10271,CVE-2016-10272
Description:

This update for tiff fixes the following issues:

Security issues fixed:
- CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to
  'WRITE of size 2048' and libtiff/tif_next.c:64:9 (bsc#1031247).
- CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
  service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other
  impact via a crafted TIFF image, related to 'READ of size 1' and libtiff/tif_fax3.c:413:13
  (bsc#1031249).
- CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to
  'READ of size 8' and libtiff/tif_read.c:523:22 (bsc#1031250).
- CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to
  'READ of size 512' and libtiff/tif_unix.c:340:2 (bsc#1031254).
- CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
  service (integer underflow and heap-based buffer under-read) or possibly have unspecified other
  impact via a crafted TIFF image, related to 'READ of size 78490' and libtiff/tif_unix.c:115:23
  (bsc#1031255).
- CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to cause a denial of service
  (divide-by-zero error and application crash) via a crafted TIFF image, related to
  libtiff/tif_ojpeg.c:816:8 (bsc#1031262).
- CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to cause a denial of service
  (divide-by-zero error and application crash) via a crafted TIFF image, related to
  libtiff/tif_read.c:351:22. (bsc#1031263).


-----------------------------------------
Patch: SUSE-2017-612
Released: Tue Apr 18 16:06:12 2017
Summary: Security update for ntp
Severity: moderate
References: 1014172,1030050,CVE-2016-9042,CVE-2017-6451,CVE-2017-6458,CVE-2017-6460,CVE-2017-6462,CVE-2017-6463,CVE-2017-6464
Description:

This ntp update to version 4.2.8p10 fixes serveral issues.

This updated enables leap smearing. See
/usr/share/doc/packages/ntp/README.leapsmear for details.

Security issues fixed (bsc#1030050):

- CVE-2017-6464: Denial of Service via Malformed Config
- CVE-2017-6462: Buffer Overflow in DPTS Clock
- CVE-2017-6463: Authenticated DoS via Malicious Config Option
- CVE-2017-6458: Potential Overflows in ctl_put() functions
- CVE-2017-6451: Improper use of snprintf() in mx4200_send()
- CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist
- CVE-2016-9042: 0rigin (zero origin) DoS.
- ntpq_stripquotes() returns incorrect Value
- ereallocarray()/eallocarray() underused
- Copious amounts of Unused Code
- Off-by-one in Oncore GPS Receiver
- Makefile does not enforce Security Flags

Bugfixes:

- Remove spurious log messages (bsc#1014172).
- clang scan-build findings
- Support for openssl-1.1.0 without compatibility modes
- Bugfix 3072 breaks multicastclient
- forking async worker: interrupted pipe I/O
- (...) time_pps_create: Exec format error
- Incorrect Logic for Peer Event Limiting
- Change the process name of forked DNS worker
- Trap Configuration Fail
- Nothing happens if minsane < maxclock < minclock
- allow -4/-6 on restrict line with mask
- out-of-bound pointers in ctl_putsys and decode_bitflags
- Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for
  transactional updates.


-----------------------------------------
Patch: SUSE-2017-624
Released: Thu Apr 20 08:35:35 2017
Summary: Security update for ruby2.1
Severity: important
References: 1014863,1018808,887877,909695,926974,936032,959495,986630,CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Description:

This ruby2.1 update to version 2.1.9 fixes the following issues:

Security issues fixed:
- CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' (bsc#1018808)
- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495)
- CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032)
- CVE-2015-1855: Ruby'a OpenSSL extension suffers a vulnerability through overly permissive matching of
  hostnames (bsc#926974)
- CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877)

Bugfixes:
- SUSEconnect doesn't handle domain wildcards in no_proxy environment variable properly (bsc#1014863)
- Segmentation fault after pack & ioctl & unpack (bsc#909695)
- Ruby:HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog:
- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog


-----------------------------------------
Patch: SUSE-2017-643
Released: Tue Apr 25 19:11:45 2017
Summary: Recommended update for ruby2.1
Severity: important
References: 1014863,1035988
Description:

This update for ruby2.1 fixes a regression introduced by a previous update that
was intended to fix insufficient support for domain wildcards in the $no_proxy
environment variable.


-----------------------------------------
Patch: SUSE-2017-644
Released: Wed Apr 26 17:31:22 2017
Summary: Security update for tcpdump, libpcap
Severity: moderate
References: 1020940,1035686,905870,905871,905872,922220,922221,922222,922223,927637,CVE-2014-8767,CVE-2014-8768,CVE-2014-8769,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155,CVE-2015-3138,CVE-2016-7922,CVE-2016-7923,CVE-2016-7924,CVE-2016-7925,CVE-2016-7926,CVE-2016-7927,CVE-2016-7928,CVE-2016-7929,CVE-2016-7930,CVE-2016-7931,CVE-2016-7932,CVE-2016-7933,CVE-2016-7934,CVE-2016-7935,CVE-2016-7936,CVE-2016-7937,CVE-2016-7938,CVE-2016-7939,CVE-2016-7940,CVE-2016-7973,CVE-2016-7974,CVE-2016-7975,CVE-2016-7983,CVE-2016-7984,CVE-2016-7985,CVE-2016-7986,CVE-2016-7992,CVE-2016-7993,CVE-2016-8574,CVE-2016-8575,CVE-2017-5202,CVE-2017-5203,CVE-2017-5204,CVE-2017-5205,CVE-2017-5341,CVE-2017-5342,CVE-2017-5482,CVE-2017-5483,CVE-2017-5484,CVE-2017-5485,CVE-2017-5486
Description:

This update for tcpdump to version 4.9.0 and libpcap to version 1.8.1 fixes the several issues.

These security issues were fixed in tcpdump:

- CVE-2016-7922: The AH parser in tcpdump had a buffer overflow in print-ah.c:ah_print() (bsc#1020940).
- CVE-2016-7923: The ARP parser in tcpdump had a buffer overflow in print-arp.c:arp_print() (bsc#1020940).
- CVE-2016-7924: The ATM parser in tcpdump had a buffer overflow in print-atm.c:oam_print() (bsc#1020940).
- CVE-2016-7925: The compressed SLIP parser in tcpdump had a buffer overflow in print-sl.c:sl_if_print() (bsc#1020940).
- CVE-2016-7926: The Ethernet parser in tcpdump had a buffer overflow in print-ether.c:ethertype_print() (bsc#1020940).
- CVE-2016-7927: The IEEE 802.11 parser in tcpdump had a buffer overflow in print-802_11.c:ieee802_11_radio_print() (bsc#1020940).
- CVE-2016-7928: The IPComp parser in tcpdump had a buffer overflow in print-ipcomp.c:ipcomp_print() (bsc#1020940).
- CVE-2016-7929: The Juniper PPPoE ATM parser in tcpdump had a buffer overflow in print-juniper.c:juniper_parse_header() (bsc#1020940).
- CVE-2016-7930: The LLC/SNAP parser in tcpdump had a buffer overflow in print-llc.c:llc_print() (bsc#1020940).
- CVE-2016-7931: The MPLS parser in tcpdump had a buffer overflow in print-mpls.c:mpls_print() (bsc#1020940).
- CVE-2016-7932: The PIM parser in tcpdump had a buffer overflow in print-pim.c:pimv2_check_checksum() (bsc#1020940).
- CVE-2016-7933: The PPP parser in tcpdump had a buffer overflow in print-ppp.c:ppp_hdlc_if_print() (bsc#1020940).
- CVE-2016-7934: The RTCP parser in tcpdump had a buffer overflow in print-udp.c:rtcp_print() (bsc#1020940).
- CVE-2016-7935: The RTP parser in tcpdump had a buffer overflow in print-udp.c:rtp_print() (bsc#1020940).
- CVE-2016-7936: The UDP parser in tcpdump had a buffer overflow in print-udp.c:udp_print() (bsc#1020940).
- CVE-2016-7937: The VAT parser in tcpdump had a buffer overflow in print-udp.c:vat_print() (bsc#1020940).
- CVE-2016-7938: The ZeroMQ parser in tcpdump had an integer overflow in print-zeromq.c:zmtp1_print_frame() (bsc#1020940).
- CVE-2016-7939: The GRE parser in tcpdump had a buffer overflow in print-gre.c, multiple functions (bsc#1020940).
- CVE-2016-7940: The STP parser in tcpdump had a buffer overflow in print-stp.c, multiple functions (bsc#1020940).
- CVE-2016-7973: The AppleTalk parser in tcpdump had a buffer overflow in print-atalk.c, multiple functions (bsc#1020940).
- CVE-2016-7974: The IP parser in tcpdump had a buffer overflow in print-ip.c, multiple functions (bsc#1020940).
- CVE-2016-7975: The TCP parser in tcpdump had a buffer overflow in print-tcp.c:tcp_print() (bsc#1020940).
- CVE-2016-7983: The BOOTP parser in tcpdump had a buffer overflow in print-bootp.c:bootp_print() (bsc#1020940).
- CVE-2016-7984: The TFTP parser in tcpdump had a buffer overflow in print-tftp.c:tftp_print() (bsc#1020940).
- CVE-2016-7985: The CALM FAST parser in tcpdump had a buffer overflow in print-calm-fast.c:calm_fast_print() (bsc#1020940).
- CVE-2016-7986: The GeoNetworking parser in tcpdump had a buffer overflow in print-geonet.c, multiple functions (bsc#1020940).
- CVE-2016-7992: The Classical IP over ATM parser in tcpdump had a buffer overflow in print-cip.c:cip_if_print() (bsc#1020940).
- CVE-2016-7993: A bug in util-print.c:relts_print() in tcpdump could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM) (bsc#1020940).
- CVE-2016-8574: The FRF.15 parser in tcpdump had a buffer overflow in print-fr.c:frf15_print() (bsc#1020940).
- CVE-2016-8575: The Q.933 parser in tcpdump had a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2017-5482 (bsc#1020940).
- CVE-2017-5202: The ISO CLNS parser in tcpdump had a buffer overflow in print-isoclns.c:clnp_print() (bsc#1020940).
- CVE-2017-5203: The BOOTP parser in tcpdump had a buffer overflow in print-bootp.c:bootp_print() (bsc#1020940).
- CVE-2017-5204: The IPv6 parser in tcpdump had a buffer overflow in print-ip6.c:ip6_print() (bsc#1020940).
- CVE-2017-5205: The ISAKMP parser in tcpdump had a buffer overflow in print-isakmp.c:ikev2_e_print() (bsc#1020940).
- CVE-2017-5341: The OTV parser in tcpdump had a buffer overflow in print-otv.c:otv_print() (bsc#1020940).
- CVE-2017-5342: In tcpdump a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print() (bsc#1020940).
- CVE-2017-5482: The Q.933 parser in tcpdump had a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2016-8575 (bsc#1020940).
- CVE-2017-5483: The SNMP parser in tcpdump had a buffer overflow in print-snmp.c:asn1_parse() (bsc#1020940).
- CVE-2017-5484: The ATM parser in tcpdump had a buffer overflow in print-atm.c:sig_print() (bsc#1020940).
- CVE-2017-5485: The ISO CLNS parser in tcpdump had a buffer overflow in addrtoname.c:lookup_nsap() (bsc#1020940).
- CVE-2017-5486: The ISO CLNS parser in tcpdump had a buffer overflow in print-isoclns.c:clnp_print() (bsc#1020940).
- CVE-2015-3138: Fixed potential denial of service in print-wb.c (bsc#927637).
- CVE-2015-0261: Integer signedness error in the mobility_opt_print function in the IPv6 mobility printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read and crash) or possibly execute arbitrary code via a negative length value (bsc#922220).
- CVE-2015-2153: The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read or write and crash) via a crafted header length in an RPKI-RTR Protocol Data Unit (PDU) (bsc#922221).
- CVE-2015-2154: The osi_print_cksum function in print-isoclns.c in the ethernet printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3) base pointer checksum value (bsc#922222).
- CVE-2015-2155: The force printer in tcpdump allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors (bsc#922223).
- CVE-2014-8767: Integer underflow in the olsr_print function in tcpdump 3.9.6 when in verbose mode, allowed remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame (bsc#905870).
- CVE-2014-8768: Multiple Integer underflows in the geonet_print function in tcpdump when run in verbose mode, allowed remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame (bsc#905871).
- CVE-2014-8769: tcpdump might have allowed remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access (bsc#905872).

These non-security issues were fixed in tcpdump:

- PPKI to Router Protocol: Fix Segmentation Faults and other problems
- RPKI to Router Protocol: print strings with fn_printn()
- Added a short option '#', same as long option '--number'
- nflog, mobile, forces, pptp, AODV, AHCP, IPv6, OSPFv4, RPL, DHCPv6 enhancements/fixes
- M3UA decode added.
- Added bittok2str().
- A number of unaligned access faults fixed
- The -A flag does not consider CR to be printable anymore
- fx.lebail took over coverity baby sitting
- Default snapshot size increased to 256K for accomodate USB captures

These non-security issues were fixed in libpcap:

- Provide a -devel-static subpackage that contains the static
  libraries and all the extra dependencies which are not needed
  for dynamic linking.
- Fix handling of packet count in the TPACKET_V3 inner loop
- Filter out duplicate looped back CAN frames.
- Fix the handling of loopback filters for IPv6 packets.
- Add a link-layer header type for RDS (IEC 62106) groups.
- Handle all CAN captures with pcap-linux.c, in cooked mode.
- Removes the need for the 'host-endian' link-layer header type.
- Have separate DLTs for big-endian and host-endian SocketCAN headers.
- Properly check for sock_recv() errors.
- Re-impose some of Winsock's limitations on sock_recv().
- Replace sprintf() with pcap_snprintf().
- Fix signature of pcap_stats_ex_remote().
- Have rpcap_remoteact_getsock() return a SOCKET and supply an 'is active' flag.
- Clean up {DAG, Septel, Myricom SNF}-only builds.
- pcap_create_interface() needs the interface name on Linux.
- Clean up hardware time stamp support: the 'any' device does not support any time stamp types.
- Recognize 802.1ad nested VLAN tag in vlan filter.
- Support for filtering Geneve encapsulated packets.
- Fix handling of zones for BPF on Solaris
- Added bpf_filter1() with extensions
- EBUSY can now be returned by SNFv3 code.
- Don't crash on filters testing a non-existent link-layer type field.
- Fix sending in non-blocking mode on Linux with memory-mapped capture.
- Fix timestamps when reading pcap-ng files on big-endian machines.
- Fixes for byte order issues with NFLOG captures
- Handle using cooked mode for DLT_NETLINK in activate_new().


-----------------------------------------
Patch: SUSE-2017-668
Released: Tue May  2 16:45:00 2017
Summary: Security update for graphite2
Severity: important
References: 1035204,CVE-2017-5436
Description:

This update for graphite2 fixes one issue.

This security issues was fixed:

- CVE-2017-5436: An out-of-bounds write triggered with a maliciously crafted Graphite font could lead to a crash or potentially code execution (bsc#1035204).


-----------------------------------------
Patch: SUSE-2017-669
Released: Wed May  3 09:08:38 2017
Summary: Security update for apparmor
Severity: moderate
References: 1000201,1016259,1022610,1029696,1031529,CVE-2017-6507
Description:

This update for apparmor provides the following fixes:

This security issue was fixed:

- CVE-2017-6507: Preserve unknown profiles when reloading apparmor.service (bsc#1029696)

These non-security issues were fixed:

- Add tunables/kernelvars abstraction. (bsc#1031529)
- Update flags of ntpd profile. (bsc#1022610)
- Force AppArmor to start after /var/lib mounts. (bsc#1016259)
- Update mlmmj profiles. (bsc#1000201)


-----------------------------------------
Patch: SUSE-2017-693
Released: Thu May  4 13:46:08 2017
Summary: Recommended update for SuSEfirewall2
Severity: moderate
References: 1014987,785299,841046,847193,906136,938727,961258
Description:

This update for SuSEfirewall2 fixes the following issues:

- Install symlink to SuSEfirewall2 with the updated SUSE spelling. (bsc#938727, fate#316521)
- Remove basic.target to avoid loop with SuSEfirewall2. (bsc#961258)
- Ignore the bootlock when incremental updates for hotplugged or virtual devices
  are coming in during boot. This prevents lockups for example when drbd is used
  with FW_BOOT_FULL_INIT. (bsc#785299)
- Support for IPv6 in FW_TRUSTED_NETS config variable. (bsc#841046)
- Don't log dropped broadcast IPv6 broadcast/multicast packets by default to avoid cluttering
  the kernel log. (bsc#847193)
- Only apply FW_KERNEL_SECURITY proc settings, if not overriden by the administrator in
  /etc/sysctl.conf. This allows you to benefit from some of the kernel security settings,
  while overwriting others. (bsc#906136)
- Fix a race condition in systemd unit files that could cause the SuSEfirewall2_init unit
  to sporadically fail, because /tmp was not there/writable yet. (bsc#1014987)


-----------------------------------------
Patch: SUSE-2017-707
Released: Mon May  8 13:35:58 2017
Summary: Recommended update for gtk3
Severity: low
References: 1007453
Description:

This update for gtk3 provides the following fixes:

- Add dependency on 'gdk-pixbuf-loader-rsvg', required to load SVG icons included in
  adwaita-icon-theme. (bsc#1007453)


-----------------------------------------
Patch: SUSE-2017-711
Released: Mon May  8 15:35:02 2017
Summary: Recommended update for samba
Severity: moderate
References: 1036283,CVE-2017-2619
Description:

This update for samba fixes the following issues:

- Fix CVE-2017-2619 regression with 'follow symlinks = no'; (bsc#1036283, bso#12721).


-----------------------------------------
Patch: SUSE-2017-726
Released: Tue May  9 18:07:06 2017
Summary: Recommended update for yast2-registration
Severity: low
References: 1035084,941403,941739
Description:

This update for yast2-registration provides fixes required to support online
migration to SUSE Linux Enterprise 12 SP3.

- Added a step for checking registered but not installed addons to the migration
  workflow. In case of existence, allow the user to install the release package
  or deactivate the products.
- In case of abort, only registered products are downgraded and synced.
- Added to the migration summary information about products not offering migrations.
- Fix user messages when registration does not happen during installation.
  (bsc#941403, bsc#941739)


-----------------------------------------
Patch: SUSE-2017-731
Released: Wed May 10 12:48:31 2017
Summary: Recommended update for SUSEConnect
Severity: low
References: 1018190,975484,982630,990475,998583
Description:

This update for SUSEConnect provides the following fixes:

- Better error message for network request failure (bsc#982630)
- Fix error message for --product with malformed identifier (bsc#1018190)
- Fix some errors and formatting in manpages and help output
- Better error message for --list-extensions on unregistered systems
- Update man page to include the --list-extensions option (bsc#998583)
- Support for aarch64 hardware info (bsc#990475)
- Better error message if SMT is too old (bsc#975484)
- Add method to YaST class to get Installer-Updates repositories (fate#319716)


-----------------------------------------
Patch: SUSE-2017-732
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Severity: low
References: 1030621
Description:

This update for procps fixes the following issues:

- Command w(1) with option -n doesn't work. (bsc#1030621)


-----------------------------------------
Patch: SUSE-2017-735
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Severity: low
References: 1036736,986783
Description:

This update for gpg2 provides the following fixes:

- Do not install CAcert and other root certificates which are not needed with
  Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)


-----------------------------------------
Patch: SUSE-2017-748
Released: Thu May 11 16:23:31 2017
Summary: Security update for MozillaFirefox, mozilla-nss, mozilla-nspr, java-1_8_0-openjdk
Severity: important
References: 1015499,1015547,1021636,1026102,1030071,1035082,983639,CVE-2016-1950,CVE-2016-2834,CVE-2016-8635,CVE-2016-9574,CVE-2017-5429,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5437,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5448,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5469
Description:

Mozilla Firefox was updated to the Firefox ESR release 45.9.

Mozilla NSS was updated to support TLS 1.3 (close to release draft) and various new 
ciphers, PRFs, Diffie Hellman key agreement and support for more hashes.

Security issues fixed in Firefox (bsc#1035082)

- MFSA 2017-11/CVE-2017-5469: Potential Buffer overflow in flex-generated code
- MFSA 2017-11/CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1
- MFSA 2017-11/CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
- MFSA 2017-11/CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
- MFSA 2017-11/CVE-2017-5437: Vulnerabilities in Libevent library
- MFSA 2017-11/CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
- MFSA 2017-11/CVE-2017-5435: Use-after-free during transaction processing in the editor
- MFSA 2017-11/CVE-2017-5434: Use-after-free during focus handling
- MFSA 2017-11/CVE-2017-5433: Use-after-free in SMIL animation functions
- MFSA 2017-11/CVE-2017-5432: Use-after-free in text input selection
- MFSA 2017-11/CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
- MFSA 2017-11/CVE-2017-5465: Out-of-bounds read in ConvolvePixel
- MFSA 2017-11/CVE-2017-5460: Use-after-free in frame selection
- MFSA 2017-11/CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
- MFSA 2017-11/CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
- MFSA 2017-11/CVE-2017-5447: Out-of-bounds read during glyph processing
- MFSA 2017-11/CVE-2017-5444: Buffer overflow while parsing application/http-index-format content
- MFSA 2017-11/CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content
- MFSA 2017-11/CVE-2017-5442: Use-after-free during style changes
- MFSA 2017-11/CVE-2017-5443: Out-of-bounds write during BinHex decoding
- MFSA 2017-11/CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing
- MFSA 2017-11/CVE-2017-5441: Use-after-free with selection during scroll events
- MFSA 2017-11/CVE-2017-5459: Buffer overflow in WebGL

Mozilla NSS was updated to 3.29.5, bringing new features and fixing bugs:

- Update to NSS 3.29.5:
  * MFSA 2017-11/CVE-2017-5461: Rare crashes in the base 64 decoder and encoder were fixed.
  * MFSA 2017-11/CVE-2017-5462: A carry over bug in the RNG was fixed.
  * CVE-2016-9574: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA (bsc#1015499).
  * requires NSPR >= 4.13.1

- Update to NSS 3.29.3

  * enables TLS 1.3 by default

- Fixed a bug in hash computation (and build with
  GCC 7 which complains about shifts of boolean values).
  (bsc#1030071, bmo#1348767)

- Update to NSS 3.28.3

  This is a patch release to fix binary compatibility issues.

- Update to NSS 3.28.1

  This is a patch release to update the list of root CA certificates.

  * The following CA certificates were Removed

    CN = Buypass Class 2 CA 1
    CN = Root CA Generalitat Valenciana
    OU = RSA Security 2048 V3

  * The following CA certificates were Added

    OU = AC RAIZ FNMT-RCM
    CN = Amazon Root CA 1
    CN = Amazon Root CA 2
    CN = Amazon Root CA 3
    CN = Amazon Root CA 4
    CN = LuxTrust Global Root 2
    CN = Symantec Class 1 Public Primary Certification Authority - G4
    CN = Symantec Class 1 Public Primary Certification Authority - G6
    CN = Symantec Class 2 Public Primary Certification Authority - G4
    CN = Symantec Class 2 Public Primary Certification Authority - G6

  * The version number of the updated root CA list has been set to 2.11

- Update to NSS 3.28

  New functionality:

  * NSS includes support for TLS 1.3 draft -18. This includes a number
    of improvements to TLS 1.3:

    - The signed certificate timestamp, used in certificate
      transparency, is supported in TLS 1.3.
    - Key exporters for TLS 1.3 are supported. This includes the early
      key exporter, which can be used if 0-RTT is enabled. Note that
      there is a difference between TLS 1.3 and key exporters in older
      versions of TLS. TLS 1.3 does not distinguish between an empty
      context and no context.
    - The TLS 1.3 (draft) protocol can be enabled, by defining
      NSS_ENABLE_TLS_1_3=1 when building NSS.
    - NSS includes support for the X25519 key exchange algorithm,
      which is supported and enabled by default in all versions of TLS.

  Notable Changes:

  * NSS can no longer be compiled with support for additional elliptic curves.
    This was previously possible by replacing certain NSS source files.
  * NSS will now detect the presence of tokens that support additional
    elliptic curves and enable those curves for use in TLS.
    Note that this detection has a one-off performance cost, which can be
    avoided by using the SSL_NamedGroupConfig function to limit supported
    groups to those that NSS provides.
  * PKCS#11 bypass for TLS is no longer supported and has been removed.
  * Support for 'export' grade SSL/TLS cipher suites has been removed.
  * NSS now uses the signature schemes definition in TLS 1.3.
    This also affects TLS 1.2. NSS will now only generate signatures with the
    combinations of hash and signature scheme that are defined in TLS 1.3,
    even when negotiating TLS 1.2.

    - This means that SHA-256 will only be used with P-256 ECDSA certificates,
      SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
      SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
      compatibility reasons.
    - NSS will now no longer assume that default signature schemes are
      supported by a peer if there was no commonly supported signature scheme.

  * NSS will now check if RSA-PSS signing is supported by the token that holds
    the private key prior to using it for TLS.
  * The certificate validation code contains checks to no longer trust
    certificates that are issued by old WoSign and StartCom CAs after
    October 21, 2016. This is equivalent to the behavior that Mozilla will
    release with Firefox 51.

- Update to NSS 3.27.2
  * Fixed SSL_SetTrustAnchors leaks (bmo#1318561)

  - raised the minimum softokn/freebl version to 3.28 as reported in (boo#1021636)

- Update to NSS 3.26.2

  New Functionality:

  * the selfserv test utility has been enhanced to support ALPN
    (HTTP/1.1) and 0-RTT
  * added support for the System-wide crypto policy available on
    Fedora Linux see http://fedoraproject.org/wiki/Changes/CryptoPolicy
  * introduced build flag NSS_DISABLE_LIBPKIX that allows compilation
    of NSS without the libpkix library

  Notable Changes:

  * The following CA certificate was Added
    CN = ISRG Root X1
  * NPN is disabled and ALPN is enabled by default
  * the NSS test suite now completes with the experimental TLS 1.3
    code enabled
  * several test improvements and additions, including a NIST known answer test

  Changes in 3.26.2
  * MD5 signature algorithms sent by the server in CertificateRequest
    messages are now properly ignored. Previously, with rare server
    configurations, an MD5 signature algorithm might have been selected
    for client authentication and caused the client to abort the
    connection soon after.

- Update to NSS 3.25

  New functionality:

  * Implemented DHE key agreement for TLS 1.3
  * Added support for ChaCha with TLS 1.3
  * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
  * In previous versions, when using client authentication with TLS 1.2,
    NSS only supported certificate_verify messages that used the same
    signature hash algorithm as used by the PRF. This limitation has
    been removed.

  Notable changes:

  * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
  * Regression fix: NSS no longer reports a failure if an application
    attempts to disable the SSLv2 protocol.
  * The list of trusted CA certificates has been updated to version 2.8
  * The following CA certificate was Removed
    Sonera Class1 CA
  * The following CA certificates were Added
    Hellenic Academic and Research Institutions RootCA 2015
    Hellenic Academic and Research Institutions ECC RootCA 2015
    Certplus Root CA G1
    Certplus Root CA G2
    OpenTrust Root CA G1
    OpenTrust Root CA G2
    OpenTrust Root CA G3

- Update to NSS 3.24

  New functionality:

  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a 'slot' into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol
    (OCSP) responses or Signed Certificate Timestamps are not needed,
    since these can be added to the optional SSLExtraServerCertData struct
    provided to SSL_ConfigServerCert.  Also, partial support for RSA
    Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
    Although these certificates can be configured, they will not be
    used by NSS in this version.
  * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
    Instead, applications should use the newly added attribute authType.
  * Add a shared library (libfreeblpriv3) on Linux platforms that
    define FREEBL_LOWHASH.
  * Remove most code related to SSL v2, including the ability to actively
    send a SSLv2-compatible client hello. However, the server-side
    implementation of the SSL/TLS protocol still supports processing
    of received v2-compatible client hello messages.
  * Disable (by default) NSS support in optimized builds for logging SSL/TLS
    key material to a logfile if the SSLKEYLOGFILE environment variable
    is set. To enable the functionality in optimized builds, you must define
    the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
  * Update NSS to protect it against the Cachebleed attack.
  * Disable support for DTLS compression.
  * Improve support for TLS 1.3. This includes support for DTLS 1.3.
    Note that TLS 1.3 support is experimental and not suitable for
    production use.

- Update to NSS 3.23

  New functionality:

  * ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  * Experimental-only support TLS 1.3 1-RTT mode (draft-11).
    This code is not ready for production use.

  Notable changes:

  * The list of TLS extensions sent in the TLS handshake has been
    reordered to increase compatibility of the Extended Master Secret
    with with servers
  * The build time environment variable NSS_ENABLE_ZLIB has been
    renamed to NSS_SSL_ENABLE_ZLIB
  * The build time environment variable NSS_DISABLE_CHACHAPOLY was
    added, which can be used to prevent compilation of the
    ChaCha20/Poly1305 code.
  * The following CA certificates were Removed

    - Staat der Nederlanden Root CA
    - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
    - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
    - NetLock Uzleti (Class B) Tanusitvanykiado
    - NetLock Expressz (Class C) Tanusitvanykiado
    - VeriSign Class 1 Public PCA - G2
    - VeriSign Class 3 Public PCA
    - VeriSign Class 3 Public PCA - G2
    - CA Disig

  * The following CA certificates were Added

    + SZAFIR ROOT CA2
    + Certum Trusted Network CA 2

  * The following CA certificate had the Email trust bit turned on

    + Actalis Authentication Root CA

  Security fixes:
  * CVE-2016-2834: Memory safety bugs (boo#983639)
    MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034 bmo#1241037

- Update to NSS 3.22.3
  * Increase compatibility of TLS extended master secret,
    don't send an empty TLS extension last in the handshake
    (bmo#1243641)
  * Fixed a heap-based buffer overflow related to the parsing of
    certain ASN.1 structures. An attacker could create a specially-crafted
    certificate which, when parsed by NSS, would cause a crash or
    execution of arbitrary code with the permissions of the user.
    (CVE-2016-1950, bmo#1245528)

- Update to NSS 3.22.2

  New functionality:

  * RSA-PSS signatures are now supported (bmo#1215295)
  * Pseudorandom functions based on hashes other than SHA-1 are now supported
  * Enforce an External Policy on NSS from a config file (bmo#1009429)

- CVE-2016-8635: Fix for DH small subgroup confinement attack (bsc#1015547)

Mozilla NSPR was updated to version 4.13.1:

  The previously released version 4.13 had changed pipes to be
  nonblocking by default, and as a consequence, PollEvent was
  changed to not block on clear.
  The NSPR development team received reports that these changes
  caused regressions in some applications that use NSPR, and it
  has been decided to revert the changes made in NSPR 4.13.
  NSPR 4.13.1 restores the traditional behavior of pipes and
  PollEvent.

Mozilla NSPR update to version 4.13 had these changes:

- PL_strcmp (and others) were fixed to return consistent results
    when one of the arguments is NULL.
- PollEvent was fixed to not block on clear.
- Pipes are always nonblocking.
- PR_GetNameForIdentity: added thread safety lock and bound checks.
- Removed the PLArena freelist.
- Avoid some integer overflows.
- fixed several comments.

This update also contains java-1_8_0-openjdk that needed to be rebuilt against the new
mozilla-nss version.


-----------------------------------------
Patch: SUSE-2017-749
Released: Thu May 11 16:24:07 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1003077,1015703,1021256,1021762,1023377,1023762,1023992,1024938,1025235,1026024,1026722,1026914,1027066,1027149,1027178,1027189,1027190,1028415,1028895,1029986,1030118,1030213,1030901,1031003,1031052,1031440,1031579,1032344,1033336,914939,954763,968697,979215,983212,989056,CVE-2015-1350,CVE-2016-10044,CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2016-3070,CVE-2016-5243,CVE-2016-7117,CVE-2016-9588,CVE-2017-2671,CVE-2017-5669,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6348,CVE-2017-6353,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616
Description:


The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939).
- CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enabled scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697).
- CVE-2016-3070: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel improperly interacted with mm/migrate.c, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move (bnc#979215).
- CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).
- CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP and #OF exceptions, which allowed guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (bnc#1015703).
- CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel did not properly restrict execute access, which made it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call (bnc#1023992).
- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415).
- CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377).
- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).
- CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914).
- CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allowed remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access (bnc#1023762).
- CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bnc#1024938).
- CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bnc#1025235).
- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).
- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722).
- CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190).
- CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189).
- CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178).
- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066).
- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213).
- CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052).
- CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).
- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579).
- CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336).

The following non-security bugs were fixed:

- ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
- hwrng: virtio - ensure reads happen after successful probe (bsc#954763 bsc#1032344).
- kgr/module: make a taint flag module-specific (fate#313296).
- l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
- l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415).
- l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415).
- l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415).
- l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415).
- l2tp: lock socket before checking flags in connect() (bsc#1028415).
- mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118).
- module: move add_taint_module() to a header file (fate#313296).
- netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149).
- nfs: flush out dirty data on file fput() (bsc#1021762).
- powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).
- powerpc: Reject binutils 2.24 when building little endian (boo#1028895).
- revert 'procfs: mark thread stack correctly in proc/<pid>/maps' (bnc#1030901).
- taint/module: Clean up global and module taint flags handling (fate#313296).
- usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).
- xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).
- xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).


-----------------------------------------
Patch: SUSE-2017-750
Released: Thu May 11 16:34:15 2017
Summary: Recommended update for supportutils
Severity: low
References: 1014481,1023308,1030657,995625
Description:

This update for supportutils provides the following fixes:

- Added URI to zypper repos list (bsc#995625)
- Added curl timeout for shorter access times (bsc#1014481)
- Fixed detailed unit information on sle12sp2 (bsc#1023308)
- Added PPC commands and logs (bsc#1030657)



-----------------------------------------
Patch: SUSE-2017-789
Released: Tue May 16 13:47:16 2017
Summary: Recommended update for autofs
Severity: low
References: 1031533,998078
Description:

This update for autofs fixes the following issues:

- Do not add wildcard key to negative cache. (bsc#1031533)
- Fix typo in DEFAULT_AUTH_CONFIG_FILE definition. (bsc#998078)


-----------------------------------------
Patch: SUSE-2017-793
Released: Tue May 16 15:40:43 2017
Summary: Security update for libxslt
Severity: moderate
References: 1005591,1035905,934119,952474,CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029
Description:

 This update for libxslt fixes the following issues:
 

- CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check 
for integer overflow during a size calculation, which allowed a remote attacker 
to perform an out of bounds memory write via a crafted HTML page (bsc#1035905).

- CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator 
could cause a heap overread. This can be exploited to leak a couple of bytes after 
the buffer that holds the pattern string (bsc#1005591).

- CVE-2015-9019: Properly initialize random generator (bsc#934119).

- CVE-2015-7995: Vulnerability in function xsltStylePreCompute' in preproc.c could cause a 
type confusion leading to DoS. (bsc#952474)

 

-----------------------------------------
Patch: SUSE-2017-806
Released: Thu May 18 12:29:30 2017
Summary: Recommended update for SUSEConnect
Severity: low
References: 1028660,1039213
Description:

This update for SUSEConnect implements a new feature to allow users to deactivate
modules and extensions.


-----------------------------------------
Patch: SUSE-2017-812
Released: Thu May 18 13:21:00 2017
Summary: Recommended update for Mesa
Severity: moderate
References: 1015012,981975,985650
Description:

This update for Mesa provides the following fixes:

- Fix hangs with Radeon due to a use-after-free bug in Gallium. (bsc#1015012)
- Initialize AMD RSxxx chipsets correctly, fixing corruption of the graphical
  login screen. (bsc#985650)
- Force link to libLLVMCodegen to fix cyclic linking problems. (bsc#981975)


-----------------------------------------
Patch: SUSE-2017-815
Released: Thu May 18 15:28:16 2017
Summary: Recommended update for systemd
Severity: low
References: 1018106,1023220,1025398,1025886,1026775,1029183,1029691,904214
Description:

This update for systemd fixes the following issues:

- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691, bsc#904214)
- core: Deprecate mount.timeout= and rd.timeout= kernel command line params.
- core: Fix parsing of mount.timeout in mount-fix-timeouts(.) (bsc#1023220)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- journald: Do not strip leading whitespace from messages. (bsc#1026775)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- virt: When detecting containers and /run/systemd/container cannot be read, check /proc/1/environ.
  (bsc#1018106)


-----------------------------------------
Patch: SUSE-2017-833
Released: Mon May 22 10:37:25 2017
Summary: Security update for libxml2
Severity: moderate
References: 1010675,1013930,1014873,1017497,876652,CVE-2014-0191,CVE-2016-9318,CVE-2016-9597
Description:

 This update for libxml2 fixes the following issues:
 
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497)
* CVE-2014-0191: External parameter entity loaded when entity substitution is disabled could cause a DoS. (bsc#876652)
* CVE-2016-9318: XML External Entity (XXE) could be abused via crafted document. (bsc#1010675)
 
 

-----------------------------------------
Patch: SUSE-2017-834
Released: Mon May 22 10:38:07 2017
Summary: Security update for libsndfile
Severity: moderate
References: 1033054,1033914,1033915,1036943,1036944,1036945,1036946,1038856,CVE-2017-7585,CVE-2017-7741,CVE-2017-7742,CVE-2017-8361,CVE-2017-8362,CVE-2017-8363,CVE-2017-8365
Description:

This update for libsndfile fixes the following issues:

- CVE-2017-8361: Global buffer overflow in flac_buffer_copy. (bsc#1036946)
- CVE-2017-8362: Invalid memory read in flac_buffer_copy. (bsc#1036943)
- CVE-2017-8363: Heap-based buffer overflow in flac_buffer_copy. (bsc#1036945)
- CVE-2017-7585, CVE-2017-7741, CVE-2017-7742: Stack-based buffer overflows via specially
  crafted FLAC files. (bsc#1033054)


-----------------------------------------
Patch: SUSE-2017-852
Released: Wed May 24 10:21:58 2017
Summary: Security update for samba
Severity: important
References: 1038231,CVE-2017-7494
Description:

This update for samba fixes the following issue:

- An unprivileged user with access to the samba server could cause smbd to load
  a specially crafted shared library, which then had the ability to execute
  arbitrary code on the server as 'root'. [CVE-2017-7494, bso#12780, bsc#1038231]


-----------------------------------------
Patch: SUSE-2017-865
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:

This update for pam fixes the following issues:
 

- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

 

-----------------------------------------
Patch: SUSE-2017-869
Released: Thu May 25 12:48:03 2017
Summary: Recommended update for os-prober
Severity: low
References: 1008444,997465
Description:

This update for os-prober provides the following fixes:

- Remove the wildcard test for ld.so. It is inaccurate, slow and could hang
  for a long time in some circumstances. (bsc#1008444)
- Parse /etc/os-release for openSUSE Tumbleweed. (bsc#997465)


-----------------------------------------
Patch: SUSE-2017-873
Released: Fri May 26 16:19:47 2017
Summary: Recommended update for e2fsprogs
Severity: low
References: 1009532,960273
Description:

This update for e2fsprogs provides the following fixes:

- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows
  resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled.
  (bsc#960273)


-----------------------------------------
Patch: SUSE-2017-877
Released: Mon May 29 15:11:48 2017
Summary: Recommended update for cryptsetup
Severity: low
References: 1031998
Description:

This update for cryptsetup provides the following fix:

- Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)


-----------------------------------------
Patch: SUSE-2017-888
Released: Tue May 30 17:51:37 2017
Summary: Security update for sudo
Severity: important
References: 1015351,1024145,1039361,981124,CVE-2017-1000367
Description:

This update for sudo fixes the following issues:

CVE-2017-1000367:
- Due to incorrect assumptions in /proc/[pid]/stat parsing,
  a local attacker can pretend that his tty is any file on the filesystem,
  thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361]
- Fix FQDN for hostname. [bsc#1024145]
- Filter netgroups, they aren't handled by SSSD. [bsc#1015351]
- Fix problems related to 'krb5_ccname' option [bsc#981124]


-----------------------------------------
Patch: SUSE-2017-894
Released: Wed May 31 14:34:51 2017
Summary: Recommended update for puppet
Severity: low
References: 1032103,971223,995975
Description:

This update provides Puppet 4 client for the Advanced Systems Management 12 Module.

The Puppet Server package for SLES is provided by upstream now and can be downloaded at
https://yum.puppetlabs.com/sles/12/PC1/x86_64/

For a period of 6 months after the release of the Puppet 4 package, SUSE will continue
to provide and support packages for Puppet 3. SUSE will not support the migration of
the server package.

Before updating the client packages to version 4, see the prerequisites listed at
https://docs.puppet.com/puppet/4.8/ (Section 'Installing and upgrading', Subsection
'Upgrade: From Puppet 3.x').


-----------------------------------------
Patch: SUSE-2017-910
Released: Fri Jun  2 15:02:55 2017
Summary: Security update for libnettle
Severity: moderate
References: 991464,CVE-2016-6489
Description:
This update for libnettle fixes the following issues:

-  CVE-2016-6489:
  * Reject invalid RSA keys with even modulo.
  * Check for invalid keys, with even p, in dsa_sign().
  * Use function mpz_powm_sec() instead of mpz_powm() (bsc#991464).


-----------------------------------------
Patch: SUSE-2017-936
Released: Fri Jun  9 13:31:48 2017
Summary: Recommended update for supportutils
Severity: low
References: 1013119,1026175,1030448,1035683
Description:

This update for supportutils provides the following fixes:

- Fixed IFS in iscsi_info. (bsc#1030448)
- Added -T to dmesg for readability. (bsc#1013119)
- Removed kpagecgroup in proc.txt. (bsc#1026175)
- Fixed ocfs2 processing when not configured. (bsc#1035683)


-----------------------------------------
Patch: SUSE-2017-943
Released: Mon Jun 12 16:44:20 2017
Summary: Recommended update for cups
Severity: low
References: 1021133,955432,990045
Description:

This update for cups fixes the following issues:

- Avahi sends an ALL_FOR_NOW event when it finishes sending its cache contents.
  This patch makes cupsEnumDests finish when the signal is received so it doesn't
  block the caller until the timeout finishes. (bsc#955432, fate#322052)
- The scheduler didn't log messages for jobs at LogLevel 'info'. (bsc#1021133, bsc#990045)


-----------------------------------------
Patch: SUSE-2017-959
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Severity: low
References: 1043580
Description:

This update for gcc5 fixes the version of libffi in its pkg-config configuration file.


-----------------------------------------
Patch: SUSE-2017-975
Released: Fri Jun 16 17:00:26 2017
Summary: Security update for libxml2
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:

This update for libxml2 fixes the following issues:

  -  CVE-2017-9050: heap-based buffer overflow (xmlDictAddString func) [bsc#1039069, bsc#1039661]
  -  CVE-2017-9049: heap-based buffer overflow (xmlDictComputeFastKey func) [bsc#1039066]
  -  CVE-2017-9048: stack overflow vulnerability (xmlSnprintfElementContent func) [bsc#1039063]
  -  CVE-2017-9047: stack overflow vulnerability (xmlSnprintfElementContent func) [bsc#1039064]
     


-----------------------------------------
Patch: SUSE-2017-985
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-9526: Store the session key in secure memory to ensure that constant
  time point operations are used in the MPI library.  (bsc#1042326)

- Don't require secure memory for the fips selftests, this prevents the
  'Oops, secure memory pool already initialized' warning. (bsc#931932)


-----------------------------------------
Patch: SUSE-2017-988
Released: Mon Jun 19 17:17:40 2017
Summary: Security update for glibc
Severity: important
References: 1038690,1039357,987216,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:

- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that
  allowed unprivileged system users to manipulate the stack of setuid binaries
  to gain special privileges. [bsc#1039357]

- The incorrectly defined constant O_TMPFILE has been fixed. [bsc#1038690]

- A defect in glibc's regression test suite has been remedied to avoid false
  positives. [bsc#987216]


-----------------------------------------
Patch: SUSE-2017-995
Released: Mon Jun 19 17:44:00 2017
Summary: Security update for the Linux Kernel
Severity: critical
References: 1039348,1042292,CVE-2017-1000364
Description:

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2017-1000364: The default stack guard page was too small and could be 'jumped over' by userland programs using 
  more than one page of stack in functions and so lead to memory corruption. This update extends the stack guard page
  to 1 MB (for 4k pages) and 16 MB (for 64k pages) to reduce this attack vector. This is not a kernel bugfix, but a 
  hardening measure against this kind of userland attack.(bsc#1039348)

The following non-security bugs were fixed:

netfilter: A use-after-free was fixed that could cause a kernel panic on a system shutdown.
 (bsc#1042292)



-----------------------------------------
Patch: SUSE-2017-1001
Released: Tue Jun 20 13:18:28 2017
Summary: Security update for sudo
Severity: important
References: 1034560,1042146,CVE-2017-1000368
Description:
This update for sudo fixes the following issues:

- CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a
  newline, which could be used to trick sudo to read/write to an
  arbitrary open terminal.  (bsc#1042146)

Also the following non security bug was fixed:

- Link the 'system_group' plugin with sudo_util library to resolve the missing sudo_dso_findsym symbol (bsc#1034560)



-----------------------------------------
Patch: SUSE-2017-1024
Released: Thu Jun 22 15:19:17 2017
Summary: Recommended update for SUSEConnect, libzypp, yast2-pkg-bindings, zypper
Severity: low
References: 1032152,1032259,1037210,1037783,1041889
Description:

The Software Update Stack was updated to receive fixes and enhancements.

SUSEConnect:

- Fix license auto-agreement support. (bsc#1037783)

zypper:

- Accept --auto-agree-with-product-licenses from SUSEConnect. (bsc#1037783)
- Describe supported SSL related URL options in man page. (bsc#1032152)

yast2-pkg-bindings:

- Fix pkgGpgCheck callback crashing when reporting SrcPackages. (bsc#1037210)


-----------------------------------------
Patch: SUSE-2017-1033
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Severity: low
References: 1038194
Description:

This update for e2fsprogs provides the following fixes:

- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)


-----------------------------------------
Patch: SUSE-2017-1063
Released: Wed Jun 28 21:15:03 2017
Summary: Security update for vim
Severity: moderate
References: 1018870,1024724,1027053,1027057,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350
Description:

This update for vim fixes the following issues:

Security issues fixed:

- CVE-2017-5953: Fixed a possible overflow with corrupted spell file (bsc#1024724)
- CVE-2017-6350: Fixed a possible overflow when reading a corrupted undo file (bsc#1027053)
- CVE-2017-6349: Fixed a possible overflow when reading a corrupted undo file (bsc#1027057)


Non security issues fixed:

- Speed up YAML syntax highlighting (bsc#1018870)



-----------------------------------------
Patch: SUSE-2017-1075
Released: Thu Jun 29 18:18:50 2017
Summary: Recommended update for python-PyYAML
Severity: low
References: 1002895
Description:

This update for python-PyYAML fixes the following issues:

- Adding an implicit resolver to a derived loader should not affect the base loader.
- Uniform representation for OrderedDict? across different versions of Python.
- Fixed comparison to None warning.


