SUSE 5153 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2018:4050-1: moderate: Security update for openssl-1_0_0
openSUSE-SU-2018:4051-1: important: Security update for libgit2
openSUSE-SU-2018:4053-1: moderate: Security update for tiff
openSUSE-SU-2018:4054-1: moderate: Security update for ImageMagick
openSUSE-SU-2018:4055-1: important: Security update for ncurses
openSUSE-SU-2018:4056-1: important: Security update for Chromium



openSUSE-SU-2018:4050-1: moderate: Security update for openssl-1_0_0

openSUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4050-1
Rating: moderate
References: #1100078 #1112209 #1113534 #1113652 #1113742

Cross-References: CVE-2018-0734 CVE-2018-5407
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has three
fixes is now available.

Description:

This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation
(bsc#1113652).
- CVE-2018-5407: Added elliptic curve scalar multiplication timing attack
defenses that fixes "PortSmash" (bsc#1113534).

Non-security issues fixed:

- Added missing timing side channel patch for DSA signature generation
(bsc#1113742).
- Set TLS version to 0 in msg_callback for record messages to avoid
confusing applications (bsc#1100078).
- Fixed infinite loop in DSA generation with incorrect parameters
(bsc#1112209)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1518=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libopenssl-1_0_0-devel-1.0.2p-lp150.2.9.1
libopenssl1_0_0-1.0.2p-lp150.2.9.1
libopenssl1_0_0-debuginfo-1.0.2p-lp150.2.9.1
libopenssl1_0_0-hmac-1.0.2p-lp150.2.9.1
libopenssl1_0_0-steam-1.0.2p-lp150.2.9.1
libopenssl1_0_0-steam-debuginfo-1.0.2p-lp150.2.9.1
openssl-1_0_0-1.0.2p-lp150.2.9.1
openssl-1_0_0-cavs-1.0.2p-lp150.2.9.1
openssl-1_0_0-cavs-debuginfo-1.0.2p-lp150.2.9.1
openssl-1_0_0-debuginfo-1.0.2p-lp150.2.9.1
openssl-1_0_0-debugsource-1.0.2p-lp150.2.9.1

- openSUSE Leap 15.0 (noarch):

openssl-1_0_0-doc-1.0.2p-lp150.2.9.1

- openSUSE Leap 15.0 (x86_64):

libopenssl-1_0_0-devel-32bit-1.0.2p-lp150.2.9.1
libopenssl1_0_0-32bit-1.0.2p-lp150.2.9.1
libopenssl1_0_0-32bit-debuginfo-1.0.2p-lp150.2.9.1
libopenssl1_0_0-hmac-32bit-1.0.2p-lp150.2.9.1
libopenssl1_0_0-steam-32bit-1.0.2p-lp150.2.9.1
libopenssl1_0_0-steam-32bit-debuginfo-1.0.2p-lp150.2.9.1


References:

https://www.suse.com/security/cve/CVE-2018-0734.html
https://www.suse.com/security/cve/CVE-2018-5407.html
https://bugzilla.suse.com/1100078
https://bugzilla.suse.com/1112209
https://bugzilla.suse.com/1113534
https://bugzilla.suse.com/1113652
https://bugzilla.suse.com/1113742

--


openSUSE-SU-2018:4051-1: important: Security update for libgit2

openSUSE Security Update: Security update for libgit2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4051-1
Rating: important
References: #1110949 #1114729
Cross-References: CVE-2018-17456
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for libgit2 fixes the following issues:


Security issue fixed:

- CVE-2018-17456: Submodule URLs and paths with a leading "-" are now
ignored to avoid injecting options into library consumers that perform
recursive clones (bsc#1110949).


Non-security issues fixed:

- Version update to version 0.26.8 (bsc#1114729).
- Full changelog can be found at:
* https://github.com/libgit2/libgit2/releases/tag/v0.26.8
* https://github.com/libgit2/libgit2/releases/tag/v0.26.7

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1517=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libgit2-26-0.26.8-lp150.2.6.1
libgit2-26-debuginfo-0.26.8-lp150.2.6.1
libgit2-debugsource-0.26.8-lp150.2.6.1
libgit2-devel-0.26.8-lp150.2.6.1

- openSUSE Leap 15.0 (x86_64):

libgit2-26-32bit-0.26.8-lp150.2.6.1
libgit2-26-32bit-debuginfo-0.26.8-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-17456.html
https://bugzilla.suse.com/1110949
https://bugzilla.suse.com/1114729

--


openSUSE-SU-2018:4053-1: moderate: Security update for tiff

openSUSE Security Update: Security update for tiff
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4053-1
Rating: moderate
References: #1017693 #1054594 #1115717 #990460
Cross-References: CVE-2016-10092 CVE-2016-10093 CVE-2016-10094
CVE-2016-6223 CVE-2017-12944 CVE-2018-19210

