SUSE 5152 Published by

The following updates have been released for openSUSE:

openSUSE-SU-2019:0325-1: important: Security update for freerdp
openSUSE-SU-2019:0326-1: important: Security update for obs-service-tar_scm
openSUSE-SU-2019:0327-1: important: Security update for mariadb



openSUSE-SU-2019:0325-1: important: Security update for freerdp

openSUSE Security Update: Security update for freerdp
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0325-1
Rating: important
References: #1085416 #1087240 #1103557 #1104918 #1112028
#1116708 #1117963 #1117964 #1117965 #1117966
#1117967 #1120507
Cross-References: CVE-2018-0886 CVE-2018-1000852 CVE-2018-8784
CVE-2018-8785 CVE-2018-8786 CVE-2018-8787
CVE-2018-8788 CVE-2018-8789
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 8 vulnerabilities and has four fixes
is now available.

Description:

This update for freerdp to version 2.0.0~rc4 fixes the following issues:

Security issues fixed:

- CVE-2018-0886: Fix a remote code execution vulnerability (CredSSP)
(bsc#1085416, bsc#1087240, bsc#1104918)
- CVE-2018-8789: Fix several denial of service vulnerabilities in the
NTLM Authentication module (bsc#1117965)
- CVE-2018-8785: Fix a potential remote code execution vulnerability in
the zgfx_decompress function (bsc#1117967)
- CVE-2018-8786: Fix a potential remote code execution vulnerability in
the update_read_bitmap_update function (bsc#1117966)
- CVE-2018-8787: Fix a potential remote code execution vulnerability in
the gdi_Bitmap_Decompress function (bsc#1117964)
- CVE-2018-8788: Fix a potential remote code execution vulnerability in
the nsc_rle_decode function (bsc#1117963)
- CVE-2018-8784: Fix a potential remote code execution vulnerability in
the zgfx_decompress_segment function (bsc#1116708)
- CVE-2018-1000852: Fixed a remote memory access in the
drdynvc_process_capability_request function (bsc#1120507)

Other issues:

- Upgraded to version 2.0.0-rc4 (FATE#326739)
- Security and stability improvements, including bsc#1103557 and
bsc#1112028
- gateway: multiple fixes and improvements
- client/X11: support for rail (remote app) icons was added
- The licensing code was re-worked: per-device licenses are now saved on
the client and used on re-connect. WARNING: this is a change in FreeRDP
behavior regarding licensing. If the old behavior is required, or no
licenses should be saved, use the new command line option +old-license
(gh#/FreeRDP/FreeRDP#4979)
- Improved order handling: only orders that were enabled during
capability exchange are accepted. WARNING and NOTE: some servers
improperly send orders that weren't negotiated; for such cases the new
command line option /relax-order-checks was added to disable the strict
order checking. If connecting to xrdp, the options /relax-order-checks
*and* +glyph-cache are required. (gh#/FreeRDP/FreeRDP#4926)
- Fixed automount issues
- Fixed several audio and microphone related issues
- Fixed X11 Right-Ctrl ungrab feature
- Fixed race condition in rdpsnd channel server.
- Disabled SSE2 for ARM and powerpc

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-325=1



Package List:

- openSUSE Leap 15.0 (x86_64):

freerdp-2.0.0~rc4-lp150.2.3.1
freerdp-debuginfo-2.0.0~rc4-lp150.2.3.1
freerdp-debugsource-2.0.0~rc4-lp150.2.3.1
freerdp-devel-2.0.0~rc4-lp150.2.3.1
freerdp-server-2.0.0~rc4-lp150.2.3.1
freerdp-server-debuginfo-2.0.0~rc4-lp150.2.3.1
freerdp-wayland-2.0.0~rc4-lp150.2.3.1
freerdp-wayland-debuginfo-2.0.0~rc4-lp150.2.3.1
libfreerdp2-2.0.0~rc4-lp150.2.3.1
libfreerdp2-debuginfo-2.0.0~rc4-lp150.2.3.1
libuwac0-0-2.0.0~rc4-lp150.2.3.1
libuwac0-0-debuginfo-2.0.0~rc4-lp150.2.3.1
libwinpr2-2.0.0~rc4-lp150.2.3.1
libwinpr2-debuginfo-2.0.0~rc4-lp150.2.3.1
uwac0-0-devel-2.0.0~rc4-lp150.2.3.1
winpr2-devel-2.0.0~rc4-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-0886.html
https://www.suse.com/security/cve/CVE-2018-1000852.html
https://www.suse.com/security/cve/CVE-2018-8784.html
https://www.suse.com/security/cve/CVE-2018-8785.html
https://www.suse.com/security/cve/CVE-2018-8786.html
https://www.suse.com/security/cve/CVE-2018-8787.html
https://www.suse.com/security/cve/CVE-2018-8788.html
https://www.suse.com/security/cve/CVE-2018-8789.html
https://bugzilla.suse.com/1085416
https://bugzilla.suse.com/1087240
https://bugzilla.suse.com/1103557
https://bugzilla.suse.com/1104918
https://bugzilla.suse.com/1112028
https://bugzilla.suse.com/1116708
https://bugzilla.suse.com/1117963
https://bugzilla.suse.com/1117964
https://bugzilla.suse.com/1117965
https://bugzilla.suse.com/1117966
https://bugzilla.suse.com/1117967
https://bugzilla.suse.com/1120507

--


openSUSE-SU-2019:0326-1: important: Security update for obs-service-tar_scm

openSUSE Security Update: Security update for obs-service-tar_scm
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0326-1
Rating: important
References: #1076410 #1082696 #1105361 #1107507 #1107944

Cross-References: CVE-2018-12473 CVE-2018-12474 CVE-2018-12476

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves three vulnerabilities and has two
fixes is now available.

Description:

This update for obs-service-tar_scm fixes the following issues:

Security vulnerabilities addressed:

- CVE-2018-12473: Fixed a path traversal issue, which allowed users to
access files outside of the repository using relative paths (bsc#1105361)
- CVE-2018-12474: Fixed an issue whereby crafted service parameters
allowed for unexpected behaviour (bsc#1107507)
- CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed
writing files outside of the package directory (bsc#1107944)
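Two of the fixes above (CVE-2018-12473 and CVE-2018-12476) come down to keeping a user-supplied name inside the package directory. As an added illustration, not obs-service-tar_scm's own code (the function names and the constructed directory layout are assumptions), the following rejects an outfilename that carries directory separators or parent-directory components, and separately verifies that a relative path still resolves inside the package directory after `..` and symlink resolution:

```python
import os
import tempfile


def is_safe_outfilename(outfilename: str) -> bool:
    """Accept only a bare file name: non-empty, not '.' or '..', and
    without directory separators or NUL bytes (hypothetical helper)."""
    if not outfilename or outfilename in (".", ".."):
        return False
    if "/" in outfilename or "\\" in outfilename or "\0" in outfilename:
        return False
    return True


def resolve_inside(package_dir: str, relpath: str) -> str:
    """Return the real path of package_dir/relpath, raising ValueError if
    it lands outside package_dir once '..' and symlinks are resolved."""
    base = os.path.realpath(package_dir)
    # os.path.join discards base when relpath is absolute, so an absolute
    # relpath also ends up outside base and is rejected below.
    target = os.path.realpath(os.path.join(base, relpath))
    # commonpath avoids the prefix trap (/pkg matching /pkg2).
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{relpath!r} escapes {package_dir!r}")
    return target


def demo() -> dict:
    """Constructed scenario: a package directory containing a symlink that
    points outside it, plus a few candidate output paths."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "pkg")
        outside = os.path.join(tmp, "outside")
        os.mkdir(pkg)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(pkg, "link"))
        results = {}
        for rel in ("archive.tar", "../outside/x", "link/x", "/etc/passwd"):
            try:
                resolve_inside(pkg, rel)
                results[rel] = "ok"
            except ValueError:
                results[rel] = "rejected"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>14}: {verdict}")
```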

Other bug fixes and changes made:

- Prefer UTF-8 locale as output format for changes
- added KankuFile
- fix problems with unicode source files
- added python-six to Requires in specfile
- better encoding handling
- fixes bsc#1082696 and bsc#1076410
- fix unicode in containers
- move to python3
- added logging for better debugging changesgenerate
- raise exception if no changesauthor given
- Stop using @opensuse.org addresses to indicate a missing address
- move argparse dep to -common package
- allow submodule and ssl options in appimage
- sync spec file as used in openSUSE:Tools project
- check encoding problems for svn and print proper error msg
- added new param '--locale'
- separate service file installation in GNUmakefile
- added glibc as Recommends in spec file
- cleanup for broken svn caches
- another fix for unicode problem in obs_scm
- Final fix for unicode in filenames
- Another attempt to fix unicode filenames in prep_tree_for_archive
- Another attempt to fix unicode filenames in prep_tree_for_archive
- fix bug with unicode filenames in prep_tree_for_archive
- reuse _service*_servicedata/changes files from previous service runs
- fix problems with unicode characters in commit messages for
changeloggenerate
- fix encoding issues if commit message contains utf8 char
- revert encoding for old changes file
- remove hardcoded utf-8 encodings
- Add support for extract globbing
- split pylint2 in GNUmakefile
- fix check for "--reproducible"
- create reproducible obscpio archives
- fix regression from 44b3bee
- Support also SSH urls for Git
- check name/version option in obsinfo for slashes
- check url for remote url
- check symlinks in subdir parameter
- check filename for slashes
- disable follow_symlinks in extract feature
- switch to obs_scm for this package
- run download_files in appimage and snapcraft case
- check --extract file path for parent dir
- Fix parameter descriptions
- changed os.removedirs -> shutil.rmtree
- Adding information regarding the *package-metadata* option for the *tar*
service. The tar service is highly useful in combination with the
*obscpio* service. After the fix for the metadata for the latter one, it
is important to inform the users of the *tar* service that metadata is
kept only if the flag *package-metadata* is enabled. Add the flag to the
.service file for mentioning that.
- Allow metadata packing for CPIO archives when desired. As of now,
metadata are always excluded from *obscpio* packages. This is because
the *package-metadata* flag is ignored; this change (should) make
*obscpio* aware of it.
- improve handling of corrupt git cache directories
- only do git stash save/pop if we have a non-empty working tree (#228)
- don't allow DEBUG_TAR_SCM to change behaviour (#240)
- add stub user docs in lieu of something proper (#238)
- Remove clone_dir if clone fails
- python-unittest2 is only required for the optional make check
- move python-unittest2 dep to test suite only part (submission by olh)
- Removing redundant pass statement
- missing import for logging functions.
- [backend] Adding http proxy support
- python-unittest2 is only required for the optional make check
- make installation of scm's optional
- add a lot more detail to README
- Git clone with --no-checkout in prepare_working_copy
- Refactor and simplify git prepare_working_copy
- Only use current dir if it actually looks like git (Fixes #202)
- reactivate test_obscpio_extract_d
- fix broken test create_archive
- fix broken tests for broken-links
- changed PREFIX in Gnumakefile to /usr
- new cli option --skip-cleanup
- fix for broken links
- fix reference to snapcraft YAML file
- fix docstring typo in TarSCM.scm.tar.fetch_upstream
- acknowledge deficiencies in dev docs
- wrap long lines in README

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-326=1



Package List:

- openSUSE Leap 15.0 (noarch):

obs-service-appimage-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-obs_scm-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-obs_scm-common-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-snapcraft-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-tar-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-tar_scm-0.10.5.1551309990.79898c7-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-12473.html
https://www.suse.com/security/cve/CVE-2018-12474.html
https://www.suse.com/security/cve/CVE-2018-12476.html
https://bugzilla.suse.com/1076410
https://bugzilla.suse.com/1082696
https://bugzilla.suse.com/1105361
https://bugzilla.suse.com/1107507
https://bugzilla.suse.com/1107944

--


openSUSE-SU-2019:0327-1: important: Security update for mariadb

openSUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0327-1
Rating: important
References: #1013882 #1101676 #1101677 #1101678 #1103342
#1111858 #1111859 #1112368 #1112377 #1112384
#1112386 #1112391 #1112397 #1112404 #1112415
#1112417 #1112421 #1112432 #1112767 #1116686
#1118754 #1120041 #1122198 #1122475 #1127027

Cross-References: CVE-2016-9843 CVE-2018-3058 CVE-2018-3060
CVE-2018-3063 CVE-2018-3064 CVE-2018-3066
CVE-2018-3143 CVE-2018-3156 CVE-2018-3162
CVE-2018-3173 CVE-2018-3174 CVE-2018-3185
CVE-2018-3200 CVE-2018-3251 CVE-2018-3277
CVE-2018-3282 CVE-2018-3284 CVE-2019-2510
CVE-2019-2537
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 19 vulnerabilities and has 6 fixes is
now available.

Description:

This update for mariadb to version 10.2.22 fixes the following issues:

Security issues fixed:

- CVE-2019-2510: Fixed a vulnerability which can lead to MySQL compromise
and Denial of Service (bsc#1122198).
- CVE-2019-2537: Fixed a vulnerability which can lead to MySQL compromise
and Denial of Service (bsc#1122198).
- CVE-2018-3284: Fixed InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112377)
- CVE-2018-3282: Server Storage Engines unspecified vulnerability (CPU Oct
2018) (bsc#1112432)
- CVE-2018-3277: Fixed InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112391)
- CVE-2018-3251: InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112397)
- CVE-2018-3200: Fixed InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112404)
- CVE-2018-3185: Fixed InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112384)
- CVE-2018-3174: Client programs unspecified vulnerability (CPU Oct 2018)
(bsc#1112368)
- CVE-2018-3173: Fixed InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112386)
- CVE-2018-3162: Fixed InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112415)
- CVE-2018-3156: InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112417)
- CVE-2018-3143: InnoDB unspecified vulnerability (CPU Oct 2018)
(bsc#1112421)
- CVE-2018-3066: Unspecified vulnerability in the MySQL Server component
of Oracle MySQL (subcomponent Server Options). (bsc#1101678)
- CVE-2018-3064: InnoDB unspecified vulnerability (CPU Jul 2018)
(bsc#1103342)
- CVE-2018-3063: Unspecified vulnerability in the MySQL Server component
of Oracle MySQL (subcomponent Server Security Privileges). (bsc#1101677)
- CVE-2018-3058: Unspecified vulnerability in the MySQL Server component
of Oracle MySQL (subcomponent MyISAM). (bsc#1101676)
- CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)

Non-security issues fixed:

- Fixed an issue where mysql_install_db fails due to an incorrect basedir
(bsc#1127027).
- Fixed an issue where logrotate was not working (bsc#1112767).
- Backport Information Schema CHECK_CONSTRAINTS Table.
- Maximum value of table_definition_cache is now 2097152.
- InnoDB ALTER TABLE fixes.
- Galera crash recovery fixes.
- Encryption fixes.
- Remove xtrabackup dependency as MariaDB ships a build in mariabackup so
xtrabackup is not needed (bsc#1122475).
- MariaDB testsuite: test main.plugin_auth failed (bsc#1111859)
- MariaDB testsuite: test encryption.second_plugin-12863 failed
(bsc#1111858)
- Remove PerconaFT from the package as it has an AGPL licence (bsc#1118754)
- Database corruption after renaming a prefix-indexed column (bsc#1120041)


Release notes and changelog:

- https://mariadb.com/kb/en/library/mariadb-10222-release-notes
- https://mariadb.com/kb/en/library/mariadb-10222-changelog/

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-327=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libmysqld-devel-10.2.22-lp150.2.9.1
libmysqld19-10.2.22-lp150.2.9.1
libmysqld19-debuginfo-10.2.22-lp150.2.9.1
mariadb-10.2.22-lp150.2.9.1
mariadb-bench-10.2.22-lp150.2.9.1
mariadb-bench-debuginfo-10.2.22-lp150.2.9.1
mariadb-client-10.2.22-lp150.2.9.1
mariadb-client-debuginfo-10.2.22-lp150.2.9.1
mariadb-debuginfo-10.2.22-lp150.2.9.1
mariadb-debugsource-10.2.22-lp150.2.9.1
mariadb-galera-10.2.22-lp150.2.9.1
mariadb-test-10.2.22-lp150.2.9.1
mariadb-test-debuginfo-10.2.22-lp150.2.9.1
mariadb-tools-10.2.22-lp150.2.9.1
mariadb-tools-debuginfo-10.2.22-lp150.2.9.1

- openSUSE Leap 15.0 (noarch):

mariadb-errormessages-10.2.22-lp150.2.9.1


References:

https://www.suse.com/security/cve/CVE-2016-9843.html
https://www.suse.com/security/cve/CVE-2018-3058.html
https://www.suse.com/security/cve/CVE-2018-3060.html
https://www.suse.com/security/cve/CVE-2018-3063.html
https://www.suse.com/security/cve/CVE-2018-3064.html
https://www.suse.com/security/cve/CVE-2018-3066.html
https://www.suse.com/security/cve/CVE-2018-3143.html
https://www.suse.com/security/cve/CVE-2018-3156.html
https://www.suse.com/security/cve/CVE-2018-3162.html
https://www.suse.com/security/cve/CVE-2018-3173.html
https://www.suse.com/security/cve/CVE-2018-3174.html
https://www.suse.com/security/cve/CVE-2018-3185.html
https://www.suse.com/security/cve/CVE-2018-3200.html
https://www.suse.com/security/cve/CVE-2018-3251.html
https://www.suse.com/security/cve/CVE-2018-3277.html
https://www.suse.com/security/cve/CVE-2018-3282.html
https://www.suse.com/security/cve/CVE-2018-3284.html
https://www.suse.com/security/cve/CVE-2019-2510.html
https://www.suse.com/security/cve/CVE-2019-2537.html
https://bugzilla.suse.com/1013882
https://bugzilla.suse.com/1101676
https://bugzilla.suse.com/1101677
https://bugzilla.suse.com/1101678
https://bugzilla.suse.com/1103342
https://bugzilla.suse.com/1111858
https://bugzilla.suse.com/1111859
https://bugzilla.suse.com/1112368
https://bugzilla.suse.com/1112377
https://bugzilla.suse.com/1112384
https://bugzilla.suse.com/1112386
https://bugzilla.suse.com/1112391
https://bugzilla.suse.com/1112397
https://bugzilla.suse.com/1112404
https://bugzilla.suse.com/1112415
https://bugzilla.suse.com/1112417
https://bugzilla.suse.com/1112421
https://bugzilla.suse.com/1112432
https://bugzilla.suse.com/1112767
https://bugzilla.suse.com/1116686
https://bugzilla.suse.com/1118754
https://bugzilla.suse.com/1120041
https://bugzilla.suse.com/1122198
https://bugzilla.suse.com/1122475
https://bugzilla.suse.com/1127027

--