-----------------------------------------
Patch: SUSE-2017-1077
Released: Thu Jun 29 19:14:26 2017
Summary: Security update for the Linux kernel
Severity: important
References: 1045340,CVE-2017-1000364
Description:
This Linux kernel update for SUSE Linux Enterprise 12 fixes the following issues:

- A previous security update to address CVE-2017-1000364 caused unintended
  side-effects in several other tools, most notably Java. These issues have
  been remedied. [bsc#1045340]


-----------------------------------------
Patch: SUSE-2017-1078
Released: Thu Jun 29 22:20:12 2017
Summary: Security update for bind
Severity: important
References: 1046554,1046555,CVE-2017-3142,CVE-2017-3143
Description:
This update for bind fixes the following issues:

- An attacker with the ability to send and receive messages to an authoritative
  DNS server was able to circumvent TSIG authentication of AXFR requests. A
  server that relied solely on TSIG keys for protection could be manipulated
  into (1) providing an AXFR of a zone to an unauthorized recipient and (2)
  accepting bogus Notify packets. [bsc#1046554, CVE-2017-3142]

- An attacker who with the ability to send and receive messages to an
  authoritative DNS server and who had knowledge of a valid TSIG key name for
  the zone and service being targeted was able to manipulate BIND into
  accepting an unauthorized dynamic update. [bsc#1046555, CVE-2017-3143]


-----------------------------------------
Patch: SUSE-2017-1082
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:

- Change logrotate from Requires to Recommends (bsc#1045943)


-----------------------------------------
Patch: SUSE-2017-1106
Released: Tue Jul  4 16:35:54 2017
Summary: Security update for sudo
Severity: important
References: 1045986,CVE-2017-1000368
Description:
This update for sudo fixes the following issues:

- A regression in the fix for the CVE-2017-1000368 that broke sudo with the
  'requiretty' flag (bsc#1045986)


-----------------------------------------
Patch: SUSE-2017-1116
Released: Thu Jul  6 11:37:18 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)


-----------------------------------------
Patch: SUSE-2017-1119
Released: Fri Jul  7 11:23:20 2017
Summary: Recommended update for ncurses
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does
  not need it anymore and as well as it causes bug bsc#1000662 


-----------------------------------------
Patch: SUSE-2017-1124
Released: Fri Jul  7 19:32:38 2017
Summary: Recommended update for binutils
Severity: moderate
References: 1031508
Description:

This update for binutils fixes an issue that prevented ld(1) from correctly linking
the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.


-----------------------------------------
Patch: SUSE-2017-1125
Released: Fri Jul  7 21:21:39 2017
Summary: Security update for libreoffice
Severity: moderate
References: 1015115,1015118,1015360,1017925,1021369,1021373,1028817,1034192,1034329,1034568,1035087,1036975,1042828,948058,959926,962777,963436,972777,975283,976831,989564,CVE-2015-8947,CVE-2016-10327,CVE-2016-2052,CVE-2017-7870,CVE-2017-7882,CVE-2017-8358,CVE-2017-9433
Description:

LibreOffice was updated to version 5.3.3.2, bringing new features and enhancements:

Writer:

- New 'Go to Page' dialog for quickly jumping to another page.
- Support for 'Table Styles'.
- New drawing tools were added.
- Improvements in the toolbar.
- Borderless padding is displayed.

Calc:

- New drawing tools were added.
- In new installations the default setting for new documents is now 'Enable wildcards in formulas'
  instead of regular expressions.
- Improved compatibility with ODF 1.2

Impress:

- Images inserted via 'Photo Album' can now be linked instead of embedded in the document.
- When launching Impress, a Template Selector allows you to choose a Template to start with.
- Two new default templates: Vivid and Pencil.
- All existing templates have been improved.

Draw:

- New arrow endings, including Crow's foot notation's ones.

Base:

- Firebird has been upgraded to version 3.0.0. It is unable to read back Firebird 2.5 data,
  so embedded Firebird odb files created in LibreOffice version up to 5.2 cannot be opened
  with LibreOffice 5.3.

Some security issues have also been fixed:

- CVE-2017-7870: An out-of-bounds write caused by a heap-based buffer overflow related to
  the tools::Polygon::Insert function.
- CVE-2017-7882: An out-of-bounds write related to the HWPFile::TagsRead function.
- CVE-2017-8358: an out-of-bounds write caused by a heap-based buffer overflow related to
  the ReadJPEG function.
- CVE-2016-10327: An out-of-bounds write caused by a heap-based buffer overflow related to
  the EnhWMFReader::ReadEnhWMF function.
- CVE-2017-9433: An out-of-bounds write caused by a heap-based buffer overflow related to
  the MsWrd1Parser::readFootnoteCorrespondance function in libmwaw.

A comprehensive list of new features and changes in this release is available at:
https://wiki.documentfoundation.org/ReleaseNotes/5.3


-----------------------------------------
Patch: SUSE-2017-1126
Released: Fri Jul  7 21:23:02 2017
Summary: Recommended update for python-requests
Severity: low
References: 967128
Description:

This update provides python-requests 2.11.1, which brings many fixes and enhancements:

- Strip Content-Type and Transfer-Encoding headers from the header block when following a
  redirect that transforms the verb from POST/PUT to GET.
- Added support for the ALL_PROXY environment variable.
- Reject header values that contain leading whitespace or newline characters to reduce risk
  of header smuggling.
- Fixed occasional TypeError when attempting to decode a JSON response that occurred in an
  error case. Now correctly returns a ValueError.
- Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables:
  Requests now treats it as a specific IP.
- Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors
  in certain network conditions.
- Added type checks to ensure that iter_content only accepts integers and None for chunk sizes.
- Fixed issue where responses whose body had not been fully consumed would have the underlying
  connection closed but not returned to the connection pool, which could cause Requests to hang
  in situations where the HTTPAdapter had been configured to use a blocking connection pool.
- Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore.
- Don't use redirect_cache if allow_redirects=False.
- When passed objects that throw exceptions from tell(), send them via chunked transfer encoding
  instead of failing.
- Raise a ProxyError for proxy related connection issues.
- The verify keyword argument now supports being passed a path to a directory of CA certificates,
  not just a single-file bundle.
- Warnings are now emitted when sending files opened in text mode.
- Added the 511 Network Authentication Required status code to the status code registry.
- For file-like objects that are not seeked to the very beginning, we now send the content length
  for the number of bytes we will actually read, rather than the total size of the file, allowing
  partial file uploads.
- When uploading file-like objects, if they are empty or have no obvious content length we set
  Transfer-Encoding: chunked rather than Content-Length: 0.
- We correctly receive the response in buffered mode when uploading chunked bodies.
- We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8.
- Sessions are now closed in all cases (exceptional and not) when using the functional API rather
  than leaking and waiting for the garbage collector to clean them up.
- Correctly handle digest auth headers with a malformed qop directive that contains no token,
  by treating it the same as if no qop directive was provided at all.
- Minor performance improvements when removing specific cookies by name.


-----------------------------------------
Patch: SUSE-2017-1133
Released: Tue Jul 11 17:55:52 2017
Summary: Security update for gnutls
Severity: moderate
References: 1034173,1038337,1043398,CVE-2017-7507,CVE-2017-7869
Description:
This update for gnutls fixes the following issues:

- GNUTLS-SA-2017-4 / CVE-2017-7507: Fix crash in status response TLS extension decoding (bsc#1043398)
- GNUTLS-SA-2017-3 / CVE-2017-7869: Fix out-of-bounds write in OpenPGP certificate decoding (bsc#1034173)
- Address read of 4 bytes past the end of buffer in OpenPGP certificate parsing (bsc#1038337)


-----------------------------------------
Patch: SUSE-2017-1191
Released: Thu Jul 20 17:16:11 2017
Summary: Security update for jasper
Severity: moderate
References: 1009994,1010756,1010757,1010766,1010774,1010782,1010968,1010975,1047958,CVE-2016-9262,CVE-2016-9388,CVE-2016-9389,CVE-2016-9390,CVE-2016-9391,CVE-2016-9392,CVE-2016-9393,CVE-2016-9394,CVE-2017-1000050
Description:
This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and
  mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via
  a crafted image, which triggers use after free vulnerabilities. (bsc#1009994)
- CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted image file. (bsc#1010975)
- CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a
  denial of service (assertion failure). (bsc#1010968)
- CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted image file. (bsc#1010774)
- CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a
  denial of service (assertion failure) via a very large integer. (bsc#1010782)
- CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial
  of service. (bsc#1047958)

CVEs already fixed with previous update:
- CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted file. (bsc#1010757)
- CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010766)
- CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010756)


-----------------------------------------
Patch: SUSE-2017-1192
Released: Thu Jul 20 20:07:36 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:

- Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)


-----------------------------------------
Patch: SUSE-2017-1198
Released: Fri Jul 21 14:04:23 2017
Summary: Recommended update for python-boto, python-simplejson
Severity: low
References: 1002895
Description:

This update provides python-boto 2.42.0 and python-simplejson 3.8.2, which bring
many fixes and enhancements.

python-boto:

- Respect is_secure parameter in generate_url_sigv4
- Update MTurk API
- Update endpoints.json
- Allow s3 bucket lifecycle policies with multiple transitions
- Fixes upload parts for glacier
- Autodetect sigv4 for ap-northeast-2
- Added support for ap-northeast-2
- Remove VeriSign Class 3 CA from trusted certs
- Add note about boto3 on all pages of boto docs
- Fix for listing EMR steps based on cluster_states filter
- Fixed param name in set_contents_from_string docstring
- Spelling and documentation fixes
- Add deprecation notice to emr methods
- Add some GovCloud endpoints.

python-simplejson:

- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects,
  without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are
  now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.


-----------------------------------------
Patch: SUSE-2017-1222
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Severity: low
References: 1034563,1039941
Description:

This update for procps provides the following fixes:

- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set


-----------------------------------------
Patch: SUSE-2017-1250
Released: Thu Aug  3 13:49:24 2017
Summary: Recommended update for binutils
Severity: moderate
References: 1031508
Description:

This update for binutils fixes an issue that prevented ld(1) from correctly linking
the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.


-----------------------------------------
Patch: SUSE-2017-1277
Released: Mon Aug  7 14:23:47 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1049483,CVE-2017-7533
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive
the following security update:

- CVE-2017-7533: Bug in inotify code allowed privilege escalation (bnc#1049483).


-----------------------------------------
Patch: SUSE-2017-1279
Released: Mon Aug  7 14:46:40 2017
Summary: Security update for ncurses
Severity: moderate
References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken
  termcap format (bsc#1046853, bsc#1046858, bsc#1049344)



-----------------------------------------
Patch: SUSE-2017-1310
Released: Wed Aug  9 09:43:36 2017
Summary: Security update for puppet
Severity: important
References: 1040151,CVE-2017-2295
Description:
This update for puppet fixes the following issues:

Security issue fixed:
- CVE-2017-2295: Possible code execution vulnerability where an attacker could force YAML
  deserialization in an unsafe manner. In default, this update breaks a backwards compatibility
  with Puppet agents older than 3.2.2 as the SLE12 master doesn't support other fact formats than
  pson in default anymore.
  In order to allow users to continue using their SLE12 master/SLE11 agents setup and fix
  CVE-2017-2295 for the others, a new puppet master boolean option 'dangerous_fact_formats' was
  added. When it's set to true it enables using dangerous fact formats (e.g. YAML). When it's set
  to false, only PSON fact format is accepted. (bsc#1040151)


-----------------------------------------
Patch: SUSE-2017-1316
Released: Thu Aug 10 13:54:27 2017
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1014471,1026825,1044840,938657
Description:

This update for cyrus-sasl provides the following fixes:

- Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists   
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)


-----------------------------------------
Patch: SUSE-2017-1317
Released: Thu Aug 10 14:56:37 2017
Summary: Security update for libsoup
Severity: important
References: 1052916,CVE-2017-2885
Description:
This update for libsoup fixes the following issues:

- A bug in the HTTP Chunked Encoding code has been fixed that could have been
  exploited by attackers to cause a stack-based buffer overflow in client or
  server code running libsoup (bsc#1052916, CVE-2017-2885).


-----------------------------------------
Patch: SUSE-2017-1322
Released: Fri Aug 11 16:22:24 2017
Summary: Recommended update for xfsprogs
Severity: moderate
References: 1045597
Description:
This update for xfsprogs provides the following fixes:

- Clear bad flags observed on PowerPC64 systems after a file system corruption. (bsc#1045597)


-----------------------------------------
Patch: SUSE-2017-1327
Released: Fri Aug 11 17:11:22 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1052311,1052365,CVE-2017-1000111,CVE-2017-1000112
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to the following security updates:

- CVE-2017-1000111: fix race condition in net-packet code that could be
  exploited to cause out-of-bounds memory access (bsc#1052365).
- CVE-2017-1000112: fix race condition in net-packet code that could have been
  exploited by unprivileged users to gain root access. (bsc#1052311).


-----------------------------------------
Patch: SUSE-2017-1330
Released: Mon Aug 14 18:41:29 2017
Summary: Recommended update for sed
Severity: low
References: 954661
Description:
This update for sed provides the following fixes:

- Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661)


-----------------------------------------
Patch: SUSE-2017-1335
Released: Wed Aug 16 11:24:21 2017
Summary: Security update for curl
Severity: moderate
References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:

- CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)


-----------------------------------------
Patch: SUSE-2017-1344
Released: Thu Aug 17 12:20:25 2017
Summary: Recommended update for python-simplejson
Severity: low
References: 1002895
Description:
This update provides python-simplejson 3.8.2, which brings many fixes and enhancements:

- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects,
  without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are
  now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.


-----------------------------------------
Patch: SUSE-2017-1347
Released: Fri Aug 18 11:03:57 2017
Summary: Recommended update for procps
Severity: important
References: 1053409
Description:
This update for procps fixes the following issues:

- Fix a regression introduced in a previous update that would result in sysctl
  dying with a SIGSEGV error (bsc#1053409).


-----------------------------------------
Patch: SUSE-2017-1349
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fixes:

- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)


-----------------------------------------
Patch: SUSE-2017-1362
Released: Tue Aug 22 14:04:34 2017
Summary: Recommended update for SuSEfirewall2
Severity: low
References: 1044523,906136,946325,963740
Description:
This update for SuSEfirewall2 provides the following fixes:

- Make SuSEfirewall2 check for existing configuration in more sysctl.d style directories to
  allow packages and the user to create overrides easily (bsc#1044523)
- Add support for customizing the sysctl paths to be scanned for existing configuration by
  changing the FW_SYSCTL_PATHS configuration variable (bsc#906136)
- Correct the initialization order between SuSEfirewall2 and NFS components to make sure
  NFS server ports are correctly opened when both services are enabled in systemd, and to
  fix NFS clients not receiving callbacks from the server when started before SuSEfirewall2.
  (bsc#946325, bsc#963740)


-----------------------------------------
Patch: SUSE-2017-1364
Released: Tue Aug 22 14:59:14 2017
Summary: Recommended update for supportutils
Severity: low
References: 1001224,1051237
Description:
This update for supportutils fixes the following issues:

- Add Infiniband for SLES 12-SP3. (bsc#1051237)
- Fix Infiniband detection on SLES 12. (bsc#1001224)
- Fix path to virt-manager log file.


-----------------------------------------
Patch: SUSE-2017-1412
Released: Tue Aug 29 18:29:00 2017
Summary: Recommended update for python-requests
Severity: low
References: 967128
Description:

This update provides python-requests 2.11.1, which brings many fixes and enhancements:

- Strip Content-Type and Transfer-Encoding headers from the header block when following a
  redirect that transforms the verb from POST/PUT to GET.
- Added support for the ALL_PROXY environment variable.
- Reject header values that contain leading whitespace or newline characters to reduce risk
  of header smuggling.
- Fixed occasional TypeError when attempting to decode a JSON response that occurred in an
  error case. Now correctly returns a ValueError.
- Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables:
  Requests now treats it as a specific IP.
- Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors
  in certain network conditions.
- Added type checks to ensure that iter_content only accepts integers and None for chunk sizes.
- Fixed issue where responses whose body had not been fully consumed would have the underlying
  connection closed but not returned to the connection pool, which could cause Requests to hang
  in situations where the HTTPAdapter had been configured to use a blocking connection pool.
- Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore.
- Don't use redirect_cache if allow_redirects=False.
- When passed objects that throw exceptions from tell(), send them via chunked transfer encoding
  instead of failing.
- Raise a ProxyError for proxy related connection issues.
- The verify keyword argument now supports being passed a path to a directory of CA certificates,
  not just a single-file bundle.
- Warnings are now emitted when sending files opened in text mode.
- Added the 511 Network Authentication Required status code to the status code registry.
- For file-like objects that are not seeked to the very beginning, we now send the content length
  for the number of bytes we will actually read, rather than the total size of the file, allowing
  partial file uploads.
- When uploading file-like objects, if they are empty or have no obvious content length we set
  Transfer-Encoding: chunked rather than Content-Length: 0.
- We correctly receive the response in buffered mode when uploading chunked bodies.
- We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8.
- Sessions are now closed in all cases (exceptional and not) when using the functional API rather
  than leaking and waiting for the garbage collector to clean them up.
- Correctly handle digest auth headers with a malformed qop directive that contains no token,
  by treating it the same as if no qop directive was provided at all.
- Minor performance improvements when removing specific cookies by name.


-----------------------------------------
Patch: SUSE-2017-1419
Released: Wed Aug 30 15:38:22 2017
Summary: Security update for expat
Severity: moderate
References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:

- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)




-----------------------------------------
Patch: SUSE-2017-1420
Released: Wed Aug 30 15:59:26 2017
Summary: Recommended update for the Linux Kernel
Severity: important
References: 1043652
Description:

The SUSE Linux Enterprise 12 GA kernel was patched to receive the following bugfix:

- bcache: avoid data corruption if the caching device goes offline (bsc#1043652).


-----------------------------------------
Patch: SUSE-2017-1424
Released: Thu Aug 31 17:46:42 2017
Summary: Recommended update for tcsh
Severity: low
References: 1028864
Description:
This update for tcsh provides the following fix:

- Avoid closing sockets that were not opened by tcsh itself. (bsc#1028864)

-----------------------------------------
Patch: SUSE-2017-1430
Released: Thu Aug 31 21:43:54 2017
Summary: Security update for icu
Severity: moderate
References: 929629,CVE-2014-8146,CVE-2014-8147
Description:
icu was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
  Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer
  data type that is inconsistent with a header file, which allowed remote attackers to cause a
  denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code
  via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
  Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly
  track directionally isolated pieces of text, which allowed remote attackers to cause a denial of
  service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text
  (bsc#929629).
  

-----------------------------------------
Patch: SUSE-2017-1450
Released: Mon Sep  4 16:36:07 2017
Summary: Recommended update for insserv-compat
Severity: low
References: 1035062,944903
Description:

This update for insserv-compat fixes the following issues:

- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.


-----------------------------------------
Patch: SUSE-2017-1453
Released: Mon Sep  4 21:23:50 2017
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:

- libgcrypt stored an open file descriptor to the random device in
  a static variable between invocations.
  gnome-keyring-daemon on initialization reopened descriptors 0-2
  with /dev/null which caused an infinite loop when libgcrypt
  attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in healthcheck sanity test to
    save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid
    allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping
  some of the tests (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before
  calling dlsym (bsc#1047008)


-----------------------------------------
Patch: SUSE-2017-1457
Released: Tue Sep  5 14:40:16 2017
Summary: Security update for python-pycrypto
Severity: important
References: 1017420,1047666,CVE-2013-7459
Description:
This update for python-pycrypto fixes the following issues:

- CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew (bsc#1017420).

python-paramiko was adjusted to work together with this python-pycrypto change. (bsc#1047666)



-----------------------------------------
Patch: SUSE-2017-1549
Released: Fri Sep 15 18:26:57 2017
Summary: Recommended update for at
Severity: low
References: 988890
Description:

This update for at fixes the following issues:

- The systemd atd.service will now run After=nss-user-lookup.target not after
  systemd-user-sessions.service
- Make systemd atd.service run After=time-sync.target (bsc#988890)


-----------------------------------------
Patch: SUSE-2017-1556
Released: Mon Sep 18 09:24:26 2017
Summary: Recommended update for python-boto
Severity: low
References: 1002895
Description:
This update provides python-boto 2.42.0, which brings fixes and enhancements:

- Respect is_secure parameter in generate_url_sigv4
- Update MTurk API
- Update endpoints.json
- Allow s3 bucket lifecycle policies with multiple transitions
- Fixes upload parts for glacier
- Autodetect sigv4 for ap-northeast-2
- Added support for ap-northeast-2
- Remove VeriSign Class 3 CA from trusted certs
- Add note about boto3 on all pages of boto docs
- Fix for listing EMR steps based on cluster_states filter
- Fixed param name in set_contents_from_string docstring
- Spelling and documentation fixes
- Add deprecation notice to emr methods
- Add some GovCloud endpoints.


-----------------------------------------
Patch: SUSE-2017-1564
Released: Tue Sep 19 18:38:16 2017
Summary: Security update for gcc48
Severity: moderate
References: 1011348,1022062,1028744,1039513,1044016,1050947,988274,CVE-2017-11671
Description:
This update for gcc48 fixes the following issues:

Security issues fixed:

- A new option -fstack-clash-protection is now offered, which mitigates the stack clash type of attacks. [bnc#1039513]
  Future maintenance releases of packages will be built with this option.
- CVE-2017-11671: Fixed rdrand/rdseed code generation issue [bsc#1050947]

Bugs fixed:

- Enable LFS support in 32bit libgcov.a.  [bsc#1044016]
- Bump libffi version in libffi.pc to 3.0.11.
- Fix libffi issue for armv7l.  [bsc#988274]
- Properly diagnose missing -fsanitize=address support on ppc64le.  [bnc#1028744]
- Backport patch for PR65612.  [bnc#1022062]
- Fixed DR#1288.  [bnc#1011348]


-----------------------------------------
Patch: SUSE-2017-1569
Released: Wed Sep 20 16:35:21 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1057389,CVE-2017-1000251
Description:

The SUSE Linux Enterprise 12 GA kernel was updated to receive the following security fixes:

- CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was
  vulnerable to a stack overflow while processing L2CAP configuration
  responses, resulting in a potential remote denial-of-service vulnerability
  but no remote code execution due to use of CONFIG_CC_STACKPROTECTOR.
  [bnc#1057389]
  

-----------------------------------------
Patch: SUSE-2017-1580
Released: Fri Sep 22 11:18:11 2017
Summary: Recommended update for systemd
Severity: moderate
References: 1030461,1032538,1032660,1033855,1036962,1042235,1046750,961120,982303
Description:
This update for systemd provides the following fixes:

- mount: Add remote filesystem dependencies if needed after changes are detected
  (bsc#1036962, bsc#1030461)
- mount: Check options as well as the filesystem type to determine if the mount requires
  network access
- fstab-generator: Do not skip the dependency ordering for noauto mountpoints
- vconsole-setup: Do not skip keyboard settings if NumLock BIOS reading fails (bsc#961120)
- journal: Do not remove leading spaces in service logs (bsc#1033855)
- core: When a unit's SourcePath points to API VFS, do not report as out-of-date
  (bsc#1032538)
- core: Fix detecting when a reload of the daemon is necessary because of per-unit drop-ins
  changing (bsc#1032538)
- core: Treat masked files as 'unchanged' (bsc#1032538)
- Update systemd-sysv-convert to work with packages that start shipping service units
  (bsc#982303)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
- Restart logind on package update. (bsc#1032660)


-----------------------------------------
Patch: SUSE-2017-1586
Released: Mon Sep 25 17:16:58 2017
Summary: Recommended update for xinetd
Severity: low
References: 1054532,943484,947475,972691
Description:
This update for xinetd provides the following fixes:

- Specifying multiple log targets in the configuration caused a crash in xinetd, so make
  sure this is not allowed and in case of misconfiguration handle it correctly.
  (bsc#1054532)
- Fix a race condition that was causing xinetd not to be running after receiving a SIGHUP
  and a call to bind() failing with error EADDRINUSE. The fix exposes a sysconfig variable
  named XINETD_BIND_DELAY that can be used to delay calls to bind(). (bsc#972691)
- Fix an error that was causing a failure in xinetd when trying to fallback from IPv6 to
  IPv4. (bsc#947475)
- Update the documentation about the maximum allowed size of server parameters. (bsc#943484)


-----------------------------------------
Patch: SUSE-2017-1589
Released: Tue Sep 26 09:58:51 2017
Summary: Security update for tiff
Severity: moderate
References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805,CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Description:
This update for tiff to version 4.0.8 fixes a several bugs and security issues:

These security issues were fixed:

- CVE-2017-7595: The JPEGSetupEncode function allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033127).
- CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational function allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file (bsc#1038438).
- CVE-2017-7598: Error in tif_dirread.c allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033118).
- CVE-2017-7596: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033126).
- CVE-2017-7597: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033120).
- CVE-2017-7599: Undefined behavior because of shorts outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033113).
- CVE-2017-7600: Undefined behavior because of chars outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033112).
- CVE-2017-7601: Because of a shift exponent too large for 64-bit type long undefined behavior was caused, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033111).
- CVE-2017-7602: Prevent signed integer overflow, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033109).
- CVE-2017-7592: The putagreytile function had a left-shift undefined behavior issue, which might allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033131).
- CVE-2017-7593: Ensure that tif_rawdata is properly initialized, to prevent remote attackers to obtain sensitive information from process memory via a crafted image (bsc#1033129).
- CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable function allowed remote attackers to cause a denial of service (memory leak) via a crafted image (bsc#1033128).
- CVE-2017-9403: Prevent memory leak in function TIFFReadDirEntryLong8Array, which allowed attackers to cause a denial of service via a crafted file (bsc#1042805).
- CVE-2017-9404: Fixed memory leak vulnerability in function OJPEGReadHeaderInfoSecTablesQTable, which allowed attackers to cause a denial of service via a crafted file (bsc#1042804).

These various other issues were fixed:

- Fix uint32 overflow in TIFFReadEncodedStrip() that caused an
  integer division by zero. Reported by Agostino Sarubbo.
- fix heap-based buffer overflow on generation of PixarLog / LUV
  compressed files, with ColorMap, TransferFunction attached and
  nasty plays with bitspersample. The fix for LUV has not been
  tested, but suffers from the same kind of issue of PixarLog.
- modify ChopUpSingleUncompressedStrip() to instanciate compute
  ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
  instead of a logic based on the total size of data. Which is
  faulty is the total size of data is not sufficient to fill the
  whole image, and thus results in reading outside of the
  StripByCounts/StripOffsets arrays when using
  TIFFReadScanline()
- make OJPEGDecode() early exit in case of failure in
  OJPEGPreDecode(). This will avoid a divide by zero, and
  potential other issues.
- fix misleading indentation as warned by GCC.
- revert change done on 2016-01-09 that made Param member of
  TIFFFaxTabEnt structure a uint16 to reduce size of the
  binary. It happens that the Hylafax software uses the tables
  that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
  TIFFFaxBlackTable), although they are not in a public libtiff
  header.
- add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants
  of the functions without ext, with an extra argument to control
  the stop_on_error behaviour.
- fix potential memory leaks in error code path of
  TIFFRGBAImageBegin().
- increase libjpeg max memory usable to 10 MB instead of libjpeg
  1MB default. This helps when creating files with 'big' tile,
  without using libjpeg temporary files.
- add _TIFFcalloc()
- return 0 in Encode functions instead of -1 when
  TIFFFlushData1() fails.
- only run JPEGFixupTagsSubsampling() if the YCbCrSubsampling
  tag is not explicitly present. This helps a bit to reduce the
  I/O amount when the tag is present (especially on cloud hosted
  files).
- in LZWPostEncode(), increase, if necessary, the code bit-width
  after flushing the remaining code and before emitting the EOI
  code.
- fix memory leak in error code path of PixarLogSetupDecode().
- fix potential memory leak in
  OJPEGReadHeaderInfoSecTablesQTable,
  OJPEGReadHeaderInfoSecTablesDcTable and
  OJPEGReadHeaderInfoSecTablesAcTable
- avoid crash in Fax3Close() on empty file.
- TIFFFillStrip(): add limitation to the number of bytes read
  in case td_stripbytecount[strip] is bigger than reasonable,
  so as to avoid excessive memory allocation.
- fix memory leak when the underlying codec (ZIP, PixarLog)
  succeeds its setupdecode() method, but PredictorSetup fails.
- TIFFFillStrip() and TIFFFillTile(): avoid excessive memory
  allocation in case of shorten files. Only effective on 64 bit
  builds and non-mapped cases.
- TIFFFillStripPartial() / TIFFSeek(), avoid potential integer
  overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode.
- avoid excessive memory allocation in case of shorten files.
  Only effective on 64 bit builds.
- update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with
  tif_rawdataloaded when calling TIFFStartStrip() or
  TIFFFillStripPartial(). 
- avoid potential int32 overflow in TIFFYCbCrToRGBInit() Fixes
- avoid potential int32 overflows in multiply_ms() and add_ms().
- fix out-of-buffer read in PackBitsDecode() Fixes
- LogL16InitState(): avoid excessive memory allocation when
  RowsPerStrip tag is missing.
- update dec_bitsleft at beginning of LZWDecode(), and update
  tif_rawcc at end of LZWDecode(). This is needed to properly
  work with the latest chnges in tif_read.c in
  CHUNKY_STRIP_READ_SUPPORT mode.
- PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc
  with avail_in at beginning and end of function, similarly to
  what is done in LZWDecode(). Likely needed so that it works
  properly with latest chnges in tif_read.c in
  CHUNKY_STRIP_READ_SUPPORT mode.
- initYCbCrConversion(): add basic validation of luma and
  refBlackWhite coefficients (just check they are not NaN for
  now), to avoid potential float to int overflows.
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid division by zero
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid
  division by zero.
- initYCbCrConversion(): stricter validation for refBlackWhite
  coefficients values.
- avoid uint32 underflow in cpDecodedStrips that can cause
  various issues, such as buffer overflows in the library.
- fix readContigStripsIntoBuffer() in -i (ignore) mode so that
  the output buffer is correctly incremented to avoid write
  outside bounds.
- add 3 extra bytes at end of strip buffer in
  readSeparateStripsIntoBuffer() to avoid read outside of heap
  allocated buffer.
- fix integer division by zero when BitsPerSample is missing.
- fix null pointer dereference in -r mode when the image has no
  StripByteCount tag.
- avoid potential division by zero is BitsPerSamples tag is
  missing.
- when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, limit
  the return number of inks to SamplesPerPixel, so that code
  that parses ink names doesn't go past the end of the buffer.
- avoid potential division by zero is BitsPerSamples tag is
  missing.
- fix uint32 underflow/overflow that can cause heap-based buffer
  overflow.
- replace assert( (bps % 8) == 0 ) by a non assert check.
- fix 2 heap-based buffer overflows (in PSDataBW and
  PSDataColorContig).
- prevent heap-based buffer overflow in -j mode on a paletted
  image.
- fix wrong usage of memcpy() that can trigger unspecified behaviour.
- avoid potential invalid memory read in t2p_writeproc.
- avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile().
- remove extraneous TIFFClose() in error code path, that caused
  double free.
- error out cleanly in cpContig2SeparateByRow and
  cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap
  based overflow.
- avoid integer division by zero.
- call TIFFClose() in error code paths.
- emit appropriate message if the input file is empty.
- close TIFF handle in error code path.


-----------------------------------------
Patch: SUSE-2017-1606
Released: Thu Sep 28 15:52:49 2017
Summary: Recommended update for xinetd
Severity: important
References: 1060432
Description:
This update for xinetd fixes a regression that could cause a crash when an 'IPv6' flag was specified
without a 'bind' option (bsc#1060432)


-----------------------------------------
Patch: SUSE-2017-1622
Released: Mon Oct  2 20:06:28 2017
Summary: Recommended update for yast2-xml
Severity: low
References: 1047449
Description:
This update for yast2-xml provides the following fix:

- Omit libxml2 memory cleanup to prevent a crash if rubygem-nokogiri is installed.
  (bsc#1047449)


-----------------------------------------
Patch: SUSE-2017-1657
Released: Mon Oct  9 15:38:23 2017
Summary: Optional update for SUSE Manager Server 3.1
Severity: low
References: 1051948
Description:
This update adds the following new packages to SUSE Manager Server 3.1 to provide kubernetes support for Salt:

python-fasteners:
Provides locking decorators, reader-writer locks, inter-process locks and generic helpers.

python-httplib2:
A comprehensive HTTP client library that supports many features left out of other HTTP libraries.

python-monotonic:
This module provides a 'monotonic()' function which returns the value (in fractional seconds) of a clock which
never goes backwards.

python-oauth2client:
This is a Python library for accessing resources protected by OAuth 2.0.

python-websocket-client:
This provides the low level APIs for WebSocket. All APIs are synchronous functions.

python-rsa:
Supports encryption and decryption, signing and verifying signatures, and key generation according to
PKCS#1 version 1.5.


-----------------------------------------
Patch: SUSE-2017-1662
Released: Tue Oct 10 11:58:50 2017
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 1060445,1061005,CVE-2017-7793,CVE-2017-7805,CVE-2017-7810,CVE-2017-7814,CVE-2017-7818,CVE-2017-7819,CVE-2017-7823,CVE-2017-7824,CVE-2017-7825
Description:
This update for MozillaFirefox to ESR 52.4, mozilla-nss fixes the following issues:

This security issue was fixed for mozilla-nss:

- CVE-2017-7805: Prevent use-after-free in TLS 1.2 when generating handshake hashes (bsc#1061005)

These security issues were fixed for Firefox 

- CVE-2017-7825: Fixed some Tibetan and Arabic unicode characters rendering (bsc#1060445).
- CVE-2017-7805: Prevent Use-after-free in TLS 1.2 generating handshake hashes (bsc#1060445).
- CVE-2017-7819: Prevent Use-after-free while resizing images in design mode (bsc#1060445).
- CVE-2017-7818: Prevent Use-after-free during ARIA array manipulation (bsc#1060445).
- CVE-2017-7793: Prevent Use-after-free with Fetch API (bsc#1060445).
- CVE-2017-7824: Prevent Buffer overflow when drawing and validating elements with ANGLE (bsc#1060445).
- CVE-2017-7810: Fixed several memory safety bugs (bsc#1060445).
- CVE-2017-7823: CSP sandbox directive did not create a unique origin (bsc#1060445).
- CVE-2017-7814: Blob and data URLs bypassed phishing and malware protection warnings (bsc#1060445).


-----------------------------------------
Patch: SUSE-2017-1669
Released: Tue Oct 10 15:55:30 2017
Summary: Security update for dracut
Severity: moderate
References: 1005410,1006118,1007925,1008340,1008648,1017695,1032576,1035743,935320,959803,986734,986838,CVE-2016-8637
Description:

This update for dracut fixes the following issues:

Security issues fixed:

- CVE-2016-8637: When the early microcode loading was enabled during initrd creation, the initrd
  would be read-only available for all users, allowing local users to retrieve secrets stored in
  the initial ramdisk. (bsc#1008340)

Non-security issues fixed:

- Skip iBFT discovery for qla4xxx flashnode session. (bsc#935320)
- Set MTU and LLADDR for DHCP if specified. (bsc#959803)
- Allow booting from degraded MD arrays with systemd. (bsc#1017695)
- Start multipath services before local-fs-pre.target. (bsc#1005410, bsc#1006118, bsc#1007925,
  bsc#986734, bsc#986838)
- Fixed /sbin/installkernel to handle kernel packages built with 'make bin-rpmpkg'. (bsc#1008648)
- Fixed typo in installkernel script. (bsc#1032576)
- Fixed subnet calculation in mkinitrd. (bsc#1035743)


-----------------------------------------
Patch: SUSE-2017-1670
Released: Tue Oct 10 15:55:39 2017
Summary: Recommended update for multipath-tools
Severity: moderate
References: 1003972,1005255,1005414,1005546,1006118,1006469,1008691,1017009,1019181,1019798,1022996,1030314,1032487,1033541,1037299,1039045,941954,979280,980933,983167,984669,986734,986838,991432,999522
Description:

This update for multipath-tools provides the following fixes:

- Add /usr/lib/dracut/dracut.conf.d/50-multipath-tools.conf. (bsc#1039045, bsc#1030314,
  bsc#1032487, bsc#1037299)
- Fix sanitize delete partitions in kpartx. (bsc#1033541)
- Fix check for new path states. (bsc#1019798)
- Use existing alias from bindings file. (bsc#1005255)
- Fix memory corruption problem in multipathd. (bsc#1022996)
- Sanitize how kpartx delete partitions. (bsc#1008691)
- Issue systemd READY after initial configuration. (bsc#1006469, bsc#1006118)
- Re-add 'Before: lvm2-activation-early.service' to multipathd.service. (bsc#1019181)
- Fix filtering of device-mapper devices. (bsc#1017009)
- Do not load invalid maps. (bsc#1005546)
- Calculate priority even for ghost paths. (bsc#1005546)
- Skip conf==NULL check in socket listener thread. (bsc#1005414)
- Set DI_SERIAL in 'multipath -ll' output. (bsc#991432)
- Fall back to search paths by devt. (bsc#1003972)
- Add new 'find_multipaths' configuration option. (bsc#999522)
- Add 'need_suspend' parameter. (bsc#986838)
- Check partitions unused before removing. (bsc#986838)
- Start multipathd daemon after udev trigger. (bsc#986734, bsc#984669)
- Fix check from udev rules. (bsc#986734, bsc#984669)
- Remove calls to dm_udev_complete. (bsc#986838)
- Add 'wwn' and 'serial' keywords to weightedpath prioritizer. (bsc#991432)
- Update multipath.rules to deal with partition devices. (bsc#979280)
- Avoid potential memory overflow allocating polls in uxlsnr.
- Correctly zero out cookie in libmultipath's dm_simplecmd.
- Ensure multipathd enters IDLE mode before sleeping in checkerloop().
- Prevent multipathd from accessing configuration in IDLE mode.
- Fix loss of the complete multipath map after single path loss. (bsc#980933)
- Fix systemd build requirements. (bsc#983167)
- Add fixes for md_monitor on zFCP. (fate#319070)


-----------------------------------------
Patch: SUSE-2017-1676
Released: Wed Oct 11 15:49:25 2017
Summary: Recommended update for supportutils
Severity: important
References: 1061282
Description:
This update for supportutils fixes the following issues:

* A core_pattern containing pipe could have lead to a filesystem corruption (bsc#1061282)



-----------------------------------------
Patch: SUSE-2017-1678
Released: Wed Oct 11 17:16:04 2017
Summary: Security update for samba
Severity: moderate
References: 1042419,1058565,1058622,1058624,CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Description:
This update for samba fixes several issues.

These security issues were fixed:

- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to
  file, leaking information from the server to the client (bsc#1058624).
- CVE-2017-12150: Always enforce smb signing when it is configured (bsc#1058622).
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects (bsc#1058565).

These non-security issues were fixed:

- Fixed error where short name length was read as 2 bytes, should be 1 (bsc#1042419)


-----------------------------------------
Patch: SUSE-2017-1695
Released: Tue Oct 17 11:06:57 2017
Summary: Recommended update for netcat-openbsd
Severity: low
References: 1061165
Description:
This update for netcat-openbsd provides the following fix:

- Fix a logic error that would prevent netcat from sending out UDP packets. (bsc#1061165)


-----------------------------------------
Patch: SUSE-2017-1696
Released: Tue Oct 17 11:08:04 2017
Summary: Recommended update for pcsc-lite
Severity: low
References: 1056255,782368
Description:
This update for pcsc-lite fixes the following issues:

- Add Requires on libpcsclite1 for main package to make pcsc-lite work correctly.
  (bsc#782368, bsc#1056255)


-----------------------------------------
Patch: SUSE-2017-1703
Released: Tue Oct 17 13:20:12 2017
Summary: Recommended update for audit
Severity: low
References: 1042781
Description:
This update for audit provides the following fix:

- Make auditd start by forking the systemd service to fix some initialization failures.
  (bsc#1042781)


-----------------------------------------
Patch: SUSE-2017-1758
Released: Mon Oct 23 08:47:47 2017
Summary: Security update for curl
Severity: moderate
References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)

Bugs fixed:

- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)



-----------------------------------------
Patch: SUSE-2017-1766
Released: Tue Oct 24 20:05:54 2017
Summary: Recommended update for logrotate
Severity: low
References: 1028353,1057801
Description:
This update for logrotate provides the following fixes:

- Fixed an error while renaming to already existing files that was causing logs to stop
  rotating. (bsc#1028353)
- Make sure log files continue to rotate properly when a stale status file is found. (bsc#1057801)


-----------------------------------------
Patch: SUSE-2017-1776
Released: Thu Oct 26 09:44:44 2017
Summary: Security update for tcpdump
Severity: moderate
References: 1047873,1057247,CVE-2017-11108,CVE-2017-11541,CVE-2017-11542,CVE-2017-11543,CVE-2017-12893,CVE-2017-12894,CVE-2017-12895,CVE-2017-12896,CVE-2017-12897,CVE-2017-12898,CVE-2017-12899,CVE-2017-12900,CVE-2017-12901,CVE-2017-12902,CVE-2017-12985,CVE-2017-12986,CVE-2017-12987,CVE-2017-12988,CVE-2017-12989,CVE-2017-12990,CVE-2017-12991,CVE-2017-12992,CVE-2017-12993,CVE-2017-12994,CVE-2017-12995,CVE-2017-12996,CVE-2017-12997,CVE-2017-12998,CVE-2017-12999,CVE-2017-13000,CVE-2017-13001,CVE-2017-13002,CVE-2017-13003,CVE-2017-13004,CVE-2017-13005,CVE-2017-13006,CVE-2017-13007,CVE-2017-13008,CVE-2017-13009,CVE-2017-13010,CVE-2017-13011,CVE-2017-13012,CVE-2017-13013,CVE-2017-13014,CVE-2017-13015,CVE-2017-13016,CVE-2017-13017,CVE-2017-13018,CVE-2017-13019,CVE-2017-13020,CVE-2017-13021,CVE-2017-13022,CVE-2017-13023,CVE-2017-13024,CVE-2017-13025,CVE-2017-13026,CVE-2017-13027,CVE-2017-13028,CVE-2017-13029,CVE-2017-13030,CVE-2017-13031,CVE-2017-13032,CVE-2017-13033,CVE-2017-13034,CVE-2017-13035,CVE-2017-13036,CVE-2017-13037,CVE-2017-13038,CVE-2017-13039,CVE-2017-13040,CVE-2017-13041,CVE-2017-13042,CVE-2017-13043,CVE-2017-13044,CVE-2017-13045,CVE-2017-13046,CVE-2017-13047,CVE-2017-13048,CVE-2017-13049,CVE-2017-13050,CVE-2017-13051,CVE-2017-13052,CVE-2017-13053,CVE-2017-13054,CVE-2017-13055,CVE-2017-13687,CVE-2017-13688,CVE-2017-13689,CVE-2017-13690,CVE-2017-13725
Description:
This update for tcpdump to version 4.9.2 fixes several issues.

