SUSE 5153 Published by

The following updates has been released for SUSE:

openSUSE-SU-2018:4029-1: Security update for messagelib
openSUSE-SU-2018:4030-1: moderate: Recommended update for php7
openSUSE-SU-2018:4031-1: moderate: Security update for postgresql10
openSUSE-SU-2018:4032-1: important: Security update for apache2-mod_jk
openSUSE-SU-2018:4034-1: important: Security update for ncurses
openSUSE-SU-2018:4038-1: moderate: Recommended update for php5
openSUSE-SU-2018:4041-1: Security update for rubygem-activejob-5_1
openSUSE-SU-2018:4042-1: moderate: Security update for tomcat
openSUSE-SU-2018:4043-1: important: Security update for pam
openSUSE-SU-2018:4045-1: moderate: Security update for dom4j
openSUSE-SU-2018:4046-1: moderate: Security update for otrs



openSUSE-SU-2018:4029-1: Security update for messagelib

openSUSE Security Update: Security update for messagelib
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4029-1
Rating: low
References: #1117958
Cross-References: CVE-2018-19516
Affected Products:
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for messagelib fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-19516: Fix a potential issue with opening messages in a new
browser window when displaying mails as HTML (boo#1117958).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1508=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1508=1



Package List:

- openSUSE Leap 15.0 (x86_64):

messagelib-17.12.3-lp150.2.6.1
messagelib-debuginfo-17.12.3-lp150.2.6.1
messagelib-debugsource-17.12.3-lp150.2.6.1
messagelib-devel-17.12.3-lp150.2.6.1

- openSUSE Leap 15.0 (noarch):

messagelib-lang-17.12.3-lp150.2.6.1

- openSUSE Backports SLE-15 (x86_64):

messagelib-17.12.3-bp150.3.6.1
messagelib-devel-17.12.3-bp150.3.6.1

- openSUSE Backports SLE-15 (noarch):

messagelib-lang-17.12.3-bp150.3.6.1


References:

https://www.suse.com/security/cve/CVE-2018-19516.html
https://bugzilla.suse.com/1117958

--


openSUSE-SU-2018:4030-1: moderate: Recommended update for php7

openSUSE Security Update: Recommended update for php7
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4030-1
Rating: moderate
References: #1117107
Cross-References: CVE-2018-19518
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for php7 fixes the following issues:

Security issue fixed:

- CVE-2018-19518: Fixed imap_open script injection flaw (bsc#1117107).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1507=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

