SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:627-1 Container Tags : suse/sles12sp5:5.2.257 , suse/sles12sp5:latest Container Release : 5.2.257 Severity : important Type : security References : 1000396 1000662 1001299 1003714 1005544 1008325 1009470 1009745 1009966 1010675 1010675 1010845 1010996 1013286 1013930 1014151 1014471 1014873 1015565 1017497 1019276 1020108 1020143 1024989 1025743 1026567 1026825 1027925 1028305 1028410 1029561 1030472 1030476 1030621 1031702 1032445 1032680 1033084 1033085 1033087 1033088 1033089 1033090 1034563 1035062 1035371 1035818 1036304 1036659 1036736 1036895 1037396 1037824 1038189 1038444 1038549 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039661 1039661 1039941 1040613 1040621 1041764 1042326 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1043886 1044232 1044337 1044840 1044887 1044894 1045735 1045735 1045735 1045943 1046417 1046607 1046659 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047785 1047785 1047964 1047965 1048315 1049344 1049577 1049825 1049825 1051626 1052182 1053409 1053671 1054028 1054088 1054671 1055920 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1056995 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1058695 1058722 1058783 1059065 1059723 1061384 1061667 1062561 1062591 1062592 1063269 1064397 1064455 1064455 1064455 1064999 1065083 1065274 1067605 1068565 1068565 1068708 1068967 1069934 1070851 1070878 1070958 1071152 1071390 1071466 1073313 1073879 1074621 1074687 1075449 1075978 1076192 1076415 1076810 1076832 1076909 1077635 1077692 1077993 1078806 1078813 1079334 1079674 1079991 1080078 1081725 1082022 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1083189 1083290 1083671 1083926 1083927 1083946 1084812 1084812 1084842 1085003 1085512 1085664 1086247 1086602 1087481 1087550 1087550 1087930 1088279 1088524 1088601 1088705 1088921 1089640 1089884 1090766 1090766 1090766 1091624 1092100 1092100 1092100 1092413 1093414 1094121 1094222 1095148 1095969 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1096974 1096984 1097410 1097410 1097410 1097665 1098535 1099847 1099982 1100028 1100078 1100396 1100415 1101349 1102046 1102145 1102310 1102429 1102564 1104780 1105166 1105435 1106390 1107067 1107430 1109877 1109893 1110146 1110542 1110661 1110797 1111319 1111973 1112209 1112723 1112726 1112911 1113100 1113117 1113296 1113534 1113652 1113742 1114674 1115500 1115929 1116544 1116995 1117355 1117951 1117993 1119496 1120489 1120629 1120630 1120631 1121446 1121450 1121753 1122729 1123685 1123919 1124847 1125007 1125535 1126117 1126118 1126119 1126613 1127080 1127155 1127223 1127308 1128383 1128574 1128598 1130324 1131291 1131823 1131830 1131994 1132678 1134226 1134550 1135709 1136298 1137977 1139083 1139083 1139937 1139942 1140039 1140914 1141093 1143194 1143273 1144169 1145521 1145716 1146415 1148987 1149429 1150003 1150250 1150734 1152101 1153386 1153557 1154036 1154037 1155199 1157198 408814 556664 658010 661410 829717 888308 888534 889138 889990 892431 894610 896202 896435 898003 899524 899871 900275 900276 901202 901845 902367 903543 905483 906574 906574 906803 907074 907456 908128 908516 910252 910252 910253 910253 911228 911662 912922 913650 913651 917152 917169 918089 918090 919274 920057 920057 920386 922534 924525 924687 924960 924960 926412 926826 927993 928292 928740 929919 930176 931932 932232 932894 933029 933288 933288 933878 933878 934689 934920 936050 936227 936227 937823 938343 938657 939392 939460 940315 941234 941922 942865 942865 943457 943457 944903 945842 945899 952151 952347 953130 953532 953659 953831 953831 954002 954661 955382 955753 957566 957566 957567 957567 957598 957598 957600 957600 959693 960820 960837 960837 962765 963448 964063 964468 965322 965780 965902 966220 967082 967728 967838 968771 969569 970260 970882 971741 971741 972127 972127 972331 973042 979261 979441 979629 979906 980391 981114 981616 983206 983215 983216 984906 985657 986783 986935 987887 988311 992966 994157 994794 996511 999735 CVE-2009-5155 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2015-0837 CVE-2015-1283 CVE-2015-1606 CVE-2015-1607 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-5073 CVE-2015-5073 CVE-2015-5180 CVE-2015-5186 CVE-2015-5276 CVE-2015-7511 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2016-0634 CVE-2016-0718 CVE-2016-10254 CVE-2016-10255 CVE-2016-10739 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3189 CVE-2016-3191 CVE-2016-3191 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-5131 CVE-2016-5300 CVE-2016-6185 CVE-2016-6313 CVE-2016-6318 CVE-2016-7543 CVE-2016-9063 CVE-2016-9318 CVE-2016-9318 CVE-2016-9401 CVE-2016-9597 CVE-2017-0663 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-15088 CVE-2017-15412 CVE-2017-17740 CVE-2017-18258 CVE-2017-5130 CVE-2017-5969 CVE-2017-6512 CVE-2017-6891 CVE-2017-7375 CVE-2017-7376 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7607 CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0734 CVE-2018-1000654 CVE-2018-10360 CVE-2018-10754 CVE-2018-1122 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-1123 CVE-2018-1124 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-16062 CVE-2018-16403 CVE-2018-18310 CVE-2018-18311 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20217 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-20843 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7685 CVE-2018-9251 CVE-2019-12900 CVE-2019-12900 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14866 CVE-2019-1547 CVE-2019-1559 CVE-2019-1563 CVE-2019-15903 CVE-2019-17594 CVE-2019-17595 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9924 SLE-10396 SLE-7081 SLE-7257 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2014:85-1 Released: Tue Nov 4 16:29:29 2014 Summary: Recommended update for dirmngr Type: recommended Severity: moderate References: 901845 This update for dirmngr fixes a segmentation fault at start up. (bnc#901845) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2014:66-1 Released: Thu Nov 6 06:23:15 2014 Summary: Recommended update for gcc48 Type: recommended Severity: moderate References: 899871 This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2014:97-1 Released: Fri Nov 28 10:20:32 2014 Summary: Security update for file Type: security Severity: moderate References: 888308,902367,CVE-2014-3710 file was updated to fix one security issue. This security issue was fixed: - Out-of-bounds read in elf note headers (CVE-2014-3710). This non-security issues was fixed: - Correctly identify GDBM files created by libgdbm4 (bnc#888308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2014:113-1 Released: Tue Dec 2 18:17:57 2014 Summary: Security update for cpio Type: security Severity: moderate References: 658010,907456,CVE-2014-9112 This cpio security update fixes the following buffer overflow issue and two non security issues: - fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112) - prevent cpio from extracting over a symlink (bnc#658010) - fix a truncation check in mt ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:16-1 Released: Thu Dec 11 09:25:27 2014 Summary: Security update for libksba Type: security Severity: moderate References: 907074,CVE-2014-9087 This libksba update fixes the following security issue: - bnc#907074: buffer overflow in OID processing (CVE-2014-9087) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2014:126-1 Released: Fri Dec 19 20:16:00 2014 Summary: Security update for file Type: security Severity: moderate References: 