These security issues were fixed:

- CVE-2017-11108: Prevent remote attackers to cause DoS (heap-based buffer over-read and application crash) via crafted packet data. The crash occured in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol (bsc#1047873, bsc#1057247).
- CVE-2017-11543: Prevent buffer overflow in the sliplink_print function in print-sl.c that allowed remote DoS (bsc#1057247).
- CVE-2017-13011: Prevent buffer overflow in bittok2str_internal() that allowed remote DoS (bsc#1057247)
- CVE-2017-12989: Prevent infinite loop in the RESP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12990: Prevent infinite loop in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12995: Prevent infinite loop in the DNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12997: Prevent infinite loop in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-11541: Prevent heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c that allowed remote DoS (bsc#1057247).
- CVE-2017-11542: Prevent heap-based buffer over-read in the pimv1_print function in print-pim.c that allowed remote DoS (bsc#1057247).
- CVE-2017-12893: Prevent buffer over-read in the SMB/CIFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12894: Prevent buffer over-read in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12895: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12896: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12897: Prevent buffer over-read in the ISO CLNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12898: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12899: Prevent buffer over-read in the DECnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12900: Prevent buffer over-read in the in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12901: Prevent buffer over-read in the EIGRP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12902: Prevent buffer over-read in the Zephyr parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12985: Prevent buffer over-read in the IPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12986: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12987: Prevent buffer over-read in the 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12988: Prevent buffer over-read in the telnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12991: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12992: Prevent buffer over-read in the RIPng parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12993: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12994: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12996: Prevent buffer over-read in the PIMv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12998: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12999: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13000: Prevent buffer over-read in the IEEE 802.15.4 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13001: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13002: Prevent buffer over-read in the AODV parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13003: Prevent buffer over-read in the LMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13004: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13005: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13006: Prevent buffer over-read in the L2TP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13007: Prevent buffer over-read in the Apple PKTAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13008: Prevent buffer over-read in the IEEE 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13009: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13010: Prevent buffer over-read in the BEEP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13012: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13013: Prevent buffer over-read in the ARP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13014: Prevent buffer over-read in the White Board protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13015: Prevent buffer over-read in the EAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13016: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13017: Prevent buffer over-read in the DHCPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13018: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13019: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13020: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13021: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13022: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13023: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13024: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13025: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13026: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13027: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13028: Prevent buffer over-read in the BOOTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13029: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13030: Prevent buffer over-read in the PIM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13031: Prevent buffer over-read in the IPv6 fragmentation header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13032: Prevent buffer over-read in the RADIUS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13033: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13034: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13035: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13036: Prevent buffer over-read in the OSPFv3 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13037: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13038: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13039: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13040: Prevent buffer over-read in the MPTCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13041: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13042: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13043: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13044: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13045: Prevent buffer over-read in the VQP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13046: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13047: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13048: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13049: Prevent buffer over-read in the Rx protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13050: Prevent buffer over-read in the RPKI-Router parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13051: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13052: Prevent buffer over-read in the CFM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13053: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13054: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13055: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13687: Prevent buffer over-read in the Cisco HDLC parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13688: Prevent buffer over-read in the OLSR parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13689: Prevent buffer over-read in the IKEv1 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13690: Prevent buffer over-read in the IKEv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13725: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- Prevent segmentation fault in ESP decoder with OpenSSL 1.1 (bsc#1057247)


-----------------------------------------
Patch: SUSE-2017-1783
Released: Thu Oct 26 21:20:44 2017
Summary: Recommended update for dbus-1
Severity: moderate
References: 1043615,1046173
Description:
This update for dbus-1 fixes the following issues:

- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted.
  (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any
  initscript anymore. (bsc#1046173)


-----------------------------------------
Patch: SUSE-2017-1796
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Severity: moderate
References: 1058722
Description:


This update for pcre fixes the following issues:

- Fixed the pcre stack frame size detection because modern compilers
  break it due to cloning and inlining pcre match() function (bsc#1058722)


-----------------------------------------
Patch: SUSE-2017-1802
Released: Tue Oct 31 12:05:17 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:

- Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)


-----------------------------------------
Patch: SUSE-2017-1808
Released: Thu Nov  2 14:02:29 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1008353,1012422,1017941,1029850,1030593,1032268,1034405,1034670,1035576,1035877,1036752,1037182,1037183,1037306,1037994,1038544,1038879,1038981,1038982,1039348,1039349,1039354,1039456,1039721,1039882,1039883,1039885,1040069,1041431,1041958,1044125,1045327,1045487,1045922,1046107,1047408,1048275,1049645,1049882,1052593,1053148,1053152,1056588,1056982,1057179,1058038,1058410,1058507,1058524,1062520,1063667,1064388,938162,975596,977417,984779,985562,990682,CVE-2015-9004,CVE-2016-10229,CVE-2016-9604,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-12153,CVE-2017-12154,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14140,CVE-2017-15265,CVE-2017-15274,CVE-2017-15649,CVE-2017-2647,CVE-2017-6951,CVE-2017-7482,CVE-2017-7487,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-7889,CVE-2017-8106,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Description:


The SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388).
- CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions (bnc#1037306).
- CVE-2016-10229: udp.c in the Linux kernel allowed remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag (bnc#1032268).
- CVE-2016-9604: The handling of keyrings starting with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to manipulate privileged keyrings, was fixed (bsc#1035576)
- CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456).
- CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354).
- CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125).
- CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152).
- CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275).
- CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410).
- CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507).
- CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148).
- CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667).
- CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).
- CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982).
- CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179).
- CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520).
- CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327).
- CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bnc#1030593).
- CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bnc#1029850).
- CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107).
- CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879).
- CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922).
- CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645).
- CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882).
- CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405).
- CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 allowed privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer (bnc#1035877).
- CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).
- CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544).
- CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982).
- CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981).
- CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882).
- CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883).
- CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).
- CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069).
- CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431).

The following non-security bugs were fixed:

- btrfs: Fix a data space underflow warning (bsc#985562, bsc#975596, bsc#984779, bsc#1008353, bsc#1017941).
- dm-mpath: always return reservation conflict. bsc#938162
- getcwd: Close race with d_move called by lustre (bsc#1052593).
- ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (bsc#1041958).
- ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output (bsc#1041958).
- kabi: avoid bogus kabi errors in ip_output.c (bsc#1041958).
- keys: Disallow keyrings beginning with '.' to be joined as session keyrings (bnc#1035576).
- mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (bnc#1039348).
- net: account for current skb length when deciding about UFO (bsc#1041958).
- nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670 CVE#2017-7645).
- nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670 CVE#2017-7645).
- nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670 CVE#2017-7645).
- printk: prevent userland from spoofing kernel messages (bsc#1039721).
- reiserfs: do not preallocate blocks for extended attributes (bsc#990682).
- tcp: do not inherit fastopen_req from parent (bsc#1038544).
- udp: disallow UFO for sockets with SO_NO_CHECK option (bsc#1041958).
- usb: wusbcore: fix NULL-deref at probe (bsc#1045487).
- vsock: Detach QP check should filter out non matching QPs (bsc#1036752 bsc#1047408).
- vsock: Fix lockdep issue (bsc#977417 bsc#1047408).
- vsock: sock_put wasn't safe to call in interrupt context (bsc#977417 bsc#1047408).
- xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present (bsc#1058524).


-----------------------------------------
Patch: SUSE-2017-1814
Released: Mon Nov  6 09:38:32 2017
Summary: Security update for SuSEfirewall2
Severity: moderate
References: 1064127,CVE-2017-15638
Description:
This update for SuSEfirewall2 fixes the following issues:

- CVE-2017-15638: Fixed a security issue with too open implicit portmapper rules
  (bsc#1064127): A source net restriction for _rpc_ services
  was not taken into account for the implicitly added rules for port 111,
  making the portmap service accessible to everyone in the affected zone.


-----------------------------------------
Patch: SUSE-2017-1834
Released: Wed Nov  8 20:46:07 2017
Summary: Recommended update for SuSEfirewall2
Severity: important
References: 1067057
Description:
This update for SuSEfirewall2 fixes the following issues:

- Fixed a regression that was introduced by the previous security update. The
  regression caused some rpcinfo related configurations of SuSEfirewall2 to
  fail. For example the setting FW_CONFIGURATIONS_EXT='nfs-kernel-server' no
  longer correctly opened up the necessary ports for the nfs server,
  consequently making NFS unavailable (bsc#1067057).


-----------------------------------------
Patch: SUSE-2017-1794
Released: Thu Nov 16 11:17:40 2017
Summary: Security update for wget
Severity: important
References: 1064715,1064716,CVE-2017-13089,CVE-2017-13090
Description:


This update for wget fixes the following security issues:

- CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could
  cause stack buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716)


-----------------------------------------
Patch: SUSE-2017-1881
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:


The GNU file utility was updated to version 5.22.

Security issues fixed:

- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

Version update to file version 5.22

* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.

Version update to file version 5.21

* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current
  locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads

Update to file version 5.20

* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support

Additional non-security bug fixes:

* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)



-----------------------------------------
Patch: SUSE-2017-1882
Released: Wed Nov 22 16:58:12 2017
Summary: Recommended update for timezone
Severity: low
References: 1064571
Description:
This update provides the latest timezone information (2017c) for your system, including following changes:

- Northern Cyprus switches from +03 to +02/+03 on 2017-10-29
- Fiji ends DST 2018-01-14, not 2018-01-21
- Namibia switches from +01/+02 to +02 on 2018-04-01
- Sudan switches from +03 to +02 on 2017-11-01
- Tonga likely switches from +13/+14 to +13 on 2017-11-05
- Turks and Caicos switches from -04 to -05/-04 on 2018-11-04
- Corrections to past DST transitions
- Move oversized Canada/East-Saskatchewan to 'backward' file
- zic(8) and the reference runtime now reject multiple leap seconds within 28 days
  of each other, or leap seconds before the Epoch.


-----------------------------------------
Patch: SUSE-2017-1903
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before
  5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service
  (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive
  modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before
  5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information
  or cause a denial of service (application crash) via a crafted regular expression with an invalid
  '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module
  before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving
  directory-permission loosening logic. (bnc#1047178)

Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround


-----------------------------------------
Patch: SUSE-2017-1916
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:

- Fix a regression in a previous update which caused libgcrypt to leak file descriptors
  causing failures when starting rtkit-daemon. (bsc#1059723)


-----------------------------------------
Patch: SUSE-2017-1917
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Severity: low
References: 1056437,1062591,1062592
Description:

The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.

New features:

- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for
  specific NVIDIA Card offload support.

The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived
libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new
warnings added and the error pin-pointing and fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened:

	https://gcc.gnu.org/gcc-7/changes.html


-----------------------------------------
Patch: SUSE-2017-1969
Released: Thu Nov 30 19:50:53 2017
Summary: Recommended update for libtool
Severity: low
References: 1056381
Description:
This update for libtool provides the following fix:

- Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries
  are properly installed. (bsc#1056381)


-----------------------------------------
Patch: SUSE-2017-1971
Released: Thu Nov 30 22:58:14 2017
Summary: Security update for binutils
Severity: moderate
References: 1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239,CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Description:


GNU binutil was updated to the 2.29.1 release, bringing various new features, fixing a lot of bugs and security issues.

Following security issues are being addressed by this release:

  * 18750 bsc#1030296 CVE-2014-9939
  * 20891 bsc#1030585 CVE-2017-7225
  * 20892 bsc#1030588 CVE-2017-7224
  * 20898 bsc#1030589 CVE-2017-7223
  * 20905 bsc#1030584 CVE-2017-7226
  * 20908 bsc#1031644 CVE-2017-7299
  * 20909 bsc#1031656 CVE-2017-7300
  * 20921 bsc#1031595 CVE-2017-7302
  * 20922 bsc#1031593 CVE-2017-7303
  * 20924 bsc#1031638 CVE-2017-7301
  * 20931 bsc#1031590 CVE-2017-7304
  * 21135 bsc#1030298 CVE-2017-7209 
  * 21137 bsc#1029909 CVE-2017-6965
  * 21139 bsc#1029908 CVE-2017-6966
  * 21156 bsc#1029907 CVE-2017-6969
  * 21157 bsc#1030297 CVE-2017-7210
  * 21409 bsc#1037052 CVE-2017-8392
  * 21412 bsc#1037057 CVE-2017-8393
  * 21414 bsc#1037061 CVE-2017-8394
  * 21432 bsc#1037066 CVE-2017-8396
  * 21440 bsc#1037273 CVE-2017-8421
  * 21580 bsc#1044891 CVE-2017-9746
  * 21581 bsc#1044897 CVE-2017-9747
  * 21582 bsc#1044901 CVE-2017-9748
  * 21587 bsc#1044909 CVE-2017-9750
  * 21594 bsc#1044925 CVE-2017-9755
  * 21595 bsc#1044927 CVE-2017-9756
  * 21787 bsc#1052518 CVE-2017-12448
  * 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450
  * 21933 bsc#1053347 CVE-2017-12799
  * 21990 bsc#1058480 CVE-2017-14333
  * 22018 bsc#1056312 CVE-2017-13757
  * 22047 bsc#1057144 CVE-2017-14129
  * 22058 bsc#1057149 CVE-2017-14130
  * 22059 bsc#1057139 CVE-2017-14128
  * 22113 bsc#1059050 CVE-2017-14529
  * 22148 bsc#1060599 CVE-2017-14745
  * 22163 bsc#1061241 CVE-2017-14974
  * 22170 bsc#1060621 CVE-2017-14729

Update to binutils 2.29. [fate#321454, fate#321494, fate#323293]:

  * The MIPS port now supports microMIPS eXtended Physical Addressing (XPA)
    instructions for assembly and disassembly.
  * The MIPS port now supports the microMIPS Release 5 ISA for assembly and
    disassembly.
  * The MIPS port now supports the Imagination interAptiv MR2 processor,
    which implements the MIPS32r3 ISA, the MIPS16e2 ASE as well as a couple
    of implementation-specific regular MIPS and MIPS16e2 ASE instructions.
  * The SPARC port now supports the SPARC M8 processor, which implements the
    Oracle SPARC Architecture 2017.
  * The MIPS port now supports the MIPS16e2 ASE for assembly and disassembly.
  * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
  * Add support for the wasm32 ELF conversion of the WebAssembly file format.
  * Add --inlines option to objdump, which extends the --line-numbers option
    so that inlined functions will display their nesting information.
  * Add --merge-notes options to objcopy to reduce the size of notes in
    a binary file by merging and deleting redundant notes.
  * Add support for locating separate debug info files using the build-id
    method, where the separate file has a name based upon the build-id of
    the original file.

- GAS specific:

  * Add support for ELF SHF_GNU_MBIND.
  * Add support for the WebAssembly file format and wasm32 ELF conversion.
  * PowerPC gas now checks that the correct register class is used in
    instructions.  For instance, 'addi %f4,%cr3,%r31' warns three times
    that the registers are invalid.
  * Add support for the Texas Instruments PRU processor.
  * Support for the ARMv8-R architecture and Cortex-R52 processor has been
    added to the ARM port.

- GNU ld specific:

  * Support for -z shstk in the x86 ELF linker to generate
    GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program properties.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program
    properties in the x86 ELF linker.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
    properties in the x86 ELF linker.
  * Support for -z ibtplt in the x86 ELF linker to generate IBT-enabled
    PLT.
  * Support for -z ibt in the x86 ELF linker to generate IBT-enabled
    PLT as well as GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
    properties.
  * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
  * Add support for ELF GNU program properties.
  * Add support for the Texas Instruments PRU processor.
  * When configuring for arc*-*-linux* targets the default linker emulation will
    change if --with-cpu=nps400 is used at configure time.
  * Improve assignment of LMAs to orphan sections in some edge cases where a
    mixture of both AT>LMA_REGION and AT(LMA) are used.
  * Orphan sections placed after an empty section that has an AT(LMA) will now
    take an load memory address starting from LMA.
  * Section groups can now be resolved (the group deleted and the group members
    placed like normal sections) at partial link time either using the new
    linker option --force-group-allocation or by placing FORCE_GROUP_ALLOCATION
    into the linker script.

- Add riscv64 target, tested with gcc7 and downstream newlib 2.4.0
- Prepare riscv32 target (gh#riscv/riscv-newlib#8)
- Make compressed debug section handling explicit, disable for
  old products and enable for gas on all architectures otherwise. [bsc#1029995]
- Remove empty rpath component removal optimization from to workaround
  CMake rpath handling.  [bsc#1025282]


  Minor security bugs fixed:
  PR 21147, PR 21148, PR 21149, PR 21150, PR 21151, PR 21155, PR 21158, PR 21159

- Update to binutils 2.28.

  * Add support for locating separate debug info files using the build-id
    method, where the separate file has a name based upon the build-id of
    the original file.
  * This version of binutils fixes a problem with PowerPC VLE 16A and 16D
    relocations which were functionally swapped, for example,
    R_PPC_VLE_HA16A performed like R_PPC_VLE_HA16D while R_PPC_VLE_HA16D
    performed like R_PPC_VLE_HA16A.  This could have been fixed by
    renumbering relocations, which would keep object files created by an
    older version of gas compatible with a newer ld.  However, that would
    require an ABI update, affecting other assemblers and linkers that
    create and process the relocations correctly.  It is recommended that
    all VLE object files be recompiled, but ld can modify the relocations
    if --vle-reloc-fixup is passed to ld.  If the new ld command line
    option is not used, ld will ld warn on finding relocations inconsistent
    with the instructions being relocated.
  * The nm program has a new command line option (--with-version-strings)
    which will display a symbol's version information, if any, after the
    symbol's name.
  * The ARC port of objdump now accepts a -M option to specify the extra
    instruction class(es) that should be disassembled.
  * The --remove-section option for objcopy and strip now accepts section
    patterns starting with an exclamation point to indicate a non-matching
    section.  A non-matching section is removed from the set of sections
    matched by an earlier --remove-section pattern.
  * The --only-section option for objcopy now accepts section patterns
    starting with an exclamation point to indicate a non-matching section.
    A non-matching section is removed from the set of sections matched by
    an earlier --only-section pattern.
  * New --remove-relocations=SECTIONPATTERN option for objcopy and strip.
    This option can be used to remove sections containing relocations.
    The SECTIONPATTERN is the section to which the relocations apply, not
    the relocation section itself.

- GAS specific:

  * Add support for the RISC-V architecture.
  * Add support for the ARM Cortex-M23 and Cortex-M33 processors.

- GNU ld specific:

  * The EXCLUDE_FILE linker script construct can now be applied outside of the
    section list in order for the exclusions to apply over all input sections
    in the list.
  * Add support for the RISC-V architecture.
  * The command line option --no-eh-frame-hdr can now be used in ELF based
    linkers to disable the automatic generation of .eh_frame_hdr sections.
  * Add --in-implib=<infile> to the ARM linker to enable specifying a set of
    Secure Gateway veneers that must exist in the output import library
    specified by --out-implib=<outfile> and the address they must have.
    As such, --in-implib is only supported in combination with --cmse-implib.
  * Extended the --out-implib=<file> option, previously restricted to x86 PE
    targets, to any ELF based target.  This allows the generation of an import
    library for an ELF executable, which can then be used by another application
    to link against the executable.

- GOLD specific:

  * Add -z bndplt option (x86-64 only) to support Intel MPX.
  * Add --orphan-handling option.
  * Add --stub-group-multi option (PowerPC only).
  * Add --target1-rel, --target1-abs, --target2 options (Arm only).
  * Add -z stack-size option.
  * Add --be8 option (Arm only).
  * Add HIDDEN support in linker scripts.
  * Add SORT_BY_INIT_PRIORITY support in linker scripts.

- Other fixes:

  * Fix section alignment on .gnu_debuglink. [bso#21193]
  * Add s390x to gold_archs.
  * Fix alignment frags for aarch64 (bsc#1003846)
  * Call ldconfig for libbfd
  * Fix an assembler problem with clang on ARM.
  * Restore monotonically increasing section offsets.


- Update to binutils 2.27.

  * Add a configure option, --enable-64-bit-archive, to force use of a
    64-bit format when creating an archive symbol index.
  * Add --elf-stt-common= option to objcopy for ELF targets to control
    whether to convert common symbols to the STT_COMMON type.

- GAS specific:

  * Default to --enable-compressed-debug-sections=gas for Linux/x86 targets.
  * Add --no-pad-sections to stop the assembler from padding the end of output
    sections up to their alignment boundary.
  * Support for the ARMv8-M architecture has been added to the ARM port.
    Support for the ARMv8-M Security and DSP Extensions has also been added
    to the ARM port.
  * ARC backend accepts .extInstruction, .extCondCode, .extAuxRegister, and
    .extCoreRegister pseudo-ops that allow an user to define custom
    instructions, conditional codes, auxiliary and core registers.
  * Add a configure option --enable-elf-stt-common to decide whether ELF
    assembler should generate common symbols with the STT_COMMON type by
    default.  Default to no.
  * New command line option --elf-stt-common= for ELF targets to control
    whether to generate common symbols with the STT_COMMON type.
  * Add ability to set section flags and types via numeric values for ELF
    based targets.
  * Add a configure option --enable-x86-relax-relocations to decide whether
    x86 assembler should generate relax relocations by default.  Default to
    yes, except for x86 Solaris targets older than Solaris 12.
  * New command line option -mrelax-relocations= for x86 target to control
    whether to generate relax relocations.
  * New command line option -mfence-as-lock-add=yes for x86 target to encode
    lfence, mfence and sfence as 'lock addl $0x0, (%[re]sp)'.
  * Add assembly-time relaxation option for ARC cpus.
  * Add --with-cpu=TYPE configure option for ARC gas.  This allows the default
    cpu type to be adjusted at configure time.

- GOLD specific:

  * Add a configure option --enable-relro to decide whether -z relro should
    be enabled by default.  Default to yes.
  * Add support for s390, MIPS, AArch64, and TILE-Gx architectures.
  * Add support for STT_GNU_IFUNC symbols.
  * Add support for incremental linking (--incremental).

- GNU ld specific:

  * Add a configure option --enable-relro to decide whether -z relro should
    be enabled in ELF linker by default.  Default to yes for all Linux
    targets except FRV, HPPA, IA64 and MIPS.
  * Support for -z noreloc-overflow in the x86-64 ELF linker to disable
    relocation overflow check.
  * Add -z common/-z nocommon options for ELF targets to control whether to
    convert common symbols to the STT_COMMON type during a relocatable link.
  * Support for -z nodynamic-undefined-weak in the x86 ELF linker, which
    avoids dynamic relocations against undefined weak symbols in executable.
  * The NOCROSSREFSTO command was added to the linker script language.
  * Add --no-apply-dynamic-relocs to the AArch64 linker to do not apply
    link-time values for dynamic relocations.



-----------------------------------------
Patch: SUSE-2017-1974
Released: Fri Dec  1 11:30:25 2017
Summary: Recommended update for zip
Severity: low
References: 1068346
Description:

This update for zip provides the following fix:

- Fix memory leaks when appending files (bsc#1068346)


-----------------------------------------
Patch: SUSE-2017-2000
Released: Tue Dec  5 17:38:55 2017
Summary: Security update for libXcursor
Severity: moderate
References: 1065386,CVE-2017-16612
Description:
This update for libXcursor fixes the following issues:

Security issue fixed:

- CVE-2017-16612: Fix integeroverflow while parsing images and a signedness issue while parsing comments (bsc#1065386).


-----------------------------------------
Patch: SUSE-2017-2021
Released: Fri Dec  8 10:11:04 2017
Summary: Recommended update for file
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.

-----------------------------------------
Patch: SUSE-2017-2024
Released: Fri Dec  8 12:42:18 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1043652,1047626,1066192,1066471,1066472,1066573,1066606,1066618,1066625,1066650,1066671,1066700,1066705,1067085,1067086,1067997,1069496,1069702,1069708,1070307,1070781,860993,CVE-2014-0038,CVE-2017-1000405,CVE-2017-12193,CVE-2017-15102,CVE-2017-16525,CVE-2017-16527,CVE-2017-16529,CVE-2017-16531,CVE-2017-16535,CVE-2017-16536,CVE-2017-16537,CVE-2017-16649,CVE-2017-16650,CVE-2017-16939
Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702 1069708).
- CVE-2017-1000405: The Linux Kernel had a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() could be reached by get_user_pages(). In such case, the pmd would become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd could become dirty without going through a COW cycle. This bug was not as severe as the original 'Dirty cow' because an ext4 file (or any other regular file) could not be mapped using THP. Nevertheless, it did allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files could be overwritten (since their mapping could be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp (bnc#1069496 1070307).
- CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085).
- CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c in the Linux kernel, when CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter (bnc#860993).
- CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067086).
- CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700).
- CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705).
- CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671).
- CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192).
- CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650).
- CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618).
- CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573).
- CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606).
- CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625).

The following non-security bugs were fixed:

- Define sock_efree (bsc#1067997).
- bcache: Add bch_keylist_init_single() (bsc#1047626).
- bcache: Add btree_map() functions (bsc#1047626).
- bcache: Add on error panic/unregister setting (bsc#1047626).
- bcache: Convert gc to a kthread (bsc#1047626).
- bcache: Delete some slower inline asm (bsc#1047626).
- bcache: Drop unneeded blk_sync_queue() calls (bsc#1047626).
- bcache: Fix a bug recovering from unclean shutdown (bsc#1047626).
- bcache: Fix a journalling reclaim after recovery bug (bsc#1047626).
- bcache: Fix a null ptr deref in journal replay (bsc#1047626).
- bcache: Fix an infinite loop in journal replay (bsc#1047626).
- bcache: Fix bch_ptr_bad() (bsc#1047626).
- bcache: Fix discard granularity (bsc#1047626).
- bcache: Fix for can_attach_cache() (bsc#1047626).
- bcache: Fix heap_peek() macro (bsc#1047626).
- bcache: Fix moving_pred() (bsc#1047626).
- bcache: Fix to remove the rcu_sched stalls (bsc#1047626).
- bcache: Improve bucket_prio() calculation (bsc#1047626).
- bcache: Improve priority_stats (bsc#1047626).
- bcache: Minor btree cache fix (bsc#1047626).
- bcache: Move keylist out of btree_op (bsc#1047626).
- bcache: New writeback PD controller (bsc#1047626).
- bcache: PRECEDING_KEY() (bsc#1047626).
- bcache: Performance fix for when journal entry is full (bsc#1047626).
- bcache: Remove redundant block_size assignment (bsc#1047626).
- bcache: Remove redundant parameter for cache_alloc() (bsc#1047626).
- bcache: Remove/fix some header dependencies (bsc#1047626).
- bcache: Trivial error handling fix (bsc#1047626).
- bcache: Use ida for bcache block dev minor (bsc#1047626).
- bcache: allows use of register in udev to avoid 'device_busy' error (bsc#1047626).
- bcache: bch_allocator_thread() is not freezable (bsc#1047626).
- bcache: bch_gc_thread() is not freezable (bsc#1047626).
- bcache: bugfix - gc thread now gets woken when cache is full (bsc#1047626).
- bcache: bugfix - moving_gc now moves only correct buckets (bsc#1047626).
- bcache: cleaned up error handling around register_cache() (bsc#1047626).
- bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device (bsc#1047626).
- bcache: defensively handle format strings (bsc#1047626).
- bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED (bsc#1047626).
- bcache: fix a livelock when we cause a huge number of cache misses (bsc#1047626).
- bcache: fix crash in bcache_btree_node_alloc_fail tracepoint (bsc#1047626).
- bcache: fix for gc and writeback race (bsc#1047626).
- bcache: fix for gc crashing when no sectors are used (bsc#1047626).
- bcache: kill index() (bsc#1047626).
- bcache: only recovery I/O error for writethrough mode (bsc#1043652).
- bcache: register_bcache(): call blkdev_put() when cache_alloc() fails (bsc#1047626).
- bcache: stop moving_gc marking buckets that can't be moved (bsc#1047626).
- mac80211: do not compare TKIP TX MIC key in reinstall prevention (bsc#1066472).
- mac80211: use constant time comparison with keys (bsc#1066471).
- powerpc/powernv: Remove OPAL v1 takeover (bsc#1070781).
- powerpc/vdso64: Use double word compare on pointers
- powerpc: Convert cmp to cmpd in idle enter sequence


-----------------------------------------
Patch: SUSE-2017-2031
Released: Mon Dec 11 12:55:57 2017
Summary: Recommended update for gzip
Severity: low
References: 1067891
Description:

This update for gzip provides the following fix:

- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)


-----------------------------------------
Patch: SUSE-2017-2042
Released: Wed Dec 13 20:09:44 2017
Summary: Recommended update for libXext
Severity: low
References: 1067406
Description:
This update for libXext provides the following fix:

- Remove warning messages about missing Xge extension when translating events in a mixed
  Xlib/xcb scenario, causing the ~/.xsession-errors file to be massively filled. (bsc#1067406)


-----------------------------------------
Patch: SUSE-2017-2044
Released: Thu Dec 14 09:54:35 2017
Summary: Recommended update for psmisc
Severity: low
References: 908068
Description:
This update for psmisc provides the following fixes:

- Use mountinfo to distinguish different mounts with same device number as it happens with NFS shares. (bsc#908068)
- Smaller cleanup as support of chroot environments and older systems.
- Add support for name_to_handle_at() system call to get the real mount ID for each file.
- Run even on older kernels missing mnt_id tag in fdinfo.


-----------------------------------------
Patch: SUSE-2017-2105
Released: Tue Dec 19 13:47:17 2017
Summary: Recommended update for dracut
Severity: important
References: 1072424
Description:
This update for dracut fixes the following issues:

- Support AMD CPU families 0x16 and 0x17 (bsc#1072424)


-----------------------------------------
Patch: SUSE-2017-2139
Released: Thu Dec 21 17:51:50 2017
Summary: Recommended update for dbus-1
Severity: moderate
References: 1071698
Description:
This update for dbus-1 provides the following fix:

- The previously released fix for systemd-logind dbus disconnections was missing in some
  parts of the package, so properly apply it. (bsc#1071698)


-----------------------------------------
Patch: SUSE-2017-2145
Released: Fri Dec 22 16:38:01 2017
Summary: Recommended update for tk and tcl
Severity: low
References: 903017
Description:

This update of tk and tcl to version 8.6.7 brings many improvements and fixes including,
but not limited to, the following highlights:

- Fix a bug in Itcl that was causing the floor tool to print lots of errors and abort.
  (bsc#903017)
- Fix a crash in asynchronous connection to hosts when no address is given.
- Fix possible crashes when closing multithreaded applications.
- Fix a memory leak in [history] destruction.
- Fix a crash in Tcl_ListObjReplace().
- Invalidate VFS mounts on sytem encoding change.
- Repair drifts in timer clock when calling Tcl_GetTime from tcl-clock module.
- Fix a crash when requesting too much character data in binary scan.
- Fix a memory leak when calling geturl from the http package.
- Fix an integer overflow in [lsort] on very long lists.
- Fix a memory leak when calling TclJoinPath.
- Fix a memory leak due to a reference cycle in foreach loops.
- Fix a crash caused by an optimization in the compilation of [string replace].
- Fix a memory corruption in assembler exceptions.
- Fix a crash due to [vwait] trace undo fail.
- Fix a crash when invoking [glob -path a].
- Fix a crash in [dict update] after using lassign in an item.
- Fix a crash in [chan configure -dictionary].
- Make it possible to specify different values for the -accept option when running multiple
  asynchronous http: requests without incurring in race conditions.
- Fix a crash when calling the [expr] command while the application is being traced.
- Avoid leaking memory in Tcl_ZlibInflate when running into error conditions.
- Fix some writes beyond buffer bounds.
- Fix a memory leak in array when unsetting keys from a proc.
- Fix a lock in forking a process under heavy multithreading.
- Fix a crash caused by an allocation overflow when parsing a very large expression.
- Many fixes and improvements to regexp engine from Postgres.
- Fix a segmentation fault due to an integer overflow in TranslateInputEOL().
- Fix multiple crashes in OO teardown.
- Stop crashes when extension var resolvers misbehave.
- Fix using [read] to read past the EOF so that it works on serial devices.
- Fix a regression causing a crash in [oo::class destroy].
- Fix a segmentation fault in mangled bytecode.
- Fix a hang in some [read]s of limited size in UTF-8 channels.
- Fix a segmentation fault in [array set] of traced array.

The following fixes might show some potential incompatibilities with existing software:
- Allow an empty command to be the target of an alias.
- Reconcile libtommath updates, purging some unused files.
- Handle invalid UTF-8 characters correctly in Tcl_UtfToUniChar() to prevent the injection
  of unexpected characters.
- Update Unicode data to 10.0
- Fix some problems in the compilation of [lreplace].
- Fix using parameters with spaces in error messages.
- Make it possible to use [namespace upvar] when the target variable is also a variable of
  the class.
- Change the default transfer encoding to gzip in the http package to be more compatible.
- Limit $... and bareword parsing to ASCII characters only.


-----------------------------------------
Patch: SUSE-2018-15
Released: Thu Jan  4 11:47:08 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1059809,1059811,CVE-2017-14632,CVE-2017-14633
Description:
This update for libvorbis fixes the following issues:

- CVE-2017-14633: out-of-bounds array read vulnerability exists in
  function mapping0_forward() could lead to remote denial of service (bsc#1059811)
- CVE-2017-14632: Remote Code Execution upon freeing uninitialized
  memory in function vorbis_analysis_headerout(bsc#1059809)


-----------------------------------------
Patch: SUSE-2018-17
Released: Thu Jan  4 11:49:33 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1059075
Description:


This update for gcc48 fixes the following issues with an earlier security fix:

- Add support for zero-sized VLAs and allocas with -fstack-clash-protection.  (bnc#1059075)



-----------------------------------------
Patch: SUSE-2018-22
Released: Fri Jan  5 11:42:02 2018
Summary: Recommended update for python-configobj
Severity: low
References: 1035106
Description:
This update for python-configobj provides the following fixes:

- Improves error messages in certain edge cases
- Added runtime dependency: python-six
- Fix error when writing out config files to disk with non-ascii characters
- Documentation corrections


-----------------------------------------
Patch: SUSE-2018-36
Released: Tue Jan  9 11:50:12 2018
Summary: Initial release of galera-python-clustercheck
Severity: low
References: 1072588
Description:
This update adds the galera-python-clustercheck package, which provides improved haproxy failover detection for MariaDB
with Galera.

-----------------------------------------
Patch: SUSE-2018-38
Released: Tue Jan  9 14:56:43 2018
Summary: Recommended update for kmod
Severity: low
References: 1070209
Description:

This update for kmod provides the following fix:

- Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)


-----------------------------------------
Patch: SUSE-2018-54
Released: Fri Jan 12 09:44:01 2018
Summary: Security update for glibc
Severity: important
References: 1043984,1074293,CVE-2014-9984,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:

- A privilege escalation bug in the realpath() function has been fixed.
  [CVE-2018-1000001, bsc#1074293]

- A buffer manipulation vulnerability in nscd has been fixed that could
  possibly have lead to an nscd daemon crash or code execution as the user
  running nscd. [CVE-2014-9984, bsc#1043984]


-----------------------------------------
Patch: SUSE-2018-59
Released: Fri Jan 12 11:18:44 2018
Summary: Security update for tiff
Severity: important
References: 1017690,1069213,960341,969783,983436,CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-5318,CVE-2017-16232
Description:
This update for tiff to version 4.0.9 fixes the following issues:

Security issues fixed:

- CVE-2014-8128: Fix out-of-bounds read with malformed TIFF image in multiple tools (bsc#969783).
- CVE-2015-7554: Fix invalid write in tiffsplit / _TIFFVGetField (bsc#960341).
- CVE-2016-10095: Fix stack-based buffer overflow in _TIFFVGetField (tif_dir.c) (bsc#1017690).
- CVE-2016-5318: Fix stackoverflow in thumbnail (bsc#983436).
- CVE-2017-16232: Fix memory-based DoS in tiff2bw (bsc#1069213).


-----------------------------------------
Patch: SUSE-2018-68
Released: Mon Jan 15 11:30:39 2018
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.

The following vulnerabilities were fixed:

- CVE-2016-4912: A remote attacker could have crashed the server with a large
  number of packages (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having
  unspecified impact (bsc#1001600)

The following bugfix changes are included:

- bsc#994989: Removed convenience code as changes bytes in the message buffer
  breaking the verification code
- bsc#974655: Removed no longer needed slpd init file


-----------------------------------------
Patch: SUSE-2018-79
Released: Tue Jan 16 13:36:29 2018
Summary: Security update for openssl
Severity: important
References: 1000677,1001502,1001912,1004499,1005878,1019334,1021641,1022085,1022271,1027908,1032261,1055825,1056058,1065363,990592,CVE-2016-2108,CVE-2016-7056,CVE-2016-8610,CVE-2017-3731,CVE-2017-3735
Description:
This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2016-7056: ECSDA P-256 timing attack key recovery (bsc#1019334)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2016-8610: remote denial of service in SSL alert handling (bsc#1005878)
- CVE-2017-3735: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058)

Bug fixes:

- support alternate root ca chains (bsc#1032261)
- X509_get_default_cert_file() returns an incorrect path (bsc#1022271)
- Segmentation fault in 'openssl speed' when engine library file cannot be found (bsc#1000677)
- adjust DEFAULT_SUSE to meet 1.0.2 and current state (bsc#1027908)
- Missing important ciphers in openssl 1.0.1i-47.1 on SLES12 SP1 (bsc#990592)
- out of bounds read+crash in DES_fcrypt (bsc#1065363)
- tracker bug for January 26th 2017 release (bsc#1021641)
- patch for CVE-2016-2108 fails negative zero exploit (bsc#1001502)
- Birthday attacks on 64-bit block ciphers aka triple-des (SWEET32) (bsc#1001912)
- Include additional patch for CVE-2016-2108 (bsc#1004499)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)


-----------------------------------------
Patch: SUSE-2018-83
Released: Tue Jan 16 17:21:57 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1045205,1050231,1066569,1066693,1068032,1068671,1070771,1070781,1071074,1071470,1071693,1071694,1071695,1072561,1072876,CVE-2017-11600,CVE-2017-13167,CVE-2017-15115,CVE-2017-15868,CVE-2017-16534,CVE-2017-16538,CVE-2017-17448,CVE-2017-17449,CVE-2017-17450,CVE-2017-17558,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-8824
Description:


The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

This update adds mitigations for various side channel attacks against
modern CPUs that could disclose content of otherwise unreadable memory
(bnc#1068032).

- CVE-2017-5753 / 'SpectreAttack': Local attackers on systems with modern
  CPUs featuring deep instruction pipelining could use attacker
  controllable speculative execution over code patterns in the Linux
  Kernel to leak content from otherwise not readable memory in the same
  address space, allowing retrieval of passwords, cryptographic keys
  and other secrets.

  This problem is mitigated by adding speculative fencing on affected
  code paths throughout the Linux kernel.

  This issue is addressed for the x86_64, the IBM Power and IBM zSeries
  architecture.

- CVE-2017-5715 / 'SpectreAttack': Local attackers on systems with modern
  CPUs featuring branch prediction could use mispredicted branches to
  speculatively execute code patterns that in turn could be made to
  leak other non-readable content in the same address space, an attack
  similar to CVE-2017-5753.

  This problem is mitigated by disabling predictive branches, depending
  on CPU architecture either by firmware updates and/or fixes in the
  user-kernel privilege boundaries.

  This is done with help of Linux Kernel fixes on the Intel/AMD x86_64
  and IBM zSeries architectures. On x86_64, this requires also updates
  of the CPU microcode packages, delivered in seperate updates.

  For IBM Power and zSeries the required firmware updates are supplied
  over regular channels by IBM.

  As this feature can have a performance impact, it can be disabled
  using the 'nospec' kernel commandline option.

- CVE-2017-5754 / 'MeltdownAttack': Local attackers on systems with
  modern CPUs featuring deep instruction pipelining could use code
  patterns in userspace to speculative executive code that would read
  otherwise read protected memory, an attack similar to CVE-2017-5753.

  This problem is mitigated by unmapping the Linux Kernel from the user
  address space during user code execution, following a approach called
  'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation'
  and 'PTI' / 'Page Table Isolation'.

  This update does this on the x86_64 architecture, it is not required
  on the IBM zSeries architecture.

  This feature can be enabled / disabled by the 'pti=[on|off|auto]' or
  'nopti' commandline options.

The following security bugs were fixed:

- CVE-2017-15868: The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel did not ensure that an l2cap socket is available, which allowed local users to gain privileges via a crafted application (bnc#1071470).
- CVE-2017-13167: An elevation of privilege vulnerability in the kernel sound timer. (bnc#1072876).
- CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel allowed local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner) (bnc#1066569).
- CVE-2017-17558: The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel did not consider the maximum number of configurations and interfaces before attempting to release resources, which allowed local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device (bnc#1072561).
- CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695).
- CVE-2017-17449: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, did not restrict observations of Netlink messages to a single net namespace, which allowed local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system (bnc#1071694).
- CVE-2017-17448: net/netfilter/nfnetlink_cthelper.c in the Linux kernel did not require the CAP_NET_ADMIN capability for new, get, and del operations, which allowed local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (bnc#1071693).
- CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771).
- CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671).
- CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231).
- CVE-2017-16534: The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066693).

The following non-security bugs were fixed:

- kvm: svm: Do not intercept new speculative control MSRs (bsc#1068032).
- audit: Fix use after free in audit_remove_watch_rule() (bsc#1045205).
- bpf: prevent speculative execution in eBPF interpreter (bnc#1068032).
- carl9170: prevent speculative execution (bnc#1068032).
- fs: prevent speculative execution (bnc#1068032).
- kaiser: make kernel_stack user-mapped
- kvm: x86: Add speculative control CPUID support for guests (bsc#1068032).
- locking/barriers: introduce new memory barrier gmb() (bnc#1068032).
- p54: prevent speculative execution (bnc#1068032).
- powerpc/barrier: add gmb.
- powerpc: Convert cmp to cmpd in idle enter sequence (bsc#1070781).
- powerpc/vdso64: Use double word compare on pointers (bsc#1070781). Conflicts: 	series.conf
- ptrace: Add a new thread access check (bsc#1068032).
- s390: introduce CPU alternatives (bsc#1068032).
- s390/spinlock: add gmb memory barrier.
- s390/spinlock: add ppa to system call path.
- uas: Only complain about missing sg if all other checks succeed (bsc#1071074).
- udf: prevent speculative execution (bnc#1068032).
- usb: uas: fix bug in handling of alternate settings (bsc#1071074).
- uvcvideo: prevent speculative execution (bnc#1068032).
- x86/CPU/AMD: Add speculative control support for AMD (bsc#1068032).
- x86/CPU/AMD: Make the LFENCE instruction serialized (bsc#1068032).
- x86/CPU/AMD: Remove now unused definition of MFENCE_RDTSC feature (bsc#1068032).
- x86/CPU: Check speculation control CPUID bit (bsc#1068032).
- x86/enter: Add macros to set/clear IBRS and set IBPB (bsc#1068032).
- x86/entry: Add a function to overwrite the RSB (bsc#1068032).
- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (bsc#1068032).
- x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
- x86/feature: Enable the x86 feature to control Speculation (bsc#1068032).
- x86/idle: Disable IBRS when offlining a CPU and re-enable on wakeup (bsc#1068032).
- x86/idle: Toggle IBRS when going idle (bsc#1068032).
- x86/kaiser: Move feature detection up (bsc#1068032).
- x86/kvm: Add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm (bsc#1068032).
- x86/kvm: Flush IBP when switching VMs (bsc#1068032).
- x86/kvm: Pad RSB on VM transition (bsc#1068032).
- x86/kvm: Toggle IBRS on VM entry and exit (bsc#1068032).
- x86/microcode/AMD: Add support for fam17h microcode loading (bsc#1068032).
- x86/mm: Only set IBPB when the new thread cannot ptrace current thread (bsc#1068032).
- x86/mm: Set IBPB upon context switch (bsc#1068032).
- x86/MSR: Move native_*msr(.. u64) to msr.h (bsc#1068032).
- x86/spec: Add IBRS control functions (bsc#1068032).
- x86/spec: Add 'nospec' chicken bit (bsc#1068032).
- x86/spec: Check CPUID direclty post microcode reload to support IBPB feature (bsc#1068032).
- x86/spec_ctrl: Add an Indirect Branch Predictor barrier (bsc#1068032).
- x86/spec_ctrl: Check whether IBPB is enabled before using it (bsc#1068032).
- x86/spec_ctrl: Check whether IBRS is enabled before using it (bsc#1068032).
- x86/svm: Add code to clear registers on VM exit (bsc#1068032).
- x86/svm: Clobber the RSB on VM exit (bsc#1068032).
- x86/svm: Set IBPB when running a different VCPU (bsc#1068032).
- x86/svm: Set IBRS value on VM entry and exit (bsc#1068032).


-----------------------------------------
Patch: SUSE-2018-84
Released: Wed Jan 17 08:31:32 2018
Summary: Security update for rsync
Severity: moderate
References: 1028842,1062063,1066644,1071459,1071460,CVE-2017-16548,CVE-2017-17433,CVE-2017-17434
Description:
This update for rsync fixes several issues.

These security issues were fixed:

- CVE-2017-17434: The daemon in rsync did not check for fnamecmp filenames in
  the daemon_filter_list data structure (in the recv_files function in
  receiver.c) and also did not apply the sanitize_paths protection mechanism to
  pathnames found in 'xname follows' strings (in the read_ndx_and_attrs function
  in rsync.c), which allowed remote attackers to bypass intended access
  restrictions' (bsc#1071460).
- CVE-2017-17433: The recv_files function in receiver.c in the daemon in rsync,
  proceeded with certain file metadata updates before checking for a filename in
  the daemon_filter_list data structure, which allowed remote attackers to bypass
  intended access restrictions (bsc#1071459).
- CVE-2017-16548: The receive_xattr function in xattrs.c in rsync did not check
  for a trailing '\\0' character in an xattr name, which allowed remote attackers
  to cause a denial of service (heap-based buffer over-read and application
  crash) or possibly have unspecified other impact by sending crafted data to the
  daemon (bsc#1066644).

This non-security issue was fixed:

- Stop file upload after errors like a full disk (bsc#1062063)
- Ensure -X flag works even when setting owner/group (bsc#1028842)


-----------------------------------------
Patch: SUSE-2018-86
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).


-----------------------------------------
Patch: SUSE-2018-88
Released: Wed Jan 17 14:41:17 2018
Summary: Security update for curl
Severity: moderate
References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).


-----------------------------------------
Patch: SUSE-2018-89
Released: Wed Jan 17 14:42:04 2018
Summary: Security update for perl-XML-LibXML
Severity: moderate
References: 1046848,CVE-2017-10672
Description:
This update for perl-XML-LibXML fixes the following issues:

Security issue fixed:

- CVE-2017-10672: Fix use-after-free that allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call (bsc#1046848).


-----------------------------------------
Patch: SUSE-2018-100
Released: Thu Jan 18 14:40:35 2018
Summary: Security update for gd
Severity: moderate
References: 1056993,CVE-2017-6362
Description:
This update for gd fixes one issues.

This security issue was fixed:

- CVE-2017-6362: Prevent double-free in gdImagePngPtr() that potentially allowed for DoS or remote code execution (bsc#1056993).


-----------------------------------------
Patch: SUSE-2018-108
Released: Fri Jan 19 16:02:13 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1074621
Description:

  
This update for gcc48 fixes the following issues:

Added support for generation of retpolines on x86_64. [bnc#1074621]

This support is used for building the Linux Kernel with retpoline support
to mitigate the Spectre Variant 2 attack.

New compiler options have been added to specify specific code generation:

* -mindirect-branch=keep
* -mindirect-branch=thunk
* -mindirect-branch=thunk-extern
* -mindirect-branch=thunk-inline
* -mindirect-branch-register
* -mfunction-return=keep
* -mfunction-return=thunk
* -mfunction-return=thunk-extern
* -mfunction-return=thunk-inline



-----------------------------------------
Patch: SUSE-2018-113
Released: Mon Jan 22 10:24:56 2018
Summary: Recommended update for puppet, facter, rubygem-hiera, rubygem-hiera-1
Severity: low
References: 1040363,1046263
Description:
This update for puppet, facter, rubygem-hiera, rubygem-hiera-1 fixes the following issues:

puppet:

- Use hiera 1.2.1 when more versions are installed in parallel. (bsc#1046263)

facter:

- Correctly recognize VLAN tagged interfaces. (bsc#1040363)

rubygem-hiera-1:

- Adjust Provides and Obsoletes in order to let update alternatives work correctly and to allow
  installation of multiple hiera versions concurrently. (bsc#1046263)

rubygem-hiera:

- Remove Conflicts with rubygem-hiera-1 to fix deployment of patches with SUSE Manager. (bsc#1046263)


-----------------------------------------
Patch: SUSE-2018-116
Released: Mon Jan 22 12:53:29 2018
Summary: Security update for rsync
Severity: moderate
References: 1076503,CVE-2018-5764
Description:
This update for rsync fixes one issues.

This security issue was fixed:

- CVE-2018-5764: The parse_arguments function in options.c did not prevent
  multiple --protect-args uses, which allowed remote attackers to bypass an
  argument-sanitization protection mechanism (bsc#1076503).


