The following updates have been released for SUSE Linux:

openSUSE-SU-2018:4240-1: moderate: Security update for ovmf
openSUSE-SU-2018:4242-1: moderate: Security update for tryton
openSUSE-SU-2018:4248-1: moderate: Security update for tryton
openSUSE-SU-2018:4252-1: moderate: Security update for tcpdump
openSUSE-SU-2018:4254-1: moderate: Security update for ovmf
openSUSE-SU-2018:4255-1: important: Security update for go1.10
openSUSE-SU-2018:4256-1: moderate: Security update for tiff
openSUSE-SU-2018:4257-1: moderate: Security update for git
openSUSE-SU-2018:4258-1: moderate: Security update for perl
openSUSE-SU-2018:4259-1: moderate: Security update for bluez
openSUSE-SU-2018:4260-1: moderate: Security update for libnettle
openSUSE-SU-2018:4261-1: moderate: Security update for libqt5-qtbase
openSUSE-SU-2018:4262-1: moderate: Security update for pdns
openSUSE-SU-2018:4272-1: important: Security update for yast2-rmt



openSUSE-SU-2018:4240-1: moderate: Security update for ovmf

openSUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4240-1
Rating: moderate
References: #1115916 #1115917 #1117998
Cross-References: CVE-2017-5731 CVE-2017-5732 CVE-2017-5733
CVE-2017-5734 CVE-2017-5735 CVE-2018-3613

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for ovmf fixes the following issues:

Security issues fixed:

- CVE-2018-3613: Fixed AuthVariable Timestamp zeroing issue on
APPEND_WRITE (bsc#1115916).
- CVE-2017-5731: Fixed privilege escalation via processing of malformed
files in TianoCompress.c (bsc#1115917).
- CVE-2017-5732: Fixed privilege escalation via processing of malformed
files in BaseUefiDecompressLib.c (bsc#1115917).
- CVE-2017-5733: Fixed privilege escalation via heap-based buffer overflow
in MakeTable() function (bsc#1115917).
- CVE-2017-5734: Fixed privilege escalation via stack-based buffer
overflow in MakeTable() function (bsc#1115917).
- CVE-2017-5735: Fixed privilege escalation via heap-based buffer overflow
in Decode() function (bsc#1115917).

Non security issues fixed:

- Fixed an issue with the default owner of PK/KEK/db/dbx and make the
auto-enrollment only happen at the very first time. (bsc#1117998)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1590=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ovmf-2017+git1510945757.b2662641d5-lp150.4.9.1
ovmf-tools-2017+git1510945757.b2662641d5-lp150.4.9.1

- openSUSE Leap 15.0 (x86_64):

qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp150.4.9.1

- openSUSE Leap 15.0 (noarch):

qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp150.4.9.1
qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp150.4.9.1


References:

https://www.suse.com/security/cve/CVE-2017-5731.html
https://www.suse.com/security/cve/CVE-2017-5732.html
https://www.suse.com/security/cve/CVE-2017-5733.html
https://www.suse.com/security/cve/CVE-2017-5734.html
https://www.suse.com/security/cve/CVE-2017-5735.html
https://www.suse.com/security/cve/CVE-2018-3613.html
https://bugzilla.suse.com/1115916
https://bugzilla.suse.com/1115917
https://bugzilla.suse.com/1117998

--


openSUSE-SU-2018:4242-1: moderate: Security update for tryton

openSUSE Security Update: Security update for tryton
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4242-1
Rating: moderate
References: #1117105
Cross-References: CVE-2018-19443
Affected Products:
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tryton to version 4.2.19 fixes the following issues:

Security issue fixed:

- CVE-2018-19443: Fixed an information leakage by attempting to initiate an
unencrypted connection, which would fail eventually, but might leak
session information of the user (boo#1117105)

This update also contains newer versions of tryton related packages with
general bug fixes and updates:

- trytond 4.2.17
- trytond_account 4.2.10
- trytond_account_invoice 4.2.7
- trytond_purchase_request 4.2.4
- trytond_stock 4.2.8
- trytond_stock_supply 4.2.3


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1588=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1588=1



Package List:

- openSUSE Leap 15.0 (noarch):

tryton-4.2.19-lp150.2.10.1
trytond-4.2.17-lp150.2.15.1
trytond_account-4.2.10-lp150.2.3.1
trytond_account_invoice-4.2.7-lp150.2.3.1
trytond_purchase_request-4.2.4-lp150.2.3.1
trytond_stock-4.2.8-lp150.2.3.1
trytond_stock_supply-4.2.3-lp150.2.7.1

- openSUSE Backports SLE-15 (noarch):

tryton-4.2.19-bp150.2.6.1
trytond-4.2.17-bp150.2.6.1
trytond_account-4.2.10-bp150.3.3.1
trytond_account_invoice-4.2.7-bp150.3.3.1
trytond_purchase_request-4.2.4-bp150.3.3.1
trytond_stock-4.2.8-bp150.3.3.1
trytond_stock_supply-4.2.3-bp150.3.6.1


References:

https://www.suse.com/security/cve/CVE-2018-19443.html
https://bugzilla.suse.com/1117105

--


openSUSE-SU-2018:4248-1: moderate: Security update for tryton

openSUSE Security Update: Security update for tryton
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4248-1
Rating: moderate
References: #1107771 #1117105
Cross-References: CVE-2018-19443
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for tryton to version 4.2.19 fixes the following issues
(boo#1107771):

Security issue fixed:

- CVE-2018-19443: Fixed an information leakage by attempting to initiate an
unencrypted connection, which would fail eventually, but might leak
session information of the user (boo#1117105)

This update also contains newer versions of tryton related packages with
general bug fixes and updates:

- trytond 4.2.17
- trytond_account 4.2.10
- trytond_account_invoice 4.2.7
- trytond_currency 4.2.2
- trytond_purchase 4.2.6
- trytond_purchase_request 4.2.4
- trytond_stock 4.2.8
- trytond_stock_supply 4.2.3


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1587=1



Package List:

- openSUSE Leap 42.3 (noarch):

tryton-4.2.19-28.1
trytond-4.2.17-33.1
trytond_account-4.2.10-12.1
trytond_account_invoice-4.2.7-2.3.1
trytond_currency-4.2.2-6.1
trytond_purchase-4.2.6-9.1
trytond_purchase_request-4.2.4-9.1
trytond_stock-4.2.8-12.1
trytond_stock_supply-4.2.3-2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-19443.html
https://bugzilla.suse.com/1107771
https://bugzilla.suse.com/1117105

--


openSUSE-SU-2018:4252-1: moderate: Security update for tcpdump

openSUSE Security Update: Security update for tcpdump
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4252-1
Rating: moderate
References: #1117267
Cross-References: CVE-2018-19519
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tcpdump fixes the following security issue:

- CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix
function (bsc#1117267)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1589=1



Package List:

- openSUSE Leap 42.3 (x86_64):

tcpdump-4.9.2-12.1
tcpdump-debuginfo-4.9.2-12.1
tcpdump-debugsource-4.9.2-12.1


References:

https://www.suse.com/security/cve/CVE-2018-19519.html
https://bugzilla.suse.com/1117267

--


openSUSE-SU-2018:4254-1: moderate: Security update for ovmf

openSUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4254-1
Rating: moderate
References: #1115916 #1115917
Cross-References: CVE-2017-5731 CVE-2017-5732 CVE-2017-5733
CVE-2017-5734 CVE-2017-5735 CVE-2018-3613

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for ovmf fixes the following issues:

Security issues fixed:

- CVE-2018-3613: Fixed AuthVariable Timestamp zeroing issue on
APPEND_WRITE (bsc#1115916).
- CVE-2017-5731: Fixed privilege escalation via processing of malformed
files in TianoCompress.c (bsc#1115917).
- CVE-2017-5732: Fixed privilege escalation via processing of malformed
files in BaseUefiDecompressLib.c (bsc#1115917).
- CVE-2017-5733: Fixed privilege escalation via heap-based buffer overflow
in MakeTable() function (bsc#1115917).
- CVE-2017-5734: Fixed privilege escalation via stack-based buffer
overflow in MakeTable() function (bsc#1115917).
- CVE-2017-5735: Fixed privilege escalation via heap-based buffer overflow
in Decode() function (bsc#1115917).