910252,910253,CVE-2014-8116,CVE-2014-8117 This file update fixes the following security issues: - bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116) - bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:50-1 Released: Thu Jan 15 16:33:18 2015 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 888534 The system root SSL certificates were updated to match Mozilla NSS 2.2. Some removed/disabled 1024 bit certificates were temporarily reenabled/readded, as openssl and gnutls have a different handling of intermediates than mozilla nss and would otherwise not recognize SSL certificates from commonly used sites like Amazon. Updated to 2.2 (bnc#888534) - The following CAs were added: + COMODO_RSA_Certification_Authority codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth + USERTrust_ECC_Certification_Authority codeSigning emailProtection serverAuth + USERTrust_RSA_Certification_Authority codeSigning emailProtection serverAuth + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal - The following CAs were changed: + Equifax_Secure_eBusiness_CA_1 remote code signing and https trust, leave email trust + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2 only trust emailProtection - Updated to 2.1 (bnc#888534) - The following 1024-bit CA certificates were removed - Entrust.net Secure Server Certification Authority - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority - TDC Internet Root CA - The following CA certificates were added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 - The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado Temporary reenable some root ca trusts, as openssl/gnutls have trouble using intermediates as root CA. - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - ValiCert Class 1 VA - ValiCert Class 2 VA - RSA Root Certificate 1 - Entrust.net Secure Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:40-1 Released: Thu Jan 15 18:35:11 2015 Summary: Security update for rpm Type: security Severity: important References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118 This rpm update fixes the following security and non-security issues: - bnc#908128: Check for bad invalid name sizes (CVE-2014-8118) - bnc#906803: Create files with mode 0 (CVE-2013-6435) - bnc#892431: Honor --noglob in install mode - bnc#911228: Fix noglob patch, it broke files with space. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:76-1 Released: Fri Jan 30 15:01:03 2015 Summary: Security update for elfutils Type: security Severity: moderate References: 911662,CVE-2014-9447 elfutils was updated to fix one security issue. This security issue was fixed: - Directory traversal vulnerability in the read_long_names function (CVE-2014-9447). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:121-1 Released: Tue Feb 3 16:30:16 2015 Summary: Recommended update for pam Type: recommended Severity: low References: 912922 This update for pam fixes updating of NIS passwords. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:275-1 Released: Wed Mar 18 18:21:44 2015 Summary: Recommended update for procps Type: recommended Severity: low References: 901202,908516 This update for procps provides the following fixes: - Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202) - Fix handling of arguments to -s option in free(1). (bsc#908516) - Correct package name in descriptions: procps, not props. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:296-1 Released: Thu Jun 11 15:46:59 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591 This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements. libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591) FIPS 140-2 related changes: * The library performs its self-tests when the module is complete (the -hmac file is also installed). * Added a NIST 800-90a compliant DRBG. * Change DSA key generation to be FIPS 186-4 compliant. * Change RSA key generation to be FIPS 186-4 compliant. * Enable HW support in fips mode (bnc#896435) * Make DSA selftest use 2048 bit keys (bnc#898003) * Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202) * Various CAVS testing improvements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:361-1 Released: Wed Jul 15 08:26:27 2015 Summary: Recommended update for gcc48, libffi48, libgcj48 Type: recommended Severity: moderate References: 889990,917169,919274,922534,924525,924687,927993,930176,934689 The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements. It includes various bug fixes found by our customers: * Fixes bogus integer overflow in constant expression. [bnc#934689] * Fixes ICE with atomics on aarch64. [bnc#930176] * Includes fix for -imacros bug. [bnc#917169] * Includes fix for incorrect -Warray-bounds warnings. [bnc#919274] * Includes updated -mhotpatch for s390x. [bnc#924525] * Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687] * Includes patches to allow building against ISL 0.14. * Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990] * Fix a reload issue on S390 (GCC PR66306). * Avoid accessing invalid memory when passing aggregates by value. [bnc#922534] ----------------------------------------------------------------- Advisory ID: SUSE-OU-2015:422-1 Released: Tue Jul 28 06:25:51 2015 Summary: The Toolchain module containing GCC 5.2 Type: optional Severity: low References: 926412,936050,937823 This update contains the release of the new SUSE Linux Enterprise Toolchain module. Its major feature is the GNU Compiler Collection 5.2, please see https://gcc.gnu.org/gcc-5/changes.html for important changes. This update also includes a version update of binutils to 2.25 release branch to provide features and bugfixes. Following features have been added to binutils: * IBM zSeries z13 hardware support (fate#318036, bnc#936050). * various IBM Power8 improvements (fate#318238, bnc#926412). * AVX512 support on the Intel EM64T platform (fate#318520). The GNU Debugger gdb was updated to version 7.9.1 bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:500-1 Released: Mon Aug 17 11:36:33 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 920057,938343,CVE-2015-0837 This update fixes the following issues: Security: * Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057) Bugfixes: * don't drop privileges when locking secure memory (bsc#938343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:530-1 Released: Wed Aug 26 03:07:07 2015 Summary: Recommended update for sed Type: recommended Severity: low References: 933029 This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:568-1 Released: Wed Sep 16 13:30:12 2015 Summary: Recommended update for grep Type: recommended Severity: low References: 920386 This update for grep fixes undefined behaviour with -P and non-utf-8 data. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:922-1 Released: Tue Dec 22 08:44:25 2015 Summary: Security update for gpg2 Type: security Severity: moderate References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607 The gpg2 package was updated to fix the following security and non security issues: - CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089). - CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090). - bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:869-1 Released: Wed Dec 23 10:01:16 2015 Summary: Recommended update for libksba Type: security Severity: moderate References: 926826 The libksba package was updated to fix the following security issues: - Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:862-1 Released: Wed Dec 23 17:40:51 2015 Summary: Recommended update for acl Type: recommended Severity: moderate References: 945899 This update for acl provides the following fixes: - Fix segmentation fault of getfacl -e on overly long group name. - Make sure that acl_from_text() always sets errno when it fails. - Fix memory and resource leaks in getfacl. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:46-1 Released: Fri Jan 8 12:37:34 2016 Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret Type: recommended Severity: moderate References: 932232 This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode. The various GNOME libraries and tool have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:371-1 Released: Thu Mar 3 15:58:18 2016 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 960820 This update for insserv-compat fixes the name of the ntpd service. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:462-1 Released: Wed Mar 16 18:17:59 2016 Summary: Recommended update for libcap Type: recommended Severity: low References: 967838 This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:543-1 Released: Fri Apr 1 18:44:16 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 970882 This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:565-1 Released: Wed Apr 6 16:26:42 2016 Summary: Security update for gcc5 Type: security Severity: moderate References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276 The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements. The following security issue has been fixed: - Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842) The following non-security issues have been fixed: - Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220) - Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468) - Fix HTM built-ins on PowerPC. (bsc#955382) - Fix libgo certificate lookup. (bsc#953831) - Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460) - Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002) - Revert accidental libffi ABI breakage on aarch64. (bsc#968771) - On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586. - Add experimental File System TS library. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:587-1 Released: Fri Apr 8 17:06:56 2016 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 973042 The root SSL certificate store ca-certificates-mozilla was updated to version 2.7 of the Mozilla NSS equivalent. (bsc#973042) - Newly added CAs: * CA WoSign ECC Root * Certification Authority of WoSign * Certification Authority of WoSign G2 * Certinomis - Root CA * Certum Trusted Network CA 2 * CFCA EV ROOT * COMODO RSA Certification Authority * DigiCert Assured ID Root G2 * DigiCert Assured ID Root G3 * DigiCert Global Root G2 * DigiCert Global Root G3 * DigiCert Trusted Root G4 * Entrust Root Certification Authority - EC1 * Entrust Root Certification Authority - G2 * GlobalSign * IdenTrust Commercial Root CA 1 * IdenTrust Public Sector Root CA 1 * OISTE WISeKey Global Root GB CA * QuoVadis Root CA 1 G3 * QuoVadis Root CA 2 G3 * QuoVadis Root CA 3 G3 * Staat der Nederlanden EV Root CA * Staat der Nederlanden Root CA - G3 * S-TRUST Universal Root CA * SZAFIR ROOT CA2 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * USERTrust ECC Certification Authority * USERTrust RSA Certification Authority * 沃通根证书 - Removed CAs: * AOL CA * A Trust nQual 03 * Buypass Class 3 CA 1 * CA Disig * Digital Signature Trust Co Global CA 1 * Digital Signature Trust Co Global CA 3 * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi * NetLock Expressz (Class C) Tanusitvanykiado * NetLock Kozjegyzoi (Class A) Tanusitvanykiado * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado * NetLock Uzleti (Class B) Tanusitvanykiado * SG TRUST SERVICES RACINE * Staat der Nederlanden Root CA * TC TrustCenter Class 2 CA II * TC TrustCenter Universal CA I * TDC Internet Root CA * UTN DATACorp SGC Root CA * Verisign Class 1 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * Verisign Class 3 Public Primary Certification Authority - G2 - Removed server trust from: * AC Raíz Certicámara S.A. * ComSign Secured CA * NetLock Uzleti (Class B) Tanusitvanykiado * NetLock Business (Class B) Root * NetLock Expressz (Class C) Tanusitvanykiado * TC TrustCenter Class 3 CA II * TURKTRUST Certificate Services Provider Root 1 * TURKTRUST Certificate Services Provider Root 2 * Equifax Secure Global eBusiness CA-1 * Verisign Class 4 Public Primary Certification Authority G3 - Enable server trust for: * Actalis Authentication Root CA ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:636-1 Released: Mon Apr 18 09:18:19 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 965902,CVE-2015-7511 libgcrypt was updated to fix one security issue. This security issue was fixed: - CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:643-1 Released: Tue Apr 19 09:23:39 2016 Summary: Recommended update for bzip2 Type: recommended Severity: low References: 970260 This update for bzip2 fixes the following issues: - Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:835-1 Released: Wed May 25 18:27:30 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 979629 This update for libgcrypt fixes the following issue: - Fix failing reboot after installing fips pattern (bsc#979629) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:898-1 Released: Tue Jun 7 09:48:12 2016 Summary: Security update for expat Type: security Severity: important References: 979441,980391,CVE-2015-1283,CVE-2016-0718 This update for expat fixes the following issues: Security issue fixed: - CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441) - CVE-2015-1283: Fix multiple integer overflows. (bnc#980391) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:900-1 Released: Tue Jun 7 10:58:37 2016 Summary: Security update for libksba Type: security Severity: moderate References: 979261,979906,CVE-2016-4574,CVE-2016-4579 This update for libksba fixes the following issues: - CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl() - CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261) Also adding reliability fixes from v1.3.4. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:987-1 Released: Wed Jun 22 14:32:18 2016 Summary: Recommended update for procps Type: recommended Severity: low References: 981616 This update for procps fixes the following issues: - Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1028-1 Released: Thu Jul 7 11:50:47 2016 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 986935 This update for findutils fixes the following issues: - find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1205-1 Released: Thu Aug 11 15:02:18 2016 Summary: Recommended update for rpm Type: recommended Severity: low References: 829717,894610,940315,953532,965322,967728 This update for rpm provides the following fixes: - Add is_opensuse and leap_version macros to suse_macros. (bsc#940315) - Add option to make postinstall scriptlet errors fatal. (bsc#967728) - Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322) - Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1247-1 Released: Fri Aug 19 12:58:39 2016 Summary: Security update for cracklib Type: security Severity: moderate References: 992966,CVE-2016-6318 This update for cracklib fixes the following issues: - Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1326-1 Released: Thu Sep 8 11:37:44 2016 Summary: Security update for perl Type: security Severity: moderate References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185 This update for Perl fixes the following