-----------------------------------------
Patch: SUSE-2018-118
Released: Mon Jan 22 13:37:47 2018
Summary: Security update for procmail
Severity: moderate
References: 1068648,CVE-2017-16844
Description:
This update for procmail fixes the following issues:

- CVE-2017-16844: Heap-based buffer overflow in loadbuf function could lead to remote denial of service (bsc#1068648)
  


-----------------------------------------
Patch: SUSE-2018-127
Released: Tue Jan 23 13:37:09 2018
Summary: Security update for libvpx
Severity: moderate
References: 1075992,CVE-2017-13194
Description:
This update for libvpx fixes one issues.

This security issue was fixed: 

- CVE-2017-13194: Fixed incorrect memory allocation related to odd frame width (bsc#1075992).


-----------------------------------------
Patch: SUSE-2018-136
Released: Wed Jan 24 12:14:31 2018
Summary: Security update for libexif
Severity: moderate
References: 1055857,1059893,CVE-2016-6328,CVE-2017-7544
Description:
This update for libexif fixes several issues.

These security issues were fixed:

- CVE-2016-6328: Fixed integer overflow in parsing MNOTE entry data of the input
  file (bsc#1055857)
- CVE-2017-7544: Fixed out-of-bounds heap read vulnerability in
  exif_data_save_data_entry function in libexif/exif-data.c caused by improper
  length computation of the allocated data of an ExifMnote entry which can cause
  denial-of-service or possibly information disclosure (bsc#1059893)


-----------------------------------------
Patch: SUSE-2018-143
Released: Wed Jan 24 17:37:04 2018
Summary: Security update for libevent
Severity: moderate
References: 1022917,1022918,1022919,CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Description:
This update for libevent fixes the following security issues:

- CVE-2016-10195: DNS remote stack overread vulnerability (bsc#1022917) 
- CVE-2016-10196: stack/buffer overflow in evutil_parse_sockaddr_port() (bsc#1022918) 
- CVE-2016-10197: out-of-bounds read in search_make_new() (bsc#1022919) 


-----------------------------------------
Patch: SUSE-2018-149
Released: Thu Jan 25 13:38:37 2018
Summary: Security update for curl
Severity: moderate
References: 1077001,CVE-2018-1000007
Description:
This update for curl fixes one issues.

This security issue was fixed:

- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)


-----------------------------------------
Patch: SUSE-2018-178
Released: Mon Jan 29 09:55:25 2018
Summary: Security update for gd
Severity: moderate
References: 1076391,CVE-2018-5711
Description:
This update for gd fixes one issues.

This security issue was fixed:

- CVE-2018-5711: Prevent integer signedness error that could have lead to an
  infinite loop via a crafted GIF file allowing for DoS (bsc#1076391)


-----------------------------------------
Patch: SUSE-2018-184
Released: Mon Jan 29 16:05:12 2018
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1043853,1049673,1055271,1074009
Description:
This update for mozilla-nss provides the following fixes:

- Change DRBG to use the getrandom() kernel interface instead of /dev/urandom (bsc#1043853).
- Add patches for strengthening and FIPS compliance (bsc#1055271, bsc#1049673):
  * Use getrandom() instead of /dev/random and /dev/urandom where available.
  * Remove continuous DRBG test. This is no longer required for FIPS compliance.
  * Add DSA known answer POST.
  * Add ECDSA known answer POST.
  * Use FIPS compliant hash length in pairwise consistency check.
  * Make RSA key generation parameters more strict in order to meet FIPS criteria.
  * Add DH and ECDH known answer POSTs.
  * Add KDF135 CAVS test.
  * Add keywrapping CAVS test.
  * Add KAS FFC CAVS test.
  * Add KAS ECC CAVS test.
  * Restrict number of bytes generated per GCM IV for FIPS compliance.
  * Add helpers required by new CAVS tests.
  * Add fixes to make DSA CAVS tests pass.
  * Add fixes to make RSA CAVS tests pass.
  * Add constructor POSTs.
  * Disable weak ciphers in FIPS mode.
  * Prevent wraparounds in CTR mode.
  * Clear various sensitive parameters from memory when no longer in use.
  * Allow TLS 1.0 PRF to work in FIPS mode, even though it relies on MD5, which is
    otherwise banned.
  * Use strong random pool (/dev/random or getrandom() with GRND_RANDOM instead of their
    more dilute counterparts) in FIPS mode.
- We allow AESNI by default now. This can be disabled at runtime by defining NSS_DISABLE_HW_AES
  in the environment.
- Export NSS_FORCE_FIPS=1 for build, since this is needed now to prevent NSS from passing
  -DNSS_NO_INIT_SUPPORT, which disables on-load FIPS POSTs.


-----------------------------------------
Patch: SUSE-2018-209
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:

- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat
  function in strings.c that might have lead to a remote denial of service attack
  (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in
  progs/dump_entry.c that might have lead to a remote denial of service attack
  (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in
  progs/dump_entry.c that might have lead to a remote denial of service attack
  (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function
  postprocess_termcap() in parse_entry.c that might have lead to a remote denial
  of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function
  _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial
  of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function
  in alloc_entry.c that might have lead to a remote denial of service attack
  (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in
  comp_scan.c that might have lead to a remote denial of service attack
  (bsc#1056136).


-----------------------------------------
Patch: SUSE-2018-238
Released: Thu Feb  1 16:35:51 2018
Summary: Security update for jasper
Severity: moderate
References: 1009994,1010756,1010757,1010766,1010774,1010782,1010968,1010975,1047958,CVE-2016-9262,CVE-2016-9388,CVE-2016-9389,CVE-2016-9390,CVE-2016-9391,CVE-2016-9392,CVE-2016-9393,CVE-2016-9394,CVE-2017-1000050
Description:
This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and
  mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via
  a crafted image, which triggers use after free vulnerabilities. (bsc#1009994)
- CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted image file. (bsc#1010975)
- CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a
  denial of service (assertion failure). (bsc#1010968)
- CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted image file. (bsc#1010774)
- CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a
  denial of service (assertion failure) via a very large integer. (bsc#1010782)
- CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial
  of service. (bsc#1047958)

CVEs already fixed with previous update:
- CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted file. (bsc#1010757)
- CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010766)
- CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010756)


-----------------------------------------
Patch: SUSE-2018-243
Released: Fri Feb  2 09:13:13 2018
Summary: Recommended update for mozilla-nss
Severity: important
References: 1078190,1078333
Description:
This update for mozilla-nss fixes the following issue:

- This update remedies a regression caused by a previous update of mozilla-nss
  that affected users of FIPS mode. [bsc#1078333, bsc#1078190]


-----------------------------------------
Patch: SUSE-2018-247
Released: Fri Feb  2 12:33:37 2018
Summary: Security update for libsndfile
Severity: moderate
References: 1043978,1059911,1059912,1059913,1069874,CVE-2017-14245,CVE-2017-14246,CVE-2017-14634,CVE-2017-16942,CVE-2017-6892
Description:
This update for libsndfile fixes the following issues:

- CVE-2017-16942: Divide-by-zero in the function wav_w64_read_fmt_chunk(), which may lead to Denial of service (bsc#1069874). 
- CVE-2017-6892:  Fixed an out-of-bounds read memory access in the aiff_read_chanmap() (bsc#1043978).
- CVE-2017-14634: In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file. (bsc#1059911)
- CVE-2017-14245: An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of 
                  the NAN and INFINITY floating-point values. (bsc#1059912)
- CVE-2017-14246: An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of 
                  the NAN and INFINITY floating-point values.(bsc#1059913)


-----------------------------------------
Patch: SUSE-2018-250
Released: Fri Feb  2 17:33:48 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1073275
Description:
This update provides the latest timezone information (2018c) for your system, including following changes:

- Sao Tome and Principe switched from +00 to +01 on 2018-01-01.
- Southern Brazil's DST will now start on November's first Sunday. (bsc#1073275)
- New zic option -t to specify the time zone file if TZ is unset.


-----------------------------------------
Patch: SUSE-2018-261
Released: Tue Feb  6 11:24:15 2018
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1062937,CVE-2017-15232
Description:
This update for libjpeg-turbo fixes the following issues:

Feature update:

- Update from version 1.3.1 to version 1.5.2 (fate#324061).
  
Security issue fixed:

- CVE-2017-15232: Fix NULL pointer dereference in jdpostct.c and jquant1.c (bsc#1062937).


-----------------------------------------
Patch: SUSE-2018-265
Released: Tue Feb  6 14:58:28 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1010996,1071152,1071390
Description:

  
This update for ca-certificates-mozilla fixes the following issues:

The system SSL root certificate store was updated to Mozilla certificate
version 2.22 from January 2018.  (bsc#1071152 bsc#1071390 bsc#1010996)

We removed the old 1024 bit legacy CAs that were temporary left in to allow
in-chain root certificates as openssl is now able to handle it.

Further changes coming from Mozilla:

- New Root CAs added:

  * Amazon Root CA 1: (email protection, server auth)
  * Amazon Root CA 2: (email protection, server auth)
  * Amazon Root CA 3: (email protection, server auth)
  * Amazon Root CA 4: (email protection, server auth)
  * Certplus Root CA G1: (email protection, server auth)
  * Certplus Root CA G2: (email protection, server auth)
  * D-TRUST Root CA 3 2013: (email protection)
  * GDCA TrustAUTH R5 ROOT: (server auth)
  * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
  * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
  * ISRG Root X1: (server auth)
  * LuxTrust Global Root 2: (server auth)
  * OpenTrust Root CA G1: (email protection, server auth)
  * OpenTrust Root CA G2: (email protection, server auth)
  * OpenTrust Root CA G3: (email protection, server auth)
  * SSL.com EV Root Certification Authority ECC: (server auth)
  * SSL.com EV Root Certification Authority RSA R2: (server auth)
  * SSL.com Root Certification Authority ECC: (email protection, server auth)
  * SSL.com Root Certification Authority RSA: (email protection, server auth)
  * Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
  * TrustCor ECA-1: (email protection, server auth)
  * TrustCor RootCert CA-1: (email protection, server auth)
  * TrustCor RootCert CA-2: (email protection, server auth)
  * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

- Removed root CAs:

  * AddTrust Public Services Root
  * AddTrust Public CA Root
  * AddTrust Qualified CA Root
  * ApplicationCA - Japanese Government
  * Buypass Class 2 CA 1
  * CA Disig Root R1
  * CA WoSign ECC Root
  * Certification Authority of WoSign G2
  * Certinomis - Autorité Racine
  * Certum Root CA
  * China Internet Network Information Center EV Certificates Root
  * CNNIC ROOT
  * Comodo Secure Services root
  * Comodo Trusted Services root
  * ComSign Secured CA
  * EBG Elektronik Sertifika Hizmet Sağlayıcısı
  * Equifax Secure CA
  * Equifax Secure eBusiness CA 1
  * Equifax Secure Global eBusiness CA
  * GeoTrust Global CA 2
  * IGC/A
  * Juur-SK
  * Microsec e-Szigno Root CA
  * PSCProcert
  * Root CA Generalitat Valenciana
  * RSA Security 2048 v3
  * Security Communication EV RootCA1
  * Sonera Class 1 Root CA
  * StartCom Certification Authority
  * StartCom Certification Authority G2
  * S-TRUST Authentication and Encryption Root CA 2005 PN
  * Swisscom Root CA 1
  * Swisscom Root EV CA 2
  * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * UTN USERFirst Hardware Root CA
  * UTN USERFirst Object Root CA
  * VeriSign Class 3 Secure Server CA - G2
  * Verisign Class 1 Public Primary Certification Authority
  * Verisign Class 2 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * WellsSecure Public Root Certificate Authority
  * Certification Authority of WoSign
  * WoSign China

- Removed Code Signing rights from a lot of CAs (not listed here).

- Removed Server Auth rights from:

  * AddTrust Low-Value Services Root
  * Camerfirma Chambers of Commerce Root
  * Camerfirma Global Chambersign Root
  * Swisscom Root CA 2



-----------------------------------------
Patch: SUSE-2018-268
Released: Wed Feb  7 10:58:42 2018
Summary: Recommended update for python-ecdsa
Severity: low
References: 152667
Description:

This update syncs the python-ecdsa versions between the SUSE Linux Enterprise 12 Public Cloud Modules.
  

-----------------------------------------
Patch: SUSE-2018-301
Released: Tue Feb 13 15:24:01 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1047626,1068032,1070623,1073311,1073792,1073874,1075091,1075908,1075994,1076017,1076110,1076154,1076278,1077355,1077560,1077922,893777,893949,902893,951638,CVE-2015-1142857,CVE-2017-13215,CVE-2017-17741,CVE-2017-17805,CVE-2017-17806,CVE-2017-18079,CVE-2017-5715,CVE-2018-1000004
Description:

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-5715: Systems with microprocessors utilizing speculative
  execution and indirect branch prediction may allow unauthorized disclosure
  of information to an attacker with local user access via a side-channel
  analysis (bnc#1068032).

  The previous fix using CPU Microcode has been complemented by building
  the Linux Kernel with return trampolines aka 'retpolines'.

- CVE-2017-18079: drivers/input/serio/i8042.c allowed attackers to cause a
  denial of service (NULL pointer dereference and system crash) or possibly have
  unspecified other impact because the port->exists value can change after it is
  validated (bnc#1077922)
- CVE-2015-1142857: Prevent guests from sending ethernet flow control pause
  frames via the PF (bnc#1077355)
- CVE-2017-17741: KVM allowed attackers to obtain potentially sensitive
  information from kernel memory, aka a write_mmio stack-based out-of-bounds read
  (bnc#1073311)
- CVE-2017-13215: Prevent elevation of privilege (bnc#1075908)
- CVE-2018-1000004: Prevent race condition in the sound system, this could have
  lead a deadlock and denial of service condition (bnc#1076017)
- CVE-2017-17806: The HMAC implementation did not validate that the underlying
  cryptographic hash algorithm is unkeyed, allowing a local attacker able to use
  the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3
  hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by
  executing a crafted sequence of system calls that encounter a missing SHA-3
  initialization (bnc#1073874)
- CVE-2017-17805: The Salsa20 encryption algorithm did not correctly handle
  zero-length inputs, allowing a local attacker able to use the AF_ALG-based
  skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of
  service (uninitialized-memory free and kernel crash) or have unspecified other
  impact by executing a crafted sequence of system calls that use the
  blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c)
  and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were
  vulnerable (bnc#1073792)

The following non-security bugs were fixed:

- bcache allocator: send discards with correct size (bsc#1047626).
- bcache.txt: standardize document format (bsc#1076110).
- bcache: Abstract out stuff needed for sorting (bsc#1076110).
- bcache: Add a cond_resched() call to gc (bsc#1076110).
- bcache: Add a real GC_MARK_RECLAIMABLE (bsc#1076110).
- bcache: Add bch_bkey_equal_header() (bsc#1076110).
- bcache: Add bch_btree_keys_u64s_remaining() (bsc#1076110).
- bcache: Add bch_keylist_init_single() (bsc#1047626).
- bcache: Add btree_insert_node() (bnc#951638).
- bcache: Add btree_map() functions (bsc#1047626).
- bcache: Add btree_node_write_sync() (bsc#1076110).
- bcache: Add explicit keylist arg to btree_insert() (bnc#951638).
- bcache: Add make_btree_freeing_key() (bsc#1076110).
- bcache: Add on error panic/unregister setting (bsc#1047626).
- bcache: Add struct bset_sort_state (bsc#1076110).
- bcache: Add struct btree_keys (bsc#1076110).
- bcache: Allocate bounce buffers with GFP_NOWAIT (bsc#1076110).
- bcache: Avoid deadlocking in garbage collection (bsc#1076110).
- bcache: Avoid nested function definition (bsc#1076110).
- bcache: Better alloc tracepoints (bsc#1076110).
- bcache: Better full stripe scanning (bsc#1076110).
- bcache: Bkey indexing renaming (bsc#1076110).
- bcache: Break up struct search (bsc#1076110).
- bcache: Btree verify code improvements (bsc#1076110).
- bcache: Bypass torture test (bsc#1076110).
- bcache: Change refill_dirty() to always scan entire disk if necessary (bsc#1076110).
- bcache: Clean up cache_lookup_fn (bsc#1076110).
- bcache: Clean up keylist code (bnc#951638).
- bcache: Convert bch_btree_insert() to bch_btree_map_leaf_nodes() (bsc#1076110).
- bcache: Convert bch_btree_read_async() to bch_btree_map_keys() (bsc#1076110).
- bcache: Convert btree_insert_check_key() to btree_insert_node() (bnc#951638).
- bcache: Convert btree_iter to struct btree_keys (bsc#1076110).
- bcache: Convert bucket_wait to wait_queue_head_t (bnc#951638).
- bcache: Convert debug code to btree_keys (bsc#1076110).
- bcache: Convert gc to a kthread (bsc#1047626).
- bcache: Convert sorting to btree_keys (bsc#1076110).
- bcache: Convert try_wait to wait_queue_head_t (bnc#951638).
- bcache: Convert writeback to a kthread (bsc#1076110).
- bcache: Correct return value for sysfs attach errors (bsc#1076110).
- bcache: Debug code improvements (bsc#1076110).
- bcache: Delete some slower inline asm (bsc#1047626).
- bcache: Do bkey_put() in btree_split() error path (bsc#1076110).
- bcache: Do not bother with bucket refcount for btree node allocations (bsc#1076110).
- bcache: Do not reinvent the wheel but use existing llist API (bsc#1076110).
- bcache: Do not return -EINTR when insert finished (bsc#1076110).
- bcache: Do not touch bucket gen for dirty ptrs (bsc#1076110).
- bcache: Do not use op->insert_collision (bsc#1076110).
- bcache: Drop some closure stuff (bsc#1076110).
- bcache: Drop unneeded blk_sync_queue() calls (bsc#1047626).
- bcache: Explicitly track btree node's parent (bnc#951638).
- bcache: Fix a bug recovering from unclean shutdown (bsc#1047626).
- bcache: Fix a bug when detaching (bsc#951638).
- bcache: Fix a journal replay bug (bsc#1076110).
- bcache: Fix a journalling performance bug (bnc#893777).
- bcache: Fix a journalling reclaim after recovery bug (bsc#1047626).
- bcache: Fix a lockdep splat (bnc#893777).
- bcache: Fix a lockdep splat in an error path (bnc#951638).
- bcache: Fix a null ptr deref in journal replay (bsc#1047626).
- bcache: Fix a race when freeing btree nodes (bsc#1076110).
- bcache: Fix a shutdown bug (bsc#951638).
- bcache: Fix an infinite loop in journal replay (bsc#1047626).
- bcache: Fix another bug recovering from unclean shutdown (bsc#1076110).
- bcache: Fix another compiler warning on m68k (bsc#1076110).
- bcache: Fix auxiliary search trees for key size > cacheline size (bsc#1076110).
- bcache: Fix bch_ptr_bad() (bsc#1047626).
- bcache: Fix building error on MIPS (bsc#1076110).
- bcache: Fix dirty_data accounting (bsc#1076110).
- bcache: Fix discard granularity (bsc#1047626).
- bcache: Fix flash_dev_cache_miss() for real this time (bsc#1076110).
- bcache: Fix for can_attach_cache() (bsc#1047626).
- bcache: Fix heap_peek() macro (bsc#1047626).
- bcache: Fix leak of bdev reference (bsc#1076110).
- bcache: Fix more early shutdown bugs (bsc#951638).
- bcache: Fix moving_gc deadlocking with a foreground write (bsc#1076110).
- bcache: Fix moving_pred() (bsc#1047626).
- bcache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
- bcache: Fix to remove the rcu_sched stalls (bsc#1047626).
- bcache: Have btree_split() insert into parent directly (bsc#1076110).
- bcache: Improve bucket_prio() calculation (bsc#1047626).
- bcache: Improve priority_stats (bsc#1047626).
- bcache: Incremental gc (bsc#1076110).
- bcache: Insert multiple keys at a time (bnc#951638).
- bcache: Kill bch_next_recurse_key() (bsc#1076110).
- bcache: Kill btree_io_wq (bsc#1076110).
- bcache: Kill bucket->gc_gen (bsc#1076110).
- bcache: Kill dead cgroup code (bsc#1076110).
- bcache: Kill op->cl (bsc#1076110).
- bcache: Kill op->replace (bsc#1076110).
- bcache: Kill sequential_merge option (bsc#1076110).
- bcache: Kill unaligned bvec hack (bsc#1076110).
- bcache: Kill unused freelist (bsc#1076110).
- bcache: Make bch_keylist_realloc() take u64s, not nptrs (bsc#1076110).
- bcache: Make gc wakeup sane, remove set_task_state() (bsc#1076110).
- bcache: Minor btree cache fix (bsc#1047626).
- bcache: Minor fixes from kbuild robot (bsc#1076110).
- bcache: Move insert_fixup() to btree_keys_ops (bsc#1076110).
- bcache: Move keylist out of btree_op (bsc#1047626).
- bcache: Move sector allocator to alloc.c (bsc#1076110).
- bcache: Move some stuff to btree.c (bsc#1076110).
- bcache: Move spinlock into struct time_stats (bsc#1076110).
- bcache: New writeback PD controller (bsc#1047626).
- bcache: PRECEDING_KEY() (bsc#1047626).
- bcache: Performance fix for when journal entry is full (bsc#1047626).
- bcache: Prune struct btree_op (bsc#1076110).
- bcache: Pull on disk data structures out into a separate header (bsc#1076110).
- bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two (bsc#1076110).
- bcache: Really show state of work pending bit (bsc#1076110).
- bcache: Refactor bset_tree sysfs stats (bsc#1076110).
- bcache: Refactor journalling flow control (bnc#951638).
- bcache: Refactor read request code a bit (bsc#1076110).
- bcache: Refactor request_write() (bnc#951638).
- bcache: Remove deprecated create_workqueue (bsc#1076110).
- bcache: Remove redundant block_size assignment (bsc#1047626).
- bcache: Remove redundant parameter for cache_alloc() (bsc#1047626).
- bcache: Remove redundant set_capacity (bsc#1076110).
- bcache: Remove unnecessary check in should_split() (bsc#1076110).
- bcache: Remove/fix some header dependencies (bsc#1047626).
- bcache: Rename/shuffle various code around (bsc#1076110).
- bcache: Rework allocator reserves (bsc#1076110).
- bcache: Rework btree cache reserve handling (bsc#1076110).
- bcache: Split out sort_extent_cmp() (bsc#1076110).
- bcache: Stripe size isn't necessarily a power of two (bnc#893949).
- bcache: Trivial error handling fix (bsc#1047626).
- bcache: Update continue_at() documentation (bsc#1076110).
- bcache: Use a mempool for mergesort temporary space (bsc#1076110).
- bcache: Use blkdev_issue_discard() (bnc#951638).
- bcache: Use ida for bcache block dev minor (bsc#1047626).
- bcache: Use uninterruptible sleep in writeback (bsc#1076110).
- bcache: Zero less memory (bsc#1076110).
- bcache: add a comment in journal bucket reading (bsc#1076110).
- bcache: add mutex lock for bch_is_open (bnc#902893).
- bcache: allows use of register in udev to avoid 'device_busy' error (bsc#1047626).
- bcache: bcache_write tracepoint was crashing (bsc#1076110).
- bcache: bch_(btree|extent)_ptr_invalid() (bsc#1076110).
- bcache: bch_allocator_thread() is not freezable (bsc#1047626).
- bcache: bch_gc_thread() is not freezable (bsc#1047626).
- bcache: bch_writeback_thread() is not freezable (bsc#1076110).
- bcache: btree locking rework (bsc#1076110).
- bcache: bugfix - gc thread now gets woken when cache is full (bsc#1047626).
- bcache: bugfix - moving_gc now moves only correct buckets (bsc#1047626).
- bcache: bugfix for race between moving_gc and bucket_invalidate (bsc#1076110).
- bcache: check ca->alloc_thread initialized before wake up it (bsc#1076110).
- bcache: check return value of register_shrinker (bsc#1076110).
- bcache: cleaned up error handling around register_cache() (bsc#1047626).
- bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device (bsc#1047626).
- bcache: correct cache_dirty_target in __update_writeback_rate() (bsc#1076110).
- bcache: defensively handle format strings (bsc#1047626).
- bcache: do not embed 'return' statements in closure macros (bsc#1076110).
- bcache: do not subtract sectors_to_gc for bypassed IO (bsc#1076110).
- bcache: do not write back data if reading it failed (bsc#1076110).
- bcache: documentation formatting, edited for clarity, stripe alignment notes (bsc#1076110).
- bcache: documentation updates and corrections (bsc#1076110).
- bcache: explicitly destroy mutex while exiting (bsc#1076110).
- bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED (bsc#1047626).
- bcache: fix a comments typo in bch_alloc_sectors() (bsc#1076110).
- bcache: fix a livelock when we cause a huge number of cache misses (bsc#1047626).
- bcache: fix bch_hprint crash and improve output (bsc#1076110).
- bcache: fix crash in bcache_btree_node_alloc_fail tracepoint (bsc#1047626).
- bcache: fix crash on shutdown in passthrough mode (bsc#1076110).
- bcache: fix for gc and write-back race (bsc#1076110).
- bcache: fix for gc and writeback race (bsc#1047626).
- bcache: fix for gc crashing when no sectors are used (bsc#1047626).
- bcache: fix lockdep warnings on shutdown (bsc#1047626).
- bcache: fix race of writeback thread starting before complete initialization (bsc#1076110).
- bcache: fix sequential large write IO bypass (bsc#1076110).
- bcache: fix sparse non static symbol warning (bsc#1076110).
- bcache: fix typo in bch_bkey_equal_header (bsc#1076110).
- bcache: fix uninterruptible sleep in writeback thread (bsc#1076110).
- bcache: fix use-after-free in btree_gc_coalesce() (bsc#1076110).
- bcache: fix wrong cache_misses statistics (bsc#1076110).
- bcache: gc does not work when triggering by manual command (bsc#1076110).
- bcache: implement PI controller for writeback rate (bsc#1076110).
- bcache: increase the number of open buckets (bsc#1076110).
- bcache: initialize dirty stripes in flash_dev_run() (bsc#1076110).
- bcache: kill closure locking code (bsc#1076110).
- bcache: kill closure locking usage (bnc#951638).
- bcache: kill index() (bsc#1047626).
- bcache: kthread do not set writeback task to INTERUPTIBLE (bsc#1076110).
- bcache: only permit to recovery read error when cache device is clean (bsc#1076110).
- bcache: partition support: add 16 minors per bcacheN device (bsc#1076110).
- bcache: pr_err: more meaningful error message when nr_stripes is invalid (bsc#1076110).
- bcache: prevent crash on changing writeback_running (bsc#1076110).
- bcache: rearrange writeback main thread ratelimit (bsc#1076110).
- bcache: recover data from backing when data is clean (bsc#1076110).
- bcache: register_bcache(): call blkdev_put() when cache_alloc() fails (bsc#1047626).
- bcache: remove nested function usage (bsc#1076110).
- bcache: remove unused parameter (bsc#1076110).
- bcache: rewrite multiple partitions support (bsc#1076110).
- bcache: safeguard a dangerous addressing in closure_queue (bsc#1076110).
- bcache: silence static checker warning (bsc#1076110).
- bcache: smooth writeback rate control (bsc#1076110).
- bcache: stop moving_gc marking buckets that can't be moved (bsc#1047626).
- bcache: try to set b->parent properly (bsc#1076110).
- bcache: update bch_bkey_try_merge (bsc#1076110).
- bcache: update bio->bi_opf bypass/writeback REQ_ flag hints (bsc#1076110).
- bcache: update bucket_in_use in real time (bsc#1076110).
- bcache: update document info (bsc#1076110).
- bcache: use kmalloc to allocate bio in bch_data_verify() (bsc#1076110).
- bcache: use kvfree() in various places (bsc#1076110).
- bcache: use llist_for_each_entry_safe() in __closure_wake_up() (bsc#1076110).
- bcache: wait for buckets when allocating new btree root (bsc#1076110).
- bcache: writeback rate clamping: make 32 bit safe (bsc#1076110).
- bcache: writeback rate shouldn't artifically clamp (bsc#1076110).
- fork: clear thread stack upon allocation (bsc#1077560). 
- gcov: disable for COMPILE_TEST (bnc#1012382).
- kaiser: Set _PAGE_NX only if supported (bnc#1012382, bnc#1076154).
- kaiser: Set _PAGE_NX only if supported (bnc#1012382, bnc#1076278).
- md: more open-coded offset_in_page() (bsc#1076110).
- nfsd: do not share group_info among threads (bsc@1070623).
- sysfs/cpu: Add vulnerability folder (bnc#1012382).
- sysfs: spectre_v2, handle spec_ctrl (bsc#1075994 bsc#1075091).
- x86/cpu: Implement CPU vulnerabilites sysfs functions (bnc#1012382).
- x86/cpufeatures: Add X86_BUG_CPU_INSECURE (bnc#1012382).
- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (bnc#1012382).
- x86/cpufeatures: Make CPU bugs sticky (bnc#1012382).
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN (bnc#1012382).
- x86/retpolines/spec_ctrl: disable IBRS on !SKL if retpolines are active (bsc#1068032).
- x86/spectre_v2: fix ordering in IBRS initialization (bsc#1075994 bsc#1075091).
- x86/spectre_v2: nospectre_v2 means nospec too (bsc#1075994 bsc#1075091).


-----------------------------------------
Patch: SUSE-2018-336
Released: Wed Feb 21 14:26:52 2018
Summary: Security update for libdb-4_8
Severity: moderate
References: 1043886
Description:
This update for libdb-4_8 fixes the following issues:

- A DB_CONFIG file in the current working directory allowed local
  users to obtain sensitive information via a symlink attack
  involving a setgid or setuid application using libdb-4_8. (bsc#1043886)


-----------------------------------------
Patch: SUSE-2018-369
Released: Tue Feb 27 18:27:19 2018
Summary: Recommended update for the Linux Kernel
Severity: important
References: 1081317
Description:


The SUSE Linux Enterprise 12 GA kernel was updated to fix a regression that
caused inability to load the KVM kernel module.



-----------------------------------------
Patch: SUSE-2018-375
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Severity: low
References: 1009905,1063910
Description:

This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)


-----------------------------------------
Patch: SUSE-2018-379
Released: Thu Mar  1 14:34:09 2018
Summary: Security update for puppet
Severity: moderate
References: 1080288,CVE-2017-10689
Description:
This update for puppet fixes the following issues:

- CVE-2017-10689: Reset permissions when unpacking tar in PMT.
  When using minitar, files were unpacked with whatever permissions are in the tarball.
  This is potentially unsafe, as tarballs can be easily created with weird permissions
  (bsc#1080288)


-----------------------------------------
Patch: SUSE-2018-410
Released: Mon Mar  5 10:42:31 2018
Summary: Security update for cups
Severity: important
References: 1081557,CVE-2017-18190
Description:
This update for cups fixes the following issues:

- CVE-2017-18190: Removed localhost.localdomain from list
  of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP
  command execution in conjunction with DNS rebinding.
  (bsc#1081557)


-----------------------------------------
Patch: SUSE-2018-417
Released: Mon Mar  5 20:11:31 2018
Summary: Recommended update for supportutils
Severity: low
References: 1051237,1074866,1074867,1074868
Description:
This update for supportutils provides the following fixes:

- Fix picking up Infiniband data by requiring rdma-core. (bsc#1051237)
- route replaced with ip route list (bsc#1074866)
- Added systemd-delta to systemd.txt (bsc#1074867)
- Changed from repos -u to repos -d to get the repos service included in supportconfig.
  (bsc#1074868)


-----------------------------------------
Patch: SUSE-2018-418
Released: Mon Mar  5 20:26:08 2018
Summary: Recommended update for SuSEfirewall2
Severity: low
References: 1069760,1074933
Description:
This update for SuSEfirewall2 provides the following fixes:

- Remove duplicate rules created in the context of dynamic RPC rules. (bsc#1069760)
- Fix an issue in the logging logic to show the correct PID and avoid losing log lines.
- Fix an error message in logs when no RPC ports have been configured at all.
- Set RPC related rules also for IPv6. (bsc#1074933)


-----------------------------------------
Patch: SUSE-2018-440
Released: Fri Mar  9 14:06:00 2018
Summary: Security update for augeas
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:

- CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution
  by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).


-----------------------------------------
Patch: SUSE-2018-459
Released: Wed Mar 14 17:02:51 2018
Summary: Security update for libcdio
Severity: moderate
References: 1082877,CVE-2017-18201
Description:
This update for libcdio fixes the following issues:

- CVE-2017-18201: Fixed a double free vulnerability (bsc#1082877).


-----------------------------------------
Patch: SUSE-2018-522
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

Following security issues were fixed:

- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).


-----------------------------------------
Patch: SUSE-2018-531
Released: Fri Mar 23 09:24:33 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1085687,CVE-2018-5146
Description:
This update for libvorbis fixes the following issues:

- CVE-2018-5146: Fixed out of bounds memory write while processing Vorbis audio data (bsc#1085687).


-----------------------------------------
Patch: SUSE-2018-558
Released: Wed Mar 28 16:17:43 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1010470,1012382,1045330,1062568,1063416,1066001,1067118,1068032,1072689,1072865,1074488,1075617,1075621,1077560,1078669,1078672,1078673,1078674,1080255,1080464,1080757,1082299,1083244,1083483,1083494,1083640,1084323,1085107,1085114,1085279,1085447,CVE-2016-7915,CVE-2017-12190,CVE-2017-13166,CVE-2017-15299,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18017,CVE-2017-18204,CVE-2017-18208,CVE-2017-18221,CVE-2018-1066,CVE-2018-1068,CVE-2018-5332,CVE-2018-5333,CVE-2018-6927,CVE-2018-7566
Description:

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface
  for bridging. This allowed a privileged user to arbitrarily write to a limited
  range of kernel memory (bnc#1085107).
- CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a
  denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall
  and munlockall system calls (bnc#1084323).
- CVE-2018-1066: Prevent NULL pointer dereference in
  fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a
  CIFS server to kernel panic a client that has this server mounted, because an
  empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled
  during session recovery (bnc#1083640).
- CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel
  v4l2 video driver (bnc#1072865).
- CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
  kernel memory addresses. Successful exploitation required that a USB device was
  attached over IP (bnc#1078674).
- CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that
  already exists but is uninstantiated, which allowed local users to cause a
  denial of service (NULL pointer dereference and system crash) or possibly have
  unspecified other impact via a crafted system call (bnc#1063416).
- CVE-2017-18208: The madvise_willneed function kernel allowed local users to
  cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED
  for a DAX mapping (bnc#1083494).
- CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand
  by invoking snd_seq_pool_init() when the first write happens and the pool is
  empty. A user could have reset the pool size manually via ioctl concurrently,
  which may have lead UAF or out-of-bound access (bsc#1083483).
- CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a
  denial of service (deadlock) via DIO requests (bnc#1083244).
- CVE-2017-16644: The hdpvr_probe function allowed local users to cause a
  denial of service (improper error handling and system crash) or possibly have
  unspecified other impact via a crafted USB device (bnc#1067118).
- CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial
  of service (integer overflow) or possibly have unspecified other impact by
  triggering a negative wake or requeue value (bnc#1080757).
- CVE-2017-16914: The 'stub_send_ret_submit()' function allowed attackers to
  cause a denial of service (NULL pointer dereference) via a specially crafted
  USB over IP packet (bnc#1078669).
- CVE-2016-7915: The hid_input_field function allowed physically proximate
  attackers to obtain sensitive information from kernel memory or cause a denial
  of service (out-of-bounds read) by connecting a device (bnc#1010470).
- CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did
  unbalanced refcounting when a SCSI I/O vector had small consecutive buffers
  belonging to the same page. The bio_add_pc_page function merged them into one,
  but the page reference was never dropped. This caused a memory leak and
  possible system lockup (exploitable against the host OS by a guest OS user, if
  a SCSI disk is passed through to a virtual machine) due to an out-of-memory
  condition (bnc#1062568).
- CVE-2017-16912: The 'get_pipe()' function allowed attackers to cause a denial
  of service (out-of-bounds read) via a specially crafted USB over IP packet
  (bnc#1078673).
- CVE-2017-16913: The 'stub_recv_cmd_submit()' function when handling
  CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary
  memory allocation) via a specially crafted USB over IP packet (bnc#1078672).
- CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a value
  that is used during DMA page allocation, leading to a heap-based out-of-bounds
  write (related to the rds_rdma_extra_size function in net/rds/rdma.c)
  (bnc#1075621).
- CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled
  cases where page pinning fails or an invalid address is supplied, leading to an
  rds_atomic_free_op NULL pointer dereference (bnc#1075617).
- CVE-2017-18017: The tcpmss_mangle_packet function allowed remote attackers to
  cause a denial of service (use-after-free and memory corruption) or possibly
  have unspecified other impact by leveraging the presence of xt_TCPMSS in an
  iptables action (bnc#1074488).

The following non-security bugs were fixed:

- Fix build on arm64 by defining empty gmb() (bnc#1068032).
- KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
- KEYS: fix writing past end of user-supplied buffer in keyring_read() (bsc#1066001).
- KEYS: return full count in keyring_read() if buffer is too small (bsc#1066001).
- include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header (bsc#1077560).
- ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
- ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
- ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
- x86/kaiser: use trampoline stack for kernel entry (bsc#1077560)
- leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
- livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow variables support (bsc#1082299).
- livepatch: introduce shadow variable API. Shadow variables support (bsc#1082299)
- media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382).
- media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382).
- media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382).
- media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
- media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382).
- media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
- media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382).
- netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107).
- netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
- packet: only call dev_add_pack() on freshly allocated fanout instances
- pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330).
- x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).


-----------------------------------------
Patch: SUSE-2018-560
Released: Wed Mar 28 16:39:25 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1082022,1085512
Description:


This update for suse-build-key fixes the following issues:

- The lifetime of the SUSE Linux Enterprise 11 signing key was extended (bsc#1085512)

- A new security@suse.de E-Mail key was added (bsc#1082022)

  pub   rsa4096/0x21FE92322BA9E067 2018-03-15 [SC] [expires: 2020-03-14]
        Key fingerprint = EC7C 5EAB 2C34 09A6 4F3B  BE6E 21FE 9232 2BA9 E067
  uid                             SUSE Security Team <security@suse.com>
  uid                             SUSE Security Team <security@suse.de>
  sub   rsa4096/0xFF97314EC1E11A0E 2018-03-15 [E] [expires: 2020-03-14]



-----------------------------------------
Patch: SUSE-2018-573
Released: Tue Apr  3 11:59:01 2018
Summary: Security update for graphite2
Severity: moderate
References: 1084850,CVE-2018-7999
Description:
This update for graphite2 fixes the following issues:

- CVE-2018-7999: Fixed a NULL pointer dereference vulnerability in Segment.cpp that may cause a denial of serivce (bsc#1084850).


-----------------------------------------
Patch: SUSE-2018-590
Released: Wed Apr  4 15:04:46 2018
Summary: Recommended update for growpart
Severity: low
References: 1064755
Description:
This update for growpart fixes the following issues:

- Add rootgrow script to wrap growpart to the Public Cloud Module.
- Ignore sfdisk failure in 2.28.1 when due to reread failing.
- Add service file to start growpart via systemd.


-----------------------------------------
Patch: SUSE-2018-594
Released: Thu Apr  5 17:22:37 2018
Summary: Security update for libidn
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issues.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that
  allowed remote attackers to cause a denial of service or possibly have
  unspecified other impact (bsc#1056450).


-----------------------------------------
Patch: SUSE-2018-608
Released: Mon Apr  9 21:43:07 2018
Summary: Security update for openssl
Severity: important
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

-  CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed
    the stack. This could result in a Denial Of Service attack. (bsc#1087102)



-----------------------------------------
Patch: SUSE-2018-615
Released: Tue Apr 10 16:13:34 2018
Summary: Initial release of python3-cffi and -pyasn1
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server:

- python3-cffi
- python3-pyasn1

-----------------------------------------
Patch: SUSE-2018-651
Released: Mon Apr 16 19:25:08 2018
Summary: Initial release of python3-cssselect, -lxml, -pycparser, -simplejson and -pycurl
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server:

- python3-cssselect
- python3-lxml
- python3-pycparser
- python3-pycurl
- python3-simplejson

-----------------------------------------
Patch: SUSE-2018-656
Released: Wed Apr 18 12:08:13 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1086729
Description:
This update provides the latest timezone information (2018d) for your system, including following changes:

- In 2018, Palestine starts DST on March 24, not March 31.
- Casey Station in Antarctica changed from +11 to +08 on
  2018-03-11 at 04:00 (bsc#1086729).
- corrections for historical transitions.


-----------------------------------------
Patch: SUSE-2018-661
Released: Thu Apr 19 08:39:29 2018
Summary: Initial release of python3-six
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module for the SUSE Linux Enterprise Server and the Public Cloud 
Module:

- python3-six

-----------------------------------------
Patch: SUSE-2018-730
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).


-----------------------------------------
Patch: SUSE-2018-733
Released: Wed Apr 25 14:15:35 2018
Summary: Security update for zsh
Severity: important
References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914,CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Description:
This update for zsh fixes the following issues:

  - CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885)

  - CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977)

  - CVE-2014-10072: buffer overflow In utils.c when scanning 
very long directory paths for symbolic links. (bnc#1082975)

  - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in 
undersized buffers that were intended to support PATH_MAX characters. (bnc#1083250)

  - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference 
could lead to denial of service (bnc#1082998)

  - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656)
 
  - CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026)

  - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, 
as demonstrated by typeset -p. (bnc#1082991)
  
  - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002)
    
  - Autocomplete and REPORTTIME broken (bsc#896914)



-----------------------------------------
Patch: SUSE-2018-735
Released: Wed Apr 25 14:16:36 2018
Summary: Recommended update for LibreOffice
Severity: low
References: 1042829,1077375,1080249,1083213,1083993,1088662,1089124,CVE-2017-9432,CVE-2017-9433,CVE-2018-1055,CVE-2018-6871
Description:

LibreOffice was updated to version 6.0.3.

Following new features were added:

- The Notebookbar, although still an experimental feature, has been
  enriched with two new variants: Grouped Bar Full for Writer, Calc and
  Impress, and Tabbed Compact for Writer. The Special Characters dialog
  has been reworked, with the addition of lists for Recent and Favorite
  characters, along with a Search field. The Customize dialog has also
  been redesigned, and is now more modern and intuitive.
- In Writer, a Form menu has been added, making it easier to access one
  of the most powerful – and often unknown – LibreOffice features: the
  ability to design forms, and create standards-compliant PDF forms. The
  Find toolbar has been enhanced with a drop-down list of search types, to
  speed up navigation. A new default table style has been added, together
  with a new collection of table styles to reflect evolving visual trends.
- The Mail Merge function has been improved, and it is now possible to
  use either a Writer document or an XLSX file as data source.
- In Calc, ODF 1.2-compliant functions SEARCHB, FINDB and REPLACEB have
  been added, to improve support for the ISO standard format. Also, a
  cell range selection or a selected group of shapes (images) can be now
  exported in PNG or JPG format.
- In Impress, the default slide size has been switched to 16:9, to support
  the most recent form factors of screens and projectors. As a consequence,
  10 new Impress templates have been added, and a couple of old templates
  have been updated.

Changes in components:

- The old WikiHelp has been replaced by the new Help Online system, with
  attractive web pages that can also be displayed on mobile devices. In
  general, LibreOffice Help has been updated both in terms of contents and
  code, with other improvements due all along the life of the LibreOffice
  6 family.
- User dictionaries now allow automatic affixation or compounding. This
  is a general spell checking improvement in LibreOffice which can speed
  up work for Writer users. Instead of manually handling several forms of a
  new word in a language with rich morphology or compounding, the Hunspell
  spell checker can automatically recognize a new word with affixes or
  compounds, based on a “Grammar By” model.

Security features and changes:

- OpenPGP keys can be used to sign ODF documents on all desktop operating
  systems, with experimental support for OpenPGP-based encryption. To enable
  this feature, users will have to install the specific GPG software for
  their operating systems.

- Document classification has also been improved, and allows multiple
  policies (which are now exported to OOXML files). In Writer, marking
  and signing are now supported at paragraph level.

Interoperability changes:

- OOXML interoperability has been improved in several areas: import of
  SmartArt and import/export of ActiveX controls, support of embedded text
  documents and spreadsheets, export of embedded videos to PPTX, export
  of cross-references to DOCX, export of MailMerge fields to DOCX, and
  improvements to the PPTX filter to prevent the creation of broken files.
- New filters for exporting Writer documents to ePub and importing
  QuarkXPress files have also been added, together with an improved filter
  for importing EMF+ (Enhanced Metafile Format Plus) files as used by
  Microsoft Office documents. Some improvements have also been added
  to the ODF export filter, making it easier for other ODF readers to
  display visuals.

The full blog entry for the 6.0 release can be found here:

	https://blog.documentfoundation.org/blog/2018/01/31/libreoffice-6/

The full release notes can be found here:

	https://wiki.documentfoundation.org/ReleaseNotes/6.0

The libraries that LibreOffice depends on also have been udpated to their current versions.
  

-----------------------------------------
Patch: SUSE-2018-739
Released: Wed Apr 25 16:52:10 2018
Summary: Recommended update for supportutils
Severity: important
References: 1069457
Description:

This update for supportutils fixes the following issues:

- correctly detect CaaS Platforms docker installation (bsc#1069457)


-----------------------------------------
Patch: SUSE-2018-743
Released: Thu Apr 26 15:40:28 2018
Summary: Initial release of python3-psutil and -pycrypto
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules:

- python3-psutil
- python3-pycrypto

-----------------------------------------
Patch: SUSE-2018-769
Released: Tue May  1 20:38:36 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1082130,1083945,1087932
Description:

This update for the system compiler gcc48 fixes the following issues:

- Support for generating IBM Z series Spectre Variant 2 fix method 'expolines' was added (bsc#1083945)
- A miscompilation of SPECcpu2017 526.blender was fixed. (bsc#1082130)
- ARM Arch64 Cortex-A53 errata 843419 and 835769 were enabled by default, which could have lead
  to crashes of built binaries. (bsc#1087932)

  

-----------------------------------------
Patch: SUSE-2018-777
Released: Wed May  2 17:46:46 2018
Summary: Security update for patch
Severity: important
References: 1080918,1080951,1088420,CVE-2016-10713,CVE-2018-1000156,CVE-2018-6951
Description:
This update for patch fixes the following issues:

Security issues fixed:

- CVE-2018-1000156: Malicious patch files cause ed to execute arbitrary commands (bsc#1088420).
- CVE-2018-6951: Fixed NULL pointer dereference in the intuit_diff_type function in pch.c (bsc#1080918).
- CVE-2016-10713: Fixed out-of-bounds access within pch_write_line() in pch.c (bsc#1080918).