This update was imported from the SUSE:SLE-12-SP3:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1591=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ovmf-2017+git1492060560.b6d11d7c46-13.1
ovmf-tools-2017+git1492060560.b6d11d7c46-13.1

- openSUSE Leap 42.3 (noarch):

qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1
qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1

- openSUSE Leap 42.3 (x86_64):

qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1


References:

https://www.suse.com/security/cve/CVE-2017-5731.html
https://www.suse.com/security/cve/CVE-2017-5732.html
https://www.suse.com/security/cve/CVE-2017-5733.html
https://www.suse.com/security/cve/CVE-2017-5734.html
https://www.suse.com/security/cve/CVE-2017-5735.html
https://www.suse.com/security/cve/CVE-2018-3613.html
https://bugzilla.suse.com/1115916
https://bugzilla.suse.com/1115917

--


openSUSE-SU-2018:4255-1: important: Security update for go1.10

openSUSE Security Update: Security update for go1.10
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4255-1
Rating: important
References: #1082409 #1098017 #1113978 #1118897 #1118898
#1118899 #1119634 #1119706
Cross-References: CVE-2018-16873 CVE-2018-16874 CVE-2018-16875

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves three vulnerabilities and has 5 fixes
is now available.

Description:

This update for go1.10 fixes the following issues:

Security vulnerabilities fixed:

- CVE-2018-16873 (bsc#1118897): cmd/go: remote command execution during
"go get -u".
- CVE-2018-16874 (bsc#1118898): cmd/go: directory traversal in "go get"
via curly braces in import paths
- CVE-2018-16875 (bsc#1118899): crypto/x509: CPU denial of service

Other issues fixed:

- Fix build error with PIE linker flags on ppc64le. (bsc#1113978,
bsc#1098017)
- Review dependencies (requires, recommends and supports) (bsc#1082409)
- Make profile.d/go.sh no longer set GOROOT=, in order to make switching
between versions no longer break. This ends up removing the need for
go.sh entirely (because GOPATH is also set automatically) (boo#1119634)
- Fix a regression that broke go get for import path patterns containing
"..." (bsc#1119706)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1593=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

go1.10-1.10.7-5.1
go1.10-doc-1.10.7-5.1

- openSUSE Leap 42.3 (x86_64):

go1.10-race-1.10.7-5.1


References:

https://www.suse.com/security/cve/CVE-2018-16873.html
https://www.suse.com/security/cve/CVE-2018-16874.html
https://www.suse.com/security/cve/CVE-2018-16875.html
https://bugzilla.suse.com/1082409
https://bugzilla.suse.com/1098017
https://bugzilla.suse.com/1113978
https://bugzilla.suse.com/1118897
https://bugzilla.suse.com/1118898
https://bugzilla.suse.com/1118899
https://bugzilla.suse.com/1119634
https://bugzilla.suse.com/1119706

--


openSUSE-SU-2018:4256-1: moderate: Security update for tiff

openSUSE Security Update: Security update for tiff
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4256-1
Rating: moderate
References: #1017693 #1054594 #1115717 #990460
Cross-References: CVE-2016-10092 CVE-2016-10093 CVE-2016-10094
CVE-2016-6223 CVE-2017-12944 CVE-2018-19210

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-19210: Fixed NULL pointer dereference in the
TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2017-12944: Fixed denial of service issue in the
TIFFReadDirEntryArray function (bsc#1054594).
- CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc
function (bsc#1017693).
- CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy
function (bsc#1017693).
- CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits
function (bsc#1017693).
- CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in
TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1598=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libtiff-devel-4.0.9-43.1
libtiff5-4.0.9-43.1
libtiff5-debuginfo-4.0.9-43.1
tiff-4.0.9-43.1
tiff-debuginfo-4.0.9-43.1
tiff-debugsource-4.0.9-43.1

- openSUSE Leap 42.3 (x86_64):

libtiff-devel-32bit-4.0.9-43.1
libtiff5-32bit-4.0.9-43.1
libtiff5-debuginfo-32bit-4.0.9-43.1


References:

https://www.suse.com/security/cve/CVE-2016-10092.html
https://www.suse.com/security/cve/CVE-2016-10093.html
https://www.suse.com/security/cve/CVE-2016-10094.html
https://www.suse.com/security/cve/CVE-2016-6223.html
https://www.suse.com/security/cve/CVE-2017-12944.html
https://www.suse.com/security/cve/CVE-2018-19210.html
https://bugzilla.suse.com/1017693
https://bugzilla.suse.com/1054594
https://bugzilla.suse.com/1115717
https://bugzilla.suse.com/990460