issues: - CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311) - CVE-2016-1238: Searching current directory for optional modules. (bsc#987887) - CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc) - CVE-2016-2381: Environment dup handling bug. (bsc#967082) - 'Insecure dependency in require' error in taint mode. (bsc#984906) - Memory leak in 'use utf8' handling. (bsc#928292) - Missing lock prototype to the debugger. (bsc#932894) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2016:1358-1 Released: Thu Sep 15 20:54:21 2016 Summary: Optional update for gcc6 Type: optional Severity: low References: 983206 This update ships the GNU Compiler Collection (GCC) in version 6.2. This update is shipped in two parts: - SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries. - SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update. Changes: - The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98. Generic Optimization improvements: - UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays. - Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly. - Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization. - Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined. - Various Link-time optimization improvements. - Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the of inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters. - Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification. C language specific improvements: - Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers. - Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings, - Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code. - The C and C++ compilers now offer suggestions for misspelled field names. - New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain. - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall. - The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file. C improvements: - It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects. - A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. - The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. - Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect. - The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions. - -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used. - Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900. An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1370-1 Released: Wed Sep 21 12:58:14 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 994157,CVE-2016-6313 This update for libgcrypt fixes the following issues: - RNG prediction vulnerability (bsc#994157, CVE-2016-6313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1841-1 Released: Fri Dec 16 14:57:16 2016 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1014151 This update for suse-build-key extends the lifetime of the build@suse.de GPG key that is signing the SUSE Linux Enterprise 12 repositories. (bsc#1014151) UID: pub 2048R/39DB7C82 2013-01-31 [expires: 2020-12-06] uid SuSE Package Signing Key ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. (bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. - Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 This update for gcc5 fixes the version of libffi in its pkg-config configuration file. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:962-1 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Type: security Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:985-1 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1042326,931932,CVE-2017-9526 This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1036-1 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1040-1 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Type: recommended Severity: low References: 1043237 This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1082-1 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1045943 This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1086-1 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1116-1 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1046607,CVE-2017-7526 This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1119-1 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Type: security Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1160-1 Released: Fri Jul 14 17:20:26 2017 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1031702 This update for openldap2 provides the following fix: - Fix a regression in handling of non-blocking connection (bsc#1031702) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. (bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1644-1 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Type: security Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 This update for krb5 fixes several issues. This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. * there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. (bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. - Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. - Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. (bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 This update for file fixes detection of JPEG files. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:146-1 Released: Thu Jan 25 11:44:23 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1064397,1065083 This update for openldap2 provides the following fixes: - Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083) - Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:209-1 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 This update for ncurses fixes several issues. These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have lead to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have lead to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial of service attack (bsc#1056131). - CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have lead to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have lead to a remote denial of service attack (bsc#1056136). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:214-1 Released: Tue Jan 30 14:37:42 2018 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1076832,CVE-2018-6003 This update for libtasn1 fixes one issue. This security issue was fixed: - CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding BER encoded structure allowed for DoS (bsc#1076832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:265-1 Released: Tue Feb 6 14:58:28 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1010996,1071152,1071390 This update for ca-certificates-mozilla fixes the following issues: The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996) We removed the old 1024 bit legacy CAs that were temporary left in to allow in-chain root certificates as openssl is now able to handle it. Further changes coming from Mozilla: - New Root CAs added: * Amazon Root CA 1: (email protection, server auth) * Amazon Root CA 2: (email protection, server auth) * Amazon Root CA 3: (email protection, server auth) * Amazon Root CA 4: (email protection, server auth) * Certplus Root CA G1: (email protection, server auth) * Certplus Root CA G2: (email protection, server auth) * D-TRUST Root CA 3 2013: (email protection) * GDCA TrustAUTH R5 ROOT: (server auth) * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth) * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth) * ISRG Root X1: (server auth) * LuxTrust Global Root 2: (server auth) * OpenTrust Root CA G1: (email protection, server auth) * OpenTrust