The following updates have been released for openSUSE:
openSUSE-SU-2018:2811-1: moderate: Security update for ImageMagick
openSUSE-SU-2018:2813-1: important: Security update for openslp
openSUSE-SU-2018:2816-1: moderate: Security update for nodejs6
openSUSE-SU-2018:2817-1: moderate: Security update for MozillaFirefox
openSUSE-SU-2018:2818-1: moderate: Security update for gdm
openSUSE-SU-2018:2819-1: moderate: Security update for liblouis
openSUSE-SU-2018:2820-1: moderate: Security update for bouncycastle
openSUSE-SU-2018:2827-1: moderate: Security update for jhead
openSUSE-SU-2018:2833-1: Security update for GraphicsMagick
openSUSE-SU-2018:2811-1: moderate: Security update for ImageMagick
openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2811-1
Rating: moderate
References: #1102003 #1102004 #1102005 #1102007 #1105592
#1106855 #1106858
Cross-References: CVE-2018-14434 CVE-2018-14435 CVE-2018-14436
CVE-2018-14437 CVE-2018-16323 CVE-2018-16329
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves 6 vulnerabilities and has one errata
is now available.
Description:
This update for ImageMagick fixes the following issues:
The following security vulnerabilities were fixed:
- CVE-2018-16329: Prevent NULL pointer dereference in the
GetMagickProperty function leading to DoS (bsc#1106858)
- CVE-2018-16323: ReadXBMImage left data uninitialized when processing an
XBM file that has a negative pixel value. If the affected code was used
as a library loaded into a process that includes sensitive information,
that information sometimes can be leaked via the image data (bsc#1106855)
- CVE-2018-14434: Fixed a memory leak for a colormap in WriteMPCImage
(bsc#1102003)
- CVE-2018-14435: Fixed a memory leak in DecodeImage in coders/pcd.c
(bsc#1102007)
- CVE-2018-14436: Fixed a memory leak in ReadMIFFImage in coders/miff.c
(bsc#1102005)
- CVE-2018-14437: Fixed a memory leak in parse8BIM in coders/meta.c
(bsc#1102004)
- Disable PS, PS2, PS3, XPS and PDF coders in default policy.xml
(bsc#1105592)
This update was imported from the SUSE:SLE-12:Update update project.
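One way to check that an installed policy.xml actually carries the coder restriction from bsc#1105592 (an added example, not part of the SUSE advisory or the ImageMagick package). It assumes ImageMagick's `<policy domain="coder" rights="..." pattern="..."/>` syntax with later entries overriding earlier ones; the sample policies are constructed and the file path is supplied by the caller.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the advisory (bsc#1105592).
ADVISORY_CODERS = ("PS", "PS2", "PS3", "XPS", "PDF")

# Constructed sample policies, not copied from any SUSE package.
UNPATCHED_SAMPLE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

PARTIAL_SAMPLE = """<policymap>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="write" pattern="PDF"/>
</policymap>"""


def _expand(pattern):
    """Expand one {A,B} group; policy globs may use it, fnmatch does not."""
    start, end = pattern.find("{"), pattern.find("}")
    if start == -1 or end < start:
        return [pattern]
    head, tail = pattern[:start], pattern[end + 1:]
    return [head + alt.strip() + tail for alt in pattern[start + 1:end].split(",")]


def coder_rights(policy_xml, coder):
    """Return the effective read/write rights for a coder as a set."""
    rights = {"read", "write"}  # no matching entry means the coder is allowed
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        globs = _expand(policy.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder.upper(), g.upper()) for g in globs):
            tokens = {t.strip().lower() for t in policy.get("rights", "").split("|")}
            # Assumption: the last matching entry wins; "none" leaves an empty set.
            rights = tokens & {"read", "write"}
    return rights


def enabled_advisory_coders(policy_xml):
    """Coders from the advisory that the policy still allows in any direction."""
    return [c for c in ADVISORY_CODERS if coder_rights(policy_xml, c)]


if __name__ == "__main__":
    import sys
    # The caller passes the path to the installed policy.xml (location varies).
    with open(sys.argv[1], "rb") as fh:
        left = enabled_advisory_coders(fh.read())
    print("still enabled:", ", ".join(left) or "none")
    sys.exit(1 if left else 0)
```

The script exits non-zero when any of the five coders is still permitted, so it can gate a configuration-compliance job after `zypper patch`.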
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1038=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
ImageMagick-6.8.8.1-67.1
ImageMagick-debuginfo-6.8.8.1-67.1
ImageMagick-debugsource-6.8.8.1-67.1
ImageMagick-devel-6.8.8.1-67.1
ImageMagick-extra-6.8.8.1-67.1
ImageMagick-extra-debuginfo-6.8.8.1-67.1
libMagick++-6_Q16-3-6.8.8.1-67.1
libMagick++-6_Q16-3-debuginfo-6.8.8.1-67.1
libMagick++-devel-6.8.8.1-67.1
libMagickCore-6_Q16-1-6.8.8.1-67.1
libMagickCore-6_Q16-1-debuginfo-6.8.8.1-67.1
libMagickWand-6_Q16-1-6.8.8.1-67.1
libMagickWand-6_Q16-1-debuginfo-6.8.8.1-67.1
perl-PerlMagick-6.8.8.1-67.1
perl-PerlMagick-debuginfo-6.8.8.1-67.1
- openSUSE Leap 42.3 (x86_64):
ImageMagick-devel-32bit-6.8.8.1-67.1
libMagick++-6_Q16-3-32bit-6.8.8.1-67.1
libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-67.1
libMagick++-devel-32bit-6.8.8.1-67.1
libMagickCore-6_Q16-1-32bit-6.8.8.1-67.1
libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-67.1
libMagickWand-6_Q16-1-32bit-6.8.8.1-67.1
libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-67.1
- openSUSE Leap 42.3 (noarch):
ImageMagick-doc-6.8.8.1-67.1
References:
https://www.suse.com/security/cve/CVE-2018-14434.html
https://www.suse.com/security/cve/CVE-2018-14435.html
https://www.suse.com/security/cve/CVE-2018-14436.html
https://www.suse.com/security/cve/CVE-2018-14437.html
https://www.suse.com/security/cve/CVE-2018-16323.html
https://www.suse.com/security/cve/CVE-2018-16329.html
https://bugzilla.suse.com/1102003
https://bugzilla.suse.com/1102004
https://bugzilla.suse.com/1102005
https://bugzilla.suse.com/1102007
https://bugzilla.suse.com/1105592
https://bugzilla.suse.com/1106855
https://bugzilla.suse.com/1106858
--
openSUSE-SU-2018:2813-1: important: Security update for openslp
openSUSE Security Update: Security update for openslp
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2813-1
Rating: important
References: #1090638
Cross-References: CVE-2017-17833
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for openslp fixes the following issues:
- CVE-2017-17833: Prevent heap-related memory corruption issue which may
have manifested itself as a denial-of-service or a remote code-execution
vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1040=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
openslp-2.0.0-18.7.1
openslp-debuginfo-2.0.0-18.7.1
openslp-debugsource-2.0.0-18.7.1
openslp-devel-2.0.0-18.7.1
openslp-server-2.0.0-18.7.1
openslp-server-debuginfo-2.0.0-18.7.1
- openSUSE Leap 42.3 (x86_64):
openslp-32bit-2.0.0-18.7.1
openslp-debuginfo-32bit-2.0.0-18.7.1
References:
https://www.suse.com/security/cve/CVE-2017-17833.html
https://bugzilla.suse.com/1090638
--
openSUSE-SU-2018:2816-1: moderate: Security update for nodejs6
openSUSE Security Update: Security update for nodejs6
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2816-1
Rating: moderate
References: #1097158 #1097748 #1105019
Cross-References: CVE-2018-0732 CVE-2018-12115
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update for nodejs6 to version 6.14.4 fixes the following issues:
Security issues fixed:
- CVE-2018-12115: Fixed an out-of-bounds (OOB) write in Buffer.write() for
UCS-2 encoding (bsc#1105019)
- CVE-2018-0732: Upgrade to OpenSSL 1.0.2p, fixing a client DoS due to
large DH parameter (bsc#1097158)
Other issues fixed:
- Recommend same major version npm package (bsc#1097748)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1041=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
nodejs6-6.14.4-15.1
nodejs6-debuginfo-6.14.4-15.1
nodejs6-debugsource-6.14.4-15.1
nodejs6-devel-6.14.4-15.1
npm6-6.14.4-15.1
- openSUSE Leap 42.3 (noarch):
nodejs6-docs-6.14.4-15.1
References:
https://www.suse.com/security/cve/CVE-2018-0732.html
https://www.suse.com/security/cve/CVE-2018-12115.html
https://bugzilla.suse.com/1097158
https://bugzilla.suse.com/1097748
https://bugzilla.suse.com/1105019
--
openSUSE-SU-2018:2817-1: moderate: Security update for MozillaFirefox
openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2817-1
Rating: moderate
References: #1107343 #1109363
Cross-References: CVE-2018-12383 CVE-2018-12385
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for Mozilla Firefox to version 60.2.1esr fixes the following
issues:
Security issues fixed (MFSA 2018-23):
- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
(boo#1109363)
- CVE-2018-12383: Setting a master password did not delete unencrypted
previously stored passwords (boo#1107343)
Bugs fixed:
- Fixed a startup crash affecting users migrating from older ESR releases
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1042=1
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1042=1
Package List:
- openSUSE Leap 42.3 (x86_64):
MozillaFirefox-60.2.1-112.1
MozillaFirefox-branding-upstream-60.2.1-112.1
MozillaFirefox-buildsymbols-60.2.1-112.1
MozillaFirefox-debuginfo-60.2.1-112.1
MozillaFirefox-debugsource-60.2.1-112.1
MozillaFirefox-devel-60.2.1-112.1
MozillaFirefox-translations-common-60.2.1-112.1
MozillaFirefox-translations-other-60.2.1-112.1
- openSUSE Leap 15.0 (x86_64):
MozillaFirefox-60.2.1-lp150.3.17.1
MozillaFirefox-branding-upstream-60.2.1-lp150.3.17.1
MozillaFirefox-buildsymbols-60.2.1-lp150.3.17.1
MozillaFirefox-debuginfo-60.2.1-lp150.3.17.1
MozillaFirefox-debugsource-60.2.1-lp150.3.17.1
MozillaFirefox-devel-60.2.1-lp150.3.17.1
MozillaFirefox-translations-common-60.2.1-lp150.3.17.1
MozillaFirefox-translations-other-60.2.1-lp150.3.17.1
References:
https://www.suse.com/security/cve/CVE-2018-12383.html
https://www.suse.com/security/cve/CVE-2018-12385.html
https://bugzilla.suse.com/1107343
https://bugzilla.suse.com/1109363
--
openSUSE-SU-2018:2818-1: moderate: Security update for gdm
openSUSE Security Update: Security update for gdm
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2818-1
Rating: moderate
References: #1081947 #1103093 #1103737
Cross-References: CVE-2018-14424
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available.
Description:
This update for gdm provides the following fixes:
This security issue was fixed:
- CVE-2018-14424: The daemon in GDM did not properly unexport display
objects from its D-Bus interface when they are destroyed, which allowed
a local attacker to trigger a use-after-free via a specially crafted
sequence of D-Bus method calls, resulting in a denial of service or
potential code execution (bsc#1103737)
These non-security issues were fixed:
- Enable pam_keyinit module (bsc#1081947)
- Fix a build race in SLE (bsc#1103093)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1037=1
Package List:
- openSUSE Leap 15.0 (x86_64):
gdm-3.26.2.1-lp150.11.3.1
gdm-debuginfo-3.26.2.1-lp150.11.3.1
gdm-debugsource-3.26.2.1-lp150.11.3.1
gdm-devel-3.26.2.1-lp150.11.3.1
libgdm1-3.26.2.1-lp150.11.3.1
libgdm1-debuginfo-3.26.2.1-lp150.11.3.1
typelib-1_0-Gdm-1_0-3.26.2.1-lp150.11.3.1
- openSUSE Leap 15.0 (noarch):
gdm-branding-upstream-3.26.2.1-lp150.11.3.1
gdm-lang-3.26.2.1-lp150.11.3.1
gdmflexiserver-3.26.2.1-lp150.11.3.1
References:
https://www.suse.com/security/cve/CVE-2018-14424.html
https://bugzilla.suse.com/1081947
https://bugzilla.suse.com/1103093
https://bugzilla.suse.com/1103737
--
openSUSE-SU-2018:2819-1: moderate: Security update for liblouis
openSUSE Security Update: Security update for liblouis
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2819-1
Rating: moderate
References: #1095189 #1095825 #1095826 #1095827 #1095945
#1097103
Cross-References: CVE-2018-11440 CVE-2018-11577 CVE-2018-11683
CVE-2018-11684 CVE-2018-11685 CVE-2018-12085
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes 6 vulnerabilities is now available.
Description:
This update for liblouis fixes the following issues:
Security issues fixed:
- CVE-2018-11440: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (bsc#1095189)
- CVE-2018-11577: Fixed a segmentation fault in lou_logPrint in logging.c
(bsc#1095945)
- CVE-2018-11683: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1095827)
- CVE-2018-11684: Fixed a stack-based buffer overflow in the function
includeFile() in compileTranslationTable.c (bsc#1095826)
- CVE-2018-11685: Fixed a stack-based buffer overflow in the function
compileHyphenation() in compileTranslationTable.c (bsc#1095825)
- CVE-2018-12085: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1097103)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1039=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
liblouis-data-2.6.4-9.1
liblouis-debugsource-2.6.4-9.1
liblouis-devel-2.6.4-9.1
liblouis-doc-2.6.4-9.1
liblouis-tools-2.6.4-9.1
liblouis-tools-debuginfo-2.6.4-9.1
liblouis9-2.6.4-9.1
liblouis9-debuginfo-2.6.4-9.1
python-louis-2.6.4-9.1
References:
https://www.suse.com/security/cve/CVE-2018-11440.html
https://www.suse.com/security/cve/CVE-2018-11577.html
https://www.suse.com/security/cve/CVE-2018-11683.html
https://www.suse.com/security/cve/CVE-2018-11684.html
https://www.suse.com/security/cve/CVE-2018-11685.html
https://www.suse.com/security/cve/CVE-2018-12085.html
https://bugzilla.suse.com/1095189
https://bugzilla.suse.com/1095825
https://bugzilla.suse.com/1095826
https://bugzilla.suse.com/1095827
https://bugzilla.suse.com/1095945
https://bugzilla.suse.com/1097103
--
openSUSE-SU-2018:2820-1: moderate: Security update for bouncycastle
openSUSE Security Update: Security update for bouncycastle
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2820-1
Rating: moderate
References: #1096291
Cross-References: CVE-2018-1000180
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for bouncycastle fixes the following security issue:
- CVE-2018-1000180: Fixed a flaw in the low-level interface to the RSA key
pair generator. RSA key pairs generated in the low-level API with added
certainty may have had fewer M-R tests than expected (bsc#1096291).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1043=1
Package List:
- openSUSE Leap 42.3 (noarch):
bouncycastle-1.60-23.10.1
bouncycastle-javadoc-1.60-23.10.1
References:
https://www.suse.com/security/cve/CVE-2018-1000180.html
https://bugzilla.suse.com/1096291
--
openSUSE-SU-2018:2827-1: moderate: Security update for jhead
openSUSE Security Update: Security update for jhead
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2827-1
Rating: moderate
References: #1108480
Cross-References: CVE-2016-3822 CVE-2018-16554
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for jhead fixes the following security issues:
- CVE-2016-3822: jhead allowed remote attackers to execute arbitrary code
or cause a denial of service (out-of-bounds access) via crafted EXIF data
(bsc#1108480).
- CVE-2018-16554: The ProcessGpsInfo function may have allowed a remote
attacker to cause a denial-of-service attack or unspecified other impact
via a malicious JPEG file, because of inconsistency between float and
double in a sprintf format string during TAG_GPS_ALT handling
(bsc#1108480).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1044=1
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1044=1
- openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2018-1044=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
jhead-3.00-11.1
jhead-debuginfo-3.00-11.1
jhead-debugsource-3.00-11.1
- openSUSE Leap 15.0 (x86_64):
jhead-3.00-lp150.3.3.1
jhead-debuginfo-3.00-lp150.3.3.1
jhead-debugsource-3.00-lp150.3.3.1
- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):
jhead-3.00-bp150.3.3.1
References:
https://www.suse.com/security/cve/CVE-2016-3822.html
https://www.suse.com/security/cve/CVE-2018-16554.html
https://bugzilla.suse.com/1108480
--
openSUSE-SU-2018:2833-1: Security update for GraphicsMagick
openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2833-1
Rating: low
References: #1108282 #1108283
Cross-References: CVE-2018-16749 CVE-2018-16750
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for GraphicsMagick fixes the following security issue:
- CVE-2018-16750: Prevent memory leak in the formatIPTCfromBuffer function
(bsc#1108283).
An earlier update added a change that also fixed this issue, which was
unknown at the time of release:
- CVE-2018-16749: Added missing NULL check in ReadOneJNGImage that allowed
an attacker to cause a denial of service (WriteBlob assertion failure
and application exit) via a crafted file (bsc#1108282).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1045=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
GraphicsMagick-1.3.25-108.1
GraphicsMagick-debuginfo-1.3.25-108.1
GraphicsMagick-debugsource-1.3.25-108.1
GraphicsMagick-devel-1.3.25-108.1
libGraphicsMagick++-Q16-12-1.3.25-108.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-108.1
libGraphicsMagick++-devel-1.3.25-108.1
libGraphicsMagick-Q16-3-1.3.25-108.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-108.1
libGraphicsMagick3-config-1.3.25-108.1
libGraphicsMagickWand-Q16-2-1.3.25-108.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-108.1
perl-GraphicsMagick-1.3.25-108.1
perl-GraphicsMagick-debuginfo-1.3.25-108.1
References:
https://www.suse.com/security/cve/CVE-2018-16749.html
https://www.suse.com/security/cve/CVE-2018-16750.html
https://bugzilla.suse.com/1108282
https://bugzilla.suse.com/1108283
--