--


openSUSE-SU-2018:4257-1: moderate: Security update for git

openSUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4257-1
Rating: moderate
References: #1117257
Cross-References: CVE-2018-19486
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for git fixes the following issues:

Security issue fixed:

- CVE-2018-19486: Fixed git that executed commands from the current
working directory (as if '.' were at the end of $PATH) in certain cases
involving the run_command() API and run-command.c, because there was
(bsc#1117257).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1599=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

git-2.16.4-lp150.2.9.1
git-arch-2.16.4-lp150.2.9.1
git-core-2.16.4-lp150.2.9.1
git-core-debuginfo-2.16.4-lp150.2.9.1
git-credential-gnome-keyring-2.16.4-lp150.2.9.1
git-credential-gnome-keyring-debuginfo-2.16.4-lp150.2.9.1
git-credential-libsecret-2.16.4-lp150.2.9.1
git-credential-libsecret-debuginfo-2.16.4-lp150.2.9.1
git-cvs-2.16.4-lp150.2.9.1
git-daemon-2.16.4-lp150.2.9.1
git-daemon-debuginfo-2.16.4-lp150.2.9.1
git-debuginfo-2.16.4-lp150.2.9.1
git-debugsource-2.16.4-lp150.2.9.1
git-email-2.16.4-lp150.2.9.1
git-gui-2.16.4-lp150.2.9.1
git-p4-2.16.4-lp150.2.9.1
git-svn-2.16.4-lp150.2.9.1
git-svn-debuginfo-2.16.4-lp150.2.9.1
git-web-2.16.4-lp150.2.9.1
gitk-2.16.4-lp150.2.9.1

- openSUSE Leap 15.0 (noarch):

git-doc-2.16.4-lp150.2.9.1


References:

https://www.suse.com/security/cve/CVE-2018-19486.html
https://bugzilla.suse.com/1117257

--


openSUSE-SU-2018:4258-1: moderate: Security update for perl

openSUSE Security Update: Security update for perl
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4258-1
Rating: moderate
References: #1114674 #1114675 #1114681 #1114686
Cross-References: CVE-2018-18311 CVE-2018-18312 CVE-2018-18313
CVE-2018-18314
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment
(bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun
(bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0
chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1595=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

perl-5.26.1-lp150.6.6.1
perl-base-5.26.1-lp150.6.6.1
perl-base-debuginfo-5.26.1-lp150.6.6.1
perl-debuginfo-5.26.1-lp150.6.6.1
perl-debugsource-5.26.1-lp150.6.6.1

- openSUSE Leap 15.0 (noarch):

perl-doc-5.26.1-lp150.6.6.1

- openSUSE Leap 15.0 (x86_64):

perl-32bit-5.26.1-lp150.6.6.1
perl-32bit-debuginfo-5.26.1-lp150.6.6.1
perl-base-32bit-5.26.1-lp150.6.6.1
perl-base-32bit-debuginfo-5.26.1-lp150.6.6.1


References:

https://www.suse.com/security/cve/CVE-2018-18311.html
https://www.suse.com/security/cve/CVE-2018-18312.html
https://www.suse.com/security/cve/CVE-2018-18313.html
https://www.suse.com/security/cve/CVE-2018-18314.html
https://bugzilla.suse.com/1114674
https://bugzilla.suse.com/1114675
https://bugzilla.suse.com/1114681
https://bugzilla.suse.com/1114686

--


openSUSE-SU-2018:4259-1: moderate: Security update for bluez

openSUSE Security Update: Security update for bluez
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4259-1
Rating: moderate
References: #1013721 #1013732
Cross-References: CVE-2016-9800 CVE-2016-9801
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for bluez fixes the following issues:

Security issues fixed:

- CVE-2016-9800: Fixed a buffer overflow in pin_code_reply_dump function
(bsc#1013721)
- CVE-2016-9801: Fixed a buffer overflow in set_ext_ctrl function
(bsc#1013732)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1596=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

bluez-5.48-lp150.4.6.1
bluez-cups-5.48-lp150.4.6.1
bluez-cups-debuginfo-5.48-lp150.4.6.1
bluez-debuginfo-5.48-lp150.4.6.1
bluez-debugsource-5.48-lp150.4.6.1
bluez-devel-5.48-lp150.4.6.1
bluez-test-5.48-lp150.4.6.1
bluez-test-debuginfo-5.48-lp150.4.6.1
libbluetooth3-5.48-lp150.4.6.1
libbluetooth3-debuginfo-5.48-lp150.4.6.1

