SUSE 5152 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2018:1858-1: moderate: Security update for mailman
openSUSE-SU-2018:1859-1: moderate: Security update for Opera
openSUSE-SU-2018:1860-1: moderate: Security update for ImageMagick
openSUSE-SU-2018:1862-1: Security update for GraphicsMagick



openSUSE-SU-2018:1858-1: moderate: Security update for mailman

openSUSE Security Update: Security update for mailman
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1858-1
Rating: moderate
References: #1099510
Cross-References: CVE-2018-0618
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for mailman to version 2.1.27 fixes the following issues:

This security issue was fixed:

- CVE-2018-0618: Additional protections against injecting scripts into
listinfo and error messages pages (bsc#1099510).

These non-security issues were fixed:

- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the
same as one generated at the same time for a different list and IP
address.
- An option has been added to bin/add_members to issue invitations instead
of immediately adding members.
- A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to
enable blocking web subscribes from IPv4 addresses listed in Spamhaus
SBL, CSS or XBL. It will work with IPv6 addresses if Python's
py2-ipaddress module is installed. The module can be installed via pip
if not included in your Python.
- Mailman has a new 'security' log and logs authentication failures to the
various web CGI functions. The logged data include the remote IP and
can be used to automate blocking of IPs with something like fail2ban.
Since Mailman 2.1.14, these have returned an http 401 status and the
information should be logged by the web server, but this new log makes
that more convenient. Also, the 'mischief' log entries for 'hostile
listname' noe include the remote IP if available.
- admin notices of (un)subscribes now may give the source of the action.
This consists of a %(whence)s replacement that has been added to the
admin(un)subscribeack.txt templates. Thanks to Yasuhito FUTATSUKI for
updating the non-English templates and help with internationalizing the
reasons.
- there is a new BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable
blocking web subscribes for addresses in domains listed in the Spamhaus
DBL.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-691=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-691=1



Package List:

- openSUSE Leap 42.3 (x86_64):

mailman-2.1.27-2.6.1
mailman-debuginfo-2.1.27-2.6.1
mailman-debugsource-2.1.27-2.6.1

- openSUSE Leap 15.0 (x86_64):

mailman-2.1.27-lp150.2.3.1
mailman-debuginfo-2.1.27-lp150.2.3.1
mailman-debugsource-2.1.27-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-0618.html
https://bugzilla.suse.com/1099510

--


openSUSE-SU-2018:1859-1: moderate: Security update for Opera

openSUSE Security Update: Security update for Opera
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1859-1
Rating: moderate
References: #1096508 #1099568
Cross-References: CVE-2018-6148
Affected Products:
openSUSE Leap 42.3:NonFree
openSUSE Leap 15.0:NonFree
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for Opera 54.0.2952.41 fixes multiple issues.

- CVE-2018-6148: Incorrect handling of CSP header (boo#1096508)

This update to version 54.0.2952.41 also contains all security and bug
fixes in this upstream version, including all fixes in the chromium engine.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:NonFree:

zypper in -t patch openSUSE-2018-687=1

- openSUSE Leap 15.0:NonFree:

zypper in -t patch openSUSE-2018-687=1



Package List:

- openSUSE Leap 42.3:NonFree (x86_64):

opera-54.0.2952.41-68.1

- openSUSE Leap 15.0:NonFree (x86_64):

opera-54.0.2952.41-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-6148.html
https://bugzilla.suse.com/1096508
https://bugzilla.suse.com/1099568

--


openSUSE-SU-2018:1860-1: moderate: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1860-1
Rating: moderate
References: #1047356 #1056277 #1087820 #1094204 #1094237
#1095730 #1095812 #1095813
Cross-References: CVE-2017-10928 CVE-2017-13758 CVE-2017-18271
CVE-2018-10804 CVE-2018-10805 CVE-2018-11251
CVE-2018-11655 CVE-2018-9133
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.

Description:

This update for ImageMagick fixes the following issues:

These security issues were fixed:

