The following updates has been released for openSUSE:
openSUSE-SU-2018:2941-1: moderate: Security update for gd
openSUSE-SU-2018:2942-1: important: Security update for mgetty
openSUSE-SU-2018:2943-1: important: Security update for yast2-smt
openSUSE-SU-2018:2941-1: moderate: Security update for gd
openSUSE-SU-2018:2942-1: important: Security update for mgetty
openSUSE-SU-2018:2943-1: important: Security update for yast2-smt
openSUSE-SU-2018:2941-1: moderate: Security update for gd
openSUSE Security Update: Security update for gd
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2941-1
Rating: moderate
References: #1105434
Cross-References: CVE-2018-1000222
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for gd fixes the following issues:
Security issue fixed:
- CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr()
that could result in remote code execution. This could have been
exploited via a specially crafted JPEG image files. (bsc#1105434)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1079=1
Package List:
- openSUSE Leap 15.0 (i586 x86_64):
gd-2.2.5-lp150.3.3.1
gd-debuginfo-2.2.5-lp150.3.3.1
gd-debugsource-2.2.5-lp150.3.3.1
gd-devel-2.2.5-lp150.3.3.1
libgd3-2.2.5-lp150.3.3.1
libgd3-debuginfo-2.2.5-lp150.3.3.1
- openSUSE Leap 15.0 (x86_64):
libgd3-32bit-2.2.5-lp150.3.3.1
libgd3-32bit-debuginfo-2.2.5-lp150.3.3.1
References:
https://www.suse.com/security/cve/CVE-2018-1000222.html
https://bugzilla.suse.com/1105434
--
openSUSE-SU-2018:2942-1: important: Security update for mgetty
openSUSE Security Update: Security update for mgetty
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2942-1
Rating: important
References: #1108752 #1108756 #1108757 #1108761 #1108762
Cross-References: CVE-2018-16741 CVE-2018-16742 CVE-2018-16743
CVE-2018-16744 CVE-2018-16745
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes 5 vulnerabilities is now available.
Description:
This update for mgetty fixes the following issues:
- CVE-2018-16741: The function do_activate() did not properly sanitize
shell metacharacters to prevent command injection (bsc#1108752).
- CVE-2018-16745: The mail_to parameter was not sanitized, leading to a
buffer
overflow if long untrusted input reached it (bsc#1108756).
- CVE-2018-16744: The mail_to parameter was not sanitized, leading to
command injection if untrusted input reached reach it (bsc#1108757).
- CVE-2018-16742: Prevent stack-based buffer overflow that could have been
triggered via a command-line parameter (bsc#1108762).
- CVE-2018-16743: The command-line parameter username wsa passed
unsanitized to strcpy(), which could have caused a stack-based buffer
overflow (bsc#1108761).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1080=1
Package List:
- openSUSE Leap 15.0 (x86_64):
g3utils-1.1.37-lp150.2.3.1
g3utils-debuginfo-1.1.37-lp150.2.3.1
mgetty-1.1.37-lp150.2.3.1
mgetty-debuginfo-1.1.37-lp150.2.3.1
mgetty-debugsource-1.1.37-lp150.2.3.1
sendfax-1.1.37-lp150.2.3.1
sendfax-debuginfo-1.1.37-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-16741.html
https://www.suse.com/security/cve/CVE-2018-16742.html
https://www.suse.com/security/cve/CVE-2018-16743.html
https://www.suse.com/security/cve/CVE-2018-16744.html
https://www.suse.com/security/cve/CVE-2018-16745.html
https://bugzilla.suse.com/1108752
https://bugzilla.suse.com/1108756
https://bugzilla.suse.com/1108757
https://bugzilla.suse.com/1108761
https://bugzilla.suse.com/1108762
--
openSUSE-SU-2018:2943-1: important: Security update for yast2-smt
openSUSE Security Update: Security update for yast2-smt
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2943-1
Rating: important
References: #1097560
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update fixes the following issue in yast2-smt:
- Remove cron job rescheduling (bsc#1097560)
This update is a requirement for the security update for SMT. Because of
that it is tagged as security to ensure that all users, even those that
only install security updates, install it.
This update was imported from the SUSE:SLE-12-SP3:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1081=1
Package List:
- openSUSE Leap 42.3 (noarch):
yast2-smt-3.0.14-2.3.1
References:
https://bugzilla.suse.com/1097560
--