- openSUSE Leap 15.0 (x86_64):

bluez-devel-32bit-5.48-lp150.4.6.1
libbluetooth3-32bit-5.48-lp150.4.6.1
libbluetooth3-32bit-debuginfo-5.48-lp150.4.6.1

- openSUSE Leap 15.0 (noarch):

bluez-auto-enable-devices-5.48-lp150.4.6.1


References:

https://www.suse.com/security/cve/CVE-2016-9800.html
https://www.suse.com/security/cve/CVE-2016-9801.html
https://bugzilla.suse.com/1013721
https://bugzilla.suse.com/1013732

--


openSUSE-SU-2018:4260-1: moderate: Security update for libnettle

openSUSE Security Update: Security update for libnettle
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4260-1
Rating: moderate
References: #1118086
Cross-References: CVE-2018-16869
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle
(bsc#1118086)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1597=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libhogweed4-3.4-lp150.3.3.1
libhogweed4-debuginfo-3.4-lp150.3.3.1
libnettle-debugsource-3.4-lp150.3.3.1
libnettle-devel-3.4-lp150.3.3.1
libnettle6-3.4-lp150.3.3.1
libnettle6-debuginfo-3.4-lp150.3.3.1
nettle-3.4-lp150.3.3.1
nettle-debuginfo-3.4-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

libhogweed4-32bit-3.4-lp150.3.3.1
libhogweed4-32bit-debuginfo-3.4-lp150.3.3.1
libnettle-devel-32bit-3.4-lp150.3.3.1
libnettle6-32bit-3.4-lp150.3.3.1
libnettle6-32bit-debuginfo-3.4-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-16869.html
https://bugzilla.suse.com/1118086

--


openSUSE-SU-2018:4261-1: moderate: Security update for libqt5-qtbase

openSUSE Security Update: Security update for libqt5-qtbase
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4261-1
Rating: moderate
References: #1118595 #1118596
Cross-References: CVE-2018-15518 CVE-2018-19873
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for libqt5-qtbase fixes the following issues:

Security issues fixed:

- CVE-2018-15518: Fixed double free in QXmlStreamReader (bsc#1118595)
- CVE-2018-19873: Fixed Denial of Service on malformed BMP file in
QBmpHandler (bsc#1118596)

This update was imported from the SUSE:SLE-12-SP3:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1592=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libQt5Bootstrap-devel-static-5.6.2-7.6.1
libQt5Concurrent-devel-5.6.2-7.6.1
libQt5Concurrent5-5.6.2-7.6.1
libQt5Concurrent5-debuginfo-5.6.2-7.6.1
libQt5Core-devel-5.6.2-7.6.1
libQt5Core5-5.6.2-7.6.1
libQt5Core5-debuginfo-5.6.2-7.6.1
libQt5DBus-devel-5.6.2-7.6.1
libQt5DBus-devel-debuginfo-5.6.2-7.6.1
libQt5DBus5-5.6.2-7.6.1
libQt5DBus5-debuginfo-5.6.2-7.6.1
libQt5Gui-devel-5.6.2-7.6.1
libQt5Gui5-5.6.2-7.6.1
libQt5Gui5-debuginfo-5.6.2-7.6.1
libQt5Network-devel-5.6.2-7.6.1
libQt5Network5-5.6.2-7.6.1
libQt5Network5-debuginfo-5.6.2-7.6.1
libQt5OpenGL-devel-5.6.2-7.6.1
libQt5OpenGL5-5.6.2-7.6.1
libQt5OpenGL5-debuginfo-5.6.2-7.6.1
libQt5OpenGLExtensions-devel-static-5.6.2-7.6.1
libQt5PlatformHeaders-devel-5.6.2-7.6.1
libQt5PlatformSupport-devel-static-5.6.2-7.6.1
libQt5PrintSupport-devel-5.6.2-7.6.1
libQt5PrintSupport5-5.6.2-7.6.1
libQt5PrintSupport5-debuginfo-5.6.2-7.6.1
libQt5Sql-devel-5.6.2-7.6.1
libQt5Sql5-5.6.2-7.6.1
libQt5Sql5-debuginfo-5.6.2-7.6.1
libQt5Sql5-mysql-5.6.2-7.6.1
libQt5Sql5-mysql-debuginfo-5.6.2-7.6.1
libQt5Sql5-postgresql-5.6.2-7.6.1
libQt5Sql5-postgresql-debuginfo-5.6.2-7.6.1
libQt5Sql5-sqlite-5.6.2-7.6.1
libQt5Sql5-sqlite-debuginfo-5.6.2-7.6.1
libQt5Sql5-unixODBC-5.6.2-7.6.1
libQt5Sql5-unixODBC-debuginfo-5.6.2-7.6.1
libQt5Test-devel-5.6.2-7.6.1
libQt5Test5-5.6.2-7.6.1
libQt5Test5-debuginfo-5.6.2-7.6.1
libQt5Widgets-devel-5.6.2-7.6.1
libQt5Widgets5-5.6.2-7.6.1
libQt5Widgets5-debuginfo-5.6.2-7.6.1
libQt5Xml-devel-5.6.2-7.6.1
libQt5Xml5-5.6.2-7.6.1
libQt5Xml5-debuginfo-5.6.2-7.6.1
libqt5-qtbase-common-devel-5.6.2-7.6.1
libqt5-qtbase-common-devel-debuginfo-5.6.2-7.6.1
libqt5-qtbase-debugsource-5.6.2-7.6.1
libqt5-qtbase-devel-5.6.2-7.6.1
libqt5-qtbase-examples-5.6.2-7.6.1
libqt5-qtbase-examples-debuginfo-5.6.2-7.6.1