apache2-mod_php7-7.0.7-52.1
apache2-mod_php7-debuginfo-7.0.7-52.1
php7-7.0.7-52.1
php7-bcmath-7.0.7-52.1
php7-bcmath-debuginfo-7.0.7-52.1
php7-bz2-7.0.7-52.1
php7-bz2-debuginfo-7.0.7-52.1
php7-calendar-7.0.7-52.1
php7-calendar-debuginfo-7.0.7-52.1
php7-ctype-7.0.7-52.1
php7-ctype-debuginfo-7.0.7-52.1
php7-curl-7.0.7-52.1
php7-curl-debuginfo-7.0.7-52.1
php7-dba-7.0.7-52.1
php7-dba-debuginfo-7.0.7-52.1
php7-debuginfo-7.0.7-52.1
php7-debugsource-7.0.7-52.1
php7-devel-7.0.7-52.1
php7-dom-7.0.7-52.1
php7-dom-debuginfo-7.0.7-52.1
php7-enchant-7.0.7-52.1
php7-enchant-debuginfo-7.0.7-52.1
php7-exif-7.0.7-52.1
php7-exif-debuginfo-7.0.7-52.1
php7-fastcgi-7.0.7-52.1
php7-fastcgi-debuginfo-7.0.7-52.1
php7-fileinfo-7.0.7-52.1
php7-fileinfo-debuginfo-7.0.7-52.1
php7-firebird-7.0.7-52.1
php7-firebird-debuginfo-7.0.7-52.1
php7-fpm-7.0.7-52.1
php7-fpm-debuginfo-7.0.7-52.1
php7-ftp-7.0.7-52.1
php7-ftp-debuginfo-7.0.7-52.1
php7-gd-7.0.7-52.1
php7-gd-debuginfo-7.0.7-52.1
php7-gettext-7.0.7-52.1
php7-gettext-debuginfo-7.0.7-52.1
php7-gmp-7.0.7-52.1
php7-gmp-debuginfo-7.0.7-52.1
php7-iconv-7.0.7-52.1
php7-iconv-debuginfo-7.0.7-52.1
php7-imap-7.0.7-52.1
php7-imap-debuginfo-7.0.7-52.1
php7-intl-7.0.7-52.1
php7-intl-debuginfo-7.0.7-52.1
php7-json-7.0.7-52.1
php7-json-debuginfo-7.0.7-52.1
php7-ldap-7.0.7-52.1
php7-ldap-debuginfo-7.0.7-52.1
php7-mbstring-7.0.7-52.1
php7-mbstring-debuginfo-7.0.7-52.1
php7-mcrypt-7.0.7-52.1
php7-mcrypt-debuginfo-7.0.7-52.1
php7-mysql-7.0.7-52.1
php7-mysql-debuginfo-7.0.7-52.1
php7-odbc-7.0.7-52.1
php7-odbc-debuginfo-7.0.7-52.1
php7-opcache-7.0.7-52.1
php7-opcache-debuginfo-7.0.7-52.1
php7-openssl-7.0.7-52.1
php7-openssl-debuginfo-7.0.7-52.1
php7-pcntl-7.0.7-52.1
php7-pcntl-debuginfo-7.0.7-52.1
php7-pdo-7.0.7-52.1
php7-pdo-debuginfo-7.0.7-52.1
php7-pgsql-7.0.7-52.1
php7-pgsql-debuginfo-7.0.7-52.1
php7-phar-7.0.7-52.1
php7-phar-debuginfo-7.0.7-52.1
php7-posix-7.0.7-52.1
php7-posix-debuginfo-7.0.7-52.1
php7-pspell-7.0.7-52.1
php7-pspell-debuginfo-7.0.7-52.1
php7-readline-7.0.7-52.1
php7-readline-debuginfo-7.0.7-52.1
php7-shmop-7.0.7-52.1
php7-shmop-debuginfo-7.0.7-52.1
php7-snmp-7.0.7-52.1
php7-snmp-debuginfo-7.0.7-52.1
php7-soap-7.0.7-52.1
php7-soap-debuginfo-7.0.7-52.1
php7-sockets-7.0.7-52.1
php7-sockets-debuginfo-7.0.7-52.1
php7-sqlite-7.0.7-52.1
php7-sqlite-debuginfo-7.0.7-52.1
php7-sysvmsg-7.0.7-52.1
php7-sysvmsg-debuginfo-7.0.7-52.1
php7-sysvsem-7.0.7-52.1
php7-sysvsem-debuginfo-7.0.7-52.1
php7-sysvshm-7.0.7-52.1
php7-sysvshm-debuginfo-7.0.7-52.1
php7-tidy-7.0.7-52.1
php7-tidy-debuginfo-7.0.7-52.1
php7-tokenizer-7.0.7-52.1
php7-tokenizer-debuginfo-7.0.7-52.1
php7-wddx-7.0.7-52.1
php7-wddx-debuginfo-7.0.7-52.1
php7-xmlreader-7.0.7-52.1
php7-xmlreader-debuginfo-7.0.7-52.1
php7-xmlrpc-7.0.7-52.1
php7-xmlrpc-debuginfo-7.0.7-52.1
php7-xmlwriter-7.0.7-52.1
php7-xmlwriter-debuginfo-7.0.7-52.1
php7-xsl-7.0.7-52.1
php7-xsl-debuginfo-7.0.7-52.1
php7-zip-7.0.7-52.1
php7-zip-debuginfo-7.0.7-52.1
php7-zlib-7.0.7-52.1
php7-zlib-debuginfo-7.0.7-52.1

- openSUSE Leap 42.3 (noarch):

php7-pear-7.0.7-52.1
php7-pear-Archive_Tar-7.0.7-52.1


References:

https://www.suse.com/security/cve/CVE-2018-19518.html
https://bugzilla.suse.com/1117107

--


openSUSE-SU-2018:4031-1: moderate: Security update for postgresql10

openSUSE Security Update: Security update for postgresql10
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4031-1
Rating: moderate
References: #1114837
Cross-References: CVE-2018-16850
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for postgresql10 fixes the following issues:

Security issue fixed:

- CVE-2018-16850: Fixed improper quoting of transition table names when
pg_dump emits CREATE TRIGGER could have caused privilege escalation
(bsc#1114837).