-----------------------------------------
Patch: SUSE-2018-779
Released: Wed May  2 22:16:26 2018
Summary: Recommended update for rpm
Severity: low
References: 1003714,1027925,1069934
Description:

This update for rpm provides the following fixes:

- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1
  if the first version is less than, equal or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and
  returns the version number of the installed package. If no package provides the argument,
  it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name
  or provided capability name, the second argument is an operator ( < <= = >= > != )
  and the third parameter is a version string to be compared to the installed version of
  the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument
  and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values
  have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package
  or capability can't be found. (bsc#1069934)


-----------------------------------------
Patch: SUSE-2018-797
Released: Mon May  7 07:07:38 2018
Summary: Recommended update for gcc7
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:

  
This update for gcc7 to 7.3 release fixes the following issues:

- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure.  [bsc#1083290]
- Various AArch64 compile fixes are included:

  * Picks fix to no longer enable -mpc-relative-literal-loads by default
    with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64.  [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]

- Revert the ios_base::failure ABI back to compatible behavior with the default ABI.  [bsc#1087550]

- Fix nvptx offload target compiler install so GCC can pick up
  required files.  Split out the newlib part into cross-nvptx-newlib7-devel
  and avoid conflicts with GCC 8 variant via Provides/Conflicts
  of cross-nvptx-newlib-devel.



-----------------------------------------
Patch: SUSE-2018-806
Released: Tue May  8 12:31:07 2018
Summary: Initial release of python3-MarkupSafe
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-MarkupSafe


-----------------------------------------
Patch: SUSE-2018-809
Released: Tue May  8 17:18:48 2018
Summary: Initial release of python3-Jinja2
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-Jinja2


-----------------------------------------
Patch: SUSE-2018-810
Released: Tue May  8 17:20:51 2018
Summary: Initial release of python3-PyYAML
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-PyYAML

-----------------------------------------
Patch: SUSE-2018-822
Released: Wed May  9 14:01:33 2018
Summary: Security update for tiff
Severity: moderate
References: 1046077,1074318,1081690,CVE-2017-17973,CVE-2017-9935,CVE-2018-5784
Description:
This update for tiff fixes the following issues:

- CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077)
- CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)
- CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690)



-----------------------------------------
Patch: SUSE-2018-844
Released: Fri May 11 17:16:19 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1076537,1082299,1083125,1083242,1084536,1085331,1086162,1087088,1087209,1087260,1088147,1088260,1088261,1089608,1089752,1090643,CVE-2017-0861,CVE-2017-11089,CVE-2017-13220,CVE-2017-18203,CVE-2018-10087,CVE-2018-10124,CVE-2018-1087,CVE-2018-7757,CVE-2018-8781,CVE-2018-8822,CVE-2018-8897
Description:


The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-1087: And an unprivileged KVM guest user could use this flaw to potentially escalate their privileges inside a guest. (bsc#1087088)
- CVE-2018-8897: An unprivileged system user could use incorrect set up interrupt stacks to crash the Linux kernel resulting in DoS issue. (bsc#1087088)
- CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bnc#1090643).
- CVE-2018-10124: The kill_something_info function in kernel/signal.c might allow local users to cause a denial of service via an INT_MIN argument (bnc#1089752).
- CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608).
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536 1087209).
- CVE-2017-13220: An elevation of privilege vulnerability in the Upstream kernel bluez was fixed. (bnc#1076537).
- CVE-2017-11089: A buffer overread was observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes   (bnc#1088261).
- CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260).
- CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162).
- CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242).

The following non-security bugs were fixed:

- Integrate fixes resulting from bsc#1088147 More info in the respective commit messages.
- KABI: x86/kaiser: properly align trampoline stack (bsc#1087260).
- kGraft: fix small race in reversion code (bsc#1083125).
- kabi/severities: Ignore kgr_shadow_* kABI changes
- kvm/x86: fix icebp instruction handling (bsc#1087088).
- livepatch: Allow to call a custom callback when freeing shadow variables (bsc#1082299 fate#313296).
- livepatch: Initialize shadow variables safely by a custom callback (bsc#1082299 fate#313296).
- x86/entry/64: Do not use IST entry for #BP stack (bsc#1087088).
- x86/kaiser: properly align trampoline stack (bsc#1087260).
- x86/retpoline: do not perform thunk calls in ring3 vsyscall code (bsc#1085331).


-----------------------------------------
Patch: SUSE-2018-906
Released: Mon May 14 15:18:26 2018
Summary: Recommended update for binutils
Severity: moderate
References: 1075418
Description:
This update for binutils fixes the following issues:

- Fix pacemaker libqb problem with section start/stop symbols. (bsc#1075418)


-----------------------------------------
Patch: SUSE-2018-907
Released: Mon May 14 17:22:18 2018
Summary: Recommended update for python-Jinja2
Severity: moderate
References: 1092928
Description:
This update for python-Jinja2 fixes the following issues:

- Restore provides for python-jinja2. (bsc#1092928)


-----------------------------------------
Patch: SUSE-2018-909
Released: Tue May 15 10:34:21 2018
Summary: Recommended update for filesystem
Severity: low
References: 1082318
Description:
This update for filesystem provides the following fix:

- Become owner of /usr/share/licenses to support %license tags in RPM, as explained in
  http://rpm.org/wiki/Releases/4.11.0 . (bsc#1082318)


-----------------------------------------
Patch: SUSE-2018-910
Released: Tue May 15 12:21:24 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1073299
Description:
This update provides the latest timezone information (2018e) for your system, including following changes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST
  offset to standard time used in Winter (bsc#1073299)


-----------------------------------------
Patch: SUSE-2018-919
Released: Tue May 15 16:30:21 2018
Summary: Initial release of python3-tornado
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-tornado


-----------------------------------------
Patch: SUSE-2018-922
Released: Wed May 16 08:27:07 2018
Summary: Recommended update for SUSEConnect
Severity: important
References: 1044493,1047153,1064264,1086420,1089320,914297,964013
Description:
This update for SUSEConnect fixes the following issues:

- Fix rollback mechanism on SLE15 systems (bsc#1089320)
- Don't try to delete directory of nonexistent service files (bsc#1086420)
- Fix list-extensions to show the full SLE 15 tree (bsc#1064264)
- Enable automatic activation of recommended extensions/modules
- Automatically deregister all installed extensions/modules when deregistering a system
- virt-create-rootfs connects to SMT server without breaking (bsc#914297)
- Properly refresh zypper services when deactivating a product on SMT (bsc#1047153)
- Fix --namespace parameter persistence (bsc#1044493)

-----------------------------------------
Patch: SUSE-2018-925
Released: Wed May 16 10:09:28 2018
Summary: Initial release of python3-requests
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-requests


-----------------------------------------
Patch: SUSE-2018-929
Released: Wed May 16 16:17:08 2018
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1008325,1033236,1036659,1038132,1043218,1068708,1074687,1076415,1079334,637791
Description:
This update for libzypp and zypper provides the following fixes:

libzypp:
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support signing with subkeys. (bsc#1008325)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Show more specific exception message if GPG binary is missing. (bsc#637791)
- Fix a potential crash if repository has no baseurl. (bsc#1043218)
- plugin: Do not reject header values containing a ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)
- Adapt loop mounting of iso images. (bsc#1038132, bsc#1033236)

zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)


-----------------------------------------
Patch: SUSE-2018-934
Released: Wed May 16 21:36:22 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1059812,1091072,CVE-2017-14160,CVE-2018-10393
Description:
This update for libvorbis fixes the following issues:

Security issues fixed:

- CVE-2018-10393: Fixed stack-based buffer over-read in bark_noise_hybridm (bsc#1091072).
- CVE-2017-14160: Fixed out-of-bounds access inside bark_noise_hybridmp function (bsc#1059812).



-----------------------------------------
Patch: SUSE-2018-939
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read could crash the curl client (bsc#1092098)

Non security issues fixed:

- If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing.
  (bsc#1086825)


-----------------------------------------
Patch: SUSE-2018-957
Released: Tue May 22 15:14:05 2018
Summary: Security update for wget
Severity: moderate
References: 1092061,CVE-2018-0494
Description:
This update for wget fixes the following issues:

- CVE-2018-0494: Fixed a cookie injection vulnerability by checking for
  and joining continuation lines. (bsc#1092061)



-----------------------------------------
Patch: SUSE-2018-959
Released: Tue May 22 15:20:57 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1087082,1087845,1089895,1091755,1092497,1093215,1094019,985025,CVE-2018-1000199,CVE-2018-10675,CVE-2018-3639
Description:


The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive several security fixes.

The following security bugs were fixed:

- CVE-2018-3639: Information leaks using 'Memory Disambiguation' feature
  in modern CPUs were mitigated, aka 'Spectre Variant 4' (bnc#1087082).

  A new boot commandline option was introduced,
  'spec_store_bypass_disable', which can have following values:

  - auto: Kernel detects whether your CPU model contains an implementation
    of Speculative Store Bypass and picks the most appropriate mitigation.
  - on: disable Speculative Store Bypass
  - off: enable Speculative Store Bypass
  - prctl: Control Speculative Store Bypass per thread via
    prctl. Speculative Store Bypass is enabled for a process by default. The
    state of the control is inherited on fork.
  - seccomp: Same as 'prctl' above, but all seccomp threads will disable
    SSB unless they explicitly opt out.

  The default is 'seccomp', meaning programs need explicit opt-in into the mitigation.

  Status can be queried via the /sys/devices/system/cpu/vulnerabilities/spec_store_bypass file, containing:

  - 'Vulnerable'
  - 'Mitigation: Speculative Store Bypass disabled'
  - 'Mitigation: Speculative Store Bypass disabled via prctl'
  - 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp'

- CVE-2018-1000199: An address corruption flaw was discovered while
  modifying a h/w breakpoint via 'modify_user_hw_breakpoint' routine, an
  unprivileged user/process could use this flaw to crash the system kernel
  resulting in DoS OR to potentially escalate privileges on a the system. (bsc#1089895)
- CVE-2018-10675: The do_get_mempolicy function in mm/mempolicy.c allowed
  local users to cause a denial of service (use-after-free) or possibly
  have unspecified other impact via crafted system calls (bnc#1091755).

The following non-security bugs were fixed:

- x86/bugs: Make sure that _TIF_SSBD does not end up in _TIF_ALLWORK_MASK (bsc#1093215).
- x86/bugs: correctly force-disable IBRS on !SKL systems (bsc#1092497).
- x86/cpu/intel: Introduce macros for Intel family numbers (bsc#985025).
- x86/cpu/intel: Introduce macros for Intel family numbers (bsc985025).
- x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist (bsc#1087845).


-----------------------------------------
Patch: SUSE-2018-979
Released: Wed May 23 19:52:26 2018
Summary: Security update for icu
Severity: moderate
References: 1034674,1034678,1067203,1072193,1077999,1087932,929629,990636,CVE-2014-8146,CVE-2014-8147,CVE-2016-6293,CVE-2017-14952,CVE-2017-15422,CVE-2017-17484,CVE-2017-7867,CVE-2017-7868
Description:
icu was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) used an integer data type
  that is inconsistent with a header file, which allowed remote attackers
  to cause a denial of service (incorrect malloc followed by invalid free)
  or possibly execute arbitrary code via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) did not properly track
  directionally isolated pieces of text, which allowed remote attackers
  to cause a denial of service (heap-based buffer overflow) or possibly
  execute arbitrary code via crafted text (bsc#929629).
- CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in
  common/uloc.cpp in International Components for Unicode (ICU) for C/C++
  did not ensure that there is a '\0' character at the end of a certain
  temporary array, which allowed remote attackers to cause a denial of
  service (out-of-bounds read) or possibly have unspecified other impact
  via a call with a long httpAcceptLanguage argument (bsc#990636).
- CVE-2017-7868: International Components for Unicode (ICU) for C/C++
  2017-02-13 has an out-of-bounds write caused by a heap-based buffer
  overflow related to the utf8TextAccess function in common/utext.cpp and
  the utext_moveIndex32* function (bsc#1034674)
- CVE-2017-7867: International Components for Unicode (ICU) for C/C++
  2017-02-13 has an out-of-bounds write caused by a heap-based buffer
  overflow related to the utf8TextAccess function in common/utext.cpp and
  the utext_setNativeIndex* function (bsc#1034678)
- CVE-2017-14952: Double free in i18n/zonemeta.cpp in International
  Components for Unicode (ICU) for C/C++ allowed remote attackers to
  execute arbitrary code via a crafted string, aka a 'redundant UVector
  entry clean up function call' issue (bnc#1067203)
- CVE-2017-17484: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp
  in International Components for Unicode (ICU) for C/C++ mishandled
  ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allowed remote
  attackers to cause a denial of service (stack-based buffer overflow
  and application crash) or possibly have unspecified other impact via a
  crafted string, as demonstrated by ZNC  (bnc#1072193)
- CVE-2017-15422: An integer overflow in icu during persian calendar
  date processing could lead to incorrect years shown (bnc#1077999)



-----------------------------------------
Patch: SUSE-2018-982
Released: Fri May 25 15:05:15 2018
Summary: Security update for jasper
Severity: low
References: 1087020,CVE-2018-9055
Description:
This update for jasper fixes the following issues:

   - CVE-2018-9055: denial of service via
      a reachable assertion in the function jpc_firstone in
      libjasper/jpc/jpc_math.c could lead to denial of service. (bsc#1087020)


-----------------------------------------
Patch: SUSE-2018-983
Released: Fri May 25 15:05:44 2018
Summary: Security update for krb5
Severity: moderate
References: 1054028,1055851,1081725,CVE-2017-7562
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2017-7562: Improper validation of certificate EKU and SAN could lead to authentication
  bypass. (bsc#1055851)

Non-security issues fixed:

- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve
  client security in handling service principle names. (bsc#1054028)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in
  gss_indicate_mech() list. (bsc#1081725)


-----------------------------------------
Patch: SUSE-2018-998
Released: Tue May 29 11:35:50 2018
Summary: Recommended update for pciutils-ids
Severity: moderate
References: 1081065
Description:
This update provides the latest PCI ID definitions for pciutils-ids (bsc#1081065)

-----------------------------------------
Patch: SUSE-2018-1000
Released: Tue May 29 16:44:37 2018
Summary: Security update for ntp
Severity: moderate
References: 1034892,1077445,1082063,1082210,1083417,1083420,1083422,1083424,1083426,CVE-2016-1549,CVE-2018-7170,CVE-2018-7182,CVE-2018-7183,CVE-2018-7184,CVE-2018-7185
Description:
This update for ntp fixes the following issues:

- Update to 4.2.8p11 (bsc#1082210):
  * CVE-2016-1549: Sybil vulnerability: ephemeral association
    attack. While fixed in ntp-4.2.8p7, there are significant
    additional protections for this issue in 4.2.8p11.
  * CVE-2018-7182: ctl_getitem(): buffer read overrun
    leads to undefined behavior and information leak. (bsc#1083426)
  * CVE-2018-7170: Multiple authenticated ephemeral
    associations. (bsc#1083424)
  * CVE-2018-7184: Interleaved symmetric mode cannot
    recover from bad state. (bsc#1083422)
  * CVE-2018-7185: Unauthenticated packet can reset
    authenticated interleaved association. (bsc#1083420)
  * CVE-2018-7183: ntpq:decodearr() can write beyond its
    buffer limit.(bsc#1083417)
- Don't use libevent's cached time stamps in sntp. (bsc#1077445)
- Fix systemd migration in %pre (bsc#1034892).



-----------------------------------------
Patch: SUSE-2018-1022
Released: Mon Jun  4 17:35:43 2018
Summary: Security update for xdg-utils
Severity: moderate
References: 1093086,CVE-2017-18266
Description:
This update for xdg-utils fixes the following issues:

Security issue:

- CVE-2017-18266: Fix an argument injection when BROWSER contains %s (bsc#1093086).


-----------------------------------------
Patch: SUSE-2018-1028
Released: Tue Jun  5 13:20:44 2018
Summary: Recommended update for pam
Severity: low
References: 1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)


-----------------------------------------
Patch: SUSE-2018-1081
Released: Thu Jun  7 11:43:48 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1091070,CVE-2018-10392
Description:
This update for libvorbis fixes the following issues:
  
The following security issue was fixed:
  
- Fixed the validation of channels in mapping0_forward(), which previously
  allowed remote attackers to cause a denial of service via specially crafted
  files (CVE-2018-10392, bsc#1091070)


-----------------------------------------
Patch: SUSE-2018-1082
Released: Thu Jun  7 12:58:56 2018
Summary: Recommended update for rpm
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.


-----------------------------------------
Patch: SUSE-2018-1141
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and
  verification actions, which allowed remote attackers to spoof the output that
  GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2'
  option (bsc#1096745)


-----------------------------------------
Patch: SUSE-2018-1153
Released: Mon Jun 18 22:04:14 2018
Summary: Recommended update for reiserfs
Severity: low
References: 1094401
Description:
This update for reiserfs provides the following fix:

- Move libreiserfscore.so.0 into the libreiserfscore0 package. (bsc#1094401)


-----------------------------------------
Patch: SUSE-2018-1156
Released: Tue Jun 19 15:10:45 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1184
Released: Wed Jun 20 11:43:54 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1046610,1079152,1082962,1083900,1087007,1087012,1087082,1087086,1087095,1092552,1092813,1092904,1094033,1094353,1094823,1096140,1096242,1096281,1096480,1096728,1097356,CVE-2017-13305,CVE-2018-1000204,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1130,CVE-2018-3665,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492
Description:

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX
  registers) between processes. These registers might contain encryption keys
  when doing SSE accelerated AES enc/decryption (bsc#1087086)
- CVE-2018-5848: In the function wmi_set_ie(), the length validation code did
  not handle unsigned integer overflow properly. As a result, a large value of
  the 'ie_len' argument could have caused a buffer overflow (bnc#1097356)
- CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO
  ioctl (bsc#1096728)
- CVE-2017-13305: Prevent information disclosure vulnerability in
  encrypted-keys (bsc#1094353)
- CVE-2018-1094: The ext4_fill_super function did not always initialize the
  crc32c checksum driver, which allowed attackers to cause a denial of service
  (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted
  ext4 image (bsc#1087007)
- CVE-2018-1093: The ext4_valid_block_bitmap function allowed attackers to
  cause a denial of service (out-of-bounds read and system crash) via a crafted
  ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers
  (bsc#1087095)
- CVE-2018-1092: The ext4_iget function mishandled the case of a root directory
  with a zero i_links_count, which allowed attackers to cause a denial of service
  (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4
  image (bsc#1087012)
- CVE-2018-1130: NULL pointer dereference in dccp_write_xmit() function that
  allowed a local user to cause a denial of service by a number of certain
  crafted system calls (bsc#1092904)
- CVE-2018-5803: Prevent error in the '_sctp_make_chunk()' function when
  handling SCTP packets length that could have been exploited to cause a kernel
  crash (bnc#1083900)
- CVE-2018-7492: Prevent NULL pointer dereference in the net/rds/rdma.c
  __rds_rdma_map() function that allowed local attackers to cause a system panic
  and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST
  (bsc#1082962)

The following non-security bugs were fixed:

- Fix excessive newline in /proc/*/status (bsc#1094823).
- KVM: x86: Sync back MSR_IA32_SPEC_CTRL to VCPU data structure (bsc#1096242, bsc#1096281).
- ipv6: add mtu lock check in __ip6_rt_update_pmtu (bsc#1092552).
- kABI: work around BPF SSBD removal (bsc#1087082).
- kgraft/bnx2fc: Do not block kGraft in bnx2fc_l2_rcv kthread (bsc#1094033).
- mm, page_alloc: do not break __GFP_THISNODE by zonelist reset (bsc#1079152).
- usbip: usbip_host: fix NULL-ptr deref and use-after-free errors (bsc#1096480).
- usbip: usbip_host: fix bad unlock balance during stub_probe() (bsc#1096480).
- x86/boot: Fix early command-line parsing when matching at end (bsc#1096281).
- x86/boot: Fix early command-line parsing when partial word matches (bsc#1096281).
- x86/bugs: spec_ctrl must be cleared from cpu_caps_set when being disabled (bsc#1096140).
- x86/kaiser: export symbol kaiser_set_shadow_pgd() (bsc#1092813)
- xen-netfront: fix req_prod check to avoid RX hang when index wraps (bsc#1046610).


-----------------------------------------
Patch: SUSE-2018-1193
Released: Wed Jun 20 18:48:16 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1203
Released: Fri Jun 22 07:53:41 2018
Summary: Recommended update for llvm and ninja
Severity: low
References: 936459,945912
Description:

This update provides various packages to enable rust and cargo builds
for SUSE Linux Enterprise 12.

- llvm is updated to fix for various compile time bugs and also to enable aarch64 builds.

The following packages are copied from the SP2 codestream to the GA codestream to enable
cargo and rust builds:
- ninja
- libgit2
- http-parser

  

-----------------------------------------
Patch: SUSE-2018-1233
Released: Wed Jun 27 12:45:13 2018
Summary: Security update for tiff
Severity: moderate
References: 1007276,1074317,1082332,1082825,1086408,1092949,974621,CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Description:
This update for tiff fixes the following issues:

These security issues were fixed:

- CVE-2017-18013: There was a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.  (bsc#1074317)
- CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.  (bsc#1092949)
- CVE-2018-7456: Prevent a NULL Pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825)
- CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332)
- CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408)
- CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality (bsc#1007276)
- CVE-2016-3632: The _TIFFVGetField function allowed remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image (bsc#974621)


-----------------------------------------
Patch: SUSE-2018-1242
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).


-----------------------------------------
Patch: SUSE-2018-1328
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issue were fixed: 

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
  directory-traversal protection mechanism and overwrite arbitrary files
  (bsc#1096718)

This non-security issue was fixed: 

- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]



-----------------------------------------
Patch: SUSE-2018-1329
Released: Tue Jul 17 08:08:20 2018
Summary: Security update for python-paramiko
Severity: important
References: 1085276,CVE-2018-7750
Description:
This update for python-paramiko fixes the following issues:

- CVE-2018-7750: transport.py in the SSH server implementation of Paramiko did
  not properly check whether authentication is completed processing other
  requests. A customized SSH client could have skipped the authentication step
  (bsc#1085276)


-----------------------------------------
Patch: SUSE-2018-1344
Released: Wed Jul 18 10:31:11 2018
Summary: Recommended update for supportutils
Severity: moderate
References: 1043311,1046681,1051797,1069457,1071545
Description:
This update for supportutils fixes the following issues:

- Added only cpu0 with sched_domain info
- Added missed sched_domain to blacklist
- Blacklisted sched_domain from proc.txt (bsc#1046681)
- Added kdumptool calibrate to crash.txt
- Added tuned feature OPTION_TUNED tuned.txt (bsc#1071545)
- Fixed udev service reference (bsc#1051797)
- Fixed device error with sfdisk (bsc#1043311)
- Fixed docker package detection (bsc#1069457)

-----------------------------------------
Patch: SUSE-2018-1354
Released: Thu Jul 19 09:54:05 2018
Summary: Security update for shadow
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Fixed incorrect integer handling that could results in a local privilege escalation (bsc#1099310)


-----------------------------------------
Patch: SUSE-2018-1405
Released: Thu Jul 26 16:44:00 2018
Summary: Security update for libsndfile
Severity: moderate
References: 1071767,1071777,1100167,CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Description:
This update for libsndfile fixes the following issues:

Security issues fixed:

- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in common.c that allows remote attackers to cause a denial of service (bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function d2ulaw_array() that may have lead to a remote DoS, a different vulnerability than CVE-2017-14246 (bsc#1071767)


-----------------------------------------
Patch: SUSE-2018-1413
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1415
Released: Fri Jul 27 12:45:43 2018
Summary: Security update for mutt
Severity: important
References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,980830,982129,986534,CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363
Description:
This update for mutt fixes the following issues:

Security issues fixed:

- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).

Bug fixes:

- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)
- mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)


-----------------------------------------
Patch: SUSE-2018-1450
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1461
Released: Tue Jul 31 13:43:56 2018
Summary: Recommended update for libseccomp
Severity: low
References: 1019900,1099151
Description:


This updates libseccomp to version 2.3.1 to allow seccomp confinement support in the docker engine.



-----------------------------------------
Patch: SUSE-2018-1468
Released: Wed Aug  1 13:56:48 2018
Summary: Security update for polkit
Severity: moderate
References: 1099031,CVE-2018-1116
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).


-----------------------------------------
Patch: SUSE-2018-1471
Released: Wed Aug  1 14:02:11 2018
Summary: Security update for cups
Severity: moderate
References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408,CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Description:
This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
  was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
  scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
  (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
  directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
  (bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
  (bsc#1096408)

The following other issue was fixed:

- Fixed authorization check for clients (like samba) connected through the
  local socket when Kerberos authentication is enabled (bsc#1050082)


-----------------------------------------
Patch: SUSE-2018-1484
Released: Fri Aug  3 15:56:19 2018
Summary: Security update for glibc
Severity: important
References: 1051791,1064569,1064580,1064583,1074293,1094161,CVE-2017-12132,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2018-1000001,CVE-2018-11236
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2017-15804: Fix buffer overflow during unescaping of user names in the glob function in glob.c (bsc#1064580).
- CVE-2017-15670: Fix buffer overflow in glob with GLOB_TILDE (bsc#1064583).
- CVE-2017-15671: Fix memory leak in glob with GLOB_TILDE (bsc#1064569).
- CVE-2018-11236: Fix 32bit arch integer overflow in stdlib/canonicalize.c when processing very long pathname arguments (bsc#1094161).
- CVE-2017-12132: Reduce advertised EDNS0 buffer size to guard against fragmentation attacks (bsc#1051791).
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293).


-----------------------------------------
Patch: SUSE-2018-1515
Released: Tue Aug  7 20:19:04 2018
Summary: Introduce packages added to SLES 12 SP3 after release
Severity: low
References: 1102861
Description:
This update adds packages to the SUSE Linux Enterprise Server 12 SP3 for Teradata
which were added after the released of SLES 12 SP3.
  

-----------------------------------------
Patch: SUSE-2018-1559
Released: Tue Aug 14 14:40:50 2018
Summary: Security update for samba
Severity: important
References: 1027593,1060427,1063008,1081741,1103411,CVE-2017-14746,CVE-2017-15275,CVE-2018-1050,CVE-2018-10858
Description:
This update for samba fixes the following issues:

Security issues fixed:

- CVE-2018-1050: Fixed denial of service vulnerability when SPOOLSS is run externally (bsc#1081741).
- CVE-2017-14746: Fixed use-after-free vulnerability (bsc#1060427).
- CVE-2017-15275: Fixed server heap memory information leak (bsc#1063008).
- CVE-2018-10858: smbc_urlencode helper function is a subject to buffer overflow (bsc#1103411)

Bug fixes:

- bsc#1027593: Update 'winbind expand groups' doc in smb.conf man page. 


-----------------------------------------
Patch: SUSE-2018-1605
Released: Thu Aug 16 09:08:33 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1064232,1068032,1087081,1089343,1098016,1099924,1100416,1100418,1103119,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646
Description:


The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416).
- CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418).
- CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119).
- CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081).
- CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343).

The following non-security bugs were fixed:

- bcache: Add __printf annotation to __bch_check_keys() (bsc#1064232).
- bcache: Annotate switch fall-through (bsc#1064232).
- bcache: Fix a compiler warning in bcache_device_init() (bsc#1064232).
- bcache: Fix indentation (bsc#1064232).
- bcache: Fix kernel-doc warnings (bsc#1064232).
- bcache: Fix, improve efficiency of closure_sync() (bsc#1064232).
- bcache: Reduce the number of sparse complaints about lock imbalances (bsc#1064232).
- bcache: Remove an unused variable (bsc#1064232).
- bcache: Suppress more warnings about set-but-not-used variables (bsc#1064232).
- bcache: Use PTR_ERR_OR_ZERO() (bsc#1064232).
- bcache: add CACHE_SET_IO_DISABLE to struct cache_set flags (bsc#1064232).
- bcache: add backing_request_endio() for bi_end_io (bsc#1064232).
- bcache: add io_disable to struct cached_dev (bsc#1064232).
- bcache: add journal statistic (bsc#1064232).
- bcache: add stop_when_cache_set_failed option to backing device (bsc#1064232).
- bcache: add wait_for_kthread_stop() in bch_allocator_thread() (bsc#1064232).
- bcache: closures: move control bits one bit right (bsc#1064232).
- bcache: correct flash only vols (check all uuids) (bsc#1064232).
- bcache: count backing device I/O error for writeback I/O (bsc#1064232).
- bcache: do not attach backing with duplicate UUID (bsc#1064232).
- bcache: fix cached_dev->count usage for bch_cache_set_error() (bsc#1064232).
- bcache: fix crashes in duplicate cache device register (bsc#1064232).
- bcache: fix error return value in memory shrink (bsc#1064232).
- bcache: fix for allocator and register thread race (bsc#1064232).
- bcache: fix for data collapse after re-attaching an attached device (bsc#1064232).
- bcache: fix high CPU occupancy during journal (bsc#1064232).
- bcache: fix incorrect sysfs output value of strip size (bsc#1064232).
- bcache: fix kcrashes with fio in RAID5 backend dev (bsc#1064232).
- bcache: fix misleading error message in bch_count_io_errors() (bsc#1064232).
- bcache: fix using of loop variable in memory shrink (bsc#1064232).
- bcache: fix writeback target calc on large devices (bsc#1064232).
- bcache: fix wrong return value in bch_debug_init() (bsc#1064232).
- bcache: mark closure_sync() __sched (bsc#1064232).
- bcache: move closure debug file into debug directory (bsc#1064232).
- bcache: properly set task state in bch_writeback_thread() (bsc#1064232).
- bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set (bsc#1064232).
- bcache: reduce cache_set devices iteration by devices_max_used (bsc#1064232).
- bcache: ret IOERR when read meets metadata error (bsc#1064232).
- bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n (bsc#1064232).
- bcache: return attach error when no cache set exist (bsc#1064232).
- bcache: segregate flash only volume write streams (bsc#1064232).
- bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error() (bsc#1064232).
- bcache: set dc->io_disable to true in conditional_stop_bcache_device() (bsc#1064232).
- bcache: set error_limit correctly (bsc#1064232).
- bcache: set writeback_rate_update_seconds in range [1, 60] seconds (bsc#1064232).
- bcache: stop bcache device when backing device is offline (bsc#1064232).
- bcache: stop dc->writeback_rate_update properly (bsc#1064232).
- bcache: stop writeback thread after detaching (bsc#1064232).
- bcache: store disk name in struct cache and struct cached_dev (bsc#1064232).
- bcache: use pr_info() to inform duplicated CACHE_SET_IO_DISABLE set (bsc#1064232).
- cpu/hotplug: Add sysfs state interface (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Split do_cpu_down() (bsc#1089343).
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343).
- x86/Xen: disable IBRS around CPU stopper function invocation (none so far).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
- x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (bnc#1012382).
- x86/mm: Simplify p[g4um]xen: d_page() macros (bnc#1087081).
- x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
- x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343).
- x86/topology: Add topology_max_smt_threads() (bsc#1089343).
- x86/topology: Provide topology_smt_supported() (bsc#1089343).
- xen/x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- xen/x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- xen/x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- xen/x86/cpufeatures: Add X86_BUG_CPU_INSECURE (bnc#1012382).
- xen/x86/cpufeatures: Make CPU bugs sticky (bnc#1012382).
- xen/x86/entry: Add a function to overwrite the RSB (bsc#1068032).
- xen/x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (bsc#1068032).
- xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
- xen/x86/mm: Set IBPB upon context switch (bsc#1068032).
- xen/x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN (bnc#1012382).


-----------------------------------------
Patch: SUSE-2018-1609
Released: Thu Aug 16 14:04:20 2018
Summary: Security update for cups
Severity: moderate
References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408,CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Description:
This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
  was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
  scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
  (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
  directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
  (bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
  (bsc#1096408)

The following other issue was fixed:

- Fixed authorization check for clients (like samba) connected through the
  local socket when Kerberos authentication is enabled (bsc#1050082)


-----------------------------------------
Patch: SUSE-2018-1610
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1613
Released: Thu Aug 16 14:04:43 2018
Summary: Security update for libsndfile
Severity: moderate
References: 1071767,1071777,1100167,CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Description:
This update for libsndfile fixes the following issues:

Security issues fixed:

- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in common.c that allows remote attackers to cause a denial of service (bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function d2ulaw_array() that may have lead to a remote DoS, a different vulnerability than CVE-2017-14246 (bsc#1071767)


-----------------------------------------
Patch: SUSE-2018-1621
Released: Thu Aug 16 14:49:51 2018
Summary: Security update for polkit
Severity: moderate
References: 1099031,CVE-2018-1116
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).


-----------------------------------------
Patch: SUSE-2018-1623
Released: Thu Aug 16 14:50:00 2018
Summary: Security update for mutt
Severity: important
References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,980830,982129,986534,CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363
Description:
This update for mutt fixes the following issues:

Security issues fixed:

- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).

Bug fixes:

- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)
- mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)


-----------------------------------------
Patch: SUSE-2018-1636
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1643
Released: Thu Aug 16 17:41:07 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1100415
Description:

The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store.

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5
  

-----------------------------------------
Patch: SUSE-2018-1688
Released: Mon Aug 20 09:02:23 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1689
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1690
Released: Mon Aug 20 09:02:27 2018
Summary: Recommended update for reiserfs
Severity: low
References: 1094401
Description:
This update for reiserfs provides the following fix:

- Move libreiserfscore.so.0 into the libreiserfscore0 package. (bsc#1094401)


-----------------------------------------
Patch: SUSE-2018-1695
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issue were fixed: 

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
  directory-traversal protection mechanism and overwrite arbitrary files
  (bsc#1096718)

This non-security issue was fixed: 

- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]



-----------------------------------------
Patch: SUSE-2018-1755
Released: Fri Aug 24 17:12:33 2018
Summary: Recommended update for growpart
Severity: moderate
References: 1082318,1097455,1098681
Description:
This update for growpart provides the following fix:

- Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681)
- Use %license instead of %doc in the package. (bsc#1082318)


-----------------------------------------
Patch: SUSE-2018-1763
Released: Mon Aug 27 09:30:15 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1104780
Description:
This update for ca-certificates-mozilla fixes the following issues:

The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- Removed server auth from following CAs:

  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
   - OpenTrust Root CA G2
   - OpenTrust Root CA G3

- Removed CAs

    - ComSign CA

- Added new CAs

    - GlobalSign


-----------------------------------------
Patch: SUSE-2018-1773
Released: Tue Aug 28 12:39:19 2018
Summary: Recommended update for blktrace
Severity: important
References: 1105396
Description:
This update for blktrace fixes the following issues:

- repair: shift inode back into place if corrupted by bad log replay
  (bsc#1105396).


-----------------------------------------
Patch: SUSE-2018-1876
Released: Tue Sep 11 10:50:41 2018
Summary: Security update for openssh
Severity: moderate
References: 1016370,1017099,1023275,1048367,1053972,1065000,1069509,1076957,1092582,CVE-2008-1483,CVE-2016-10012,CVE-2016-10708,CVE-2017-15906
Description:
This update for openssh provides the following fixes:

Security issues fixed:

- CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000).
- CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370).
- CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509).
- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).

Bug fixes:

- bsc#1017099: Enable case-insensitive hostname matching.
- bsc#1023275: Add a new switch for printing diagnostic messages in sftp client's batch mode.
- bsc#1048367: systemd integration to work around various race conditions.
- bsc#1053972: Remove duplicate KEX method.
- bsc#1092582: Add missing piece of systemd integration.
- Remove the limit on the amount of tasks sshd can run.


-----------------------------------------
Patch: SUSE-2018-1879
Released: Tue Sep 11 14:59:53 2018
Summary: Security update for libzypp, zypper
Severity: important
References: 1036304,1037210,1038984,1045735,1048315,1054088,1070851,1076192,1079334,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:

libzypp security fixes:

- PackageProvider: Validate delta rpms before caching
  (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching
  (bsc#1091624, bsc#1088705, CVE-2018-7685)
- Be sure bad packages do not stay in the cache (bsc#1045735, CVE-2017-9269)
- Fix repo gpg check workflows, mainly for unsigned repos and packages
  (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269)

libzypp other changes/bugs fixed:

- Update to version 14.45.17
- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Use common workflow for downloading packages and srcpackages. This includes a
  common way of handling and reporting gpg signature and checks. (bsc#1037210)
- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
- Adapt to work with GnuPG 2.1.23 (bsc#1054088)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo
  packages.
- Prefer calling 'repo2solv' rather than 'repo2solv.sh'
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been been
  loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)

zypper security fixes:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735,
  CVE-2017-9269)
- Adapt download callback to report and handle unsigned packages (bsc#1038984,
  CVE-2017-7436)

zypper other changes/bugs fixed:

- Update to version 1.11.70
- Bugfix: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- do not recommend cron (bsc#1079334)


-----------------------------------------
Patch: SUSE-2018-1903
Released: Fri Sep 14 12:46:21 2018
Summary: Security update for curl
Severity: moderate
References: 1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)


-----------------------------------------
Patch: SUSE-2018-1942
Released: Fri Sep 21 07:51:02 2018
Summary: Security update for openslp
Severity: important
References: 1090638,CVE-2017-17833
Description:
This update for openslp fixes the following issues:

- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
  manifested itself as a denial-of-service or a remote code-execution
  vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing


-----------------------------------------
Patch: SUSE-2018-1945
Released: Fri Sep 21 07:52:19 2018
Summary: Security update for python-paramiko
Severity: important
References: 1085276,1106148,CVE-2018-7750
Description:
This update for python-paramiko to version 1.18.5 fixes the following issues:

This security issue was fixed:

- CVE-2018-7750: transport.py in the SSH server implementation of Paramiko did
  not properly check whether authentication is completed processing other
  requests. A customized SSH client could have skipped the authentication step
  (bsc#1085276)

This non-security issue was fixed:

- Prevent connection problems with ssh servers due to no acceptable macs being
  available (bsc#1106148)

For additional changes please check the changelog.

-----------------------------------------
Patch: SUSE-2018-1948
Released: Fri Sep 21 11:30:58 2018
Summary: Recommended update for lsof
Severity: low
References: 1036304,1099847
Description:
This update for lsof provides the following fix:

- Enhance -K option with the form '-K i' to direct lsof to ignore tasks. (bsc#1036304)
- Add 'Provides: backported-option-Ki' to indicate that '-K i' option is supported so
  libzypp can safely use it (bsc#1099847)


-----------------------------------------
Patch: SUSE-2018-1977
Released: Mon Sep 24 10:10:47 2018
Summary: Security update for gnutls
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846
Description:
This update for gnutls fixes the following issues:

This update for gnutls fixes the following issues:

Security issues fixed:

- Improved mitigations against Lucky 13 class of attacks
- 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
- HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845, bsc#1105459)
- HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844, bsc#1105437)
- The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (CVE-2017-10790, bsc#1047002)


-----------------------------------------
Patch: SUSE-2018-1986
Released: Mon Sep 24 12:52:43 2018
Summary: Security update for libXcursor
Severity: moderate
References: 1103511,CVE-2015-9262
Description:
This update for libXcursor fixes the following security issue:

- CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause denial
  of service or potentially code execution via a one-byte heap overflow
  (bsc#1103511).


-----------------------------------------
Patch: SUSE-2018-1989
Released: Mon Sep 24 12:54:37 2018
Summary: Security update for tiff
Severity: moderate
References: 1074186,1092480,983440,CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-10779: Fixed a heap-based buffer overflow in TIFFWriteScanline()
  in tif_write.c (bsc#1092480)
- CVE-2017-17942: Fixed a heap-based buffer overflow in the function
  PackBitsEncode in tif_packbits.c. (bsc#1074186)
- CVE-2016-5319: Fixed a beap-based buffer overflow in bmp2tiff (bsc#983440)


-----------------------------------------
Patch: SUSE-2018-1991
Released: Mon Sep 24 12:55:19 2018
Summary: Security update for gd
Severity: moderate
References: 1105434,CVE-2018-1000222
Description:
This update for gd fixes the following issues:

Security issue fixed:

- CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that
  could result in remote code execution. This could have been exploited via a
  specially crafted JPEG image files. (bsc#1105434)


-----------------------------------------
Patch: SUSE-2018-2038
Released: Wed Sep 26 12:27:58 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1093797
Description:
This update for gcc48 fixes the following issues:

- Fixed a reload bug on aarch64 causing a kernel miscompile.  [bsc#1093797]



-----------------------------------------
Patch: SUSE-2018-2117
Released: Tue Oct  2 16:30:51 2018
Summary: Security update for unzip
Severity: moderate
References: 1013992,1013993,1080074,910683,914442,950110,950111,CVE-2014-9636,CVE-2014-9913,CVE-2015-7696,CVE-2015-7697,CVE-2016-9844,CVE-2018-1000035
Description:
This update for unzip fixes the following security issues:

- CVE-2014-9913: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013993)
- CVE-2015-7696: Specially crafted zip files with password protection could
  trigger a crash and lead to denial of service (bsc#950110)
- CVE-2015-7697: Specially crafted zip files could trigger an endless loop and
  lead to denial of service (bsc#950111)
- CVE-2016-9844: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013992)
- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of
  password-protected archives that allowed an attacker to perform a denial of
  service or to possibly achieve code execution (bsc#1080074).
- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and
  crash) via an extra field with an uncompressed size smaller than the compressed
  field size in a zip archive that advertises STORED method compression
  (bsc#914442).

This non-security issue was fixed:

+- Allow processing of Windows zip64 archives (Windows archivers set
  total_disks field to 0 but per standard, valid values are 1 and higher)
  (bnc#910683)


-----------------------------------------
Patch: SUSE-2018-2132
Released: Thu Oct  4 06:47:56 2018
Summary: Security update for openslp
Severity: important
References: 1090638,CVE-2017-17833
Description:
This update for openslp fixes the following issues:

- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
  manifested itself as a denial-of-service or a remote code-execution
  vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing


-----------------------------------------
Patch: SUSE-2018-2178
Released: Tue Oct  9 09:00:27 2018
Summary: Recommended update for at
Severity: low
References: 879402
Description:
This update for at fixes the following issues:

- introduced -o <timeformat> switch for atq (bsc#879402)


-----------------------------------------
Patch: SUSE-2018-2185
Released: Tue Oct  9 13:15:21 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1062604,1064232,1065999,1092903,1093215,1096547,1097104,1099811,1099813,1099844,1099845,1099846,1099849,1099863,1099864,1099922,1100001,1100089,1102870,1103445,1104319,1104495,1104906,1105322,1105412,1106095,1106369,1106509,1106511,1107689,1108399,1108912,CVE-2018-10853,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-10902,CVE-2018-10940,CVE-2018-12896,CVE-2018-13093,CVE-2018-14617,CVE-2018-14634,CVE-2018-16276,CVE-2018-16658,CVE-2018-17182,CVE-2018-6554,CVE-2018-6555
Description:

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-14634: Prevent integer overflow in create_elf_tables that allowed a
  local attacker to exploit this vulnerability via a SUID-root binary and obtain
  full root privileges (bsc#1108912)
- CVE-2018-14617: Prevent NULL pointer dereference and panic in
  hfsplus_lookup() when opening a file (that is purportedly a hard link) in an
  hfs+ filesystem that has malformed catalog data, and is mounted read-only
  without a metadata directory (bsc#1102870)
- CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in
  yurex_read allowed local attackers to use user access read/writes to crash the
  kernel or potentially escalate privileges (bsc#1106095)
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was
  caused by the way the overrun accounting works. Depending on interval and
  expiry time values, the overrun can be larger than INT_MAX, but the accounting
  is int based. This basically made the accounting values, which are visible to
  user space via timer_getoverrun(2) and siginfo::si_overrun, random. This
  allowed a local user to cause a denial of service (signed integer overflow) via
  crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)
- CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow()
  on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image.
  This occured because of a lack of proper validation that cached inodes are free
  during allocation (bnc#1100001)
- CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local
  attackers to use a incorrect bounds check in the CDROM driver
  CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that
  could have been used by local attackers to read kernel memory (bnc#1107689)
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a
  denial of service (ias_object use-after-free and system crash) or possibly have
  unspecified other impact via an AF_IRDA socket (bnc#1106511)
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed
  local users to cause a denial of service (memory consumption) by repeatedly
  binding an AF_IRDA socket (bnc#1106509)
- CVE-2018-10853: The KVM hypervisor did not check current privilege(CPL) level
  while emulating unprivileged instructions. An unprivileged guest user/process
  could have used this flaw to potentially escalate privileges inside guest
  (bsc#1097104)
- CVE-2018-10902: Protect against concurrent access to prevent double realloc
  (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A
  malicious local attacker could have used this for privilege escalation
  (bnc#1105322).
- CVE-2018-10879: A local user could have caused a use-after-free in
  ext4_xattr_set_entry function and a denial of service or unspecified other
  impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844)
- CVE-2018-10883: A local user could have caused an out-of-bounds write in
  jbd2_journal_dirty_metadata(), a denial of service, and a system crash by
  mounting and operating on a crafted ext4 filesystem image (bsc#1099863)
- CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code
  when mounting and writing to a crafted ext4 image in ext4_update_inline_data().
  An attacker could have used this to cause a system crash and a denial of
  service (bsc#1099845)
- CVE-2018-10882: A local user could have caused an out-of-bound write, a
  denial of service, and a system crash by unmounting a crafted ext4 filesystem
  image (bsc#1099849)
- CVE-2018-10881: A local user could have caused an out-of-bound access in
  ext4_get_group_info function, a denial of service, and a system crash by
  mounting and operating on a crafted ext4 filesystem image (bsc#1099864)
- CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs()
  function when operating on a crafted ext4 filesystem image (bsc#1099846)
- CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space()
  function when mounting and operating a crafted ext4 image (bsc#1099811)
- CVE-2018-10878: A local user could have caused an out-of-bounds write and a
  denial of service or unspecified other impact by mounting and operating a
  crafted ext4 filesystem image (bsc#1099813)
- CVE-2018-17182: An issue was discovered in the Linux kernel The
  vmacache_flush_all function in mm/vmacache.c mishandled sequence number
  overflows. An attacker can trigger a use-after-free (and possibly gain
  privileges) via certain thread creation, map, unmap, invalidation,
  and dereference operations (bnc#1108399).