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-19210: Fixed NULL pointer dereference in the
TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2017-12944: Fixed denial of service issue in the
TIFFReadDirEntryArray function (bsc#1054594).
- CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc
function (bsc#1017693).
- CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy
function (bsc#1017693).
- CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits
function (bsc#1017693).
- CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in
TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1522=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libtiff-devel-4.0.9-lp150.4.12.1
libtiff5-4.0.9-lp150.4.12.1
libtiff5-debuginfo-4.0.9-lp150.4.12.1
tiff-4.0.9-lp150.4.12.1
tiff-debuginfo-4.0.9-lp150.4.12.1
tiff-debugsource-4.0.9-lp150.4.12.1

- openSUSE Leap 15.0 (x86_64):

libtiff-devel-32bit-4.0.9-lp150.4.12.1
libtiff5-32bit-4.0.9-lp150.4.12.1
libtiff5-32bit-debuginfo-4.0.9-lp150.4.12.1


References:

https://www.suse.com/security/cve/CVE-2016-10092.html
https://www.suse.com/security/cve/CVE-2016-10093.html
https://www.suse.com/security/cve/CVE-2016-10094.html
https://www.suse.com/security/cve/CVE-2016-6223.html
https://www.suse.com/security/cve/CVE-2017-12944.html
https://www.suse.com/security/cve/CVE-2018-19210.html
https://bugzilla.suse.com/1017693
https://bugzilla.suse.com/1054594
https://bugzilla.suse.com/1115717
https://bugzilla.suse.com/990460

--


openSUSE-SU-2018:4054-1: moderate: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4054-1
Rating: moderate
References: #1057246 #1113064 #1117463
Cross-References: CVE-2018-18544
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for ImageMagick fixes the following issues:

Security issues fixed:

- CVE-2018-18544: Fixed memory leak in the function WriteMSLImage
(bsc#1113064).


Non-security issues fixed:

- Improve import documentation (bsc#1057246).
- Allow override system security policy (bsc#1117463).
- asan_build: build ASAN included
- debug_build: build more suitable for debugging

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1520=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ImageMagick-6.8.8.1-79.1
ImageMagick-debuginfo-6.8.8.1-79.1
ImageMagick-debugsource-6.8.8.1-79.1
ImageMagick-devel-6.8.8.1-79.1
ImageMagick-extra-6.8.8.1-79.1
ImageMagick-extra-debuginfo-6.8.8.1-79.1
libMagick++-6_Q16-3-6.8.8.1-79.1
libMagick++-6_Q16-3-debuginfo-6.8.8.1-79.1
libMagick++-devel-6.8.8.1-79.1
libMagickCore-6_Q16-1-6.8.8.1-79.1
libMagickCore-6_Q16-1-debuginfo-6.8.8.1-79.1
libMagickWand-6_Q16-1-6.8.8.1-79.1
libMagickWand-6_Q16-1-debuginfo-6.8.8.1-79.1
perl-PerlMagick-6.8.8.1-79.1
perl-PerlMagick-debuginfo-6.8.8.1-79.1

- openSUSE Leap 42.3 (noarch):

ImageMagick-doc-6.8.8.1-79.1

- openSUSE Leap 42.3 (x86_64):

ImageMagick-devel-32bit-6.8.8.1-79.1
libMagick++-6_Q16-3-32bit-6.8.8.1-79.1
libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-79.1
libMagick++-devel-32bit-6.8.8.1-79.1
libMagickCore-6_Q16-1-32bit-6.8.8.1-79.1
libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-79.1
libMagickWand-6_Q16-1-32bit-6.8.8.1-79.1
libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-79.1


References:

https://www.suse.com/security/cve/CVE-2018-18544.html
https://bugzilla.suse.com/1057246
https://bugzilla.suse.com/1113064
https://bugzilla.suse.com/1117463

--


openSUSE-SU-2018:4055-1: important: Security update for ncurses

openSUSE Security Update: Security update for ncurses
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4055-1
Rating: important
References: #1103320 #1115929
Cross-References: CVE-2018-19211
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a
NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from terminfo data base as with this screen uses
fallback TERM=screen (bsc#1103320).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1516=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libncurses5-6.1-lp150.4.3.1
libncurses5-debuginfo-6.1-lp150.4.3.1
libncurses6-6.1-lp150.4.3.1
libncurses6-debuginfo-6.1-lp150.4.3.1
ncurses-debugsource-6.1-lp150.4.3.1
ncurses-devel-6.1-lp150.4.3.1
ncurses-devel-debuginfo-6.1-lp150.4.3.1
ncurses-utils-6.1-lp150.4.3.1
ncurses-utils-debuginfo-6.1-lp150.4.3.1
ncurses5-devel-6.1-lp150.4.3.1
tack-6.1-lp150.4.3.1
tack-debuginfo-6.1-lp150.4.3.1
terminfo-6.1-lp150.4.3.1
terminfo-base-6.1-lp150.4.3.1
terminfo-iterm-6.1-lp150.4.3.1
terminfo-screen-6.1-lp150.4.3.1