Root CA G2: (email protection, server auth) * OpenTrust Root CA G3: (email protection, server auth) * SSL.com EV Root Certification Authority ECC: (server auth) * SSL.com EV Root Certification Authority RSA R2: (server auth) * SSL.com Root Certification Authority ECC: (email protection, server auth) * SSL.com Root Certification Authority RSA: (email protection, server auth) * Symantec Class 1 Public Primary Certification Authority - G4: (email protection) * Symantec Class 1 Public Primary Certification Authority - G6: (email protection) * Symantec Class 2 Public Primary Certification Authority - G4: (email protection) * Symantec Class 2 Public Primary Certification Authority - G6: (email protection) * TrustCor ECA-1: (email protection, server auth) * TrustCor RootCert CA-1: (email protection, server auth) * TrustCor RootCert CA-2: (email protection, server auth) * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth) - Removed root CAs: * AddTrust Public Services Root * AddTrust Public CA Root * AddTrust Qualified CA Root * ApplicationCA - Japanese Government * Buypass Class 2 CA 1 * CA Disig Root R1 * CA WoSign ECC Root * Certification Authority of WoSign G2 * Certinomis - Autorité Racine * Certum Root CA * China Internet Network Information Center EV Certificates Root * CNNIC ROOT * Comodo Secure Services root * Comodo Trusted Services root * ComSign Secured CA * EBG Elektronik Sertifika Hizmet Sağlayıcısı * Equifax Secure CA * Equifax Secure eBusiness CA 1 * Equifax Secure Global eBusiness CA * GeoTrust Global CA 2 * IGC/A * Juur-SK * Microsec e-Szigno Root CA * PSCProcert * Root CA Generalitat Valenciana * RSA Security 2048 v3 * Security Communication EV RootCA1 * Sonera Class 1 Root CA * StartCom Certification Authority * StartCom Certification Authority G2 * S-TRUST Authentication and Encryption Root CA 2005 PN * Swisscom Root CA 1 * Swisscom Root EV CA 2 * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * UTN USERFirst Hardware Root CA * UTN USERFirst Object Root CA * VeriSign Class 3 Secure Server CA - G2 * Verisign Class 1 Public Primary Certification Authority * Verisign Class 2 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * WellsSecure Public Root Certificate Authority * Certification Authority of WoSign * WoSign China - Removed Code Signing rights from a lot of CAs (not listed here). - Removed Server Auth rights from: * AddTrust Low-Value Services Root * Camerfirma Chambers of Commerce Root * Camerfirma Global Chambersign Root * Swisscom Root CA 2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:276-1 Released: Thu Feb 8 17:47:43 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130 This update for libxml2 fixes one issue. This security issue was fixed: - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:291-1 Released: Mon Feb 12 11:50:39 2018 Summary: Recommended update for bash Type: recommended Severity: low References: 1057452,1076909 This update for bash provides the following fix: - Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452) - Fix a crash when filesystem is full. (bsc#1076909) - Enable multi-byte characters by default. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:336-1 Released: Wed Feb 21 14:26:52 2018 Summary: Security update for libdb-4_8 Type: security Severity: moderate References: 1043886 This update for libdb-4_8 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:472-1 Released: Thu Mar 15 10:47:40 2018 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: low References: 1074687,1075449,1076415,1079334,953130 This update for libsolv, libzypp and zypper provides the following fixes: libsolv: - Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130) - Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM. - Add a new function to change the whatprovides data: pool_set_whatprovides. - Significant improvements in the selection code. libzypp: - Make sure deleted keys are also removed from rpmdb. (bsc#1075449) - plugin: Don't reject header values containing ':'. (bsc#1074687) - RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415) zypper: - Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:560-1 Released: Wed Mar 28 16:39:25 2018 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1082022,1085512 This update for suse-build-key fixes the following issues: - The lifetime of the SUSE Linux Enterprise 11 signing key was extended (bsc#1085512) - A new security@suse.de E-Mail key was added (bsc#1082022) pub rsa4096/0x21FE92322BA9E067 2018-03-15 [SC] [expires: 2020-03-14] Key fingerprint = EC7C 5EAB 2C34 09A6 4F3B BE6E 21FE 9232 2BA9 E067 uid SUSE Security Team uid SUSE Security Team sub rsa4096/0xFF97314EC1E11A0E 2018-03-15 [E] [expires: 2020-03-14] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:567-1 Released: Thu Mar 29 14:02:08 2018 Summary: Security update for krb5 Type: security Severity: moderate References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730 This update for krb5 provides the following fixes: Security issues fixed: - CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927). - CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926). Non-security issues fixed: - Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662) - Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:586-1 Released: Wed Apr 4 11:51:00 2018 Summary: Recommended update for aaa_base Type: recommended Severity: low References: 1025743,1036895,1038549,1049577,1052182,1079674 This update for aaa_base provides the following fixes: - Support changing PS1 even for mksh and user root. (bsc#1036895) - Unset unused variables on profile files. (bsc#1049577) - Unset id in csh.cshrc instead of profile.csh. (bsc#1049577) - Allow that personal ~/.bashrc is read again. (bsc#1052182) - Avoid that IFS becomes global in _ls ksh shell function. (bsc#1079674, bsc#1025743) - Replace 'cat > file' by 'mv -f ... file' in pre/post to fix issues with clients having these files mmapped. (bsc#1038549) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:730-1 Released: Wed Apr 25 14:14:41 2018 Summary: Security update for perl Type: security Severity: moderate References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:736-1 Released: Wed Apr 25 14:23:49 2018 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1075978,1077635,1079991,1082318,1086602 This update for libsolv, libzypp provides the following fixes: Changes in libsolv: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Also make use of suggests for ordering packages. (bsc#1077635) - Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978) - Use license tag instead of doc in the spec file. (bsc#1082318) Changes in libzypp: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Fix a memory leak in Digest.cc. (bsc#1075978) - Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:779-1 Released: Wed May 2 22:16:26 2018 Summary: Recommended update for rpm Type: recommended Severity: low References: 1003714,1027925,1069934 This update for rpm provides the following fixes: - Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925) - Add %sle_version macro to suse_macros. (bsc#1003714) - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'. - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:797-1 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Type: recommended Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:971-1 Released: Wed May 23 16:45:19 2018 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1088524 This update for aaa_base fixes a regression which was introduced within the latest maintenance update cycle, where customized profiles were not sourced properly. (bsc#1088524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:977-1 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Type: security Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1028-1 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1089884 This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. (bsc#1089884) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1082-1 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1073879,1080078,964063 This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. (bsc#1080078) Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1141-1 Released: Fri Jun 15 13:41:08 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1242-1 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1328-1 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1450-1 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1643-1 Released: Thu Aug 16 17:41:07 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store. Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1763-1 Released: Mon Aug 27 09:30:15 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - Removed server auth from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Removed CAs - ComSign CA - Added new CAs - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:2036-1 Released: Wed Sep 26 11:56:30 2018 Summary: Initial release of kubic-locale-archive Type: optional Severity: low References: This update provides kubic-locale-archive for the codestream. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). - CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2475-1 Released: Thu Oct 25 16:56:24 2018 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1099982,1109877,408814,556664,939392 This update for libzypp fixes the following issues: - Add filesize check for downloads with known size (bsc#408814) - Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664) - Fix blocking wait for finished child process (bsc#1109877) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2488-1 Released: Fri Oct 26 12:39:59 2018 Summary: Recommended update for cpio Type: recommended Severity: low References: 1076810,889138 This update for cpio provides the following fix: - Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2525-1 Released: Tue Oct 30 09:22:45 2018 Summary: Recommended update for bash Type: recommended Severity: important References: 1113117 This update for bash fixes the following issues: Recently released update introduced a change of behavior which resulted in broken customers scripts. (bsc#1113117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2551-1 Released: Fri Nov 2 10:42:16 2018 Summary: Recommended update for container-suseconnect, skopeo, umoci Type: recommended Severity: important References: 1083189,953831 This releases container-suseconnect, skopeo and umoci to the SUSE Linux Enterprise 12 codestream as a build dependency only. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2593-1 Released: Wed Nov 7 11:04:00 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1095148,1113100 This update for rpm fixes the following issues: - Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100) - Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2702-1 Released: Mon Nov 19 11:02:01 2018 Summary: Recommended update for base-container-licenses, sles12sp4-image Type: recommended Severity: moderate References: 1083671,1085664,1098535,1102145 This update for base-container-licenses, sles12sp4-image fixes the following issues: Initial delivery of the SUSE Linux Enterprise Server 12 SP4 images. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2766-1 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Type: security Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1697-1 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1696-1 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2811-1 Released: Thu Nov 29 11:24:19 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1040613,1095969,1102310 This update for aaa_base provides the following fixes: - Get mixed use case of service wrapper script straight. (bsc#1040613) - Fix an error at login if java system directory is empty. (bsc#1102310) - Add a test for xdgdir/applications before adding data directory (bsc#1095969) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2824-1 Released: Mon Dec 3 15:34:09 2018 Summary: Security update for ncurses Type: security Severity: important References: 1115929,CVE-2018-19211 This update for ncurses fixes the following issue: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2842-1 Released: Wed Dec 5 10:00:35 2018 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1044232 This update for suse-build-key fixes the following issues: - Install the PTF key also to /usr/lib/rpm/gnupg/keys/ so it can exists also on systems where documentation is not installed. (bsc#1044232) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2846-1 Released: Wed Dec 5 12:50:41 2018 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1100078,1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 This update for openssl-1_0_0 fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - Add missing timing side channel patch for DSA signature generation (bsc#1113742). Non-security issues fixed: - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209). - Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2947-1 Released: Mon Dec 17 08:51:28 2018 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,CVE-2017-17740 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:3029-1 Released: Fri Dec 21 17:34:05 2018 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1117355 This update for libgcrypt provides the following fix: - Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:43-1 Released: Tue Jan 8 13:07:17 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - quote: Escape literal backslashes (bsc#953659). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:109-1 Released: Wed Jan 16 15:58:55 2019 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1119496 This update for container-suseconnect fixes the following issues: container-suseconnect was updated to 2.0.0 (bsc#1119496): - Added command line interface - Added `ADDITIONAL_MODULES` capability to enable further extension modules during image build and run - Added documentation about how to build docker images on non SLE distributions - Improve documentation to clarify how container-suseconnect works in a Dockerfile - Improve error handling on non SLE hosts - Fix bug which makes container-suseconnect work on SLE15 based distributions ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:111-1 Released: Thu Jan 17 14:18:31 2019 Summary: Security update for krb5 Type: security Severity: important References: 1120489,CVE-2018-20217 This update for krb5 fixes the following issues: Security issue fixed: - CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:143-1 Released: Tue Jan 22 14:21:55 2019 Summary: Recommended update for ncurses Type: recommended Severity: important References: 1121450 This update for ncurses fixes the following issues: - ncurses applications freezing (bsc#1121450) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:149-1 Released: Wed Jan 23 17:58:18 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:434-1 Released: Tue Feb 19 12:19:02 2019 Summary: Recommended update for libsemanage Type: recommended Severity: moderate References: 1115500 