The following non-security bugs were fixed:

- bcache: avoid unncessary cache prefetch bch_btree_node_get().
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes.
- bcache: display rate debug parameters to 0 when writeback is not running.
- bcache: do not check return value of debugfs_create_dir().
- bcache: finish incremental GC.
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering.
- bcache: free heap cache_set->flush_btree in bch_journal_free.
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section.
- bcache: release dc->writeback_lock properly in bch_writeback_thread().
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data.
- Do not report CPU affected by L1TF when ARCH_CAP_RDCL_NO bit is set (bsc#1104906).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update checksum of new initialized bitmaps (bnc#1012382).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- kABI: protect struct x86_emulate_ops (kabi).
- KEYS: prevent creating a different user's keyrings (bnc#1065999).
- KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
- KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
- KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- updated sssbd handling (bsc#1093215, bsc#1105412).
- usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369).
- sched/sysctl: Check user input value of sysctl_sched_time_avg (bsc#1100089).


-----------------------------------------
Patch: SUSE-2018-2196
Released: Thu Oct 11 07:45:16 2018
Summary: Optional update for gcc8
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:

The GNU Compiler GCC 8 is being added to the Toolchain Module by this
update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several of bugs fixed,
quite some new warnings added and the error pin-pointing and
fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:

        https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on:

        https://gcc.gnu.org/gcc-8/porting_to.html




-----------------------------------------
Patch: SUSE-2018-2202
Released: Thu Oct 11 20:46:27 2018
Summary: Security update for libX11 and libxcb
Severity: moderate
References: 1094327,1102062,1102068,1102073,CVE-2018-14598,CVE-2018-14599,CVE-2018-14600
Description:
This update for libX11 and libxcb fixes the following issue:

libX11:

These security issues were fixed:

- CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one
  error caused by malicious server responses, leading to DoS or possibly
  unspecified other impact (bsc#1102062).
- CVE-2018-14600: The function XListExtensions interpreted a variable as signed
  instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
  leading to DoS or remote code execution (bsc#1102068).
- CVE-2018-14598: A malicious server could have sent a reply in which the first
  string overflows, causing a variable to be set to NULL that will be freed later
  on, leading to DoS (segmentation fault) (bsc#1102073).

This non-security issue was fixed:

- Make use of the new 64-bit sequence number API in XCB 1.11.1 to avoid the 32-bit
  sequence number wrap in libX11 (bsc#1094327).

libxcb:

- Expose 64-bit sequence number from XCB API so that Xlib and others can use it even
  on 32-bit environment. (bsc#1094327)


-----------------------------------------
Patch: SUSE-2018-2297
Released: Wed Oct 17 16:56:44 2018
Summary: Security update for binutils
Severity: moderate
References: 1029907,1029908,1029909,1030296,1030297,1030298,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1037052,1037057,1037061,1037066,1037273,1044891,1044897,1044901,1044909,1044925,1044927,1065643,1065689,1065693,1068640,1068643,1068887,1068888,1068950,1069176,1069202,1074741,1077745,1079103,1079741,1080556,1081527,1083528,1083532,1085784,1086608,1086784,1086786,1086788,1090997,1091015,1091365,1091368,CVE-2014-9939,CVE-2017-15938,CVE-2017-15939,CVE-2017-15996,CVE-2017-16826,CVE-2017-16827,CVE-2017-16828,CVE-2017-16829,CVE-2017-16830,CVE-2017-16831,CVE-2017-16832,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8396,CVE-2017-8421,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2018-10372,CVE-2018-10373,CVE-2018-10534,CVE-2018-10535,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945
Description:
This update for binutils to 2.31 fixes the following issues:

These security issues were fixed:

- CVE-2017-15996: readelf allowed remote attackers to cause a denial of service
  (excessive memory allocation) or possibly have unspecified other impact via a
  crafted ELF file that triggered a buffer overflow on fuzzed archive header
  (bsc#1065643).
- CVE-2017-15939: Binary File Descriptor (BFD) library (aka libbfd) mishandled
  NULL files in a .debug_line file table, which allowed remote attackers to cause
  a denial of service (NULL pointer dereference and application crash) via a
  crafted ELF file, related to concat_filename (bsc#1065689).
- CVE-2017-15938: the Binary File Descriptor (BFD) library (aka libbfd)
  miscalculated DW_FORM_ref_addr die refs in the case of a relocatable object
  file, which allowed remote attackers to cause a denial of service
  (find_abstract_instance_name invalid memory read, segmentation fault, and
  application crash) (bsc#1065693).
- CVE-2017-16826: The coff_slurp_line_table function the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (invalid memory access and application crash) or possibly have
  unspecified other impact via a crafted PE file (bsc#1068640).
- CVE-2017-16832: The pe_bfd_read_buildid function in the Binary File
  Descriptor (BFD) library (aka libbfd) did not validate size and offset values
  in the data dictionary, which allowed remote attackers to cause a denial of
  service (segmentation violation and application crash) or possibly have
  unspecified other impact via a crafted PE file (bsc#1068643).
- CVE-2017-16831: Binary File Descriptor (BFD) library (aka libbfd) did not
  validate the symbol count, which allowed remote attackers to cause a denial of
  service (integer overflow and application crash, or excessive memory
  allocation) or possibly have unspecified other impact via a crafted PE file
  (bsc#1068887).
- CVE-2017-16830: The print_gnu_property_note function did not have
  integer-overflow protection on 32-bit platforms, which allowed remote attackers
  to cause a denial of service (segmentation violation and application crash) or
  possibly have unspecified other impact via a crafted ELF file (bsc#1068888).
- CVE-2017-16829: The _bfd_elf_parse_gnu_properties function in the Binary File
  Descriptor (BFD) library (aka libbfd) did not prevent negative pointers, which
  allowed remote attackers to cause a denial of service (out-of-bounds read and
  application crash) or possibly have unspecified other impact via a crafted ELF
  file (bsc#1068950).
- CVE-2017-16828: The display_debug_frames function allowed remote attackers to
  cause a denial of service (integer overflow and heap-based buffer over-read,
  and application crash) or possibly have unspecified other impact via a crafted
  ELF file (bsc#1069176).
- CVE-2017-16827: The aout_get_external_symbols function in the Binary File
  Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
  denial of service (slurp_symtab invalid free and application crash) or possibly
  have unspecified other impact via a crafted ELF file (bsc#1069202).
- CVE-2018-6323: The elf_object_p function in the Binary File Descriptor (BFD)
  library (aka libbfd) had an unsigned integer overflow because bfd_size_type
  multiplication is not used. A crafted ELF file allowed remote attackers to
  cause a denial of service (application crash) or possibly have unspecified
  other impact (bsc#1077745).
- CVE-2018-6543: Prevent integer overflow in the function
  load_specific_debug_section() which resulted in `malloc()` with 0 size. A
  crafted ELF file allowed remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact (bsc#1079103).
- CVE-2018-6759: The bfd_get_debug_link_info_1 function in the Binary File
  Descriptor (BFD) library (aka libbfd) had an unchecked strnlen operation.
  Remote attackers could have leveraged this vulnerability to cause a denial of
  service (segmentation fault) via a crafted ELF file (bsc#1079741).
- CVE-2018-6872: The elf_parse_notes function in the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (out-of-bounds read and segmentation violation) via a note with a large
  alignment (bsc#1080556).
- CVE-2018-7208: In the coff_pointerize_aux function in the Binary File
  Descriptor (BFD) library (aka libbfd) an index was not validated, which allowed
  remote attackers to cause a denial of service (segmentation fault) or possibly
  have unspecified other impact via a crafted file, as demonstrated by objcopy of
  a COFF object (bsc#1081527).
- CVE-2018-7570: The assign_file_positions_for_non_load_sections function in
  the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers
  to cause a denial of service (NULL pointer dereference and application crash)
  via an ELF file with a RELRO segment that lacks a matching LOAD segment, as
  demonstrated by objcopy (bsc#1083528).
- CVE-2018-7569: The Binary File Descriptor (BFD) library (aka libbfd) allowed
  remote attackers to cause a denial of service (integer underflow or overflow,
  and application crash) via an ELF file with a corrupt DWARF FORM block, as
  demonstrated by nm (bsc#1083532).
- CVE-2018-8945: The bfd_section_from_shdr function in the Binary File
  Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
  denial of service (segmentation fault) via a large attribute section
  (bsc#1086608).
- CVE-2018-7643: The display_debug_ranges function allowed remote attackers to
  cause a denial of service (integer overflow and application crash) or possibly
  have unspecified other impact via a crafted ELF file, as demonstrated by
  objdump (bsc#1086784).
- CVE-2018-7642: The swap_std_reloc_in function in the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (aout_32_swap_std_reloc_out NULL pointer dereference and application
  crash) via a crafted ELF file, as demonstrated by objcopy (bsc#1086786).
- CVE-2018-7568: The parse_die function in the Binary File Descriptor (BFD)
  library (aka libbfd) allowed remote attackers to cause a denial of service
  (integer overflow and application crash) via an ELF file with corrupt dwarf1
  debug information, as demonstrated by nm (bsc#1086788).
- CVE-2018-10373: concat_filename in the Binary File Descriptor (BFD) library
  (aka libbfd) allowed remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via a crafted binary file, as
  demonstrated by nm-new (bsc#1090997).
- CVE-2018-10372: process_cu_tu_index allowed remote attackers to cause a
  denial of service (heap-based buffer over-read and application crash) via a
  crafted binary file, as demonstrated by readelf (bsc#1091015).
- CVE-2018-10535: The ignore_section_sym function in the Binary File Descriptor
  (BFD) library (aka libbfd) did not validate the output_section pointer in the
  case of a symtab entry with a 'SECTION' type that has a '0' value, which
  allowed remote attackers to cause a denial of service (NULL pointer dereference
  and application crash) via a crafted file, as demonstrated by objcopy
  (bsc#1091365).
- CVE-2018-10534: The _bfd_XX_bfd_copy_private_bfd_data_common function in the
  Binary File Descriptor (BFD) library (aka libbfd) processesed a negative Data
  Directory size with an unbounded loop that increased the value of
  (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeded its own
  memory region, resulting in an out-of-bounds memory write, as demonstrated by
  objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common
  in pex64igen.c (bsc#1091368).

These non-security issues were fixed:

- The AArch64 port now supports showing disassembly notes which are emitted
  when inconsistencies are found with the instruction that may result in the
  instruction being invalid. These can be turned on with the option -M notes
  to objdump.
- The AArch64 port now emits warnings when a combination of an instruction and
  a named register could be invalid.
- Added O modifier to ar to display member offsets inside an archive
- The ADR and ADRL pseudo-instructions supported by the ARM assembler
  now only set the bottom bit of the address of thumb function symbols
  if the -mthumb-interwork command line option is active.
- Add --generate-missing-build-notes=[yes|no] option to create (or not) GNU
  Build Attribute notes if none are present in the input sources.  Add a
  --enable-generate-build-notes=[yes|no] configure time option to set the
  default behaviour.  Set the default if the configure option is not used
  to 'no'.
- Remove -mold-gcc command-line option for x86 targets.
- Add -O[2|s] command-line options to x86 assembler to enable alternate
  shorter instruction encoding.
- Add support for .nops directive.  It is currently supported only for
  x86 targets.
- Speed up direct linking with DLLs for Cygwin and Mingw targets.
- Add a configure option --enable-separate-code to decide whether
  -z separate-code should be enabled in ELF linker by default.  Default
  to yes for Linux/x86 targets. Note that -z separate-code can increase
  disk and memory size.
- RISC-V: Fix symbol address problem with versioned symbols 
- Restore riscv64-elf cross prefix via symlinks
- RISC-V: Don't enable relaxation in relocatable link
- Prevent linking faiures on i386 with assertion (bsc#1085784)
- Fix symbol size bug when relaxation deletes bytes
- Add --debug-dump=links option to readelf and --dwarf=links option to objdump
  which displays the contents of any .gnu_debuglink or .gnu_debugaltlink
  sections.
  Add a --debug-dump=follow-links option to readelf and a --dwarf=follow-links
  option to objdump which causes indirect links into separate debug info files
  to be followed when dumping other DWARF sections.
- Add support for loaction views in DWARF debug line information.
- Add -z separate-code to generate separate code PT_LOAD segment.
- Add '-z undefs' command line option as the inverse of the '-z defs' option.
- Add -z globalaudit command line option to force audit libraries to be run
  for every dynamic object loaded by an executable - provided that the loader
  supports this functionality.
- Tighten linker script grammar around file name specifiers to prevent the use
  of SORT_BY_ALIGNMENT and SORT_BY_INIT_PRIORITY on filenames.  These would
  previously be accepted but had no effect.
- The EXCLUDE_FILE directive can now be placed within any SORT_* directive
  within input section lists.
- Fix linker relaxation with --wrap
- Add arm-none-eabi symlinks (bsc#1074741)

Former updates of binutils also fixed the following security issues, for which
there was not CVE assigned at the time the update was released or no mapping
between code change and CVE existed:

- CVE-2014-9939: Prevent stack buffer overflow when printing bad bytes in Intel
  Hex objects (bsc#1030296).
- CVE-2017-7225: The find_nearest_line function in addr2line did not handle the
  case where the main file name and the directory name are both empty, triggering
  a NULL pointer dereference and an invalid write, and leading to a program crash
  (bsc#1030585).
- CVE-2017-7224: The find_nearest_line function in objdump was vulnerable to an
  invalid write (of size 1) while disassembling a corrupt binary that contains an
  empty function name, leading to a program crash (bsc#1030588).
- CVE-2017-7223: GNU assembler in was vulnerable to a global buffer overflow
  (of size 1) while attempting to unget an EOF character from the input stream,
  potentially leading to a program crash (bsc#1030589).
- CVE-2017-7226: The pe_ILF_object_p function in the Binary File Descriptor
  (BFD) library (aka libbfd) was vulnerable to a heap-based buffer over-read of
  size 4049 because it used the strlen function instead of strnlen, leading to
  program crashes in several utilities such as addr2line, size, and strings. It
  could lead to information disclosure as well (bsc#1030584).
- CVE-2017-7299: The Binary File Descriptor (BFD) library (aka libbfd) had an
  invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link
  function in bfd/elflink.c) did not check the format of the input file trying to
  read the ELF reloc section header. The vulnerability leads to a GNU linker (ld)
  program crash (bsc#1031644).
- CVE-2017-7300: The Binary File Descriptor (BFD) library (aka libbfd) had an
  aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a
  heap-based buffer over-read (off-by-one) because of an incomplete check for
  invalid string offsets while loading symbols, leading to a GNU linker (ld)
  program crash (bsc#1031656).
- CVE-2017-7302: The Binary File Descriptor (BFD) library (aka libbfd) had a
  swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid
  read (of size 4) because of missing checks for relocs that could not be
  recognised. This vulnerability caused Binutils utilities like strip to crash
  (bsc#1031595).
- CVE-2017-7303: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read (of size 4) because of missing a check (in the
  find_link function) for null headers attempting to match them. This
  vulnerability caused Binutils utilities like strip to crash (bsc#1031593).
- CVE-2017-7301: The Binary File Descriptor (BFD) library (aka libbfd) had an
  aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one
  vulnerability because it did not carefully check the string offset. The
  vulnerability could lead to a GNU linker (ld) program crash (bsc#1031638).
- CVE-2017-7304: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read (of size 8) because of missing a check (in the
  copy_special_section_fields function) for an invalid sh_link field attempting
  to follow it. This vulnerability caused Binutils utilities like strip to crash
  (bsc#1031590).
- CVE-2017-8392: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 8 because of missing a check to determine
  whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This
  vulnerability caused programs that conduct an analysis of binary programs using
  the libbfd library, such as objdump, to crash (bsc#1037052).
- CVE-2017-8393: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to a global buffer over-read error because of an assumption made by
  code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always
  named starting with a .rel/.rela prefix. This vulnerability caused programs
  that conduct an analysis of binary programs using the libbfd library, such as
  objcopy and strip, to crash (bsc#1037057).
- CVE-2017-8394: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of
  _bfd_elf_large_com_section. This vulnerability caused programs that conduct an
  analysis of binary programs using the libbfd library, such as objcopy, to crash
  (bsc#1037061).
- CVE-2017-8396: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 1 because the existing reloc offset range
  tests didn't catch small negative offsets less than the size of the reloc
  field. This vulnerability caused programs that conduct an analysis of binary
  programs using the libbfd library, such as objdump, to crash (bsc#1037066).
- CVE-2017-8421: The function coff_set_alignment_hook in Binary File Descriptor
  (BFD) library (aka libbfd) had a memory leak vulnerability which can cause
  memory exhaustion in objdump via a crafted PE file (bsc#1037273).
- CVE-2017-9746: The disassemble_bytes function in objdump.c allowed remote
  attackers to cause a denial of service (buffer overflow and application crash)
  or possibly have unspecified other impact via a crafted binary file, as
  demonstrated by mishandling of rae insns printing for this file during 'objdump
  -D' execution (bsc#1044891).
- CVE-2017-9747: The ieee_archive_p function in the Binary File Descriptor
  (BFD) library (aka libbfd) might have allowed remote attackers to cause a
  denial of service (buffer overflow and application crash) or possibly have
  unspecified other impact via a crafted binary file, as demonstrated by
  mishandling of this file during 'objdump -D' execution (bsc#1044897).
- CVE-2017-9748: The ieee_object_p function in the Binary File Descriptor (BFD)
  library (aka libbfd) might have allowed remote attackers to cause a denial of
  service (buffer overflow and application crash) or possibly have unspecified
  other impact via a crafted binary file, as demonstrated by mishandling of this
  file during 'objdump -D' execution (bsc#1044901).
- CVE-2017-9750: opcodes/rx-decode.opc lacked bounds checks for certain scale
  arrays, which allowed remote attackers to cause a denial of service (buffer
  overflow and application crash) or possibly have unspecified other impact via a
  crafted binary file, as demonstrated by mishandling of this file during
  'objdump -D' execution (bsc#1044909).
- CVE-2017-9755: Not considering the the number of registers for bnd mode
  allowed remote attackers to cause a denial of service (buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  binary file, as demonstrated by mishandling of this file during 'objdump -D'
  execution (bsc#1044925).
- CVE-2017-9756: The aarch64_ext_ldst_reglist function allowed remote attackers
  to cause a denial of service (buffer overflow and application crash) or
  possibly have unspecified other impact via a crafted binary file, as
  demonstrated by mishandling of this file during 'objdump -D' execution
  (bsc#1044927).
- CVE-2017-7209: The dump_section_as_bytes function in readelf accessed a NULL
  pointer while reading section contents in a corrupt binary, leading to a
  program crash (bsc#1030298).
- CVE-2017-6965: readelf wrote to illegal addresses while processing corrupt
  input files containing symbol-difference relocations, leading to a heap-based
  buffer overflow (bsc#1029909).
- CVE-2017-6966: readelf had a use-after-free (specifically read-after-free)
  error while processing multiple, relocated sections in an MSP430 binary. This
  is caused by mishandling of an invalid symbol index, and mishandling of state
  across invocations (bsc#1029908).
- CVE-2017-6969: readelf was vulnerable to a heap-based buffer over-read while
  processing corrupt RL78 binaries. The vulnerability can trigger program
  crashes. It may lead to an information leak as well (bsc#1029907).
- CVE-2017-7210: objdump was vulnerable to multiple heap-based buffer
  over-reads (of size 1 and size 8) while handling corrupt STABS enum type
  strings in a crafted object file, leading to program crash (bsc#1030297).
  

-----------------------------------------
Patch: SUSE-2018-2299
Released: Thu Oct 18 11:58:01 2018
Summary: Security update for fuse
Severity: moderate
References: 1101797,CVE-2018-10906
Description:
This update for fuse fixes the following security issue:

- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when
  SELinux is active. This allowed non-root users to mount a FUSE file system with
  the 'allow_other' mount option regardless of whether 'user_allow_other' is set
  in the fuse configuration. An attacker may use this flaw to mount a FUSE file
  system, accessible by other users, and trick them into accessing files on that
  file system, possibly causing Denial of Service or other unspecified effects
  (bsc#1101797)


-----------------------------------------
Patch: SUSE-2018-2318
Released: Fri Oct 19 07:21:02 2018
Summary: Recommended update for krb5
Severity: moderate
References: 1046415,1057662,1088921
Description:
This update for krb5 provides the following fix:

- Resolve krb5 GSS credentials immediately if the application requests the lifetime.
  (bsc#1088921)
- Workaround a compatibilitiy issue in legacy GSS client applications by setting environment
  variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value. (bsc#1057662 bsc#1046415)


-----------------------------------------
Patch: SUSE-2018-2341
Released: Sat Oct 20 09:50:41 2018
Summary: Recommended update for pciutils
Severity: moderate
References: 1098094,1098228
Description:
This update for pciutils provides the following fixes:

- Fix the displaying of the gen4 speed for GEN 4 cards like Mellanox CX5. (bsc#1098094)
- Add support for commonly used vendor specific VPD keywords described in 'Table 160.
  LoPAPR VPD Fields' of the Linux on Power Architecture Platform Reference (LoPAPR).
  (bsc#1098228)


-----------------------------------------
Patch: SUSE-2018-2373
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a
  destination path was a symbolic link to a directory, possibly changing
  ownership and permissions of an arbitrary directory, and RPM files being placed
  in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
  installing an RPM. An attacker with ability to write in a directory where files
  will be installed could create symbolic links to an arbitrary location and
  modify content, and possibly permissions to arbitrary files, which could be
  used for denial of service or possibly privilege escalation (bsc#943457)

This non-security issue was fixed:

- Use ksym-provides tool [bsc#1077692]


-----------------------------------------
Patch: SUSE-2018-2375
Released: Mon Oct 22 15:30:22 2018
Summary: Security update for tiff
Severity: moderate
References: 1106853,1108627,1108637,1110358,CVE-2017-11613,CVE-2017-9935,CVE-2018-16335,CVE-2018-17100,CVE-2018-17101,CVE-2018-17795
Description:
This update for tiff fixes the following issues:

- CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637)
- CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)
- CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358)
- CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853)


-----------------------------------------
Patch: SUSE-2018-2390
Released: Tue Oct 23 11:13:23 2018
Summary: Security update for net-snmp
Severity: important
References: 1111122,CVE-2018-18065
Description:
This update for net-snmp fixes the following issues:

- CVE-2018-18065: _set_key in agent/helpers/table_container.c had a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (bsc#1111122)


-----------------------------------------
Patch: SUSE-2018-2399
Released: Tue Oct 23 16:01:04 2018
Summary: Security update for ntp
Severity: moderate
References: 1083424,1098531,1111853,CVE-2018-12327,CVE-2018-7170
Description:

NTP was updated to 4.2.8p12 (bsc#1111853):

- CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531)
- CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424)

Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information.



-----------------------------------------
Patch: SUSE-2018-2413
Released: Tue Oct 23 17:28:39 2018
Summary: Recommended update for supportutils
Severity: moderate
References: 1105849
Description:
This update for supportutils provides the following fix:

- Add vulnerabilities check. (bsc#1105849)


-----------------------------------------
Patch: SUSE-2018-2415
Released: Tue Oct 23 17:29:38 2018
Summary: Recommended update for several Python modules
Severity: moderate
References: 1054413
Description:
This update adds the Python 3 variants of the following modules to the Public Cloud Module:

- python-Pygments
- python-coverage
- python-ecdsa
- python-isodate

Additionally, the following packages have been updated:

python-Pygments from version 1.6 to 2.2.0
python-coverage from version 3.7 to 4.5.1

For a detailed description of all changes, please refer to the changelog.

-----------------------------------------
Patch: SUSE-2018-2455
Released: Thu Oct 25 11:20:07 2018
Summary: Recommended update for rsync
Severity: low
References: 1083017
Description:
This update for rsync provides the following fix:

- Do not send useless keepalive messages to sender if the file list is still being sent.
  This may cause a crash in older versions of rsync. (bsc#1083017)


-----------------------------------------
Patch: SUSE-2018-2471
Released: Thu Oct 25 16:53:41 2018
Summary: Recommended update for apparmor
Severity: moderate
References: 1040898,1046784,1047937,1057150,1111344,906858
Description:

This update for apparmor provides the following fixes:

- Add permission to open dnsmasq log files. (bsc#1111344)
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Add chown operation in adding to tree (bsc#1047937)
- Strip capability variable leading and trailing spaces (bsc#1046784)
- Force apparmor to start after local-fs.target as opposed to /var/lib (bsc#1040898)
- Avoid creating duplicate capability rules when scanning the same system log multiple times (bsc#1046784)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)


-----------------------------------------
Patch: SUSE-2018-2473
Released: Thu Oct 25 16:55:27 2018
Summary: Recommended update for tar
Severity: low
References: 1071340
Description:
This update for tar provides the following fix:

- Revert an upstream commit meant for optimizing sparse files as it causes a regression on
  offline files. (bsc#1071340)


-----------------------------------------
Patch: SUSE-2018-2474
Released: Thu Oct 25 16:55:52 2018
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1021291,1099982,1109877,1109893,408814,556664,939392
Description:
This update for libzypp and zypper fixes the following issues:

libzypp has received the following fixes and improvements:

- Add filesize check for downloads with known size (bsc#408814)
- MediaMultiCurl: Trigger aliveCallback when downloading metalink
  files (bsc#1021291)
- Fix conversion of string and glob to regex when compiling queries
  (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

zypper has received the following fixes:

- Always warn if no repos are defined, but don't return
  ZYPPER_EXIT_NO_REPOS(6) in install commands (bsc#1109893)
- man: Remove links to missing metadata section (fixes #140)


-----------------------------------------
Patch: SUSE-2018-2476
Released: Thu Oct 25 16:57:26 2018
Summary: Recommended update for fping
Severity: important
References: 988195
Description:
This update for fping provides the following fix:

-  Fix a problem that was causing fping to flood /tmp after a network stop. (bsc#988195)


-----------------------------------------
Patch: SUSE-2018-2488
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions.
  (bsc#1076810, bsc#889138)


-----------------------------------------
Patch: SUSE-2018-2500
Released: Fri Oct 26 15:18:38 2018
Summary: Recommended update for SUSEConnect
Severity: important
References: 1093658,1094348,1098220,1101470,1104183,1112702
Description:
This update for SUSEConnect fixes the following issues:

- Changed 'openssl' recommendation to 'openssl(cli)' on SLE 12 SP3+ and SLE 15+ (bsc#1101470).
- Fix s390 activation fails due to unavailable 'dmidecode'. (bsc#1112702)
- Fix migration targets sorting. (bsc#1104183)
- Detect if system is in cloud provider (AWS/Google/Azure). (fate#320935)
- Don't fail when trying to parse an empty body. (bsc#1098220)
- Don't install release packages if they are already present.
- Recommend dependencies of rmt-client-setup script. (bsc#1094348, bsc#1093658)
- Enhance error message generation.
- Add not supported operation exception to PackageSearch API.
- Prevent the automatic registration of recommended products that are not mirrored by the registration proxy.


-----------------------------------------
Patch: SUSE-2018-2516
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps.
  (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and
  console-setup. (bsc#963942)

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
    * Disable characters greater than or equal to =U+F000 as they do not work properly.
      (bsc#1085432)
    * Move initial NumLock handling from systemd back to kbd:
      * Add kbdsettings service. (bsc#1010880)
      * Exclude numlockbios support for non x86 platforms
    * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
    * Drop from some fill-up templates and a couple of sysconfig variables not read by
      systemd anymore. (fate#319454)
    * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
    * Add vlock.pamd PAM file. (bsc#1056449)
    * Enable vlock (bsc#1056449).
    * Revert dropping of kdb-legacy requirement as there are still packages and installation
      flows that needs this to be present. (bsc#1027379)
    * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
    * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
    * Call missing initrd macro at postun. (bsc#958562)
    * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table
      from xkeyboard-config converted keymaps. (fate#318426)
    * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts
      and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
    * Include xkb layouts from xkeyboard-config converted to console
      keymaps. (fate#318426)
    * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign.
      (bsc#360993)
    * Drop doshell reference from openvt.1 man page. (bsc#675317)
    * Drop the --userwait option as it is not used. (bsc#830805)
    * Fix a typo in the mac-querty-layout.inc. (bsc#825385)


-----------------------------------------
Patch: SUSE-2018-2533
Released: Tue Oct 30 16:14:24 2018
Summary: Recommended update for cronie
Severity: moderate
References: 1017160,1077979
Description:
This update for cronie provides the following fixes:

- Prefer flock locking instead of fcntl locking that has different semantics. It caused a
  bug where it was possible to run more than one cron process as the locking was not
  successful. (bsc#1017160)
- Check the existence of the user at the time the job is run and do not ignore jobs for
  users that were not existing at database reload. This prevents cron from ignoring jobs
  in user crontab for users that changed group meanwhile. (bsc#1077979)


-----------------------------------------
Patch: SUSE-2018-2542
Released: Wed Oct 31 10:45:41 2018
Summary: Security update for audiofile
Severity: moderate
References: 1111586,CVE-2018-17095
Description:
This update for audiofile fixes the following issues:

- CVE-2018-17095: A heap-based buffer overflow in Expand3To4Module::run could occurred when running sfconvert leading to crashes or code execution when handling untrusted soundfiles (bsc#1111586).


-----------------------------------------
Patch: SUSE-2018-2549
Released: Wed Oct 31 15:03:45 2018
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss
Severity: important
References: 1012260,1021577,1026191,1041469,1041894,1049703,1061204,1064786,1065464,1066489,1073210,1078436,1091551,1092697,1094767,1096515,1107343,1108771,1108986,1109363,1109465,1110506,1110507,703591,839074,857131,893359,CVE-2017-16541,CVE-2018-12376,CVE-2018-12377,CVE-2018-12378,CVE-2018-12379,CVE-2018-12381,CVE-2018-12383,CVE-2018-12385,CVE-2018-12386,CVE-2018-12387
Description:
This update for MozillaFirefox to ESR 60.2.2 fixes several issues.

These general changes are part of the version 60 release.

- New browser engine with speed improvements
- Redesigned graphical user interface elements
- Unified address and search bar for new installations
- New tab page listing top visited, recently visited and recommended pages
- Support for configuration policies in enterprise deployments via JSON files
- Support for Web Authentication, allowing the use of USB tokens for
  authentication to web sites

The following changes affect compatibility:
    
- Now exclusively supports extensions built using the WebExtension API.
- Unsupported legacy extensions will no longer work in Firefox 60 ESR
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted 
  The 'security.pki.distrust_ca_policy' preference can be set to 0 to reinstate
  trust in those certificates

The following issues affect performance:

- new format for storing private keys, certificates and certificate trust
  If the user home or data directory is on a network file system, it is
  recommended that users set the following environment variable to avoid
  slowdowns: NSS_SDB_USE_CACHE=yes
  This setting is not recommended for local, fast file systems. 

These security issues were fixed:

- CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343).
- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343).
- CVE-2018-12376: Various memory safety bugs (bsc#1107343).
- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343).
- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343).
- CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343).
- CVE-2018-12386: Type confusion in JavaScript allowed remote code execution (bsc#1110506)
- CVE-2018-12387: Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process (bsc#1110507)
- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data  (bsc#1109363)
- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords  (bsc#1107343)

This update for mozilla-nspr to version 4.19 fixes the follwing issues

- Added TCP Fast Open functionality
- A socket without PR_NSPR_IO_LAYER will no longer trigger
  an assertion when polling

This update for mozilla-nss to version 3.36.4 fixes the follwing issues

- Connecting to a server that was recently upgraded to TLS 1.3
  would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Replaces existing vectorized ChaCha20 code with verified
  HACL* implementation.
- TLS 1.3 support has been updated to draft -23.
- Added formally verified implementations of non-vectorized Chacha20
  and non-vectorized Poly1305 64-bit.
- The following CA certificates were Removed:
  OU = Security Communication EV RootCA1
  CN = CA Disig Root R1
  CN = DST ACES CA X6
  Certum CA, O=Unizeto Sp. z o.o.
  StartCom Certification Authority
  StartCom Certification Authority G2
  TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  ACEDICOM Root
  Certinomis - Autorité Racine
  TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  PSCProcert
  CA 沃通根证书, O=WoSign CA Limited
  Certification Authority of WoSign
  Certification Authority of WoSign G2
  CA WoSign ECC Root
  Subject CN = VeriSign Class 3 Secure Server CA - G2
  O = Japanese Government, OU = ApplicationCA
  CN = WellsSecure Public Root Certificate Authority
  CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  CN = Microsec e-Szigno Root
* The following CA certificates were Removed:
  AddTrust Public CA Root
  AddTrust Qualified CA Root
  China Internet Network Information Center EV Certificates Root
  CNNIC ROOT
  ComSign Secured CA
  GeoTrust Global CA 2
  Secure Certificate Services
  Swisscom Root CA 1
  Swisscom Root EV CA 2
  Trusted Certificate Services
  UTN-USERFirst-Hardware
  UTN-USERFirst-Object
* The following CA certificates were Added
  CN = D-TRUST Root CA 3 2013
  CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
  GDCA TrustAUTH R5 ROOT
  SSL.com Root Certification Authority RSA
  SSL.com Root Certification Authority ECC
  SSL.com EV Root Certification Authority RSA R2
  SSL.com EV Root Certification Authority ECC
  TrustCor RootCert CA-1
  TrustCor RootCert CA-2
  TrustCor ECA-1
* The Websites (TLS/SSL) trust bit was turned off for the following
  CA certificates:
  CN = Chambers of Commerce Root
  CN = Global Chambersign Root
* TLS servers are able to handle a ClientHello statelessly, if the
  client supports TLS 1.3.  If the server sends a HelloRetryRequest,
  it is possible to discard the server socket, and make a new socket
  to handle any subsequent ClientHello. This better enables stateless
  server operation. (This feature is added in support of QUIC, but it
  also has utility for DTLS 1.3 servers.)

Due to the update of mozilla-nss apache2-mod_nss needs to be updated to 
change to the SQLite certificate database, which is now the default (bsc#1108771)
  

-----------------------------------------
Patch: SUSE-2018-2563
Released: Fri Nov  2 17:09:49 2018
Summary: Security update for curl
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:

- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)



-----------------------------------------
Patch: SUSE-2018-2582
Released: Mon Nov  5 17:58:21 2018
Summary: Security update for opensc
Severity: moderate
References: 1104812,1106998,1106999,1107033,1107034,1107037,1107038,1107039,1107097,1107107,1108318,CVE-2018-16391,CVE-2018-16392,CVE-2018-16393,CVE-2018-16418,CVE-2018-16419,CVE-2018-16420,CVE-2018-16422,CVE-2018-16423,CVE-2018-16426,CVE-2018-16427
Description:
This update for opensc fixes the following issues:

- CVE-2018-16391: Fixed a denial of service when handling responses from a Muscle Card (bsc#1106998)
- CVE-2018-16392: Fixed a denial of service when handling responses from a TCOS Card (bsc#1106999)
- CVE-2018-16393: Fixed buffer overflows when handling responses from Gemsafe V1 Smartcards (bsc#1108318)
- CVE-2018-16418: Fixed buffer overflow when handling string concatenation in util_acl_to_str (bsc#1107039)
- CVE-2018-16419: Fixed several buffer overflows when handling responses from a Cryptoflex card (bsc#1107107)
- CVE-2018-16420: Fixed buffer overflows when handling responses from an ePass 2003 Card (bsc#1107097)
- CVE-2018-16422: Fixed single byte buffer overflow when handling responses from an esteid Card (bsc#1107038)
- CVE-2018-16423: Fixed double free when handling responses from a smartcard (bsc#1107037)
- CVE-2018-16426: Fixed endless recursion when handling responses from an IAS-ECC card (bsc#1107034)
- CVE-2018-16427: Fixed out of bounds reads when handling responses in OpenSC (bsc#1107033)



-----------------------------------------
Patch: SUSE-2018-2593
Released: Wed Nov  7 11:04:00 2018
Summary: Recommended update for rpm
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms
  scripts (bsc#1095148)

-----------------------------------------
Patch: SUSE-2018-2594
Released: Wed Nov  7 11:13:54 2018
Summary: Security update for libarchive
Severity: moderate
References: 1032089,1037008,1037009,1057514,1059100,1059134,1059139,CVE-2016-10209,CVE-2016-10349,CVE-2016-10350,CVE-2017-14166,CVE-2017-14501,CVE-2017-14502,CVE-2017-14503
Description:
This update for libarchive fixes the following issues:

- CVE-2016-10209: The archive_wstring_append_from_mbs function in archive_string.c allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. (bsc#1032089)
- CVE-2016-10349: The archive_le32dec function in archive_endian.h allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037008)
- CVE-2016-10350: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037009)
- CVE-2017-14166: libarchive allowed remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c. (bsc#1057514)
- CVE-2017-14501: An out-of-bounds read flaw existed in parse_file_info in archive_read_support_format_iso9660.c when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (bsc#1059139)
- CVE-2017-14502: read_header in archive_read_support_format_rar.c suffered from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. (bsc#1059134)
- CVE-2017-14503: libarchive suffered from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (bsc#1059100)



-----------------------------------------
Patch: SUSE-2018-2637
Released: Mon Nov 12 20:38:05 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1104700,1113554
Description:
This update provides the latest time zone definitions (2018g), including the following changes:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates



-----------------------------------------
Patch: SUSE-2018-2640
Released: Mon Nov 12 20:39:16 2018
Summary: Recommended update for nfsidmap
Severity: moderate
References: 1098217
Description:
This update for nfsidmap fixes the following issues:

- Improve support for SAMBA with Active Directory. (bsc#1098217)


-----------------------------------------
Patch: SUSE-2018-2698
Released: Fri Nov 16 16:02:16 2018
Summary: Security update for openssh
Severity: moderate
References: 1091396,1105010,1106163,964336,982273,CVE-2018-15473,CVE-2018-15919
Description:
This update for openssh fixes the following issues:

Following security issues have been fixed:

- CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability. (bsc#1106163)
- CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)

Also the following security related hardening change was done:

- Remove arcfour,cast,blowfish from list of default ciphers. (bsc#982273)

And the following non-security issues were fixed:

- Stop leaking File descriptors (bsc#964336)
- sftp-client.c returns wrong error code upon failure (bsc#1091396)


-----------------------------------------
Patch: SUSE-2018-2722
Released: Tue Nov 20 18:35:52 2018
Summary: Recommended update for openssh
Severity: important
References: 1115654,1116577,CVE-2018-15919
Description:
This update for openssh fixes the following issues:

- Revert fix for CVE-2018-15919 which could have caused login problems
  with GSSAPI authentication (bsc#1115654, bsc#1116577)

  

-----------------------------------------
Patch: SUSE-2018-2734
Released: Thu Nov 22 13:27:05 2018
Summary: Recommended update for udisks2
Severity: moderate
References: 1091274
Description:
This update for udisks2 provides the following fix:

- Fix a watcher error for non-redundant raid devices. (bsc#1091274)


-----------------------------------------
Patch: SUSE-2018-2766
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a
  destination path was a symbolic link to a directory, possibly changing
  ownership and permissions of an arbitrary directory, and RPM files being placed
  in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
  installing an RPM. An attacker with ability to write in a directory where files
  will be installed could create symbolic links to an arbitrary location and
  modify content, and possibly permissions to arbitrary files, which could be
  used for denial of service or possibly privilege escalation (bsc#943457)

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS,
they have already been released for SUSE Linux Enterprise Server 12 SP3.



-----------------------------------------
Patch: SUSE-2018-1697
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1696
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).


-----------------------------------------
Patch: SUSE-2018-2782
Released: Mon Nov 26 17:46:59 2018
Summary: Security update for tiff
Severity: moderate
References: 1099257,1113094,1113672,CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).                                                                                             
- CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).                                                                               
- CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094).

Non-security issues fixed:

- asan_build: build ASAN included
- debug_build: build more suitable for debugging


-----------------------------------------
Patch: SUSE-2018-2789
Released: Tue Nov 27 00:24:07 2018
Summary: Recommended update for plymouth
Severity: moderate
References: 1000597,1031364,1036172,1043834,804607,894051,948975,981588
Description:

This update for plymouth provides the following fixes:

- If a drm enabled device fails to work, switch to regular framebuffer mode as a
  fallback. (bsc#981588)
- Use a device timeout instead of udev coldplug to prevent errors when initramfs
  finishes before udev has informed plymouth about the drm devices. (bsc#948975,
  bsc#1000597, bsc#1036172, bsc#1031364).
- Drop a previous fix for window size and use of the smallest screen size deliberately.
  (bsc#804607, bsc#894051)


-----------------------------------------
Patch: SUSE-2018-2824
Released: Mon Dec  3 15:34:09 2018
Summary: Security update for ncurses
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).


-----------------------------------------
Patch: SUSE-2018-2839
Released: Wed Dec  5 09:32:05 2018
Summary: Recommended update for pcsc-lite
Severity: low
References: 974632
Description:
This update for pcsc-lite provides the following fix:

- Remove the initscript installation and rely on the already distributed systemd service.
  (bsc#974632)


-----------------------------------------
Patch: SUSE-2018-2842
Released: Wed Dec  5 10:00:35 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1044232
Description:
This update for suse-build-key fixes the following issues:

- Install the PTF key also to /usr/lib/rpm/gnupg/keys/ so it can exists also
  on systems where documentation is not installed. (bsc#1044232)


-----------------------------------------
Patch: SUSE-2018-2917
Released: Wed Dec 12 16:05:34 2018
Summary: Security update for cups
Severity: important
References: 1115750,CVE-2018-4700
Description:
This update for cups fixes the following issues:

Security issue fixed:

- CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750).


-----------------------------------------
Patch: SUSE-2018-2946
Released: Mon Dec 17 08:50:42 2018
Summary: Security update for tcpdump
Severity: moderate
References: 1117267,CVE-2018-19519
Description:
This update for tcpdump fixes the following issues:

Security issues fixed:

- CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267)


-----------------------------------------
Patch: SUSE-2018-2991
Released: Wed Dec 19 14:17:13 2018
Summary: Security update for tiff
Severity: moderate
References: 1017693,1054594,1115717,990460,CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Description:
This update for tiff fixes the following issues:

Security issues fixed:                                   
    
- CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594).
- CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).
- CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).
- CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).
- CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).


-----------------------------------------
Patch: SUSE-2018-3002
Released: Wed Dec 19 21:50:43 2018
Summary: Recommended update for psmisc
Severity: moderate
References: 1098697,1112780
Description:
This update for psmisc provides the following fix:

- Make the fuser option -m <block_device> work even with mountinfo. (bsc#1098697)
- Support also btrFS entries in mountinfo, that is use stat to determine the device of the
  mounted subvolume. (bsc#1098697, bsc#1112780)
- Respect that the seventh field(s) before the single hyphen of mountinfo are optional
  fields.


-----------------------------------------
Patch: SUSE-2018-3029
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)


-----------------------------------------
Patch: SUSE-2018-3043
Released: Fri Dec 21 17:37:53 2018
Summary: Recommended update for python-six
Severity: low
References: 1057496,1113302
Description:

python-six was updated to 1.11.0.

Changes:

- `with_metaclass` now properly proxies `__prepare__` to the underlying metaclass.
- Allow `with_metaclass` to work with metaclasses implemented in C.
- Add parse_http_list and parse_keqv_list to moved urllib.request.
- Add unquote_to_bytes to moved urllib.parse.
- Add `six.moves.getoutput`.
- Add `six.moves.urllib_parse.splitvalue`.
- Add `six.moves.email_mime_image`.
- Avoid creating reference cycles through tracebacks in `reraise`.
- Improve the performance of `six.int2byte` on Python 3.
- Don't add the `winreg` module to `six.moves` on non-Windows platforms.
- Add `six.moves.getcwd` and `six.moves.getcwdu`.
- Add `create_unbound_method` to create unbound methods.



-----------------------------------------
Patch: SUSE-2018-3045
Released: Fri Dec 21 18:49:12 2018
Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Severity: important
References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Description:
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
  to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
  SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)


-----------------------------------------
Patch: SUSE-2019-19
Released: Fri Jan  4 12:37:51 2019
Summary: Security update for polkit
Severity: moderate
References: 1118277,CVE-2018-19788
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-19788: Fixed handling of UIDs over MAX_UINT (bsc#1118277)


-----------------------------------------
Patch: SUSE-2019-43
Released: Tue Jan  8 13:07:17 2019
Summary: Recommended update for acl
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).


-----------------------------------------
Patch: SUSE-2019-52
Released: Wed Jan  9 17:36:15 2019
Summary: Recommended update for apparmor
Severity: moderate
References: 1111344
Description:
This update for apparmor fixes the following issues:

- The dnsmasq profile was adjusted to better handle the logfile pattern.  (bsc#1111344)


-----------------------------------------
Patch: SUSE-2019-53
Released: Wed Jan  9 22:07:57 2019
Summary: Security update for systemd
Severity: important
References: 1068588,1071558,1113665,1120323,CVE-2018-15686,CVE-2018-16864,CVE-2018-16865
Description:
This update for systemd fixes the following issues:

* Fix security vulnerabilities CVE-2018-16864 and CVE-2018-16865 (bsc#1120323):
  Both issues were memory corruptions via attacker-controlled alloca which could
  have been used to gain root privileges by a local attacker.

* Fix security vulnerability CVE-2018-15686 (bsc#1113665): A vulnerability in
  unit_deserialize of systemd used to allow an attacker to supply arbitrary
  state across systemd re-execution via NotifyAccess. This could have been used
  to improperly influence systemd execution and possibly lead to root privilege
  escalation.

* Remedy 2048 character line-length limit in systemd-sysctl code that would
  cause parser failures if /etc/sysctl.conf contained lines that exceeded this
  length (bsc#1071558).

* Fix a bug in systemd's core timer code that would cause timer looping under
  certain conditions, resulting in hundreds of syslog messages being written to
  the journal (bsc#1068588).