Non-security issues fixed:

- Update to release 10.6:
* https://www.postgresql.org/docs/current/static/release-10-6.html

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1493=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libecpg6-10.6-lp150.3.6.1
libecpg6-debuginfo-10.6-lp150.3.6.1
libpq5-10.6-lp150.3.6.1
libpq5-debuginfo-10.6-lp150.3.6.1
postgresql10-10.6-lp150.3.6.1
postgresql10-contrib-10.6-lp150.3.6.1
postgresql10-contrib-debuginfo-10.6-lp150.3.6.1
postgresql10-debuginfo-10.6-lp150.3.6.1
postgresql10-debugsource-10.6-lp150.3.6.1
postgresql10-devel-10.6-lp150.3.6.1
postgresql10-devel-debuginfo-10.6-lp150.3.6.1
postgresql10-plperl-10.6-lp150.3.6.1
postgresql10-plperl-debuginfo-10.6-lp150.3.6.1
postgresql10-plpython-10.6-lp150.3.6.1
postgresql10-plpython-debuginfo-10.6-lp150.3.6.1
postgresql10-pltcl-10.6-lp150.3.6.1
postgresql10-pltcl-debuginfo-10.6-lp150.3.6.1
postgresql10-server-10.6-lp150.3.6.1
postgresql10-server-debuginfo-10.6-lp150.3.6.1
postgresql10-test-10.6-lp150.3.6.1

- openSUSE Leap 15.0 (noarch):

postgresql10-docs-10.6-lp150.3.6.1

- openSUSE Leap 15.0 (x86_64):

libecpg6-32bit-10.6-lp150.3.6.1
libecpg6-32bit-debuginfo-10.6-lp150.3.6.1
libpq5-32bit-10.6-lp150.3.6.1
libpq5-32bit-debuginfo-10.6-lp150.3.6.1


References:

https://www.suse.com/security/cve/CVE-2018-16850.html
https://bugzilla.suse.com/1114837

--


openSUSE-SU-2018:4032-1: important: Security update for apache2-mod_jk

openSUSE Security Update: Security update for apache2-mod_jk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4032-1
Rating: important
References: #1114612
Cross-References: CVE-2018-11759
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for apache2-mod_jk fixes the following issue:

Security issue fixed:

- CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP
requests in httpd (bsc#1114612).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1510=1



Package List:

- openSUSE Leap 15.0 (x86_64):

apache2-mod_jk-1.2.43-lp150.2.3.1
apache2-mod_jk-debuginfo-1.2.43-lp150.2.3.1
apache2-mod_jk-debugsource-1.2.43-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-11759.html
https://bugzilla.suse.com/1114612

--


openSUSE-SU-2018:4034-1: important: Security update for ncurses

openSUSE Security Update: Security update for ncurses
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4034-1
Rating: important
References: #1115929
Cross-References: CVE-2018-19211
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a
NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1509=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libncurses5-5.9-66.1
libncurses5-debuginfo-5.9-66.1
libncurses6-5.9-66.1
libncurses6-debuginfo-5.9-66.1
ncurses-debugsource-5.9-66.1
ncurses-devel-5.9-66.1
ncurses-devel-debuginfo-5.9-66.1
ncurses-utils-5.9-66.1
ncurses-utils-debuginfo-5.9-66.1
tack-5.9-66.1
tack-debuginfo-5.9-66.1
terminfo-5.9-66.1
terminfo-base-5.9-66.1