This update for libsemanage provides the following fix: - Prevent an error message when reading module version if the directory does not exist. (bsc#1115500) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:450-1 Released: Wed Feb 20 16:42:38 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). (These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.) Also the following non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:563-1 Released: Wed Mar 6 17:20:15 2019 Summary: Security update for audit Type: security Severity: moderate References: 1042781,1085003,1125535,941922,CVE-2015-5186 This update for audit fixes the following issues: Audit on SUSE Linux Enterprise 12 SP4 was updated to 2.8.1 to bring new features and bugfixes. (bsc#1125535 FATE#326346) * Many features were added to auparse_normalize * cli option added to auditd and audispd for setting config dir * In auditd, restore the umask after creating a log file * Option added to auditd for skipping email verification The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog - Change openldap dependency to client only (bsc#1085003) Minor security issue fixed: - CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:572-1 Released: Fri Mar 8 09:24:21 2019 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1117951,1127080,CVE-2019-1559 This update for openssl-1_0_0 fixes the following issues: Security issues fixed: - The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951) - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:794-1 Released: Thu Mar 28 12:09:29 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1087481 This update for krb5 fixes the following issues: - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. (bsc#1087481). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:838-1 Released: Tue Apr 2 09:52:06 2019 Summary: Security update for bash Type: security Severity: important References: 1130324,CVE-2019-9924 This update for bash fixes the following issues: Security issue fixed: - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:839-1 Released: Tue Apr 2 13:13:21 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360). - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1102-1 Released: Tue Apr 30 12:07:42 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1110661,1122729,1127223,1127308,1128574,1131994,CVE-2009-5155,CVE-2016-10739,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: regex: fix read overrun (bsc#1127308, BZ #24114) - CVE-2016-10739: Fully parse IPv4 address strings (bsc#1122729, BZ #20018) - CVE-2009-5155: ERE '0|()0|\1|0' causes regexec undefined behavior (bsc#1127223, BZ #18986) Non-security issues fixed: - Enable TLE only if GLIBC_ELISION_ENABLE=yes is defined (bsc#1131994, fate#322271) - Add more checks for valid ld.so.cache file (bsc#1110661, BZ #18093) - Added cfi information for start routines in order to stop unwinding (bsc#1128574) - ja_JP locale: Add entry for the new Japanese era (bsc#1100396, fate#325570, BZ #22964) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1379-1 Released: Wed May 29 15:07:04 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1040621,1105435,CVE-2017-6891,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issues fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). - CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1431-1 Released: Wed Jun 5 16:50:13 2019 Summary: Recommended update for xz Type: recommended Severity: moderate References: 1135709 This update for xz does only update the license: - Add SUSE-Public-Domain license as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain license (bsc#1135709) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1475-1 Released: Wed Jun 12 14:46:33 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissons for amanda (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1516-1 Released: Mon Jun 17 11:04:15 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - e2fsck: Check and fix tails of all bitmap blocks. (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1589-1 Released: Thu Jun 20 19:49:46 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1128598 This update for permissions fixes the following issues: - Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1716-1 Released: Thu Jun 27 13:15:38 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1132678,941234,CVE-2015-5180 This update for glibc fixes the following issues: Security issue fixed: - CVE-2015-5180: Fixed a NULL pointer dereference with internal QTYPE (bsc#941234). Feature work: - IBM zSeries arch13 hardware support in glibc added (fate#327072, bsc#1132678) Other issue addressed: - Fixed a concurrency issue with ldconfig (bsc#1117993). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1733-1 Released: Wed Jul 3 13:54:39 2019 Summary: Security update for elfutils Type: security Severity: low References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067). - CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472). - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007). - CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476). - CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files to be read (bsc#1123685). - CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390). - CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088). - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090). - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084). - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085). - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087). - CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723). - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089). - CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973). - CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1834-1 Released: Fri Jul 12 17:55:14 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1844-1 Released: Mon Jul 15 07:13:09 2019 Summary: Recommended update for pam Type: recommended Severity: low References: 1116544 This update for pam fixes the following issues: - restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1896-1 Released: Thu Jul 18 16:26:45 2019 Summary: Security update for libxml2 Type: security Severity: moderate References: 1010675,1110146,1126613,CVE-2016-9318 This update for libxml2 fixes the following issues: Issue fixed: - Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1955-1 Released: Tue Jul 23 11:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,985657,CVE-2016-3189,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1972-1 Released: Thu Jul 25 15:00:03 2019 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libsolv, libzypp and zypper fixes the following issues: libsolv was updated to version 0.6.36 fixes the following issues: Security issues fixed: - CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629). - CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630). - CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631). Non-security issues fixed: - Made cleandeps jobs on patterns work (bsc#1137977). - Fixed an issue multiversion packages that obsolete their own name (bsc#1127155). - Keep consistent package name if there are multiple alternatives (bsc#1131823). libzypp received following fixes: - Fixes a bug where locking the kernel was not possible (bsc#1113296) zypper received following fixes: - Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226) - Improved the displaying of locks (bsc#1112911) - Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542) - zypper