-----------------------------------------
Patch: SUSE-2019-101
Released: Tue Jan 15 18:02:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1120402
Description:
This update for timezone fixes the following issues:

- Update 2018i:
  São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
  Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
  New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
  Metlakatla, Alaska observes PST this winter only
  Guess Morocco will continue to adjust clocks around Ramadan
  Add predictions for Iran from 2038 through 2090  


-----------------------------------------
Patch: SUSE-2019-107
Released: Wed Jan 16 11:56:21 2019
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1090767,1121045,1121207
Description:
This update for mozilla-nss fixes the following issues:

- The hmac packages used for FIPS certification inadvertently removed in last update: re-added.  (bsc#1121207)
- Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)


-----------------------------------------
Patch: SUSE-2019-113
Released: Thu Jan 17 14:19:52 2019
Summary: Security update for krb5
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)


-----------------------------------------
Patch: SUSE-2019-125
Released: Fri Jan 18 14:19:13 2019
Summary: Security update for openssh
Severity: important
References: 1121571,1121816,1121818,1121821,CVE-2018-20685,CVE-2019-6109,CVE-2019-6110,CVE-2019-6111
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)
- CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)
- CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)
- CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)


-----------------------------------------
Patch: SUSE-2019-143
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Severity: important
References: 1121450
Description:

This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)


-----------------------------------------
Patch: SUSE-2019-149
Released: Wed Jan 23 17:58:18 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1121446
Description:
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)


-----------------------------------------
Patch: SUSE-2019-213
Released: Thu Jan 31 13:06:26 2019
Summary: Recommended update for openssh
Severity: important
References: 1123028
Description:
This update for openssh fixes the following issues:

- A previously applied security patch unintendedly changed the behavior of
  OpenSSH's 'scp' utility such that server-side brace expansion would no longer
  be supported. Attempts to copy a set files from a remote machine to the local
  one by running 'scp 'remote:{file-a,file-b}' /tmp' would fail. This change in
  behavior broke Corosync and, potentially, many user scripts that relied on
  brace expansion. [bsc#1123028]


-----------------------------------------
Patch: SUSE-2019-218
Released: Thu Jan 31 20:30:20 2019
Summary: Recommended update for kmod
Severity: moderate
References: 1118629
Description:
This update for kmod fixes the following issues:

- Fix module dependency file corruption on parallel invocation (bsc#1118629).

-----------------------------------------
Patch: SUSE-2019-223
Released: Fri Feb  1 15:42:19 2019
Summary: Security update for python
Severity: important
References: 1122191,984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2019-5010
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751)
- CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177)
- CVE-2016-5699: incorrect validation of HTTP headers allow header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)


-----------------------------------------
Patch: SUSE-2019-249
Released: Wed Feb  6 08:36:16 2019
Summary: Security update for curl
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).


-----------------------------------------
Patch: SUSE-2019-336
Released: Tue Feb 12 14:16:02 2019
Summary: Security update for MozillaFirefox
Severity: important
References: 1120374,1122983,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505
Description:
This update for MozillaFirefox fixes the following issues:

Security issues fixed:

CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (boo#1122983).
CVE-2018-18501: Fixed multiple memory safety bugs (boo#1122983).
CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (boo#1122983).


-----------------------------------------
Patch: SUSE-2019-375
Released: Wed Feb 13 14:03:33 2019
Summary: Recommended update for boost
Severity: moderate
References: 1089363
Description:
This update for boost fixes the following issues:
    
- Fixes build issues caused by the Boost.Context library. (bnc#1089363)


-----------------------------------------
Patch: SUSE-2019-424
Released: Mon Feb 18 17:46:31 2019
Summary: Security update for systemd
Severity: important
References: 1125352,CVE-2019-6454
Description:
This update for systemd fixes the following issues:

Security vulnerability fixed:

- CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS
  message on the system bus by an unprivileged user (bsc#1125352)


-----------------------------------------
Patch: SUSE-2019-450
Released: Wed Feb 20 16:42:38 2019
Summary: Security update for procps
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

  
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)


-----------------------------------------
Patch: SUSE-2019-510
Released: Thu Feb 28 09:53:08 2019
Summary: Security update for bluez
Severity: moderate
References: 1013721,1013732,1013877,1015173,1026652,1057342,CVE-2016-7837,CVE-2016-9800,CVE-2016-9801,CVE-2016-9804,CVE-2016-9918,CVE-2017-1000250
Description:
This update for bluez fixes the following issues:

Security issues fixed:

- CVE-2016-7837: Fixed possible buffer overflow, make sure we don't write past the end of the array.(bsc#1026652)
- CVE-2016-9800: Fix hcidump memory leak in pin_code_reply_dump() (bsc#1013721).
- CVE-2016-9801: Fixed a buffer overflow in set_ext_ctrl function (bsc#1013732)
- CVE-2016-9804: Fix hcidump buffer overflow in commands_dump() (bsc#1013877).
- CVE-2016-9918: Fixed an out-of-bounds read in packet_hexdump() (bsc#1015173)
- CVE-2017-1000250: Fixed a information leak in SDP (part of the recently published BlueBorne vulnerabilities) (bsc#1057342)


-----------------------------------------
Patch: SUSE-2019-558
Released: Wed Mar  6 14:06:36 2019
Summary: Recommended update for cups
Severity: moderate
References: 1118118
Description:
This update for cups fixes the following issues:

- Fixed a cups crash when using utf8 filenames (bsc#1118118)


-----------------------------------------
Patch: SUSE-2019-655
Released: Wed Mar 20 10:30:49 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Description:
This update for libssh2_org fixes the following issues:

Security issues fixed: 	  

- CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
- CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492).
- CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
- CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes 
  with specially crafted keyboard responses (bsc#1128493).
- CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write 
  with specially crafted payload (bsc#1128472).
- CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require 
  and _libssh2_packet_requirev (bsc#1128480).
- CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially 
  crafted payload (bsc#1128471).
- CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted 
  SFTP packet (bsc#1128476).
- CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially 
  crafted message channel request SSH packet (bsc#1128474).

Other issue addressed: 

- Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236).
 

-----------------------------------------
Patch: SUSE-2019-747
Released: Tue Mar 26 14:35:16 2019
Summary: Security update for gd
Severity: moderate
References: 1123361,1123522,CVE-2019-6977,CVE-2019-6978
Description:
This update for gd fixes the following issues:

Security issues fixed:

- CVE-2019-6977: Fixed a heap-based buffer overflow the GD Graphics Library used in the imagecolormatch function (bsc#1123361).
- CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions (bsc#1123522).


-----------------------------------------
Patch: SUSE-2019-775
Released: Wed Mar 27 11:38:37 2019
Summary: Security update for ntp
Severity: moderate
References: 1128525,CVE-2019-8936
Description:
This update for ntp fixes the following issues:
	  
Security issue fixed: 	  

- CVE-2019-8936: Fixed a null pointer exception which could allow an authenticated attcker to cause 
  segmentation fault to ntpd (bsc#1128525).

Other issues addressed:

- Fixed several bugs in the BANCOMM reclock driver.
- Fixed ntp_loopfilter.c snprintf compilation warnings.
- Fixed spurious initgroups() error message.
- Fixed STA_NANO struct timex units.
- Fixed GPS week rollover in libparse.
- Fixed incorrect poll interval in packet.
- Added a missing check for ENABLE_CMAC.


-----------------------------------------
Patch: SUSE-2019-776
Released: Wed Mar 27 11:39:14 2019
Summary: Security update for w3m
Severity: moderate
References: 1077559,1077568,1077572,CVE-2018-6196,CVE-2018-6197,CVE-2018-6198
Description:
This update for w3m fixes several issues.

These security issues were fixed:

- CVE-2018-6196: Prevent infinite recursion in HTMLlineproc0 caused by the feed_table_block_tag function which did not prevent a negative indent value (bsc#1077559)
- CVE-2018-6197: Prevent NULL pointer dereference in formUpdateBuffer (bsc#1077568)
- CVE-2018-6198: w3m did not properly handle temporary files when the ~/.w3m directory is unwritable, which allowed a local attacker to craft a symlink attack to overwrite arbitrary files (bsc#1077572)


-----------------------------------------
Patch: SUSE-2019-799
Released: Fri Mar 29 07:06:57 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1130557
Description:
This update for timezone fixes the following issues:

timezone was update to 2019a (bsc#1130557):

* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data


-----------------------------------------
Patch: SUSE-2019-839
Released: Tue Apr  2 13:13:21 2019
Summary: Security update for file
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Description:
This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- Fixed an out-of-bounds read in the function do_core_note in readelf.c, which
  allowed remote attackers to cause a denial of service (application crash) via
  a crafted ELF file (bsc#1096974 CVE-2018-10360).
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
  (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
  (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
  (bsc#1126117)


-----------------------------------------
Patch: SUSE-2019-898
Released: Mon Apr  8 11:08:57 2019
Summary: Security update for bash
Severity: important
References: 1130324,CVE-2019-9924
Description:
This update for bash fixes the following issues:

Security issue fixed: 

- CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS 
  allowing the user to execute any command with the permissions of the shell (bsc#1130324).


-----------------------------------------
Patch: SUSE-2019-899
Released: Mon Apr  8 11:09:45 2019
Summary: Security update for SDL
Severity: moderate
References: 1124799,1124800,1124802,1124803,1124805,1124806,1124824,1124825,1124826,1124827,1125099,CVE-2019-7572,CVE-2019-7573,CVE-2019-7574,CVE-2019-7575,CVE-2019-7576,CVE-2019-7577,CVE-2019-7578,CVE-2019-7635,CVE-2019-7636,CVE-2019-7637,CVE-2019-7638
Description:
This update for SDL fixes the following issues:
	  
Security issues fixed:	  

- CVE-2019-7572: Fixed a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(bsc#1124806).
- CVE-2019-7578: Fixed a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c (bsc#1125099).
- CVE-2019-7576: Fixed heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124799).
- CVE-2019-7573: Fixed a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124805).
- CVE-2019-7635: Fixed a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. (bsc#1124827).
- CVE-2019-7636: Fixed a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c (bsc#1124826).
- CVE-2019-7638: Fixed a heap-based buffer over-read in Map1toN in video/SDL_pixels.c (bsc#1124824).
- CVE-2019-7574: Fixed a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c (bsc#1124803).
- CVE-2019-7575: Fixed a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c (bsc#1124802).
- CVE-2019-7637: Fixed a heap-based buffer overflow in SDL_FillRect function in SDL_surface.c (bsc#1124825).
- CVE-2019-7577: Fixed a buffer over read in SDL_LoadWAV_RW in audio/SDL_wave.c (bsc#1124800). 


-----------------------------------------
Patch: SUSE-2019-931
Released: Thu Apr 11 11:11:13 2019
Summary: Security update for openldap2
Severity: important
References: 1031702,1037396,1041764,1065083,1073313,CVE-2017-17740,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764).
- CVE-2017-17740: Fixed a denial of service (slapd crash) via a member MODDN operation that could have been triggered when both the nops module and the memberof overlay are enabled (bsc#1073313).

Non-security issues fixed:

- Fix a regression in handling of non-blocking connections (bsc#1031702)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix libldap leaks socket descriptors issue (bsc#1065083)


-----------------------------------------
Patch: SUSE-2019-941
Released: Fri Apr 12 15:58:06 2019
Summary: Security update for openssh
Severity: moderate
References: 1090671,1115550,1119183,1121816,1121821,CVE-2019-6109,CVE-2019-6111
Description:
This update for openssh fixes the following issues:

Security vulnerabilities addressed:

- CVE-2019-6109: Fixed an character encoding issue in the progress display of
  the scp client that could be used to manipulate client output, allowing
  for spoofing during file transfers (bsc#1121816).
- CVE-2019-6111: Properly validate object names received by the scp client to
  prevent arbitrary file overwrites when interacting with a malicious SSH server
  (bsc#1121821).

Other issues fixed: 

- Fixed two race conditions in sshd relating to SIGHUP (bsc#1119183).
- Returned proper reason for port forwarding failures (bsc#1090671).
- Fixed SSHD termination of multichannel sessions with non-root users (bsc#1115550).


-----------------------------------------
Patch: SUSE-2019-956
Released: Tue Apr 16 13:07:38 2019
Summary: Security update for wget
Severity: important
References: 1131493,CVE-2019-5953
Description:
This update for wget fixes the following issues:

Security issue fixed:

- CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).


-----------------------------------------
Patch: SUSE-2019-973
Released: Wed Apr 17 14:44:30 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1119687,1131576,987394,CVE-2016-6153,CVE-2018-20346,CVE-2018-20506
Description:
This update for sqlite3 fixes the following issues:

Security issues fixed: 

- CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576).    
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
- CVE-2016-6153: Fixed incorrect permissions when creating temporary files (bsc#987394).	  


-----------------------------------------
Patch: SUSE-2019-996
Released: Tue Apr 23 18:42:35 2019
Summary: Security update for curl
Severity: important
References: 1112758,1131886,CVE-2018-16839
Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758).


-----------------------------------------
Patch: SUSE-2019-1046
Released: Fri Apr 26 11:06:45 2019
Summary: Recommended update for openssh
Severity: important
References: 1131709,1133386
Description:

This update for openssh fixes a regression.

- The port forwarding functionality of ssh was not working (bsc#1131709 bsc#1133386)
  

-----------------------------------------
Patch: SUSE-2019-1060
Released: Sat Apr 27 09:45:38 2019
Summary: Security update for libssh2_org
Severity: important
References: 1130103,1133528,CVE-2019-3859
Description:
This update for libssh2_org fixes the following issues:

 - Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]



-----------------------------------------
Patch: SUSE-2019-1104
Released: Tue Apr 30 12:09:07 2019
Summary: Recommended update for gcc48
Severity: moderate
References: 1131264,SLE-6738
Description:
This update for gcc48 fixes the following issues:

- Disable switch jump tables when retpolines are enabled to increase performance of code using retpolines (bsc#1131264, jsc#SLE-6738)



-----------------------------------------
Patch: SUSE-2019-1106
Released: Tue Apr 30 12:11:46 2019
Summary: Recommended update for glibc
Severity: important
References: 1100396,1103244
Description:
This update for glibc fixes the following issues:

- Add support for the new Japanese time era name that comes into
  effect on 2019-05-01. [bsc#1100396, bsc#1103244]


-----------------------------------------
Patch: SUSE-2019-1111
Released: Tue Apr 30 12:59:27 2019
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1096209,1098155,1128712,CVE-2018-1152,CVE-2018-11813,CVE-2018-14498
Description:
This update for libjpeg-turbo fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function
  which could allow to an attacker to cause denial of service (bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c,
  which allowed remote attackers to cause a denial-of-service via crafted JPG
  files due to a large loop (bsc#1096209)
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused
  by a divide by zero when processing a crafted BMP image (bsc#1098155)


-----------------------------------------
Patch: SUSE-2019-1122
Released: Tue Apr 30 18:03:55 2019
Summary: Security update for hostinfo, supportutils
Severity: important
References: 1054979,1099498,1115245,1117751,1117776,1118460,1118462,1118463,1125623,1125666,CVE-2018-19636,CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Description:
This update for hostinfo, supportutils fixes the following issues:
	  
Security issues fixed for supportutils:

- CVE-2018-19640: Fixed an issue where  users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
- CVE-2018-19636: Fixed a local root exploit via inclusion of attacker controlled shell script (bsc#1117751).

Other issues fixed for supportutils:

- Fixed invalid exit code commands (bsc#1125666)
- SUSE separation in supportconfig (bsc#1125623)
- Clarified supportconfig(8) -x option (bsc#1115245)
- supportconfig: 3.0.127
- btrfs filesystem usage
- List products.d
- Dump lsof errors
- Added ha commands for corosync
- Dumped find errors in ib_info

Issues fixed in hostinfo:
- Removed extra kernel install dates (bsc#1099498)
- Resolved network bond issue (bsc#1054979)


-----------------------------------------
Patch: SUSE-2019-1131
Released: Thu May  2 15:39:59 2019
Summary: Recommended update for libidn
Severity: moderate
References: 1092034
Description:
This update for libidn fixes the following issues:

- Obsoletes now the libidn 32bit package (bsc#1092034)


-----------------------------------------
Patch: SUSE-2019-1133
Released: Thu May  2 17:57:10 2019
Summary: Recommended update for quota
Severity: moderate
References: 1055450,1069468,1104898,1131513,SLE-5734
Description:
This update for quota fixes the following issues:

Quota was updated to the 4.05 release (jsc#SLE-5734).

* This release includes mostly various smaller cleanups and fixes in various areas.
* Most visible changes are addition of f2fs and exfs among recognized filesystems.
* support for new kernel interface that allows for repquota(8) to work
  reliably also for XFS or ext4 with quota feature and generally other
  filesystem where quota files are not available to quota-tools
* IPv6 support for rpc.quotad and all other tools.
* Tons of various fixes

Other changes:

- Remove quot binary functionality could be achieved by using
  repquota instead
- Fixed high cpu load issue (bsc#1104898)
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (bsc#1069468)
- Enable ldapmail feature (bsc#1055450)


-----------------------------------------
Patch: SUSE-2019-1158
Released: Mon May  6 13:47:06 2019
Summary: Recommended update for procinfo
Severity: moderate
References: 1131008,900125
Description:
This update for procinfo fixes the following issues:

- Fix a segfault during 'procinfo -a' by increasing the number of
  available devices. (bsc#900125, bsc#1131008)


-----------------------------------------
Patch: SUSE-2019-1167
Released: Tue May  7 11:21:44 2019
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1128969,959561
Description:
This update for SUSEConnect fixes the following issues:

- Does no longer try to remove a service during migration, if a zypper service plugin
  already exists (bsc#1128969)
- Shows non-enabled extensions with a remark about availability
- Adds output information about registration and unregistration progress
- Output proper message when SUSEConnect is called without parameters (bsc#959561)
- Default to https URI when no protocol prefix is provided for --url
- Support transactional-update systems (fate#326482)


-----------------------------------------
Patch: SUSE-2019-1194
Released: Wed May  8 17:05:23 2019
Summary: Security update for samba
Severity: moderate
References: 1106119,1131060,CVE-2019-3880
Description:
This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Save registry file outside share as unprivileged user (bsc#1131060).

Non-security issue fixed:

- Backport changes to support quotas with SMB2 (bsc#1106119).


-----------------------------------------
Patch: SUSE-2019-1232
Released: Tue May 14 17:07:56 2019
Summary: Security update for libxslt
Severity: moderate
References: 1132160,CVE-2019-11068
Description:
This update for libxslt fixes the following issues:

- CVE-2019-11068: Fixed a protection mechanism bypass where callers of 
  xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an
  error (bsc#1132160).


-----------------------------------------
Patch: SUSE-2019-1284
Released: Fri May 17 13:19:53 2019
Summary: Recommended update for postfix
Severity: moderate
References: 1045264,1104543,771811
Description:
This update for postfix fixes the following issues:

- config.postfix does not start tlsmgr in master.cf
  when using POSTFIX_SMTP_TLS_CLIENT='must'. (bsc#1104543)

- L3: postmap error. Applying proposed patch of leen.meyer@ziggo.nl (bsc#1045264)


-----------------------------------------
Patch: SUSE-2019-1288
Released: Fri May 17 16:08:49 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1031240,1034862,1042863,1066674,1071021,1086535,1094825,1102517,1103097,1104367,1105025,1105296,1106913,1107829,1108498,1111331,1111516,1113751,1114648,1116345,1116841,1118152,1118319,1119714,1119946,1120743,1120758,1124728,1124732,1124735,1128166,1131416,1131427,1132828,1133188,CVE-2017-1000407,CVE-2017-16533,CVE-2017-7273,CVE-2017-7472,CVE-2018-14633,CVE-2018-15572,CVE-2018-16884,CVE-2018-18281,CVE-2018-18386,CVE-2018-18690,CVE-2018-18710,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-5391,CVE-2018-9516,CVE-2018-9568,CVE-2019-11486,CVE-2019-3459,CVE-2019-3460,CVE-2019-3882,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222,CVE-2019-9213,CVE-2019-9503
Description:


The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)

- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel.

For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736

The following security bugs were fixed:

- CVE-2018-15572: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517 bnc#1105296).
- CVE-2019-11486: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel has multiple race conditions (bnc#1133188).
- CVE-2019-9503: Multiple brcmfmac frame validation bypasses have been fixed (bnc#1132828).
- CVE-2019-3882: A flaw was found in the vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). (bnc#1131416 bnc#1131427).
- CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).
- CVE-2019-3459: A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel (bnc#1120758).
- CVE-2019-3460: A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel (bnc#1120758).
- CVE-2019-7222: The KVM implementation had an Information Leak (bnc#1124735).
- CVE-2019-7221: The KVM implementation had a Use-after-Free (bnc#1124732).
- CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728).
- CVE-2018-5391: The Linux kernel was vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size (bnc#1103097).
- CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
- CVE-2018-19985: The function hso_get_config_data in drivers/net/usb/hso.c reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allowed arbitrary read in the kernel address space (bnc#1120743).
- CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
- CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
- CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).
- CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
- CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
- CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
- CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
- CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
- CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240).
- CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).
- CVE-2017-1000407: The Linux Kernel is affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (bnc#1071021).
- CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108498).
- CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. (bnc#1107829).
- CVE-2017-7472: The KEYS subsystem allowed local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (bnc#1034862).

The following non-security bugs were fixed:

- blkback/blktap: do not leak stack data via response ring (bsc#1042863 XSA-216).
- kvm: x86: Fix the duplicated failure path handling in vmx_init (bsc#1104367).
- kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (bsc#1111331).
- locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a new <linux/bits.h> file (bsc#1111331).
- net: ipv4: do not handle duplicate fragments as overlapping (bsc#1116345).
- sched/core: Optimize SCHED_SMT (bsc#1111331)
- sched/smt: Expose sched_smt_present static key (bsc#1106913).
- sched/smt: Make sched_smt_present track topology (bsc#1106913).
- sched/smt: Update sched_smt_present at runtime (bsc#1111331)
- tcp: prevent bogus FRTO undos with non-SACK flows (bsc#1086535).
- x86/bugs: Rename SSBD_NO to SSB_NO (bsc#1111331)
- x86/cpu: Sanitize FAM6_ATOM naming (bsc#1111331).
- x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (bsc#1111331).
- x86/kvm/vmx: Add MDS protection when L1D Flush is not active (bsc#1111331).
- x86/mce: Improve error message when kernel cannot recover, p2 (bsc#1114648).
- x86/msr-index: Cleanup bit defines (bsc#1111331).
- x86/spec_ctrl: Fix spec_ctrl reporting (bsc#1106913, bsc#1111516).
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (bsc#1106913).
- x86/speculation: Consolidate CPU whitelists (bsc#1111331).
- x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (bsc#1106913).
- x86/speculation/mds: Add basic bug infrastructure for MDS (bsc#1111331).
- x86/speculation/mds: Add BUG_MSBDS_ONLY (bsc#1111331).
- x86/speculation/mds: Add mds_clear_cpu_buffers() (bsc#1111331).
- x86/speculation/mds: Add mitigation control for MDS (bsc#1111331).
- x86/speculation/mds: Add mitigation mode VMWERV (bsc#1111331).
- x86/speculation/mds: Add sysfs reporting for MDS (bsc#1111331).
- x86/speculation/mds: Clear CPU buffers on exit to user (bsc#1111331).
- x86/speculation/mds: Conditionally clear CPU buffers on idle entry (bsc#1111331).
- x86/speculation: Remove redundant arch_smt_update() invocation (bsc#1111331).
- x86/speculation: Rework SMT state change (bsc#1111331).
- x86/speculation: Simplify the CPU bug detection logic (bsc#1111331).
- x86/uaccess: Do not leak the AC flag into __put_user() value evaluation (bsc#1114648).


-----------------------------------------
Patch: SUSE-2019-1323
Released: Thu May 23 15:16:25 2019
Summary: Security update for python-Jinja2
Severity: important
References: 1132174,CVE-2016-10745
Description:
This update for python-Jinja2 fixes the following issues:

Security issue fixed:

- CVE-2016-10745: Fixed a sandbox escape caused by an information disclosure via str.format


-----------------------------------------
Patch: SUSE-2019-1363
Released: Tue May 28 10:50:53 2019
Summary: Security update for curl
Severity: important
References: 1135170,CVE-2019-5436
Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).


-----------------------------------------
Patch: SUSE-2019-1384
Released: Thu May 30 08:12:10 2019
Summary: Recommended update for supportutils
Severity: important
References: 1081326,1088234,1100529,1120967,1132865,1133723,1134599
Description:
This update for supportutils fixes the following issues:

  * SUSE specific infrastructure is now used (bsc#1132865) 
  * Uploads now use https by default (bsc#1134599)
  * Support for FTPS has been added
  * Files in the tarball now have 660 permissions instead of 600
  * The supportconfig.conf man pages have been updated to add some missing paramaters and fix some incorrect 
  information (bsc#1088234)
  * Fix issues where some customers were unable to collect logs due to commands not timing out 
  (bsc#1100529) (bsc#1120967)
  * DRBD resource configs were missing in support config (bsc#1133723)
  * FTPES now uses the --ssl-reqd paramater instead of the depricated --ftp-ssl
  * sapconf and log were missing from tuned.txt (bsc#1081326)
  * Some deprecated chkconfig code has been removed


-----------------------------------------
Patch: SUSE-2019-1402
Released: Mon Jun  3 09:12:38 2019
Summary: Recommended update for kmod
Severity: moderate
References: 1097869,1118629
Description:
This update for kmod fixes the following issues:

- Fixes a potential buffer overflow in libkmod (bsc#1118629).


-----------------------------------------
Patch: SUSE-2019-1431
Released: Wed Jun  5 16:50:13 2019
Summary: Recommended update for xz
Severity: moderate
References: 1135709
Description:
This update for xz does only update the license:

- Add SUSE-Public-Domain license as some parts of xz utils (liblzma,
  xz, xzdec, lzmadec, documentation, translated messages, tests,
  debug, extra directory) are in public domain license (bsc#1135709)


-----------------------------------------
Patch: SUSE-2019-1449
Released: Fri Jun  7 13:00:08 2019
Summary: Security update for bind
Severity: important
References: 1104129,1126068,1126069,1133185,CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Description:
This update for bind fixes the following issues:

Security issues fixed:

- CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).
- CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).
- CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys. (bsc#1126068)
- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective. (bsc#1133185)



-----------------------------------------
Patch: SUSE-2019-1456
Released: Tue Jun 11 10:08:27 2019
Summary: Security update for vim
Severity: important
References: 1137443,CVE-2019-12735
Description:
This update for vim fixes the following issue:

Security issue fixed: 

- CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).


-----------------------------------------
Patch: SUSE-2019-1469
Released: Wed Jun 12 12:02:13 2019
Summary: Recommended update for pam_mount
Severity: moderate
References: 1135310,sle-6551
Description:
This update for pam_mount fixes the following issues:

- LUKS2 support has been added to pam_mount (bnc#1135310 jsc#sle-6551)


-----------------------------------------
Patch: SUSE-2019-1493
Released: Thu Jun 13 16:40:31 2019
Summary: Recommended update for binutils
Severity: moderate
References: 1137271,SLE-6206
Description:
This update for binutils fixes the following issues:

- Add support for new IBM zSeries z13 instructions. (fate#327074, jsc#SLE-6206,
  bsc#1137271)


-----------------------------------------
Patch: SUSE-2019-1506
Released: Fri Jun 14 11:15:38 2019
Summary: Recommended update for postfix
Severity: moderate
References: 1045264,1104543,771811
Description:
This update for postfix fixes the following issues:

- config.postfix does not start tlsmgr in master.cf
  when using POSTFIX_SMTP_TLS_CLIENT='must'. (bsc#1104543)

- L3: postmap error. Applying proposed patch of leen.meyer@ziggo.nl (bsc#1045264)


-----------------------------------------
Patch: SUSE-2019-1522
Released: Mon Jun 17 17:28:30 2019
Summary: Security update for sqlite3
Severity: important
References: 1085790,1132045,1136976,CVE-2017-10989,CVE-2018-8740,CVE-2019-8457
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-8457: Fixed a Heap out-of-bound read in rtreenode() when handling invalid rtree tables (bsc#1136976).
- CVE-2018-8740: Fixed a NULL pointer dereference related to corrupted databases schemas (bsc#1085790).
- CVE-2017-10989: Fixed a heap-based buffer over-read in getNodeSize() (bsc#1132045).


-----------------------------------------
Patch: SUSE-2019-1553
Released: Tue Jun 18 18:29:23 2019
Summary: Security update for openssl
Severity: moderate
References: 1089039,1097158,1097624,1098592,1101470,1104789,1106197,1110018,1113534,1113652,1117951,1127080,1131291,CVE-2016-8610,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-5407,CVE-2019-1559
Description:

  
This update for openssl fixes the following issues:

- CVE-2018-0732: Reject excessively large primes in DH key generation (bsc#1097158)
- CVE-2018-0734: Timing vulnerability in DSA signature generation (bsc#1113652)
- CVE-2018-0737: Cache timing vulnerability in RSA Key Generation (bsc#1089039)
- CVE-2018-5407: Elliptic curve scalar multiplication timing attack defenses (fixes 'PortSmash') (bsc#1113534)
- CVE-2019-1559: Fix 0-byte record padding oracle via SSL_shutdown (bsc#1127080)
- Fix One&Done side-channel attack on RSA (bsc#1104789)
- Reject invalid EC point coordinates (bsc#1131291)
- The 9 Lives of Bleichenbacher's CAT: Cache ATtacks on TLS Implementations (bsc#1117951)
- Add missing error string to CVE-2016-8610 fix (bsc#1110018#c9)
- blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

Non security fixes:

- correct the error detection in the fips patch (bsc#1106197)
- Add openssl(cli) Provide so the packages that require the openssl
  binary can require this instead of the new openssl meta package
  (bsc#1101470)



-----------------------------------------
Patch: SUSE-2019-1591
Released: Fri Jun 21 10:16:09 2019
Summary: Security update for dbus-1
Severity: important
References: 1137832,CVE-2019-12749
Description:
This update for dbus-1 fixes the following issue:
	  
Security issue fixed:     
    
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which 
  could have allowed local attackers to bypass authentication (bsc#1137832).   
  

-----------------------------------------
Patch: SUSE-2019-1596
Released: Fri Jun 21 10:18:00 2019
Summary: Security update for glib2
Severity: important
References: 1107116,1107121,1111499,1137001,CVE-2018-16428,CVE-2018-16429,CVE-2019-12450
Description:
This update for glib2 fixes the following issues:

Security issues fixed:    

- CVE-2019-12450: Fixed an improper file permission when copy operation
  takes place (bsc#1137001).     
- CVE-2018-16428: Avoid a NULL pointer dereference (bsc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).
- Some exploitable parser bugs in GVariant and GDBus subsystems were fixed (bsc#1111499).



-----------------------------------------
Patch: SUSE-2019-1692
Released: Mon Jun 24 21:01:07 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1090078,1110785,1113769,1120843,1120885,1125580,1125931,1131543,1131587,1132374,1132472,1134848,1135281,1136424,1136446,1137586,CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11833,CVE-2019-11884,CVE-2019-3846,CVE-2019-5489
Description:

The SUSE Linux Enterprise 12 kernel version 3.12.61 was updated to receive
various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-11477: A sequence of SACKs may have been crafted by a remote
  attacker such that one can trigger an integer overflow, leading to a kernel
  panic. (bsc#1137586).

- CVE-2019-11478: It was possible to send a crafted sequence of SACKs which
  would fragment the TCP retransmission queue. A remote attacker may have been 
  able to further exploit the fragmented queue to cause an expensive linked-list
  walk for subsequent SACKs received for that same TCP connection.

- CVE-2019-11479: It was possible to send a crafted sequence of SACKs which
  would fragment the RACK send map. A remote attacker may have been able to further
  exploit the fragmented send map to cause an expensive linked-list walk for
  subsequent SACKs received for that same TCP connection. This would have
  resulted in excess resource consumption due to low mss values.

- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly
  escalate privileges was found in the mwifiex kernel module while connecting
  to a malicious wireless network. (bnc#1136424)

- CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux
  kernel allowed local attackers to observe page cache access patterns of other
  processes on the same system, potentially allowing sniffing of secret
  information. (Fixing this affects the output of the fincore program.) Limited
  remote exploitation may have been possible, as demonstrated by latency differences
  in accessing public files from an Apache HTTP Server. (bnc#1120843)

- CVE-2019-11833: fs/ext4/extents.c in the Linux kernel did not zero out the
  unused memory region in the extent tree block, which might have allowed local users
  to obtain sensitive information by reading uninitialized data in the
  filesystem. (bnc#1135281)

- CVE-2019-11190: The Linux kernel allowed local users to bypass ASLR on setuid
  programs (such as /bin/su) because install_exec_creds() is called too late in
  load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check
  has a race condition when reading /proc/pid/stat. (bnc#1131543)

- CVE-2019-11884: The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c
  in the Linux kernel allowed a local user to obtain potentially sensitive
  information from kernel stack memory via a HIDPCONNADD command, because a
  name field may not end with a '\0' character. (bnc#1134848)

- CVE-2018-17972: An issue was discovered in the proc_pid_stack function in
  fs/proc/base.c in the Linux kernel It did not ensure that only root may
  inspect the kernel stack of an arbitrary task, allowing a local attacker to
  exploit racy stack unwinding and leak kernel task stack contents.
  (bnc#1110785)

The following non-security bugs were fixed:

- kabi: drop LINUX_MIB_TCPWQUEUETOOBIG snmp counter (bsc#1137586).
- lib: add 'on'/'off' support to strtobool (bsc#1125931).
- powerpc/tm: Add commandline option to disable hardware transactional memory (bsc#1125580).
- powerpc/tm: Add TM Unavailable Exception (bsc#1125580).
- powerpc/tm: Flip the HTM switch default to disabled (bsc#1125580).
- powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).
- powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 (bsc#1131587).
- tcp: add tcp_min_snd_mss sysctl (bsc#1137586).
- tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (bsc#1137586).
- tcp: limit payload size of sacked skbs (bsc#1137586).
- tcp: tcp_fragment() should apply sane memory limits (bsc#1137586).


-----------------------------------------
Patch: SUSE-2019-1733
Released: Wed Jul  3 13:54:39 2019
Summary: Security update for elfutils
Severity: low
References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Description:
This update for elfutils fixes the following issues:

Security issues fixed: 	  

- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).  
- CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files 
  to be read (bsc#1123685).
- CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections 
  and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).


-----------------------------------------
Patch: SUSE-2019-1761
Released: Fri Jul  5 14:10:34 2019
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 1128383,1135261
Description:
This update for e2fsprogs fixes the following issues:

- Revert 'mke2fs: prevent creation of unmountable ext4 with large flex_bg count'. (bsc#1135261)

- Place metadata blocks in the last flex_bg so they are contiguous. (bsc#1135261)

- Check and fix tails of all bitmaps. (bsc#1128383)


-----------------------------------------
Patch: SUSE-2019-1805
Released: Wed Jul 10 11:13:54 2019
Summary: Recommended update for python-MarkupSafe
Severity: moderate
References: 1139130,1139363
Description:
This update for python-MarkupSafe fixes the following issues:

python-MarkupSafe was updated to 0.23 (bsc#1139130 bsc#1139363)

* The update provides the missing EscapeFormatter class



-----------------------------------------
Patch: SUSE-2019-1818
Released: Thu Jul 11 07:48:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1135262,1140016
Description:
This update for timezone fixes the following issues:

- Timezone update 2019b. (bsc#1140016):
  - Brazil no longer observes DST.
  - 'zic -b slim' outputs smaller TZif files.
  - Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
  - Add info about the Crimea situation.


-----------------------------------------
Patch: SUSE-2019-1824
Released: Fri Jul 12 09:30:14 2019
Summary: Security update for glib2
Severity: important
References: 1139959,CVE-2019-13012
Description:
This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).


-----------------------------------------
Patch: SUSE-2019-1834
Released: Fri Jul 12 17:55:14 2019
Summary: Security update for expat
Severity: moderate
References: 1139937,CVE-2018-20843
Description:
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption 
  in the XML parser when XML names contain a large amount of colons (bsc#1139937).


-----------------------------------------
Patch: SUSE-2019-1844
Released: Mon Jul 15 07:13:09 2019
Summary: Recommended update for pam
Severity: low
References: 1116544
Description:
This update for pam fixes the following issues:

- restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)
    

-----------------------------------------
Patch: SUSE-2019-1861
Released: Wed Jul 17 11:35:02 2019
Summary: Security update for MozillaFirefox
Severity: important
References: 1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811
Description:
This update for MozillaFirefox, mozilla-nss fixes the following issues:

MozillaFirefox to version ESR 60.8:

- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).

mozilla-nss to version 3.44.1:

* Added IPSEC IKE support to softoken 
* Many new FIPS test cases


-----------------------------------------
Patch: SUSE-2019-1867
Released: Wed Jul 17 13:11:03 2019
Summary: Security update for libxslt
Severity: moderate
References: 1140095,1140101,CVE-2019-13117,CVE-2019-13118
Description:
This update for libxslt fixes the following issues:

Security issues fixed:

- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed a uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095).


-----------------------------------------
Patch: SUSE-2019-1902
Released: Fri Jul 19 12:46:19 2019
Summary: Recommended update for openssh
Severity: important
References: 1138936
Description:
This update for openssh fixes the following issues:

- Fix a regression in utf-8 handling that could cause crashes of scp (bsc#1138936).


-----------------------------------------
Patch: SUSE-2019-1955
Released: Tue Jul 23 11:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,985657,CVE-2016-3189,CVE-2019-12900
Description:
This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).


-----------------------------------------
Patch: SUSE-2019-1988
Released: Fri Jul 26 09:02:08 2019
Summary: Recommended update for libXi
Severity: low
References: 1049681,1134167
Description:

This update for libXi provides the following fix:

- Fix a crash on X11 clients when tablet inputs are connected. (bsc#1049681)
- Fix a crash that would happen in case of a _XReply() call fails, freeing an uninitialized
  pointer. (bsc#1134167)


-----------------------------------------
Patch: SUSE-2019-1990
Released: Fri Jul 26 14:59:30 2019
Summary: Security update for cronie
Severity: low
References: 1128935,1128937,1130746,1133100,CVE-2019-9704,CVE-2019-9705
Description:
This update for cronie fixes the following issues:
	  
Security issues fixed:

- CVE-2019-9704: Fixed an insufficient check in the return value of calloc which
  could allow a local user to create Denial of Service by crashing the deamon (bsc#1128937).
- CVE-2019-9705: Fixed an implementation vulnerability which could allow a local user to
  exhaust the memory resulting in Denial of Service (bsc#1128935).  

Bug fixes:

- Manual start of cron is possible even when it's already started using systemd (bsc#1133100).
- Cron schedules only one job of crontab (bsc#1130746).


-----------------------------------------
Patch: SUSE-2019-2013
Released: Mon Jul 29 15:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,CVE-2019-12900
Description:
This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
  with files that used many selectors (bsc#1139083).


-----------------------------------------
Patch: SUSE-2019-2025
Released: Tue Jul 30 19:16:57 2019
Summary: Recommended update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.45 (bsc#1141322):

* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
  CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
  This adds a new experimental function SSL_DelegateCredential
  Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
  Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
  This adds new experimental functions: SSL_SetTimeFunc, 
  SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and 
  SSL_ReleaseAntiReplayContext.
  The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
  Note: The source package size has increased substantially 
  due to the new FIPS test vectors. This will likely 
  prompt follow-on work, but please accept our 
  apologies in the meantime.

mozilla-nspr was updated to version 4.21:

* Changed prbit.h to use builtin function on aarch64.



-----------------------------------------
Patch: SUSE-2019-2026
Released: Tue Jul 30 19:19:50 2019
Summary: Recommended update for Azure Python SDK
Severity: moderate
References: 1054413,1122523,979331
Description:
This update brings the following python modules for the Azure Python SDK:

- python-Flask
- python-Werkzeug
- python-click
- python-decorator
- python-httpbin
- python-idna
- python-itsdangerous
- python-py
- python-pytest-httpbin
- python-pytest-mock
- python-requests
  

-----------------------------------------
Patch: SUSE-2019-2035
Released: Thu Aug  1 17:34:22 2019
Summary: Security update for polkit
Severity: important
References: 1121826,CVE-2019-6133
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass 
  uid checking in the interactive backend (bsc#1121826).


-----------------------------------------
Patch: SUSE-2019-2088
Released: Wed Aug  7 18:17:28 2019
Summary: Security update for tcpdump
Severity: moderate
References: 1068716,1142439,CVE-2017-16808,CVE-2019-1010220
Description:
This update for tcpdump fixes the following issues:

Security issues fixed:

- CVE-2019-1010220: Fixed a buffer over-read in print_prefix() which may expose data (bsc#1142439).
- CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print() and lookup_emem() (bsc#1068716).


-----------------------------------------
Patch: SUSE-2019-2120
Released: Wed Aug 14 11:17:39 2019
Summary: Recommended update for pam
Severity: moderate
References: 1136298,SLE-7257
Description:
This update for pam fixes the following issues:

- Enable pam_userdb.so (SLE-7257,bsc#1136298)
- Upgraded pam_userdb to 1.3.1.  (bsc#1136298)


-----------------------------------------
Patch: SUSE-2019-1606
Released: Wed Aug 21 13:36:49 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1128481,1136570,CVE-2019-3860
Description:
This update for libssh2_org fixes the following issues:

- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
  (Out-of-bounds reads with specially crafted SFTP packets)


-----------------------------------------
Patch: SUSE-2019-2240
Released: Wed Aug 28 14:57:51 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1144169
Description:
This update for ca-certificates-mozilla fixes the following issues:

- Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)

- Removed Root CAs:

  - Certinomis - Root CA

- Added root CAs from the 2.32 version:
  - emSign ECC Root CA - C3 (email and server auth)
  - emSign ECC Root CA - G3 (email and server auth)
  - emSign Root CA - C1 (email and server auth)
  - emSign Root CA - G1 (email and server auth)
  - Hongkong Post Root CA 3 (server auth)



-----------------------------------------
Patch: SUSE-2019-2264
Released: Mon Sep  2 09:07:12 2019
Summary: Security update for perl
Severity: important
References: 1114674,CVE-2018-18311
Description:
This update for perl fixes the following issues:

Security issue fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).


-----------------------------------------
Patch: SUSE-2019-2303
Released: Thu Sep  5 12:10:29 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1137336,SLE-5560
Description:
This update for supportutils fixes the following issues:

- Added sed and gawk as a runtime dependency (bsc#1137336)
- Removed Novell references (SLE-5560)
- Update getappcore to use SUSE FTP server
- Added FTPES and HTTPS upload options. HTTPS will be the default.


-----------------------------------------
Patch: SUSE-2019-2339
Released: Thu Sep 12 14:17:53 2019
Summary: Security update for curl
Severity: important
References: 1149496,CVE-2019-5482
Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).


-----------------------------------------
Patch: SUSE-2019-2440
Released: Mon Sep 23 17:15:13 2019
Summary: Security update for expat
Severity: moderate
References: 1149429,CVE-2019-15903
Description:
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)


-----------------------------------------
Patch: SUSE-2019-2480
Released: Fri Sep 27 13:12:08 2019
Summary: Security update for gpg2
Severity: moderate
References: 1124847,1141093,CVE-2019-13050
Description:
This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847).


-----------------------------------------
Patch: SUSE-2019-2505
Released: Tue Oct  1 13:10:17 2019
Summary: Recommended update for python-jmespath, python-jsonschema, python-paramiko, python-pexpect, python-pip, python-ply, python-pretend, python-process-tests, python-pycodestyle, python-pyflakes, python-pyxdg, python-tabulate, python-vcversioner
Severity: moderate
References: 1065275,CVE-2013-5123,CVE-2014-8991,CVE-2015-2296
Description:

This update for python-jmespath, python-jsonschema, python-paramiko, python-pexpect, python-pip, python-ply, python-pretend, python-process-tests, python-pycodestyle, python-pyflakes, python-pyxdg, python-tabulate, python-vcversioner fixes the following issues:

python-pip was updated to 10.0.1 (fate#324191, bsc#1065275)

Enable python3 build for:

- python-jmespath
- python-jsonschema
- python-paramiko
- python-pexpect
- python-pip
- python-ply
- python-pretend
- python-process-tests
- python-pycodestyle
- python-pyflakes
- python-pyxdg
- python-tabulate
- python-vcversioner




-----------------------------------------
Patch: SUSE-2019-2510
Released: Tue Oct  1 17:37:12 2019
Summary: Security update for libgcrypt
Severity: moderate
References: 1148987,CVE-2019-13627
Description:
This update for libgcrypt fixes the following issues:

Security issues fixed:
	  
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)


-----------------------------------------
Patch: SUSE-2019-2513
Released: Wed Oct  2 10:48:28 2019
Summary: Security update for jasper
Severity: moderate
References: 1010783,1117505,1117507,1117508,1117511,CVE-2016-9396,CVE-2018-19539,CVE-2018-19540,CVE-2018-19541,CVE-2018-19542
Description:
This update for jasper fixes the following issues:

Security issues fixed:

- CVE-2018-19540: Fixed  a heap based overflow in jas_icctxtdesc_input (bsc#1117508).
- CVE-2018-19541: Fix heap based overread in jas_image_depalettize (bsc#1117507).
- CVE-2018-19542: Fixed a denial of service in jp2_decode (bsc#1117505).
- CVE-2018-19539: Fixed a denial of service in jas_image_readcmpt (bsc#1117511).
- CVE-2016-9396: Fixed a denial of service in jpc_cox_getcompparms (bsc#1010783).


-----------------------------------------
Patch: SUSE-2019-2556
Released: Fri Oct  4 13:36:49 2019
Summary: Recommended update for tcsh
Severity: moderate
References: 1134508,992577
Description:
This update for tcsh fixes the following issues:

- Make a copy of the file descriptor of the history file to be able not only to lock but
  also unlock the file. (bsc#992577, bsc#1134508)
- Add Shift-JIS Japanese character support. (fate#324487)


-----------------------------------------
Patch: SUSE-2019-2627
Released: Fri Oct 11 12:05:29 2019
Summary: Recommended update for python-setuptools and dependend packages
Severity: moderate
References: 1024540,1054413,1074247,1075812,1088358,1091826,1110422,CVE-2016-9015
Description:

All changes necessary for upgrade of python-setuptools to 40.6.2 (bsc#1075812)

New packages:
- python-cachetools
- python-google-auth
- python-packaging

Rebuilt without source changes:

- python-cffi
- python-cliff
- python-mock
- python-oauthlib
- python-pbr
- python-PyJWT
- python-pytest

Added python3 packages:

- python-hgtools
- python-pyasn1-modules
- python-rsa

Updated:

- python-kubernetes
  Updated to version 6.0

- python-pyparsing

  Was updated to version 2.2.0.