- openSUSE Leap 42.3 (x86_64):

libncurses5-32bit-5.9-66.1
libncurses5-debuginfo-32bit-5.9-66.1
libncurses6-32bit-5.9-66.1
libncurses6-debuginfo-32bit-5.9-66.1
ncurses-devel-32bit-5.9-66.1
ncurses-devel-debuginfo-32bit-5.9-66.1


References:

https://www.suse.com/security/cve/CVE-2018-19211.html
https://bugzilla.suse.com/1115929

--


openSUSE-SU-2018:4038-1: moderate: Recommended update for php5

openSUSE Security Update: Recommended update for php5
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4038-1
Rating: moderate
References: #1117107
Cross-References: CVE-2018-19518
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for php5 fixes the following issues:

Security issue fixed:

- CVE-2018-19518: Fixed imap_open script injection flaw (bsc#1117107).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1506=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

apache2-mod_php5-5.5.14-109.1
apache2-mod_php5-debuginfo-5.5.14-109.1
php5-5.5.14-109.1
php5-bcmath-5.5.14-109.1
php5-bcmath-debuginfo-5.5.14-109.1
php5-bz2-5.5.14-109.1
php5-bz2-debuginfo-5.5.14-109.1
php5-calendar-5.5.14-109.1
php5-calendar-debuginfo-5.5.14-109.1
php5-ctype-5.5.14-109.1
php5-ctype-debuginfo-5.5.14-109.1
php5-curl-5.5.14-109.1
php5-curl-debuginfo-5.5.14-109.1
php5-dba-5.5.14-109.1
php5-dba-debuginfo-5.5.14-109.1
php5-debuginfo-5.5.14-109.1
php5-debugsource-5.5.14-109.1
php5-devel-5.5.14-109.1
php5-dom-5.5.14-109.1
php5-dom-debuginfo-5.5.14-109.1
php5-enchant-5.5.14-109.1
php5-enchant-debuginfo-5.5.14-109.1
php5-exif-5.5.14-109.1
php5-exif-debuginfo-5.5.14-109.1
php5-fastcgi-5.5.14-109.1
php5-fastcgi-debuginfo-5.5.14-109.1
php5-fileinfo-5.5.14-109.1
php5-fileinfo-debuginfo-5.5.14-109.1
php5-firebird-5.5.14-109.1
php5-firebird-debuginfo-5.5.14-109.1
php5-fpm-5.5.14-109.1
php5-fpm-debuginfo-5.5.14-109.1
php5-ftp-5.5.14-109.1
php5-ftp-debuginfo-5.5.14-109.1
php5-gd-5.5.14-109.1
php5-gd-debuginfo-5.5.14-109.1
php5-gettext-5.5.14-109.1
php5-gettext-debuginfo-5.5.14-109.1
php5-gmp-5.5.14-109.1
php5-gmp-debuginfo-5.5.14-109.1
php5-iconv-5.5.14-109.1
php5-iconv-debuginfo-5.5.14-109.1
php5-imap-5.5.14-109.1
php5-imap-debuginfo-5.5.14-109.1
php5-intl-5.5.14-109.1
php5-intl-debuginfo-5.5.14-109.1
php5-json-5.5.14-109.1
php5-json-debuginfo-5.5.14-109.1
php5-ldap-5.5.14-109.1
php5-ldap-debuginfo-5.5.14-109.1
php5-mbstring-5.5.14-109.1
php5-mbstring-debuginfo-5.5.14-109.1
php5-mcrypt-5.5.14-109.1
php5-mcrypt-debuginfo-5.5.14-109.1
php5-mssql-5.5.14-109.1
php5-mssql-debuginfo-5.5.14-109.1
php5-mysql-5.5.14-109.1
php5-mysql-debuginfo-5.5.14-109.1
php5-odbc-5.5.14-109.1
php5-odbc-debuginfo-5.5.14-109.1
php5-opcache-5.5.14-109.1
php5-opcache-debuginfo-5.5.14-109.1
php5-openssl-5.5.14-109.1
php5-openssl-debuginfo-5.5.14-109.1
php5-pcntl-5.5.14-109.1
php5-pcntl-debuginfo-5.5.14-109.1
php5-pdo-5.5.14-109.1
php5-pdo-debuginfo-5.5.14-109.1
php5-pgsql-5.5.14-109.1
php5-pgsql-debuginfo-5.5.14-109.1
php5-phar-5.5.14-109.1
php5-phar-debuginfo-5.5.14-109.1
php5-posix-5.5.14-109.1
php5-posix-debuginfo-5.5.14-109.1
php5-pspell-5.5.14-109.1
php5-pspell-debuginfo-5.5.14-109.1
php5-readline-5.5.14-109.1
php5-readline-debuginfo-5.5.14-109.1
php5-shmop-5.5.14-109.1
php5-shmop-debuginfo-5.5.14-109.1
php5-snmp-5.5.14-109.1
php5-snmp-debuginfo-5.5.14-109.1
php5-soap-5.5.14-109.1
php5-soap-debuginfo-5.5.14-109.1
php5-sockets-5.5.14-109.1
php5-sockets-debuginfo-5.5.14-109.1
php5-sqlite-5.5.14-109.1
php5-sqlite-debuginfo-5.5.14-109.1
php5-suhosin-5.5.14-109.1
php5-suhosin-debuginfo-5.5.14-109.1
php5-sysvmsg-5.5.14-109.1
php5-sysvmsg-debuginfo-5.5.14-109.1
php5-sysvsem-5.5.14-109.1
php5-sysvsem-debuginfo-5.5.14-109.1
php5-sysvshm-5.5.14-109.1
php5-sysvshm-debuginfo-5.5.14-109.1
php5-tidy-5.5.14-109.1
php5-tidy-debuginfo-5.5.14-109.1
php5-tokenizer-5.5.14-109.1
php5-tokenizer-debuginfo-5.5.14-109.1
php5-wddx-5.5.14-109.1
php5-wddx-debuginfo-5.5.14-109.1
php5-xmlreader-5.5.14-109.1
php5-xmlreader-debuginfo-5.5.14-109.1
php5-xmlrpc-5.5.14-109.1
php5-xmlrpc-debuginfo-5.5.14-109.1
php5-xmlwriter-5.5.14-109.1
php5-xmlwriter-debuginfo-5.5.14-109.1
php5-xsl-5.5.14-109.1
php5-xsl-debuginfo-5.5.14-109.1
php5-zip-5.5.14-109.1
php5-zip-debuginfo-5.5.14-109.1
php5-zlib-5.5.14-109.1
php5-zlib-debuginfo-5.5.14-109.1