will now always warn when no repositories are defined (bsc#1109893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2013-1 Released: Mon Jul 29 15:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2120-1 Released: Wed Aug 14 11:17:39 2019 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1136298,SLE-7257 This update for pam fixes the following issues: - Enable pam_userdb.so (SLE-7257,bsc#1136298) - Upgraded pam_userdb to 1.3.1. (bsc#1136298) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2240-1 Released: Wed Aug 28 14:57:51 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: - Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169) - Removed Root CAs: - Certinomis - Root CA - Added root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2264-1 Released: Mon Sep 2 09:07:12 2019 Summary: Security update for perl Type: security Severity: important References: 1114674,CVE-2018-18311 This update for perl fixes the following issues: Security issue fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2372-1 Released: Thu Sep 12 14:01:27 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1139942,1140914,SLE-7081 This update for krb5 fixes the following issues: - Fix missing responder if there is no pre-auth; (bsc#1139942) - Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081) - Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2390-1 Released: Tue Sep 17 15:46:02 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194). - CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2440-1 Released: Mon Sep 23 17:15:13 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issue fixed: - CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2480-1 Released: Fri Sep 27 13:12:08 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093) Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2504-1 Released: Tue Oct 1 13:07:07 2019 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1131291,1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl-1_0_0 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) In addition fixed invalid curve attacks by validating that an EC point lies on the curve (bsc#1131291). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2510-1 Released: Tue Oct 1 17:37:12 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2677-1 Released: Tue Oct 15 21:07:14 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2818-1 Released: Tue Oct 29 17:22:01 2019 Summary: Recommended update for zypper and libzypp Type: recommended Severity: important References: 1049825,1116995,1140039,1145521,1146415,1153557 This update for zypper and libzypp fixes the following issues: Package: zypper - Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521) - Rephrased the file conflicts check summary (bsc#1140039) - Fixes an issue where the bash completion was wrongly expanded (bsc#1049825) Package: libzypp - Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes a file descriptor leak in the media backend (bsc#1116995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3003-1 Released: Tue Nov 19 10:12:33 2019 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1153386,SLE-10396 This update for procps provides the following fixes: - Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396) - Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3064-1 Released: Mon Nov 25 18:44:36 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3085-1 Released: Thu Nov 28 10:01:53 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3094-1 Released: Thu Nov 28 16:47:52 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830). - CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037). Bug fixes: - Fixed ppc64le build configuration (bsc#1134550). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3183-1 Released: Thu Dec 5 11:43:25 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1047247,1093414,1097665,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). Other issue addressed: - Corrected a badly constracted file which could have allowed treating of the shell environment as permissions files (bsc#1097665,bsc#1047247). - Fixed a regression which caused sagmentation fault (bsc#1157198). The following package changes have been done: - aaa_base-13.2+git20140911.61c1681-38.13.1 added - base-container-licenses-3.0-7.2 added - bash-4.3-83.23.1 added - ca-certificates-mozilla-2.34-12.15.1 added - ca-certificates-1_201403302107-6.2 added - container-suseconnect-2.0.0-1.6.1 added - coreutils-8.25-13.7.1 added - cpio-2.11-36.6.1 added - cracklib-dict-small-2.9.0-7.1 added - cracklib-2.9.0-7.1 added - diffutils-3.3-5.40 added - dirmngr-1.1.1-13.1 added - file-magic-5.22-10.12.2 added - filesystem-13.1-14.15 added - fillup-1.42-270.64 added - findutils-4.5.12-7.1 added - glibc-2.22-100.15.4 added - gpg2-2.0.24-9.8.1 added - grep-2.16-3.1 added - info-4.13a-37.229 added - insserv-compat-0.1-14.3.1 added - krb5-1.12.5-40.37.7 added - kubic-locale-archive-2.22-4.3.1 added - libacl1-2.2.52-7.3.1 added - libadns1-1.4-101.65 added - libassuan0-2.1.1-3.217 added - libattr1-2.4.47-3.143 added - libaudit1-2.8.1-10.3.2 added - libaugeas0-1.10.1-2.6 added - libblkid1-2.33.2-2.13 added - libbz2-1-1.0.6-30.8.1 added - libcap-ng0-0.7.3-4.125 added - libcap2-2.22-13.1 added - libcom_err2-1.43.8-3.8.1 added - libcrack2-2.9.0-7.1 added - libcurl4-7.60.0-9.8 added - libdb-4_8-4.8.30-29.6 added - libelf1-0.158-7.7.2 added - libexpat1-2.1.0-21.9.1 added - libfdisk1-2.33.2-2.13 added - libffi4-5.3.1+r233831-12.1 added - libgcc_s1-8.2.1+r264010-1.3.3 added - libgcrypt20-1.6.1-16.68.1 added - libgmp10-5.1.3-2.121 added - libgpg-error0-1.29-1.3 added - libkeyutils1-1.5.9-3.29 added - libksba8-1.3.0-23.1 added - libldap-2_4-2-2.4.41-18.63.1 added - liblua5_1-5.1.5-8.3.1 added - liblzma5-5.0.5-6.3.1 added - libmagic1-5.22-10.12.2 added - libmodman1-2.0.1-15.75 added - libmount1-2.33.2-2.13 added - libncurses5-5.9-69.1 added - libncurses6-5.9-69.1 added - libnghttp2-14-1.7.1-1.84 added - libopenssl1_0_0-1.0.2p-3.11.1 added - libp11-kit0-0.20.7-1.7 added - libpcre1-8.39-8.3.1 added - libpopt0-1.16-26.128 added - libprocps3-3.3.9-11.21.1 added - libproxy1-0.4.13-16.3 added - libpth20-2.0.7-140.1 added - libreadline6-6.3-83.23.1 added - libsasl2-3-2.1.26-8.7.1 added - libselinux1-2.5-8.79 added - libsemanage1-2.5-9.3.1 added - libsepol1-2.5-3.143 added - libsmartcols1-2.33.2-2.13 added - libsolv-tools-0.6.36-2.16.2 added - libssh4-0.8.7-1.31 added - libstdc++6-8.2.1+r264010-1.3.3 added - libsystemd0-228-155.21 added - libtasn1-6-4.9-3.10.1 added - libtasn1-4.9-3.10.1 added - libudev1-228-155.21 added - libusb-0_1-4-0.1.13-29.13 added - libusb-1_0-0-1.0.20-5.3 added - libustr-1_0-1-1.0.4-31.197 added - libutempter0-1.1.6-5.114 added - libuuid1-2.33.2-2.13 added - libverto1-0.2.6-3.2.2 added - libxml2-2-2.9.4-46.23.2 added - libz1-1.2.11-9.42 added - libzio1-1.00-9.188 added - libzypp-16.21.1-2.42.1 added - ncurses-utils-5.9-69.1 added - netcfg-11.5-29.1 added - openssl-1_0_0-1.0.2p-3.11.1 added - openssl-1.0.2p-1.13 added - p11-kit-tools-0.20.7-1.7 added - p11-kit-0.20.7-1.7 added - pam-1.1.8-24.27.1 added - perl-base-5.18.2-12.20.1 added - permissions-20170707-3.14.1 added - pinentry-0.8.3-4.27 added - procps-3.3.9-11.21.1 added - rpm-4.11.2-16.21.1 added - sed-4.2.2-7.3.1 added - shadow-4.2.1-34.20 added - sles-release-POOL-12.5-1.171 added - sles-release-12.5-1.171 added - suse-build-key-12.0-7.6.1 added - terminfo-base-5.9-69.1 added - util-linux-2.33.2-2.13 added - zypper-1.13.55-21.29.1 added