SUSE 5152 Published by

The following security updates has been released for openSUSE:

openSUSE-SU-2018:2487-1: Security update for libXcursor
openSUSE-SU-2018:2488-1: moderate: Security update for python-Django
openSUSE-SU-2018:2502-1: important: Security update for libgit2
openSUSE-SU-2018:2503-1: moderate: Security update for ImageMagick



openSUSE-SU-2018:2487-1: Security update for libXcursor

openSUSE Security Update: Security update for libXcursor
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2487-1
Rating: low
References: #1103511
Cross-References: CVE-2015-9262
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libXcursor fixes the following issues:

- CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause
denial
of service or potentially code execution via a one-byte heap overflow
(bsc#1103511)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-915=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libXcursor-debugsource-1.1.14-10.6.1
libXcursor-devel-1.1.14-10.6.1
libXcursor1-1.1.14-10.6.1
libXcursor1-debuginfo-1.1.14-10.6.1

- openSUSE Leap 42.3 (x86_64):

libXcursor-devel-32bit-1.1.14-10.6.1
libXcursor1-32bit-1.1.14-10.6.1
libXcursor1-debuginfo-32bit-1.1.14-10.6.1


References:

https://www.suse.com/security/cve/CVE-2015-9262.html
https://bugzilla.suse.com/1103511

--


openSUSE-SU-2018:2488-1: moderate: Security update for python-Django

openSUSE Security Update: Security update for python-Django
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2488-1
Rating: moderate
References: #1102680
Cross-References: CVE-2018-14574
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-Django to version 2.08 fixes the following issues:

The following security vulnerability was fixed:

- CVE-2018-14574: Fixed an redirection vulnerability in CommonMiddleware
(boo#1102680)

The following other bugs were fixed:

- Fixed a regression in Django 2.0.7 that broke the regex lookup on MariaDB
- Fixed a regression where django.template.Template crashed if the
template_string argument is lazy
- Fixed __regex and __iregex lookups with MySQL
- Fixed admin check crash when using a query expression in
ModelAdmin.ordering
- Fixed admin changelist crash when using a query expression without asc()
or desc() in the page’s ordering
- Fixed a regression that broke custom template filters that use decorators
- Fixed detection of custom URL converters in included pattern
- Fixed a regression that added an unnecessary subquery to the GROUP BY
clause
on MySQL when using a RawSQL annotation
- Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+
- Fixed a regression in Django 1.10 that could result in large memory
usage when making edits using ModelAdmin.list_editable
- Corrected the import paths that inspectdb generates for
django.contrib.postgres fields
- Fixed crashes in django.contrib.admindocs when a view is a callable
object, such as django.contrib.syndication.views.Feed
- Fixed a regression in Django 1.11.12 where QuerySet.values() or
values_list() after combining an annotated and unannotated queryset with
union(), difference(), or intersection() crashed due to mismatching
columns


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-914=1



Package List:

- openSUSE Leap 15.0 (noarch):

python3-Django-2.0.8-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-14574.html
https://bugzilla.suse.com/1102680

--


openSUSE-SU-2018:2502-1: important: Security update for libgit2

openSUSE Security Update: Security update for libgit2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2502-1
Rating: important
References: #1095219 #1100612 #1100613 #1104641
Cross-References: CVE-2018-10887 CVE-2018-10888 CVE-2018-11235
CVE-2018-15501
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for libgit2 to version 0.26.5 fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10887: Fixed an integer overflow which in turn leads to an out
of bound read, allowing to read the base object, which could be
exploited by an attacker to cause denial of service (DoS) (bsc#1100613).
- CVE-2018-10888: Fixed an out-of-bound read while reading a binary delta
file, which could be exploited by an attacker t ocause a denial of
service (DoS) (bsc#1100612).
- CVE-2018-11235: Fixed a remote code execution, which could occur with a
crafted .gitmodules file (bsc#1095219)
- CVE-2018-15501: Prevent out-of-bounds reads when processing
smart-protocol "ng" packets (bsc#1104641)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-922=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libgit2-26-0.26.6-lp150.2.3.1
libgit2-26-debuginfo-0.26.6-lp150.2.3.1
libgit2-debugsource-0.26.6-lp150.2.3.1
libgit2-devel-0.26.6-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libgit2-26-32bit-0.26.6-lp150.2.3.1
libgit2-26-32bit-debuginfo-0.26.6-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-10887.html
https://www.suse.com/security/cve/CVE-2018-10888.html
https://www.suse.com/security/cve/CVE-2018-11235.html
https://www.suse.com/security/cve/CVE-2018-15501.html
https://bugzilla.suse.com/1095219
https://bugzilla.suse.com/1100612
https://bugzilla.suse.com/1100613
https://bugzilla.suse.com/1104641