- openSUSE Leap 42.3 (noarch):

php5-pear-5.5.14-109.1


References:

https://www.suse.com/security/cve/CVE-2018-19518.html
https://bugzilla.suse.com/1117107

--


openSUSE-SU-2018:4041-1: Security update for rubygem-activejob-5_1

openSUSE Security Update: Security update for rubygem-activejob-5_1
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4041-1
Rating: low
References: #1117632
Cross-References: CVE-2018-16476
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for rubygem-activejob-5_1 fixes the following issues:

Security issue fixed:

- CVE-2018-16476: Fixed broken access control vulnerability (bsc#1117632).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1502=1



Package List:

- openSUSE Leap 15.0 (x86_64):

ruby2.5-rubygem-activejob-5_1-5.1.4-lp150.2.3.1
ruby2.5-rubygem-activejob-doc-5_1-5.1.4-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-16476.html
https://bugzilla.suse.com/1117632

--


openSUSE-SU-2018:4042-1: moderate: Security update for tomcat

openSUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4042-1
Rating: moderate
References: #1110850
Cross-References: CVE-2018-11784
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:



This update for tomcat to 9.0.12 fixes the following issues:

See the full changelog at:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.12_(markt
)

Security issues fixed:

- CVE-2018-11784: When the default servlet in Apache Tomcat returned a
redirect to a directory (e.g. redirecting to '/foo/' when the user
requested '/foo') a specially crafted URL could be used to cause the
redirect to be generated to any URI of the attackers choice.
(bsc#1110850)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1504=1



Package List:

