SUSE 5147

The following updates have been released for openSUSE:

openSUSE-SU-2019:1595-1: important: Security update for MozillaFirefox
openSUSE-SU-2019:1602-1: moderate: Security update for openssh
openSUSE-SU-2019:1603-1: moderate: Security update for ImageMagick
openSUSE-SU-2019:1604-1: important: Security update for dbus-1
openSUSE-SU-2019:1605-1: moderate: Security update for netpbm
openSUSE-SU-2019:1606-1: important: Security update for MozillaThunderbird



openSUSE-SU-2019:1595-1: important: Security update for MozillaFirefox

openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1595-1
Rating: important
References: #1138872
Cross-References: CVE-2019-11708
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Mozilla Firefox 60.7.2 MFSA 2019-19 (bsc#1138872)

- CVE-2019-11708: Fix sandbox escape using Prompt:Open.
  * Insufficient vetting of parameters passed with the Prompt:Open IPC
    message between child and parent processes could result in the
    non-sandboxed parent process opening web content chosen by a
    compromised child process. When combined with additional
    vulnerabilities this could result in executing arbitrary code on the
    user's computer.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1595=1



Package List:

- openSUSE Leap 15.1 (x86_64):

MozillaFirefox-60.7.2-lp151.2.7.1
MozillaFirefox-branding-upstream-60.7.2-lp151.2.7.1
MozillaFirefox-buildsymbols-60.7.2-lp151.2.7.1
MozillaFirefox-debuginfo-60.7.2-lp151.2.7.1
MozillaFirefox-debugsource-60.7.2-lp151.2.7.1
MozillaFirefox-devel-60.7.2-lp151.2.7.1
MozillaFirefox-translations-common-60.7.2-lp151.2.7.1
MozillaFirefox-translations-other-60.7.2-lp151.2.7.1


References:

https://www.suse.com/security/cve/CVE-2019-11708.html
https://bugzilla.suse.com/1138872

--


openSUSE-SU-2019:1602-1: moderate: Security update for openssh

openSUSE Security Update: Security update for openssh
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1602-1
Rating: moderate
References: #1065237 #1090671 #1119183 #1121816 #1121821 #1131709
Cross-References: CVE-2019-6109 CVE-2019-6111
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has four
fixes is now available.

Description:

This update for openssh fixes the following issues:

Security vulnerabilities addressed:

- CVE-2019-6109: Fixed a character encoding issue in the progress display
  of the scp client that could be used to manipulate client output,
  allowing for spoofing during file transfers (bsc#1121816).
- CVE-2019-6111: Properly validate object names received by the scp client
to prevent arbitrary file overwrites when interacting with a malicious
SSH server (bsc#1121821).

Other issues fixed:

- Fixed two race conditions in sshd relating to SIGHUP (bsc#1119183).
- Returned proper reason for port forwarding failures (bsc#1090671).
- Fixed a double free() in the KDF CAVS testing tool (bsc#1065237).

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1602=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

openssh-7.2p2-35.1
openssh-askpass-gnome-7.2p2-35.1
openssh-askpass-gnome-debuginfo-7.2p2-35.1
openssh-cavs-7.2p2-35.1
openssh-cavs-debuginfo-7.2p2-35.1
openssh-debuginfo-7.2p2-35.1
openssh-debugsource-7.2p2-35.1
openssh-fips-7.2p2-35.1
openssh-helpers-7.2p2-35.1
openssh-helpers-debuginfo-7.2p2-35.1


References:

https://www.suse.com/security/cve/CVE-2019-6109.html
https://www.suse.com/security/cve/CVE-2019-6111.html
https://bugzilla.suse.com/1065237
https://bugzilla.suse.com/1090671
https://bugzilla.suse.com/1119183
https://bugzilla.suse.com/1121816
https://bugzilla.suse.com/1121821
https://bugzilla.suse.com/1131709

--


openSUSE-SU-2019:1603-1: moderate: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1603-1
Rating: moderate
References: #1133204 #1133205 #1133498 #1133501 #1136183 #1136732
Cross-References: CVE-2019-11470 CVE-2019-11472 CVE-2019-11505 CVE-2019-11506 CVE-2019-11598
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves five vulnerabilities and has one erratum
is now available.

Description:

This update for ImageMagick fixes the following issues:

Security issues fixed:

- CVE-2019-11472: Fixed a denial-of-service in ReadXWDImage()
(bsc#1133204).
- CVE-2019-11470: Fixed a denial-of-service in ReadCINImage()
(bsc#1133205).
- CVE-2019-11506: Fixed a heap-based buffer overflow in the
WriteMATLABImage() (bsc#1133498).
- CVE-2019-11505: Fixed a heap-based buffer overflow in the
WritePDBImage() (bsc#1133501).
- CVE-2019-11598: Fixed a heap-based buffer overread in WritePNMImage()
  (bsc#1136732).

PCL is now also disabled in the -SUSE configuration, because it likewise
relies on ghostscript for decoding (bsc#1136183).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1603=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1603=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

ImageMagick-7.0.7.34-lp151.7.3.1
ImageMagick-config-7-SUSE-7.0.7.34-lp151.7.3.1
ImageMagick-config-7-upstream-7.0.7.34-lp151.7.3.1
ImageMagick-debuginfo-7.0.7.34-lp151.7.3.1
ImageMagick-debugsource-7.0.7.34-lp151.7.3.1
ImageMagick-devel-7.0.7.34-lp151.7.3.1
ImageMagick-extra-7.0.7.34-lp151.7.3.1
ImageMagick-extra-debuginfo-7.0.7.34-lp151.7.3.1
libMagick++-7_Q16HDRI4-7.0.7.34-lp151.7.3.1
libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-lp151.7.3.1
libMagick++-devel-7.0.7.34-lp151.7.3.1
libMagickCore-7_Q16HDRI6-7.0.7.34-lp151.7.3.1
libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-lp151.7.3.1
libMagickWand-7_Q16HDRI6-7.0.7.34-lp151.7.3.1
libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-lp151.7.3.1
perl-PerlMagick-7.0.7.34-lp151.7.3.1
perl-PerlMagick-debuginfo-7.0.7.34-lp151.7.3.1

- openSUSE Leap 15.1 (noarch):

ImageMagick-doc-7.0.7.34-lp151.7.3.1

- openSUSE Leap 15.1 (x86_64):

ImageMagick-devel-32bit-7.0.7.34-lp151.7.3.1
libMagick++-7_Q16HDRI4-32bit-7.0.7.34-lp151.7.3.1
libMagick++-7_Q16HDRI4-32bit-debuginfo-7.0.7.34-lp151.7.3.1
libMagick++-devel-32bit-7.0.7.34-lp151.7.3.1
libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-lp151.7.3.1
libMagickCore-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp151.7.3.1
libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-lp151.7.3.1
libMagickWand-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp151.7.3.1

- openSUSE Leap 15.0 (i586 x86_64):

ImageMagick-7.0.7.34-lp150.2.32.1
ImageMagick-config-7-SUSE-7.0.7.34-lp150.2.32.1
ImageMagick-config-7-upstream-7.0.7.34-lp150.2.32.1
ImageMagick-debuginfo-7.0.7.34-lp150.2.32.1
ImageMagick-debugsource-7.0.7.34-lp150.2.32.1
ImageMagick-devel-7.0.7.34-lp150.2.32.1
ImageMagick-extra-7.0.7.34-lp150.2.32.1
ImageMagick-extra-debuginfo-7.0.7.34-lp150.2.32.1
libMagick++-7_Q16HDRI4-7.0.7.34-lp150.2.32.1
libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-lp150.2.32.1
libMagick++-devel-7.0.7.34-lp150.2.32.1
libMagickCore-7_Q16HDRI6-7.0.7.34-lp150.2.32.1
libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.32.1
libMagickWand-7_Q16HDRI6-7.0.7.34-lp150.2.32.1
libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.32.1
perl-PerlMagick-7.0.7.34-lp150.2.32.1
perl-PerlMagick-debuginfo-7.0.7.34-lp150.2.32.1

- openSUSE Leap 15.0 (x86_64):

ImageMagick-devel-32bit-7.0.7.34-lp150.2.32.1
libMagick++-7_Q16HDRI4-32bit-7.0.7.34-lp150.2.32.1
libMagick++-7_Q16HDRI4-32bit-debuginfo-7.0.7.34-lp150.2.32.1
libMagick++-devel-32bit-7.0.7.34-lp150.2.32.1
libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.32.1
libMagickCore-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.32.1
libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.32.1
libMagickWand-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.32.1

- openSUSE Leap 15.0 (noarch):

ImageMagick-doc-7.0.7.34-lp150.2.32.1


References:

https://www.suse.com/security/cve/CVE-2019-11470.html
https://www.suse.com/security/cve/CVE-2019-11472.html
https://www.suse.com/security/cve/CVE-2019-11505.html
https://www.suse.com/security/cve/CVE-2019-11506.html
https://www.suse.com/security/cve/CVE-2019-11598.html
https://bugzilla.suse.com/1133204
https://bugzilla.suse.com/1133205
https://bugzilla.suse.com/1133498
https://bugzilla.suse.com/1133501
https://bugzilla.suse.com/1136183
https://bugzilla.suse.com/1136732

--


openSUSE-SU-2019:1604-1: important: Security update for dbus-1

openSUSE Security Update: Security update for dbus-1
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1604-1
Rating: important
References: #1082318 #1137832
Cross-References: CVE-2019-12749
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one erratum
is now available.

Description:

This update for dbus-1 fixes the following issues:

Security issue fixed:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication
(bsc#1137832).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1604=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

dbus-1-1.12.2-lp150.2.3.1
dbus-1-debuginfo-1.12.2-lp150.2.3.1
dbus-1-debugsource-1.12.2-lp150.2.3.1
dbus-1-devel-1.12.2-lp150.2.3.1
dbus-1-x11-1.12.2-lp150.2.3.1
dbus-1-x11-debuginfo-1.12.2-lp150.2.3.1
dbus-1-x11-debugsource-1.12.2-lp150.2.3.1
libdbus-1-3-1.12.2-lp150.2.3.1
libdbus-1-3-debuginfo-1.12.2-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

dbus-1-devel-doc-1.12.2-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

dbus-1-32bit-debuginfo-1.12.2-lp150.2.3.1
dbus-1-devel-32bit-1.12.2-lp150.2.3.1
libdbus-1-3-32bit-1.12.2-lp150.2.3.1
libdbus-1-3-32bit-debuginfo-1.12.2-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-12749.html
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1137832

--


openSUSE-SU-2019:1605-1: moderate: Security update for netpbm

openSUSE Security Update: Security update for netpbm
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1605-1
Rating: moderate
References: #1024288 #1024291 #1136936
Cross-References: CVE-2017-2579 CVE-2017-2580
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has one
erratum is now available.

Description:

This update for netpbm fixes the following issues:

Security issues fixed:

- CVE-2017-2579: Fixed out-of-bounds read in expandCodeOntoStack()
(bsc#1024288).
- CVE-2017-2580: Fixed out-of-bounds write of heap data in
addPixelToRaster() function (bsc#1024291).
- Created a netpbm-vulnerable subpackage and moved pstopnm into it, since
  pstopnm relies on ghostscript for conversion (bsc#1136936).


This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1605=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1605=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libnetpbm-devel-10.80.1-lp151.4.3.1
libnetpbm11-10.80.1-lp151.4.3.1
libnetpbm11-debuginfo-10.80.1-lp151.4.3.1
netpbm-10.80.1-lp151.4.3.1
netpbm-debuginfo-10.80.1-lp151.4.3.1
netpbm-debugsource-10.80.1-lp151.4.3.1
netpbm-vulnerable-10.80.1-lp151.4.3.1
netpbm-vulnerable-debuginfo-10.80.1-lp151.4.3.1

- openSUSE Leap 15.1 (x86_64):

libnetpbm11-32bit-10.80.1-lp151.4.3.1
libnetpbm11-32bit-debuginfo-10.80.1-lp151.4.3.1

- openSUSE Leap 15.0 (i586 x86_64):

libnetpbm-devel-10.80.1-lp150.2.6.1
libnetpbm11-10.80.1-lp150.2.6.1
libnetpbm11-debuginfo-10.80.1-lp150.2.6.1
netpbm-10.80.1-lp150.2.6.1
netpbm-debuginfo-10.80.1-lp150.2.6.1
netpbm-debugsource-10.80.1-lp150.2.6.1
netpbm-vulnerable-10.80.1-lp150.2.6.1
netpbm-vulnerable-debuginfo-10.80.1-lp150.2.6.1

- openSUSE Leap 15.0 (x86_64):

libnetpbm11-32bit-10.80.1-lp150.2.6.1
libnetpbm11-32bit-debuginfo-10.80.1-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2017-2579.html
https://www.suse.com/security/cve/CVE-2017-2580.html
https://bugzilla.suse.com/1024288
https://bugzilla.suse.com/1024291
https://bugzilla.suse.com/1136936

--


openSUSE-SU-2019:1606-1: important: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1606-1
Rating: important
References: #1137595 #1138872
Cross-References: CVE-2019-11703 CVE-2019-11704 CVE-2019-11705 CVE-2019-11706 CVE-2019-11707 CVE-2019-11708
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

Security issues fixed:

- CVE-2019-11703: Fixed a heap-based buffer overflow in
icalmemorystrdupanddequote() (bsc#1137595).
- CVE-2019-11704: Fixed a heap-based buffer overflow in
parser_get_next_char() (bsc#1137595).
- CVE-2019-11705: Fixed a stack-based buffer overflow in
icalrecur_add_bydayrules() (bsc#1137595).
- CVE-2019-11706: Fixed a type confusion in
icaltimezone_get_vtimezone_properties() (bsc#1137595).
- CVE-2019-11707: Fixed a type confusion in Array.pop (bsc#1138872).
- CVE-2019-11708: Fixed a sandbox escape using Prompt:Open (bsc#1138872).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1606=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1606=1



Package List:

- openSUSE Leap 15.1 (x86_64):

MozillaThunderbird-60.7.2-lp151.2.7.1
MozillaThunderbird-buildsymbols-60.7.2-lp151.2.7.1
MozillaThunderbird-debuginfo-60.7.2-lp151.2.7.1
MozillaThunderbird-debugsource-60.7.2-lp151.2.7.1
MozillaThunderbird-translations-common-60.7.2-lp151.2.7.1
MozillaThunderbird-translations-other-60.7.2-lp151.2.7.1

- openSUSE Leap 15.0 (x86_64):

MozillaThunderbird-60.7.2-lp150.3.45.1
MozillaThunderbird-buildsymbols-60.7.2-lp150.3.45.1
MozillaThunderbird-debuginfo-60.7.2-lp150.3.45.1
MozillaThunderbird-debugsource-60.7.2-lp150.3.45.1
MozillaThunderbird-translations-common-60.7.2-lp150.3.45.1
MozillaThunderbird-translations-other-60.7.2-lp150.3.45.1
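The package lists in these six announcements give the exact version-release each fix ships in, and the practical follow-up after `zypper patch` is to confirm that every affected host actually carries those builds. The script below is an added example, not part of the openSUSE announcement: it re-implements rpm's label comparison (rpmvercmp, with the `~` rule but without the newer `^` rule) so it runs offline, takes the Leap 15.1 fixed versions from the package lists above, and compares them with a constructed sample standing in for `rpm -qa` output.

```python
def rpmvercmp(a, b):
    """rpm's rpmvercmp(): -1/0/1, segment-wise; '~' rule kept, '^' rule omitted."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while ia < len(a) and not (a[ia].isalnum() or a[ia] == "~"):
            ia += 1  # separators (".", "-", "_", ...) are skipped
        while ib < len(b) and not (b[ib].isalnum() or b[ib] == "~"):
            ib += 1
        ta, tb = a[ia:ia + 1] == "~", b[ib:ib + 1] == "~"
        if ta or tb:  # '~' sorts before everything, even the end of the string
            if ta and tb:
                ia, ib = ia + 1, ib + 1
                continue
            return -1 if ta else 1
        if ia >= len(a) or ib >= len(b):
            break
        cls = str.isdigit if a[ia].isdigit() else str.isalpha
        ja, jb = ia, ib
        while ja < len(a) and cls(a[ja]):
            ja += 1
        while jb < len(b) and cls(b[jb]):
            jb += 1
        sa, sb = a[ia:ja], b[ib:jb]
        if not sb:  # segment types differ: a numeric segment beats an alphabetic one
            return 1 if cls is str.isdigit else -1
        if cls is str.isdigit:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # compare numerically
            if len(sa) != len(sb):
                return (len(sa) > len(sb)) - (len(sa) < len(sb))
        if sa != sb:
            return (sa > sb) - (sa < sb)
        ia, ib = ja, jb
    return (ib >= len(b)) - (ia >= len(a))  # whoever has leftover segments is newer

def still_vulnerable(installed, fixed):
    """Names of installed packages older than the advisory's fixed version-release."""
    nvr = lambda p: p.rsplit("-", 2)  # 'dbus-1-1.12.2-lp150.2.3.1' -> name, ver, rel
    want = {n: (v, r) for n, v, r in map(nvr, fixed)}
    return [n for n, v, r in map(nvr, installed) if n in want
            and (rpmvercmp(v, want[n][0]) or rpmvercmp(r, want[n][1])) < 0]

FIXED = [  # taken from the openSUSE Leap 15.1 package lists in this announcement
    "MozillaFirefox-60.7.2-lp151.2.7.1", "ImageMagick-7.0.7.34-lp151.7.3.1",
    "netpbm-10.80.1-lp151.4.3.1", "MozillaThunderbird-60.7.2-lp151.2.7.1"]
INSTALLED = [  # constructed sample standing in for `rpm -qa` output on one host
    "MozillaFirefox-60.7.1-lp151.2.4.1", "ImageMagick-7.0.7.34-lp151.7.3.1",
    "netpbm-10.80.1-lp151.4.6.1", "MozillaThunderbird-60.7.0-lp151.2.3.1"]
print(still_vulnerable(INSTALLED, FIXED))  # ['MozillaFirefox', 'MozillaThunderbird']
```

On a real host, replace INSTALLED with the lines of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; a package whose release is newer than the listed one (the netpbm sample) is correctly treated as fixed.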


References:

https://www.suse.com/security/cve/CVE-2019-11703.html
https://www.suse.com/security/cve/CVE-2019-11704.html
https://www.suse.com/security/cve/CVE-2019-11705.html
https://www.suse.com/security/cve/CVE-2019-11706.html
https://www.suse.com/security/cve/CVE-2019-11707.html
https://www.suse.com/security/cve/CVE-2019-11708.html
https://bugzilla.suse.com/1137595
https://bugzilla.suse.com/1138872

--