--


openSUSE-SU-2018:2503-1: moderate: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2503-1
Rating: moderate
References: #1094741 #1102003 #1102004 #1102005 #1102007

Cross-References: CVE-2018-14434 CVE-2018-14435 CVE-2018-14436
CVE-2018-14437
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves four vulnerabilities and has one
errata is now available.

Description:

This update for ImageMagick fixes the following issues:

Security issues fixed:

* CVE-2018-14434: A memory leak for a colormap in WriteMPCImage
incoders/mpc.c was fixed. (bsc#1102003)
* CVE-2018-14435: A memory leak in DecodeImage in coders/pcd.c was fixed.
(bsc#1102007)
* CVE-2018-14436: A memory leak in ReadMIFFImage in coders/miff.c was
fixed. (bsc#1102005)
* CVE-2018-14437: A memory leak in parse8BIM in coders/meta.c was fixed.
(bsc#1102004)

Bug fix:

- bsc#1094741: Fix unexpected result with `convert -compose`.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-925=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ImageMagick-7.0.7.34-lp150.2.9.1
ImageMagick-debuginfo-7.0.7.34-lp150.2.9.1
ImageMagick-debugsource-7.0.7.34-lp150.2.9.1
ImageMagick-devel-7.0.7.34-lp150.2.9.1
ImageMagick-extra-7.0.7.34-lp150.2.9.1
ImageMagick-extra-debuginfo-7.0.7.34-lp150.2.9.1
libMagick++-7_Q16HDRI4-7.0.7.34-lp150.2.9.1
libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-lp150.2.9.1
libMagick++-devel-7.0.7.34-lp150.2.9.1
libMagickCore-7_Q16HDRI6-7.0.7.34-lp150.2.9.1
libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.9.1
libMagickWand-7_Q16HDRI6-7.0.7.34-lp150.2.9.1
libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.9.1
perl-PerlMagick-7.0.7.34-lp150.2.9.1
perl-PerlMagick-debuginfo-7.0.7.34-lp150.2.9.1

- openSUSE Leap 15.0 (x86_64):

ImageMagick-devel-32bit-7.0.7.34-lp150.2.9.1
libMagick++-7_Q16HDRI4-32bit-7.0.7.34-lp150.2.9.1
libMagick++-7_Q16HDRI4-32bit-debuginfo-7.0.7.34-lp150.2.9.1
libMagick++-devel-32bit-7.0.7.34-lp150.2.9.1
libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.9.1
libMagickCore-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.9.1
libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.9.1
libMagickWand-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.9.1

- openSUSE Leap 15.0 (noarch):

ImageMagick-doc-7.0.7.34-lp150.2.9.1


References:

https://www.suse.com/security/cve/CVE-2018-14434.html
https://www.suse.com/security/cve/CVE-2018-14435.html
https://www.suse.com/security/cve/CVE-2018-14436.html
https://www.suse.com/security/cve/CVE-2018-14437.html
https://bugzilla.suse.com/1094741
https://bugzilla.suse.com/1102003
https://bugzilla.suse.com/1102004
https://bugzilla.suse.com/1102005
https://bugzilla.suse.com/1102007

--