- openSUSE Leap 15.0 (noarch):

tomcat-9.0.12-lp150.2.6.1
tomcat-admin-webapps-9.0.12-lp150.2.6.1
tomcat-docs-webapp-9.0.12-lp150.2.6.1
tomcat-el-3_0-api-9.0.12-lp150.2.6.1
tomcat-embed-9.0.12-lp150.2.6.1
tomcat-javadoc-9.0.12-lp150.2.6.1
tomcat-jsp-2_3-api-9.0.12-lp150.2.6.1
tomcat-jsvc-9.0.12-lp150.2.6.1
tomcat-lib-9.0.12-lp150.2.6.1
tomcat-servlet-4_0-api-9.0.12-lp150.2.6.1
tomcat-webapps-9.0.12-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-11784.html
https://bugzilla.suse.com/1110850

--


openSUSE-SU-2018:4043-1: important: Security update for pam

openSUSE Security Update: Security update for pam
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4043-1
Rating: important
References: #1115640
Cross-References: CVE-2018-17953
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so
that was not honoured correctly when a single host was specified
(bsc#1115640).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1511=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

pam-1.3.0-lp150.5.6.1
pam-debuginfo-1.3.0-lp150.5.6.1
pam-debugsource-1.3.0-lp150.5.6.1
pam-devel-1.3.0-lp150.5.6.1

- openSUSE Leap 15.0 (x86_64):

pam-32bit-1.3.0-lp150.5.6.1
pam-32bit-debuginfo-1.3.0-lp150.5.6.1
pam-devel-32bit-1.3.0-lp150.5.6.1

- openSUSE Leap 15.0 (noarch):

pam-doc-1.3.0-lp150.5.6.1


References:

https://www.suse.com/security/cve/CVE-2018-17953.html
https://bugzilla.suse.com/1115640

--


openSUSE-SU-2018:4045-1: moderate: Security update for dom4j

openSUSE Security Update: Security update for dom4j
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4045-1
Rating: moderate
References: #1105443
Cross-References: CVE-2018-1000632
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for dom4j fixes the following issues:

- CVE-2018-1000632: Prevent XML injection that could have resulted in an
attacker tampering with XML documents (bsc#1105443).

This update was imported from the SUSE:SLE-15:Update update project. This
update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1492=1



Package List:

- openSUSE Backports SLE-15 (noarch):

dom4j-1.6.1-bp150.2.3.1
dom4j-demo-1.6.1-bp150.2.3.1
dom4j-javadoc-1.6.1-bp150.2.3.1
dom4j-manual-1.6.1-bp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000632.html
https://bugzilla.suse.com/1105443

--


openSUSE-SU-2018:4046-1: moderate: Security update for otrs

openSUSE Security Update: Security update for otrs
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4046-1
Rating: moderate
References: #1115416
Cross-References: CVE-2018-19141 CVE-2018-19143
Affected Products:
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for otrs fixes the following issues:

Update to version 4.0.33.

Security issues fixed:

- CVE-2018-19141: Fixed privilege escalation, that an attacker who is
logged into OTRS as an admin user cannot manipulate the URL to cause
execution of JavaScript in the context of OTRS.
- CVE-2018-19143: Fixed remote file deletion, that an attacker who is
logged into OTRS as a user cannot manipulate the submission form to
cause deletion of arbitrary files that the OTRS web server user has
write access to.

Non-security issues fixed:

- Full release notes can be found at:
* https://community.otrs.com/release-notes-otrs-4-patch-level-33/


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1503=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1503=1



Package List:

- openSUSE Leap 15.0 (noarch):

otrs-4.0.33-lp150.2.6.1
otrs-doc-4.0.33-lp150.2.6.1
otrs-itsm-4.0.33-lp150.2.6.1

- openSUSE Backports SLE-15 (noarch):

otrs-4.0.33-bp150.3.6.1
otrs-doc-4.0.33-bp150.3.6.1
otrs-itsm-4.0.33-bp150.3.6.1


References:

https://www.suse.com/security/cve/CVE-2018-19141.html
https://www.suse.com/security/cve/CVE-2018-19143.html
https://bugzilla.suse.com/1115416

--