- CVE-2017-13758: Prevent heap-based buffer overflow in the TracePoint()
function (bsc#1056277).
- CVE-2017-10928: Prevent heap-based buffer over-read in the GetNextToken
function that allowed remote attackers to obtain sensitive information
from process memory or possibly have unspecified other impact via a
crafted SVG document (bsc#1047356).
- CVE-2018-9133: Long compute times in the tiff decoder have been fixed
(bsc#1087820).
- CVE-2018-11251: Heap-based buffer over-read in ReadSUNImage in
coders/sun.c, which allows attackers to cause denial of service
(bsc#1094237).
- CVE-2017-18271: Infinite loop in the function ReadMIFFImage in
coders/miff.c, which allows attackers to cause a denial of service
(bsc#1094204).
- CVE-2018-11655: Memory leak in the GetImagePixelCache in
MagickCore/cache.c was fixed (bsc#1095730)
- CVE-2018-10804: Memory leak in WriteTIFFImage in coders/tiff.c was fixed
(bsc#1095813)
- CVE-2018-10805: Fixed memory leaks in bgr.c, rgb.c, cmyk.c, gray.c,
ycbcr.c (bsc#1095812)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-690=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ImageMagick-6.8.8.1-64.1
ImageMagick-debuginfo-6.8.8.1-64.1
ImageMagick-debugsource-6.8.8.1-64.1
ImageMagick-devel-6.8.8.1-64.1
ImageMagick-extra-6.8.8.1-64.1
ImageMagick-extra-debuginfo-6.8.8.1-64.1
libMagick++-6_Q16-3-6.8.8.1-64.1
libMagick++-6_Q16-3-debuginfo-6.8.8.1-64.1
libMagick++-devel-6.8.8.1-64.1
libMagickCore-6_Q16-1-6.8.8.1-64.1
libMagickCore-6_Q16-1-debuginfo-6.8.8.1-64.1
libMagickWand-6_Q16-1-6.8.8.1-64.1
libMagickWand-6_Q16-1-debuginfo-6.8.8.1-64.1
perl-PerlMagick-6.8.8.1-64.1
perl-PerlMagick-debuginfo-6.8.8.1-64.1

- openSUSE Leap 42.3 (noarch):

ImageMagick-doc-6.8.8.1-64.1

- openSUSE Leap 42.3 (x86_64):

ImageMagick-devel-32bit-6.8.8.1-64.1
libMagick++-6_Q16-3-32bit-6.8.8.1-64.1
libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-64.1
libMagick++-devel-32bit-6.8.8.1-64.1
libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1
libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-64.1
libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1
libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-64.1


References:

https://www.suse.com/security/cve/CVE-2017-10928.html
https://www.suse.com/security/cve/CVE-2017-13758.html
https://www.suse.com/security/cve/CVE-2017-18271.html
https://www.suse.com/security/cve/CVE-2018-10804.html
https://www.suse.com/security/cve/CVE-2018-10805.html
https://www.suse.com/security/cve/CVE-2018-11251.html
https://www.suse.com/security/cve/CVE-2018-11655.html
https://www.suse.com/security/cve/CVE-2018-9133.html
https://bugzilla.suse.com/1047356
https://bugzilla.suse.com/1056277
https://bugzilla.suse.com/1087820
https://bugzilla.suse.com/1094204
https://bugzilla.suse.com/1094237
https://bugzilla.suse.com/1095730
https://bugzilla.suse.com/1095812
https://bugzilla.suse.com/1095813

--


openSUSE-SU-2018:1862-1: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1862-1
Rating: low
References: #1075821 #1095812
Cross-References: CVE-2018-10805
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for GraphicsMagick fixes the following issues:

The following security fixes were fixed:

- CVE-2018-10805: Fixed a memory leak in ReadYCBCRImage in coders/ycbcr.c
and rgb.c, cmyk.c and gray.c (boo#1095812)
- Fixed invalid memory reads in dcm.c (boo#1075821#c14)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-689=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-689=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

GraphicsMagick-1.3.25-93.1
GraphicsMagick-debuginfo-1.3.25-93.1
GraphicsMagick-debugsource-1.3.25-93.1
GraphicsMagick-devel-1.3.25-93.1
libGraphicsMagick++-Q16-12-1.3.25-93.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-93.1
libGraphicsMagick++-devel-1.3.25-93.1
libGraphicsMagick-Q16-3-1.3.25-93.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-93.1
libGraphicsMagick3-config-1.3.25-93.1
libGraphicsMagickWand-Q16-2-1.3.25-93.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-93.1
perl-GraphicsMagick-1.3.25-93.1
perl-GraphicsMagick-debuginfo-1.3.25-93.1

- openSUSE Leap 15.0 (x86_64):

GraphicsMagick-1.3.29-lp150.3.6.1
GraphicsMagick-debuginfo-1.3.29-lp150.3.6.1
GraphicsMagick-debugsource-1.3.29-lp150.3.6.1
GraphicsMagick-devel-1.3.29-lp150.3.6.1
libGraphicsMagick++-Q16-12-1.3.29-lp150.3.6.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.29-lp150.3.6.1
libGraphicsMagick++-devel-1.3.29-lp150.3.6.1
libGraphicsMagick-Q16-3-1.3.29-lp150.3.6.1
libGraphicsMagick-Q16-3-debuginfo-1.3.29-lp150.3.6.1
libGraphicsMagick3-config-1.3.29-lp150.3.6.1
libGraphicsMagickWand-Q16-2-1.3.29-lp150.3.6.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.29-lp150.3.6.1
perl-GraphicsMagick-1.3.29-lp150.3.6.1
perl-GraphicsMagick-debuginfo-1.3.29-lp150.3.6.1


References:

https://www.suse.com/security/cve/CVE-2018-10805.html
https://bugzilla.suse.com/1075821
https://bugzilla.suse.com/1095812

--