- openSUSE Leap 42.3 (noarch):

libQt5Core-private-headers-devel-5.6.2-7.6.1
libQt5DBus-private-headers-devel-5.6.2-7.6.1
libQt5Gui-private-headers-devel-5.6.2-7.6.1
libQt5Network-private-headers-devel-5.6.2-7.6.1
libQt5OpenGL-private-headers-devel-5.6.2-7.6.1
libQt5PlatformSupport-private-headers-devel-5.6.2-7.6.1
libQt5PrintSupport-private-headers-devel-5.6.2-7.6.1
libQt5Sql-private-headers-devel-5.6.2-7.6.1
libQt5Test-private-headers-devel-5.6.2-7.6.1
libQt5Widgets-private-headers-devel-5.6.2-7.6.1
libqt5-qtbase-private-headers-devel-5.6.2-7.6.1

- openSUSE Leap 42.3 (x86_64):

libQt5Bootstrap-devel-static-32bit-5.6.2-7.6.1
libQt5Concurrent-devel-32bit-5.6.2-7.6.1
libQt5Concurrent5-32bit-5.6.2-7.6.1
libQt5Concurrent5-debuginfo-32bit-5.6.2-7.6.1
libQt5Core-devel-32bit-5.6.2-7.6.1
libQt5Core5-32bit-5.6.2-7.6.1
libQt5Core5-debuginfo-32bit-5.6.2-7.6.1
libQt5DBus-devel-32bit-5.6.2-7.6.1
libQt5DBus-devel-debuginfo-32bit-5.6.2-7.6.1
libQt5DBus5-32bit-5.6.2-7.6.1
libQt5DBus5-debuginfo-32bit-5.6.2-7.6.1
libQt5Gui-devel-32bit-5.6.2-7.6.1
libQt5Gui5-32bit-5.6.2-7.6.1
libQt5Gui5-debuginfo-32bit-5.6.2-7.6.1
libQt5Network-devel-32bit-5.6.2-7.6.1
libQt5Network5-32bit-5.6.2-7.6.1
libQt5Network5-debuginfo-32bit-5.6.2-7.6.1
libQt5OpenGL-devel-32bit-5.6.2-7.6.1
libQt5OpenGL5-32bit-5.6.2-7.6.1
libQt5OpenGL5-debuginfo-32bit-5.6.2-7.6.1
libQt5OpenGLExtensions-devel-static-32bit-5.6.2-7.6.1
libQt5PlatformSupport-devel-static-32bit-5.6.2-7.6.1
libQt5PrintSupport-devel-32bit-5.6.2-7.6.1
libQt5PrintSupport5-32bit-5.6.2-7.6.1
libQt5PrintSupport5-debuginfo-32bit-5.6.2-7.6.1
libQt5Sql-devel-32bit-5.6.2-7.6.1
libQt5Sql5-32bit-5.6.2-7.6.1
libQt5Sql5-debuginfo-32bit-5.6.2-7.6.1
libQt5Sql5-mysql-32bit-5.6.2-7.6.1
libQt5Sql5-mysql-debuginfo-32bit-5.6.2-7.6.1
libQt5Sql5-postgresql-32bit-5.6.2-7.6.1
libQt5Sql5-postgresql-debuginfo-32bit-5.6.2-7.6.1
libQt5Sql5-sqlite-32bit-5.6.2-7.6.1
libQt5Sql5-sqlite-debuginfo-32bit-5.6.2-7.6.1
libQt5Sql5-unixODBC-32bit-5.6.2-7.6.1
libQt5Sql5-unixODBC-debuginfo-32bit-5.6.2-7.6.1
libQt5Test-devel-32bit-5.6.2-7.6.1
libQt5Test5-32bit-5.6.2-7.6.1
libQt5Test5-debuginfo-32bit-5.6.2-7.6.1
libQt5Widgets-devel-32bit-5.6.2-7.6.1
libQt5Widgets5-32bit-5.6.2-7.6.1
libQt5Widgets5-debuginfo-32bit-5.6.2-7.6.1
libQt5Xml-devel-32bit-5.6.2-7.6.1
libQt5Xml5-32bit-5.6.2-7.6.1
libQt5Xml5-debuginfo-32bit-5.6.2-7.6.1
libqt5-qtbase-examples-32bit-5.6.2-7.6.1
libqt5-qtbase-examples-debuginfo-32bit-5.6.2-7.6.1