- python-setuptools

  Was upgraded to version 40.6.2.



-----------------------------------------
Patch: SUSE-2019-2650
Released: Mon Oct 14 10:52:46 2019
Summary: Security update for binutils
Severity: moderate
References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2019-1010180,ECO-368,SLE-6206
Description:
This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:

Includes the following security fixes:

- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in  load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)

- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
  (bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section

Update to binutils 2.32:

* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
  encoding of VEX.W-ignored (WIG) VEX instructions.
  It also has a new -mx86-used-note=[yes|no] option to generate (or
  not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
  the Loongson EXTensions (EXT) instructions, the Loongson Content
  Address Memory (CAM) ASE and the Loongson MultiMedia extensions
  Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
  limit on the maximum amount of recursion that is allowed whilst
  demangling strings.  This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
  specifying the starting symbol for disassembly.  Disassembly will
  continue from this symbol up to the next symbol or the end of the
  function.
* The BFD linker will now report property change in linker map file
  when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
  archives, unless -t is given twice.  This makes it more useful
  when generating a list of files that should be packaged for a
  linker bug report.
* The GOLD linker has improved warning messages for relocations that
  refer to discarded sections.

- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.

  

-----------------------------------------
Patch: SUSE-2019-2668
Released: Tue Oct 15 13:16:08 2019
Summary: Security update for sudo
Severity: important
References: 1053911,1058297,1068003,1153674,CVE-2019-14287
Description:
This update for sudo provides the following fix:

Security issue fixed:     

- CVE-2019-14287: Fixed an issue where a user with sudo privileges 
  that allowed them to run commands with an arbitrary uid, could 
  run commands as root, despite being forbidden to do so in sudoers
  (bsc#1153674).

Other issues fixed:     

- Cache resolved group names as calling getgrgid() is expensive and 
  on systems connected to AD with many users, groups or sudo rules 
  it causes sudo to take a long time to run (bsc#1068003).
- Disable insults by default at build time. For new installations this 
  was done via sudoers file, but when upgrading from previous versions 
  it would accidentally be enabled (bsc#1053911).
- Enable support for zlib compressed I/O logs (bsc#1058297).


-----------------------------------------
Patch: SUSE-2019-2669
Released: Tue Oct 15 14:38:11 2019
Summary: Security update for libpcap
Severity: important
References: 1153332,CVE-2018-16301,CVE-2019-15165
Description:
This update for libpcap fixes the following issues:

- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).


-----------------------------------------
Patch: SUSE-2019-2703
Released: Thu Oct 17 10:05:41 2019
Summary: Recommended update for binutils
Severity: important
References: 1152590,1154016,1154025
Description:
This update for binutils fixes the following issues:

- Fixed a segfault in ld when building some versions of pacemaker. (bsc#1154025, bsc#1154016)
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses.  (bsc#1152590)



-----------------------------------------
Patch: SUSE-2019-2740
Released: Tue Oct 22 15:34:30 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1150451
Description:
This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.


-----------------------------------------
Patch: SUSE-2019-2761
Released: Thu Oct 24 07:08:33 2019
Summary: Recommended update for pciutils-ids
Severity: moderate
References: 1149149
Description:
This update for pciutils-ids fixes the following issues:

- updates the list of devices so that more devices will get identified (bsc#1149149)


-----------------------------------------
Patch: SUSE-2019-2800
Released: Mon Oct 28 17:11:35 2019
Summary: Recommended update for tcsh
Severity: moderate
References: 1151630,1153839
Description:
This update for tcsh fixes the following issues:

- An issue has been fixed where the csh reported 'Abort (core dumped)' by accident (bsc#1151630)


-----------------------------------------
Patch: SUSE-2019-2907
Released: Wed Nov  6 12:43:30 2019
Summary: Recommended update for glib2
Severity: moderate
References: 1150047
Description:
This update for glib2 provides the following fix:

- Remove code that parsed out and stored the unused isstd and isgmt fields to fix an
  assertion with the latest timezone package. (bsc#1150047)


-----------------------------------------
Patch: SUSE-2019-2936
Released: Fri Nov  8 13:19:55 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1154862,CVE-2019-17498
Description:
This update for libssh2_org fixes the following issue:

- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).


-----------------------------------------
Patch: SUSE-2019-2972
Released: Thu Nov 14 12:04:52 2019
Summary: Security update for libjpeg-turbo
Severity: important
References: 1156402,CVE-2019-2201
Description:
This update for libjpeg-turbo fixes the following issues:

- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
  when attempting to compress or decompress gigapixel images. [bsc#1156402]



-----------------------------------------
Patch: SUSE-2019-2976
Released: Thu Nov 14 18:46:41 2019
Summary: Security update for bash
Severity: important
References: 1138676,CVE-2012-6711
Description:
This update for bash fixes the following issues:

- CVE-2012-6711: Fixed a heap-based buffer overflow during echo of unsupported characters	  
  (bsc#1138676).


-----------------------------------------
Patch: SUSE-2019-3003
Released: Tue Nov 19 10:12:33 2019
Summary: Recommended update for procps
Severity: moderate
References: 1153386,SLE-10396
Description:
This update for procps provides the following fixes:

- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
- Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)


-----------------------------------------
Patch: SUSE-2019-3005
Released: Tue Nov 19 10:13:32 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1111029,1154482
Description:
This update for supportutils provides the following fixes:

- Added free -h
- Removed LPM/DLPAR data for POWER. (bsc#1111029)
- Removed root .snapshots directory from full file list (bsc#1154482)


-----------------------------------------
Patch: SUSE-2019-3024
Released: Thu Nov 21 09:37:09 2019
Summary: Security update for python-ecdsa
Severity: moderate
References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859
Description:
This update for python-ecdsa to version 0.13.3 fixes the following issues:

Security issues fixed:

- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).


-----------------------------------------
Patch: SUSE-2019-3036
Released: Fri Nov 22 11:23:39 2019
Summary: Recommended update for python-rsa
Severity: moderate
References: 1154763
Description:
This update for python-rsa fixes the following issues:

- The error 'update-alternatives: error: alternative pyrsa-decrypt-bigfile can't be master' does no
  longer occur when updating to a newer package version (bsc#1154763)


-----------------------------------------
Patch: SUSE-2019-3057
Released: Mon Nov 25 17:31:37 2019
Summary: Security update for cups
Severity: important
References: 1146358,1146359,CVE-2019-8675,CVE-2019-8696
Description:
This update for cups fixes the following issues:

- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358). 
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).


-----------------------------------------
Patch: SUSE-2019-3058
Released: Mon Nov 25 17:32:43 2019
Summary: Security update for tiff
Severity: moderate
References: 1108606,1121626,1125113,1146608,983268,CVE-2016-5102,CVE-2018-17000,CVE-2019-14973,CVE-2019-6128,CVE-2019-7663
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2019-14973: Fixed an improper check which was depended on the compiler
  which could have led to integer overflow (bsc#1146608).
- CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268)
- CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606).
- CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626).
- CVE-2019-7663: Fixed an invalid address dereference in the
  TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113)


-----------------------------------------
Patch: SUSE-2019-3064
Released: Mon Nov 25 18:44:36 2019
Summary: Security update for cpio
Severity: moderate
References: 1155199,CVE-2019-14866
Description:
This update for cpio fixes the following issues:
	  
- CVE-2019-14866: Fixed an improper validation of the values written 
  in the header of a TAR file through the to_oct() function which could 
  have led to unexpected TAR generation (bsc#1155199).


-----------------------------------------
Patch: SUSE-2019-3092
Released: Thu Nov 28 15:44:33 2019
Summary: Security update for libarchive
Severity: moderate
References: 1032089,1037008,1037009,1059134,1059139,1120653,1120654,1124341,1124342,1155079,CVE-2016-10209,CVE-2016-10349,CVE-2016-10350,CVE-2017-14501,CVE-2017-14502,CVE-2018-1000877,CVE-2018-1000878,CVE-2019-1000019,CVE-2019-1000020,CVE-2019-18408
Description:
This update for libarchive fixes the following issues:

Security issues fixed:

- CVE-2018-1000877: Fixed a double free vulnerability in RAR decoder (bsc#1120653).
- CVE-2018-1000878: Fixed a Use-After-Free vulnerability in RAR decoder (bsc#1120654).
- CVE-2019-1000019: Fixed an Out-Of-Bounds Read vulnerability in 7zip decompression (bsc#1124341).
- CVE-2019-1000020: Fixed an Infinite Loop vulnerability in ISO9660 parser (bsc#1124342).
- CVE-2019-18408: Fixed a use-after-free in RAR format support (bsc#1155079).


-----------------------------------------
Patch: SUSE-2019-3094
Released: Thu Nov 28 16:47:52 2019
Summary: Security update for ncurses
Severity: moderate
References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037).

Bug fixes:

- Fixed ppc64le build configuration (bsc#1134550).


-----------------------------------------
Patch: SUSE-2019-3130
Released: Tue Dec  3 05:51:37 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1023308,1089877,1145233,1156837,1157043
Description:
This update for supportutils contains the following fixes:

- Updated version 3.0.5 to 3.0.6:
  + Supportconfig takes a long time to complete on 32TB machine. (bsc#1157043)
  + Updated detailed unit information fix in systemd.txt. (bsc#1023308)
  + Dynamically select compression method. (bsc#1145233)
  + Strip trailing commas from process names. (bsc#1156837)
  + Include IPv6 routes. (bsc#1089877)


-----------------------------------------
Patch: SUSE-2019-3134
Released: Tue Dec  3 10:55:27 2019
Summary: Recommended update for cronie
Severity: moderate
References: 1155114
Description:
This update for cronie fixes the following issues:

- Update crontab so it doesn't print the headers of crontab with the 'crontab -l' command. (bsc#1155114)


-----------------------------------------
Patch: SUSE-2019-3135
Released: Tue Dec  3 10:56:05 2019
Summary: Recommended update for growpart, growpart-rootgrow
Severity: moderate
References: 1154357,ECO-550
Description:
This update for growpart, growpart-rootgrow contains the following fixes:

growpart:

- Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550)

growpart-rootgrow:

- Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550)
- Bump from version 1.0.0 to 1.0.1:
 - Fixed binary location in service unit file.

  

-----------------------------------------
Patch: SUSE-2019-3185
Released: Thu Dec  5 11:44:17 2019
Summary: Security update for Mesa
Severity: moderate
References: 1156015,CVE-2019-5068
Description:
This update for Mesa fixes the following issues:

Security issue fixed:

- CVE-2019-5068: Fixed exploitable shared memory permissions vulnerability (bsc#1156015).


-----------------------------------------
Patch: SUSE-2019-3342
Released: Thu Dec 19 11:04:35 2019
Summary: Recommended update for elfutils
Severity: moderate
References: 1151577
Description:
This update for elfutils fixes the following issues:

- Add require of 'libebl1' for 'libelf1'. (bsc#1151577)


-----------------------------------------
Patch: SUSE-2019-3364
Released: Thu Dec 19 19:20:52 2019
Summary: Recommended update for ncurses
Severity: moderate
References: 1158586,1159162
Description:
This update for ncurses fixes the following issues:

- Work around a bug of old upstream gen-pkgconfig (bsc#1159162) 
- Remove doubled library path options (bsc#1159162)
- Also remove private requirements as (lib)tinfo are binary compatible
  with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
- Fix last change, that is add missed library linker paths as well
  as missed include directories for none standard paths (bsc#1158586,
  bsc#1159162)
- Do not mix include directories of different ncurses ABI (bsc#1158586) 


-----------------------------------------
Patch: SUSE-2020-86
Released: Mon Jan 13 14:12:22 2020
Summary: Security update for e2fsprogs
Severity: moderate
References: 1160571,CVE-2019-5188
Description:
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).


-----------------------------------------
Patch: SUSE-2020-88
Released: Mon Jan 13 15:47:05 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322,1158527,1159819,CVE-2019-11745,CVE-2019-17006
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.


-----------------------------------------
Patch: SUSE-2020-98
Released: Tue Jan 14 13:42:15 2020
Summary: Recommended update for gcc48
Severity: low
References: 1071995
Description:

This update for gcc48 fixes the following issues:

- Add changes needed for SLE15 live patching. (bsc#1071995, fate#323487)
- Provide .ipa-clones dump files. (bsc#1071995, fate#323487)



-----------------------------------------
Patch: SUSE-2020-102
Released: Tue Jan 14 16:25:22 2020
Summary: Security update for man
Severity: moderate
References: 1159105
Description:
This update for man fixes the following issues:

- Skip using 'safe-rm' in cron job below cache directory (bsc#1159105).


-----------------------------------------
Patch: SUSE-2020-106
Released: Wed Jan 15 12:50:55 2020
Summary: Recommended update for libgcrypt
Severity: important
References: 1155338,1155339
Description:
This update for libgcrypt fixes the following issues:

- Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
- Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)


-----------------------------------------
Patch: SUSE-2020-390
Released: Tue Feb 18 09:23:06 2020
Summary: Security update for sudo
Severity: important
References: 1162202,CVE-2019-18634
Description:
This update for sudo fixes the following issue:

Security issue fixed:

- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).


-----------------------------------------
Patch: SUSE-2020-424
Released: Wed Feb 19 17:07:40 2020
Summary: Security update for rsyslog
Severity: moderate
References: 1015203,1022804,1153451,1153459,CVE-2019-17041,CVE-2019-17042
Description:
This update for rsyslog fixes the following issues:

Security issues fixed:

- CVE-2019-17041: Fixed a heap overflow in the parser for AIX log messages (bsc#1153451).
- CVE-2019-17042: Fixed a heap overflow in the parser for Cisco log messages (bsc#1153459).

Non-security issues fixed:

- Handle multiline messages correctly when using the imfile module. (bsc#1015203)
- Fix a race condition in the shutdown sequence in wtp that was causing rsyslog not to
  shutdown properly. (bsc#1022804)


-----------------------------------------
Patch: SUSE-2020-457
Released: Tue Feb 25 11:00:36 2020
Summary: Security update for libexif
Severity: moderate
References: 1120943,1160770,CVE-2018-20030,CVE-2019-9278
Description:
This update for libexif fixes the following issues:

- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).


-----------------------------------------
Patch: SUSE-2020-459
Released: Tue Feb 25 11:02:12 2020
Summary: Security update for libvpx
Severity: moderate
References: 1160613,1160614,CVE-2019-9232,CVE-2019-9433
Description:
This update for libvpx fixes the following issues:

- CVE-2019-9232: Fixed an out of bound memory access (bsc#1160613).
- CVE-2019-9433: Fixdd a use-after-free in vp8_deblock() (bsc#1160614).


-----------------------------------------
Patch: SUSE-2020-554
Released: Mon Mar  2 12:12:50 2020
Summary: Recommended update for supportutils
Severity: important
References: 1157852,1162357
Description:
This update for supportutils fixes the following issues:

- Exclude /proc/pagetypeinfo as it can be an expensive operation on some systems (bsc#1162357).
- Readded LPM/DLPAR data for Power (bsc#1157852).


-----------------------------------------
Patch: SUSE-2020-555
Released: Mon Mar  2 13:27:17 2020
Summary: Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer
Severity: moderate
References: 1111622,1122668,CVE-2018-18074
Description:
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:

python-cfn-lint was included as a new package in 0.21.4.


python-aws-sam-translator was updated to 1.11.0:

  * Add ReservedConcurrentExecutions to globals
  * Fix ElasticsearchHttpPostPolicy resource reference
  * Support using AWS::Region in Ref and Sub
  * Documentation and examples updates
  * Add VersionDescription property to Serverless::Function
  * Update ServerlessRepoReadWriteAccessPolicy
  * Add additional template validation

Upgrade to 1.10.0:

  * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
  * Add DynamoDBReconfigurePolicy
  * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
  * Add EKSDescribePolicy
  * Add SESBulkTemplatedCrudPolicy
  * Add FilterLogEventsPolicy
  * Add SSMParameterReadPolicy
  * Add SESEmailTemplateCrudPolicy
  * Add s3:PutObjectAcl to S3CrudPolicy
  * Add allow_credentials CORS option
  * Add support for AccessLogSetting and CanarySetting Serverless::Api properties
  * Add support for X-Ray in Serverless::Api
  * Add support for MinimumCompressionSize in Serverless::Api
  * Add Auth to Serverless::Api globals
  * Remove trailing slashes from APIGW permissions
  * Add SNS FilterPolicy and an example application
  * Add Enabled property to Serverless::Function event sources
  * Add support for PermissionsBoundary in Serverless::Function
  * Fix boto3 client initialization
  * Add PublicAccessBlockConfiguration property to S3 bucket resource
  * Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
  * Add limited support for resolving intrinsics in Serverless::LayerVersion
  * SAM now uses Flake8
  * Add example application for S3 Events written in Go
  * Updated several example applications

- Initial build
  + Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
  required for SLES12 as the setuptools version is too old
  + ast_drop-compatible-releases-operator.patch


python-jsonschema was updated to 2.6.0:

* Improved performance on CPython by adding caching around ref resolution

Update to version 2.5.0:

* Improved performance on CPython by adding caching around ref
  resolution (#203)

Update to version 2.4.0:

* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)

- Install /usr/bin/jsonschema with update-alternatives support

python-nose2 was updated to 0.9.1:

* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
  no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:

List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0

Update to 0.7.0:

* Added parameterized_class feature, for parameterizing entire test
  classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
  https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
  https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
  https://github.com/wolever/parameterized/pull/49)

python-scandir was included in version 2.3.2.

python-requests was updated to version 2.20.1 (bsc#1111622)

* Fixed bug with unintended Authorization header stripping for
  redirects using default ports (http/80, https/443).


* remove restriction for urllib3 < 1.24

Update to version 2.20.0:

* Bugfixes
  + Content-Type header parsing is now case-insensitive
    (e.g. charset=utf8 v Charset=utf8).
  + Fixed exception leak where certain redirect urls would raise
    uncaught urllib3 exceptions.
  + Requests removes Authorization header from requests redirected
    from https to http on the same hostname. (CVE-2018-18074)
  + should_bypass_proxies now handles URIs without hostnames
    (e.g. files).
* Dependencies
  + Requests now supports urllib3 v1.24.
* Deprecations
  + Requests has officially stopped support for Python 2.6.

Update to version 2.19.1:

* Fixed issue where status_codes.py’s init function failed trying
  to append to a __doc__ value of None.

Update to version 2.19.0:

* Improvements
  + Warn about possible slowdown with cryptography version < 1.3.4
  + Check host in proxy URL, before forwarding request to adapter.
  + Maintain fragments properly across redirects. (RFC7231 7.1.2)
  + Removed use of cgi module to expedite library load time.
  + Added support for SHA-256 and SHA-512 digest auth algorithms.
  + Minor performance improvement to Request.content.
  + Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
  + Parsing empty Link headers with parse_header_links() no longer
    return one bogus entry.
  + Fixed issue where loading the default certificate bundle from
    a zip archive would raise an IOError.
  + Fixed issue with unexpected ImportError on windows system
    which do not support winreg module.
  + DNS resolution in proxy bypass no longer includes the username
    and password in the request. This also fixes the issue of DNS
    queries failing on macOS.
  + Properly normalize adapter prefixes for url comparison.
  + Passing None as a file pointer to the files param no longer
    raises an exception.
  + Calling copy on a RequestsCookieJar will now preserve the
    cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.

update to version 2.18.4:

* Improvements
  + Error messages for invalid headers now include the header name
    for easier debugging
* Dependencies
  + We now support idna v2.6.

update to version 2.18.3:

* Improvements
  + Running $ python -m requests.help now includes the installed
    version of idna.
* Bugfixes
  + Fixed issue where Requests would raise ConnectionError instead
    of SSLError when encountering SSL problems when using urllib3
    v1.22.


-----------------------------------------
Patch: SUSE-2020-561
Released: Mon Mar  2 17:24:59 2020
Summary: Recommended update for elfutils
Severity: moderate
References: 1110929,1157578
Description:
This update for elfutils fixes the following issues:

- Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
- Fix for '.ko' file corruption in debug info. (bsc#1110929)


-----------------------------------------
Patch: SUSE-2020-569
Released: Tue Mar  3 11:43:43 2020
Summary: Security update for libpng16
Severity: moderate
References: 1124211,1141493,CVE-2017-12652,CVE-2019-7317
Description:
This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
  png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).


-----------------------------------------
Patch: SUSE-2020-571
Released: Tue Mar  3 13:23:35 2020
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1162518
Description:
This update for cyrus-sasl fixes the following issues:

- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)


-----------------------------------------
Patch: SUSE-2020-596
Released: Thu Mar  5 15:23:51 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1010996,1071152,1071390,1082318,1100415,1154871,1160160
Description:
This update for ca-certificates-mozilla fixes the following issues:

The following non-security bugs were fixed:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

- Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
- Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
- Use %license instead of %doc (bsc#1082318).
- Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).


-----------------------------------------
Patch: SUSE-2020-608
Released: Fri Mar  6 14:59:10 2020
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1165270
Description:
This update for mozilla-nss fixes the following issues:

- Package also the cmac.h needed by blapi.h, needed for building tomcat (bsc#1165270)


-----------------------------------------
Patch: SUSE-2020-623
Released: Mon Mar  9 16:17:26 2020
Summary: Security update for gd
Severity: moderate
References: 1050241,1140120,1165471,CVE-2017-7890,CVE-2018-14553,CVE-2019-11038
Description:
This update for gd fixes the following issues:

- CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241).
- CVE-2018-14553: Fixed a null pointer dereference in gdImageClone() (bsc#1165471).
- CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120).


-----------------------------------------
Patch: SUSE-2020-652
Released: Thu Mar 12 09:53:23 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: important
References: 1165915,1165919,1166301
Description:
This update for ca-certificates-mozilla fixes the following issues:

This reverts a previous change to the generated pem structure, as it
require a p11-kit tools update installed first, which can not always
ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)


-----------------------------------------
Patch: SUSE-2020-663
Released: Thu Mar 12 17:31:31 2020
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1166334
Description:
This update for suse-build-key fixes the following issues:

- created a new security_at_suse.de key for email communication (bsc#1166334)


-----------------------------------------
Patch: SUSE-2020-708
Released: Wed Mar 18 06:48:30 2020
Summary: Recommended update for growpart
Severity: moderate
References: 1164736
Description:
This update for growpart fixes the following issues:

- Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736)


-----------------------------------------
Patch: SUSE-2020-747
Released: Tue Mar 31 13:26:56 2020
Summary: Recommended update for supportutils
Severity: important
References: 1157852,1162539,1165474,1165475,1166128,1166774,915888
Description:
This update for supportutils fixes the following issues:

- Replaced obsolete Novell with SUSE FTP servers. (bsc#1165475)
- Implement core file validation and fix for hanging if the corefile is a directory. (bsc#1166128)
- Fix by adding default upload targets in 'getappcore'. (bsc#1165474)
- Changed filename prefixes for SUSE Customer Center. (bsc#1166774)
- Fix the issue when supportconfig is not collecting specific log files for power. (bsc#1162539, bsc#1157852)
- Fixed s390x typo. (bsc#915888)


-----------------------------------------
Patch: SUSE-2020-911
Released: Fri Apr  3 10:47:03 2020
Summary: Security update for libpng12
Severity: moderate
References: 1141493,CVE-2017-12652
Description:
This update for libpng12 fixes the following issues:

Security issue fixed:

- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).


-----------------------------------------
Patch: SUSE-2020-920
Released: Fri Apr  3 17:13:04 2020
Summary: Security update for libxslt
Severity: moderate
References: 1154609,CVE-2019-18197
Description:
This update for libxslt fixes the following issue:

- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).


-----------------------------------------
Patch: SUSE-2020-394
Released: Tue Apr 14 17:25:16 2020
Summary: Security update for gcc9
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847
Description:
This update for gcc9 fixes the following issues:

The GNU Compiler Collection is shipped in version 9.

A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html

The compilers have been added to the SUSE Linux Enterprise Toolchain Module.

To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.


For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)


-----------------------------------------
Patch: SUSE-2020-1043
Released: Tue Apr 21 09:33:47 2020
Summary: Recommended update for libreoffice, QR-Code-generator, boost, myspell-dictionaries, xmlsec1
Severity: moderate
References: 1161816,1162152,1167223
Description:
This update for libreoffice, QR-Code-generator, boost, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223)

Full Release Notes can be found on:

        https://wiki.documentfoundation.org/ReleaseNotes/6.4


xmlsec1 was update to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install
  just xmlsec1

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

QR-Code-generator was shipped new in support of LibreOffice.

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice



-----------------------------------------
Patch: SUSE-2020-1057
Released: Tue Apr 21 17:14:07 2020
Summary: Security update for puppet
Severity: moderate
References: 1167645,CVE-2020-7942
Description:
This update for puppet fixes the following issues:

- CVE-2020-7942: Added a warning for a vulnerable configuration option, which could allow
  for information disclosure in certain setups. Disabling it my break some setups. (bsc#1167645)


-----------------------------------------
Patch: SUSE-2020-1045
Released: Thu Apr 23 11:32:45 2020
Summary: Security update for cups
Severity: important
References: 1168422,CVE-2020-3898
Description:
This update for cups fixes the following issues:

- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).


-----------------------------------------
Patch: SUSE-2020-1168
Released: Mon May  4 14:06:46 2020
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1162879
Description:
This update for libgcrypt fixes the following issues:

- FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)


-----------------------------------------
Patch: SUSE-2020-1180
Released: Tue May  5 10:54:36 2020
Summary: Security update for icu
Severity: moderate
References: 1166844,CVE-2020-10531
Description:
This update for icu fixes the following issues:

- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).


-----------------------------------------
Patch: SUSE-2020-1210
Released: Thu May  7 10:37:52 2020
Summary: Security update for openldap2
Severity: important
References: 1143194,1143273,1170771,CVE-2019-13057,CVE-2019-13565,CVE-2020-12243
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
- CVE-2019-13565: Fixed an authentication bypass caused by incorrect authorization of another connection, granting excess connection rights (bsc#1143194).
- CVE-2019-13057: Fixed an issue with improper authorization with delegated database admin privileges (bsc#1143273).


-----------------------------------------
Patch: SUSE-2020-1285
Released: Fri May 15 09:52:34 2020
Summary: Security update for python-PyYAML
Severity: important
References: 1165439,CVE-2020-1747
Description:
This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).


-----------------------------------------
Patch: SUSE-2020-1306
Released: Mon May 18 09:53:45 2020
Summary: Recommended update for psmisc
Severity: moderate
References: 1170247
Description:
This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint. (bsc#1170247)


-----------------------------------------
Patch: SUSE-2020-1312
Released: Mon May 18 10:36:15 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1169582
Description:
This update for timezone fixes the following issues:

- timezone update 2020a (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.


-----------------------------------------
Patch: SUSE-2020-1329
Released: Mon May 18 17:17:54 2020
Summary: Recommended update for gcc9
Severity: moderate
References: 1149995,1152590,1167898
Description:
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go



-----------------------------------------
Patch: SUSE-2020-822
Released: Fri May 22 10:59:33 2020
Summary: Recommended update for pam
Severity: moderate
References: 1166510
Description:
This update for pam fixes the following issues:

- Moved pam_userdb to a separate package pam-extra  (bsc#1166510)


-----------------------------------------
Patch: SUSE-2020-1403
Released: Mon May 25 15:20:08 2020
Summary: Recommended update for tcsh
Severity: moderate
References: 1163593
Description:
This update for tcsh fixes the following issues:

- Fix for an issue with SLES4SAP when csh occurs system slowness and consumes a lot of memory due to '.history' corruption. (bsc#1163593)
  

-----------------------------------------
Patch: SUSE-2020-1489
Released: Wed May 27 18:29:21 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1172055
Description:
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)


-----------------------------------------
Patch: SUSE-2020-1491
Released: Wed May 27 18:31:36 2020
Summary: Recommended update for groff
Severity: low
References: 1055985
Description:
This update for groff fixes the following issues:

- removed broken /usr/share/groff/1.22.2/current symlink (bsc#1055985)
  moved /usr/share/doc/packages/groff/pdf/mom-pdf.pdf
  to groff-doc package

- removed broken /usr/share/groff/1.22.2/current symlink (bsc#1055985)
  moved /usr/share/doc/packages/groff/pdf/mom-pdf.pdf
  to groff-doc package


-----------------------------------------
Patch: SUSE-2020-1534
Released: Thu Jun  4 10:34:50 2020
Summary: Security update for libexif
Severity: moderate
References: 1055857,1059893,1120943,1160770,1171475,1171847,1172105,1172116,1172121,CVE-2016-6328,CVE-2017-7544,CVE-2018-20030,CVE-2019-9278,CVE-2020-0093,CVE-2020-12767,CVE-2020-13112,CVE-2020-13113,CVE-2020-13114
Description:
This update for libexif fixes the following issues:

Security issues fixed:

- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).

Non-security issues fixed:

- libexif was updated to version 0.6.22:
  * New translations: ms
  * Updated translations for most languages
  * Some useful EXIF 2.3 tag added:
    * EXIF_TAG_GAMMA
    * EXIF_TAG_COMPOSITE_IMAGE
    * EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
    * EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
    * EXIF_TAG_GPS_H_POSITIONING_ERROR
    * EXIF_TAG_CAMERA_OWNER_NAME
    * EXIF_TAG_BODY_SERIAL_NUMBER
    * EXIF_TAG_LENS_SPECIFICATION
    * EXIF_TAG_LENS_MAKE
    * EXIF_TAG_LENS_MODEL
    * EXIF_TAG_LENS_SERIAL_NUMBER


-----------------------------------------
Patch: SUSE-2020-1536
Released: Thu Jun  4 11:03:58 2020
Summary: Recommended update for puppet
Severity: moderate
References: 1171711
Description:
This update for puppet fixes the following issues:

- Fix for config tags to avoid overwrite the user defined  configuration files during package updates. (bsc#1171711)


-----------------------------------------
Patch: SUSE-2020-1550
Released: Mon Jun  8 09:29:49 2020
Summary: Security update for vim
Severity: moderate
References: 1172031,1172225,CVE-2019-20807
Description:
This update for vim fixes the following issues:

- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim 
  was possible using interfaces (bsc#1172225 and bsc#1172031).	  


-----------------------------------------
Patch: SUSE-2020-1570
Released: Tue Jun  9 11:15:12 2020
Summary: Security update for ruby2.1
Severity: important
References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275,CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
Description:
This update for ruby2.1 fixes the following issues:

Security issues fixed:

- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).

Non-security issue fixed:

- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).

Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)


-----------------------------------------
Patch: SUSE-2020-1577
Released: Tue Jun  9 14:19:21 2020
Summary: Recommended update for openslp
Severity: moderate
References: 1117969,1136136
Description:
This update for openslp fixes the following issues:

- Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
- Fix segfault in predicate match if a registered service has
  a malformed attribute list (bsc#1136136)


-----------------------------------------
Patch: SUSE-2020-1612
Released: Fri Jun 12 09:43:17 2020
Summary: Security update for adns
Severity: important
References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109
Description:
This update for adns fixes the following issues:
	  
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
  which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of 
  service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).


-----------------------------------------
Patch: SUSE-2020-1619
Released: Fri Jun 12 12:03:20 2020
Summary: Security update for audiofile
Severity: low
References: 1100523,CVE-2018-13440
Description:
This update for audiofile fixes the following issues:

Security issue fixed:

- CVE-2018-13440: Return AF_FAIL instead of causing NULL pointer dereferences later (bsc#1100523).


-----------------------------------------
Patch: SUSE-2020-1662
Released: Thu Jun 18 11:13:05 2020
Summary: Security update for perl
Severity: important
References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
Description:
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have 
  allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of 
  instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a 
  compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built. 
  This update will solve the issues caused by calling the perl function timelocal
  expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)


-----------------------------------------
Patch: SUSE-2020-1732
Released: Wed Jun 24 09:42:55 2020
Summary: Security update for curl
Severity: important
References: 1173027,CVE-2020-8177
Description:
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).


-----------------------------------------
Patch: SUSE-2020-1794
Released: Mon Jun 29 11:09:55 2020
Summary: Security update for mutt
Severity: important
References: 1172906,1172935,1173197,CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Description:
This update for mutt fixes the following issues:

- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
  affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
  proceeding with a connection (bsc#1172906, bsc#1172935).


-----------------------------------------
Patch: SUSE-2020-1796
Released: Mon Jun 29 13:27:56 2020
Summary: Security update for unzip
Severity: moderate
References: 1110194,CVE-2018-18384
Description:
This update for unzip fixes the following issues:

- CVE-2018-18384: Fixed a buffer overflow when listing files (bsc#1110194)



-----------------------------------------
Patch: SUSE-2020-1839
Released: Fri Jul  3 12:46:12 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: important
References: 1159819,1168669,1169746,1170908,1171978,1173022,CVE-2019-17006,CVE-2020-12399,CVE-2020-12402
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1

- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).

Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25


-----------------------------------------
Patch: SUSE-2020-2059
Released: Tue Jul 28 11:32:56 2020
Summary: Recommended update for grep
Severity: moderate
References: 1163834
Description:
This update for grep fixes the following issues:

Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834)


-----------------------------------------
Patch: SUSE-2020-2117
Released: Tue Aug  4 15:14:39 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)


-----------------------------------------
Patch: SUSE-2020-2173
Released: Fri Aug  7 16:11:16 2020
Summary: Security update for perl-XML-Twig
Severity: moderate
References: 1008644,CVE-2016-9180
Description:
This update for perl-XML-Twig fixes the following issues:

- Security fix [bsc#1008644, CVE-2016-9180]
  * Added: the no_xxe option to XML::Twig::new, which causes the
    parse to fail if external entities are used (to prevent
    malicious XML to access the filesystem).
  * Setting expand_external_ents to 0 or -1 currently doesn't work
    as expected; To completely turn off expanding external entities
    use no_xxe.
  * Update documentation for XML::Twig to mention problems with
    expand_external_ents and add information about new no_xxe argument


-----------------------------------------
Patch: SUSE-2020-2196
Released: Tue Aug 11 13:31:24 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).


-----------------------------------------
Patch: SUSE-2020-2261
Released: Tue Aug 18 11:48:30 2020
Summary: Recommended update for sysfsutils
Severity: moderate
References: 1155305
Description:
This update for sysfsutils fixes the following issue:

- Fix cdev name comparison. (bsc#1155305)


-----------------------------------------
Patch: SUSE-2020-2287
Released: Thu Aug 20 16:07:37 2020
Summary: Recommended update for grep
Severity: moderate
References: 1174080
Description:
This update for grep fixes the following issues:

- Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080)


-----------------------------------------
Version 0.0.4-Build1.840 2020-09-02T07:54:24

-----------------------------------------
Patch: SUSE-2020-2410
Released: Tue Sep  1 13:15:48 2020
Summary: Recommended update for pam
Severity: low
References: 1173593
Description:

This update of pam fixes the following issue:

- On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com
  a pam version with a higher release number than the last update of pam
  was delivered. This update releases pam with a  higher release number
  to align it with this media. (bsc#1173593)
  

-----------------------------------------
Patch: SUSE-2020-2428
Released: Tue Sep  1 22:07:35 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1174673
Description:
This update for ca-certificates-mozilla fixes the following issues:

Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

- AddTrust External CA Root
- AddTrust Class 1 CA Root
- LuxTrust Global Root 2
- Staat der Nederlanden Root CA - G2
- Symantec Class 1 Public Primary Certification Authority - G4
- Symantec Class 2 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

- certSIGN Root CA G2
- e-Szigno Root CA 2017
- Microsoft ECC Root Certificate Authority 2017
- Microsoft RSA Root Certificate Authority 2017


-----------------------------------------
Version 0.0.4-Build1.841 2020-09-04T07:54:17

-----------------------------------------
Patch: SUSE-2020-2475
Released: Thu Sep  3 12:10:58 2020
Summary: Security update for libX11
Severity: moderate
References: 1175239,CVE-2020-14363
Description:
This update for libX11 fixes the following issues:

- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).


-----------------------------------------
Version 0.0.4-Build1.843 2020-09-09T07:54:28

-----------------------------------------
Patch: SUSE-2020-2570
Released: Tue Sep  8 14:59:35 2020
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1172491,CVE-2020-13790
Description:
This update for libjpeg-turbo fixes the following issues:

- CVE-2020-13790: Fixed a heap-based buffer over-read via a malformed PPM input file (bsc#1172491).


-----------------------------------------
Version 0.0.4-Build1.844 2020-09-10T07:54:05

-----------------------------------------
Patch: SUSE-2020-2587
Released: Wed Sep  9 22:03:04 2020
Summary: Recommended update for procps
Severity: moderate
References: 1174660
Description:
This update for procps fixes the following issues:

- Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)


-----------------------------------------
Version 0.0.4-Build1.848 2020-09-23T08:17:55

-----------------------------------------
Patch: SUSE-2020-2687
Released: Mon Sep 21 10:54:58 2020
Summary: Security update for less
Severity: moderate
References: 921719,CVE-2014-9488
Description:
This update for less fixes the following issues:

Security issue fixed:

- CVE-2014-9488: Malformed UTF-8 data could have caused an out of bounds read in 
  the UTF-8 decoding routines, causing an invalid read access (bsc#921719).


-----------------------------------------
Patch: SUSE-2020-2690
Released: Mon Sep 21 10:57:00 2020
Summary: Security update for jasper
Severity: low
References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807,CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
Description:
This update for jasper fixes the following issues:

- CVE-2016-9398: Improved patch for already fixed issue (bsc#1010979).
- CVE-2016-9399: Fix assert in calcstepsizes (bsc#1010980).
- CVE-2016-9397: Fix assert in jpc_dequantize (bsc#1010786).
- CVE-2016-9557: Fix signed integer overflow (bsc#1011829).
- CVE-2017-5499: Validate component depth bit (bsc#1020451).
- CVE-2017-5503: Check bounds in jas_seq2d_bindsub() (bsc#1020456).
- CVE-2017-5504: Check bounds in jas_seq2d_bindsub() (bsc#1020458).
- CVE-2017-5505: Check bounds in jas_seq2d_bindsub() (bsc#1020460).
- CVE-2017-14132: Fix heap base overflow in by checking components (bsc#1057152).
- CVE-2018-9154: Fixed a potential denial of service in jpc_dec_process_sot() (bsc#1092115).
- CVE-2018-9252: Fix reachable assertion in jpc_abstorelstepsize (bsc#1088278).
- CVE-2018-18873: Fix null pointer deref in ras_putdatastd (bsc#1114498).
- CVE-2018-19139: Fix mem leaks by registering jpc_unk_destroyparms (bsc#1115637).
- CVE-2018-19543, bsc#1045450 CVE-2017-9782: Fix numchans mixup (bsc#1117328).
- CVE-2018-20570: Fix heap based buffer over-read in jp2_encode (bsc#1120807).
- CVE-2018-20622: Fix memory leak in jas_malloc.c (bsc#1120805).


-----------------------------------------
Patch: SUSE-2020-2711
Released: Tue Sep 22 17:06:59 2020
Summary: Security update for libmspack
Severity: moderate
References: 1113038,1113039,1130489,1141680,CVE-2018-18584,CVE-2018-18585,CVE-2019-1010305
Description:
This update for libmspack fixes the following issues:

Security issues fixed:

- CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file
  which could have led to information disclosure (bsc#1141680).
- CVE-2018-18584: The CAB block input buffer was one byte too small for the 
  maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)
- CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its 
  first or second character (such as the '/\0' name). (bsc#1113039)
- Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.


-----------------------------------------
Version 0.0.4-Build1.850 2020-10-01T07:55:31

-----------------------------------------
Patch: SUSE-2020-2802
Released: Wed Sep 30 09:59:28 2020
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1174697
Description:
This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)


-----------------------------------------
Patch: SUSE-2020-2806
Released: Wed Sep 30 14:36:08 2020
Summary: Security update for tar
Severity: moderate
References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923
Description:
This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).


-----------------------------------------
Version 0.0.4-Build1.853 2020-10-15T07:59:02

-----------------------------------------
Patch: SUSE-2020-2897
Released: Tue Oct 13 14:00:25 2020
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1170347,1176759
Description:
This update for suse-build-key fixes the following issues:

- This update extends the suse build key (bsc#1176759)
- The SUSE container key is different from the build key. (PM-1845 bsc#1170347)


-----------------------------------------
Version 0.0.4-Build1.854 2020-10-17T07:59:33

-----------------------------------------
Patch: SUSE-2020-2942
Released: Fri Oct 16 09:47:36 2020
Summary: Security update for blktrace
Severity: low
References: 1091942,CVE-2018-10689
Description:
blktrace was updated to fix a security issue:

- CVE-2018-10689: Prevent buffer overflow in the dev_map_read function because
  the device and devno arrays were too small (bsc#1091942)
  

-----------------------------------------
Version 0.0.4-Build1.856 2020-10-21T07:59:21

-----------------------------------------
Patch: SUSE-2020-2959
Released: Tue Oct 20 12:33:48 2020
Summary: Recommended update for file
Severity: moderate
References: 1176123
Description:
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)


-----------------------------------------
Version 0.0.4-Build1.857 2020-10-26T09:41:08

-----------------------------------------
Patch: SUSE-2020-3023
Released: Fri Oct 23 14:21:32 2020
Summary: Security update for libcdio
Severity: low
References: 1082821,CVE-2017-18199
Description:
This update for libcdio fixes the following issues:

The following security vulnerability was addressed:

- CVE-2017-18199: Fixed a NULL pointer dereference in  realloc_symlink in
  rock.c, which allowed remote attackers to cause a denial of service via a
  crafted ISO file. (bsc#1082821)


-----------------------------------------
Version 0.0.4-Build1.858 2020-10-27T07:58:07

-----------------------------------------
Patch: SUSE-2020-3030
Released: Mon Oct 26 09:24:19 2020
Summary: Security update for SDL
Severity: moderate
References: 1141844,CVE-2019-13616
Description:
This update for SDL fixes the following issues:

Secuirty issue fixed:

- CVE-2019-13616: Fixed heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit (bsc#1141844).


-----------------------------------------
Version 0.0.4-Build1.859 2020-10-30T07:59:43

-----------------------------------------
Patch: SUSE-2020-3096
Released: Thu Oct 29 18:08:01 2020
Summary: Security update for python-Jinja2
Severity: important
References: 1125815,1132323,CVE-2019-10906,CVE-2019-8341
Description:
This update for python-Jinja2 fixes the following issues:

- CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).
- CVE-2019-8341: Fixed a command injection in function from_string (bsc#1125815).


-----------------------------------------
Patch: SUSE-2020-3100
Released: Thu Oct 29 19:34:18 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.


-----------------------------------------
Version 0.0.4-Build1.862 2020-11-06T08:01:01

-----------------------------------------
Patch: SUSE-2020-3133
Released: Tue Nov  3 12:11:36 2020
Summary: Security update for opensc
Severity: low
References: 1122756,CVE-2019-6502
Description:
This update for opensc fixes the following issues:

Security issue fixed:

- CVE-2019-6502: Fixed a memory leak in sc_context_create() (bsc#1122756).


-----------------------------------------
Patch: SUSE-2020-3139
Released: Tue Nov  3 13:18:28 2020
Summary: Recommended update for timezone
Severity: important
References: 1177460,1178346,1178350,1178353
Description:
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24.
- Fiji starts DST later than usual, on 2020-12-20.


-----------------------------------------
Patch: SUSE-2020-3156
Released: Wed Nov  4 15:21:49 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1177864
Description:
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority


-----------------------------------------
Version 0.0.4-Build1.864 2020-11-11T08:00:09

-----------------------------------------
Patch: SUSE-2020-3263
Released: Tue Nov 10 09:48:14 2020
Summary: Security update for gcc10
Severity: moderate
References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
Description:
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

        CC=gcc-10
        CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
  

-----------------------------------------
Version 0.0.4-Build1.866 2020-11-18T08:00:50

-----------------------------------------
Patch: SUSE-2020-3360
Released: Tue Nov 17 13:40:54 2020
Summary: Security update for tcpdump
Severity: moderate
References: 1153098,1153332,1178466,CVE-2017-16808,CVE-2018-10103,CVE-2018-10105,CVE-2018-14461,CVE-2018-14462,CVE-2018-14463,CVE-2018-14464,CVE-2018-14465,CVE-2018-14466,CVE-2018-14467,CVE-2018-14468,CVE-2018-14469,CVE-2018-14470,CVE-2018-14879,CVE-2018-14880,CVE-2018-14881,CVE-2018-14882,CVE-2018-16227,CVE-2018-16228,CVE-2018-16229,CVE-2018-16230,CVE-2018-16300,CVE-2018-16301,CVE-2018-16451,CVE-2018-16452,CVE-2019-1010220,CVE-2019-15166,CVE-2019-15167,CVE-2020-8037
Description:
This update for tcpdump fixes the following issues:

- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).

The previous update of tcpdump already fixed variuous Buffer overflow/overread vulnerabilities [bsc#1153098, bsc#1153332]

- CVE-2017-16808 (AoE)
- CVE-2018-14468 (FrameRelay)
- CVE-2018-14469 (IKEv1)
- CVE-2018-14470 (BABEL)
- CVE-2018-14466 (AFS/RX)
- CVE-2018-14461 (LDP)
- CVE-2018-14462 (ICMP)
- CVE-2018-14465 (RSVP)
- CVE-2018-14464 (LMP)
- CVE-2019-15166 (LMP)
- CVE-2018-14880 (OSPF6)
- CVE-2018-14882 (RPL)
- CVE-2018-16227 (802.11)
- CVE-2018-16229 (DCCP)
- CVE-2018-14467 (BGP)
- CVE-2018-14881 (BGP)
- CVE-2018-16230 (BGP)
- CVE-2018-16300 (BGP)
- CVE-2018-14463 (VRRP)
- CVE-2019-15167 (VRRP)
- CVE-2018-14879 (tcpdump -V)
- CVE-2018-16228 (HNCP) is a duplicate of the already fixed CVE-2019-1010220
- CVE-2018-16301 (fixed in libpcap)
- CVE-2018-16451 (SMB)
- CVE-2018-16452 (SMB)
- CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
- CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)