References:

https://www.suse.com/security/cve/CVE-2018-15518.html
https://www.suse.com/security/cve/CVE-2018-19873.html
https://bugzilla.suse.com/1118595
https://bugzilla.suse.com/1118596

--


openSUSE-SU-2018:4262-1: moderate: Security update for pdns

openSUSE Security Update: Security update for pdns
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4262-1
Rating: moderate
References: #1114157
Cross-References: CVE-2018-10851
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for pdns fixes the following issues:

Security issues fixed:

- CVE-2018-10851: Fixed denial of service via crafted zone record or
crafted answer (bsc#1114157).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1594=1



Package List:

- openSUSE Leap 42.3 (x86_64):

pdns-4.0.3-15.2
pdns-backend-geoip-4.0.3-15.2
pdns-backend-geoip-debuginfo-4.0.3-15.2
pdns-backend-godbc-4.0.3-15.2
pdns-backend-godbc-debuginfo-4.0.3-15.2
pdns-backend-ldap-4.0.3-15.2
pdns-backend-ldap-debuginfo-4.0.3-15.2
pdns-backend-lua-4.0.3-15.2
pdns-backend-lua-debuginfo-4.0.3-15.2
pdns-backend-mydns-4.0.3-15.2
pdns-backend-mydns-debuginfo-4.0.3-15.2
pdns-backend-mysql-4.0.3-15.2
pdns-backend-mysql-debuginfo-4.0.3-15.2
pdns-backend-postgresql-4.0.3-15.2
pdns-backend-postgresql-debuginfo-4.0.3-15.2
pdns-backend-remote-4.0.3-15.2
pdns-backend-remote-debuginfo-4.0.3-15.2
pdns-backend-sqlite3-4.0.3-15.2
pdns-backend-sqlite3-debuginfo-4.0.3-15.2
pdns-debuginfo-4.0.3-15.2
pdns-debugsource-4.0.3-15.2


References:

https://www.suse.com/security/cve/CVE-2018-10851.html
https://bugzilla.suse.com/1114157

--


openSUSE-SU-2018:4272-1: important: Security update for yast2-rmt

openSUSE Security Update: Security update for yast2-rmt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4272-1
Rating: important
References: #1117602
Cross-References: CVE-2018-17957
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for yast2-rmt to version 1.1.12 fixes the following issues:

Security issue fixed:

- CVE-2018-17957: Secure MySQL credentials by not exposing them on the
command line (bsc#1117602)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1604=1



Package List:

- openSUSE Leap 15.0 (noarch):

yast2-rmt-1.1.2-lp150.2.12.1


References:

https://www.suse.com/security/cve/CVE-2018-17957.html
https://bugzilla.suse.com/1117602

--