- openSUSE Leap 15.0 (x86_64):

libncurses5-32bit-6.1-lp150.4.3.1
libncurses5-32bit-debuginfo-6.1-lp150.4.3.1
libncurses6-32bit-6.1-lp150.4.3.1
libncurses6-32bit-debuginfo-6.1-lp150.4.3.1
ncurses-devel-32bit-6.1-lp150.4.3.1
ncurses-devel-32bit-debuginfo-6.1-lp150.4.3.1
ncurses5-devel-32bit-6.1-lp150.4.3.1


References:

https://www.suse.com/security/cve/CVE-2018-19211.html
https://bugzilla.suse.com/1103320
https://bugzilla.suse.com/1115929

--


openSUSE-SU-2018:4056-1: important: Security update for Chromium

openSUSE Security Update: Security update for Chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4056-1
Rating: important
References: #1118529
Cross-References: CVE-2018-17480 CVE-2018-17481 CVE-2018-18335
CVE-2018-18336 CVE-2018-18337 CVE-2018-18338
CVE-2018-18339 CVE-2018-18340 CVE-2018-18341
CVE-2018-18342 CVE-2018-18343 CVE-2018-18344
CVE-2018-18345 CVE-2018-18346 CVE-2018-18347
CVE-2018-18348 CVE-2018-18349 CVE-2018-18350
CVE-2018-18351 CVE-2018-18352 CVE-2018-18353
CVE-2018-18354 CVE-2018-18355 CVE-2018-18356
CVE-2018-18357 CVE-2018-18358 CVE-2018-18359

Affected Products:
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes 27 vulnerabilities is now available.

Description:

This update to Chromium version 71.0.3578.80 fixes security issues and
bugs.

Security issues fixed (boo#1118529):

- CVE-2018-17480: Out of bounds write in V8
- CVE-2018-17481: Use after frees in PDFium
- CVE-2018-18335: Heap buffer overflow in Skia
- CVE-2018-18336: Use after free in PDFium
- CVE-2018-18337: Use after free in Blink
- CVE-2018-18338: Heap buffer overflow in Canvas
- CVE-2018-18339: Use after free in WebAudio
- CVE-2018-18340: Use after free in MediaRecorder
- CVE-2018-18341: Heap buffer overflow in Blink
- CVE-2018-18342: Out of bounds write in V8
- CVE-2018-18343: Use after free in Skia
- CVE-2018-18344: Inappropriate implementation in Extensions
- Multiple issues in SQLite via WebSQL
- CVE-2018-18345: Inappropriate implementation in Site Isolation
- CVE-2018-18346: Incorrect security UI in Blink
- CVE-2018-18347: Inappropriate implementation in Navigation
- CVE-2018-18348: Inappropriate implementation in Omnibox
- CVE-2018-18349: Insufficient policy enforcement in Blink
- CVE-2018-18350: Insufficient policy enforcement in Blink
- CVE-2018-18351: Insufficient policy enforcement in Navigation
- CVE-2018-18352: Inappropriate implementation in Media
- CVE-2018-18353: Inappropriate implementation in Network Authentication
- CVE-2018-18354: Insufficient data validation in Shell Integration
- CVE-2018-18355: Insufficient policy enforcement in URL Formatter
- CVE-2018-18356: Use after free in Skia
- CVE-2018-18357: Insufficient policy enforcement in URL Formatter
- CVE-2018-18358: Insufficient policy enforcement in Proxy
- CVE-2018-18359: Out of bounds read in V8
- Inappropriate implementation in PDFium
- Use after free in Extensions
- Inappropriate implementation in Navigation
- Insufficient policy enforcement in Navigation
- Insufficient policy enforcement in URL Formatter
- Various fixes from internal audits, fuzzing and other initiatives

The following changes are included:

- advertisements posing as error messages are now blocked
- Automatic playing of content at page load mostly disabled
- New JavaScript API for relative time display


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1521=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1521=1



Package List:

- openSUSE Leap 15.0 (x86_64):

chromedriver-71.0.3578.80-lp150.2.30.1
chromedriver-debuginfo-71.0.3578.80-lp150.2.30.1
chromium-71.0.3578.80-lp150.2.30.1
chromium-debuginfo-71.0.3578.80-lp150.2.30.1
chromium-debugsource-71.0.3578.80-lp150.2.30.1

- openSUSE Backports SLE-15 (aarch64 x86_64):

chromedriver-71.0.3578.80-bp150.2.23.1
chromedriver-debuginfo-71.0.3578.80-bp150.2.23.1
chromium-71.0.3578.80-bp150.2.23.1
chromium-debuginfo-71.0.3578.80-bp150.2.23.1
chromium-debugsource-71.0.3578.80-bp150.2.23.1


References:

https://www.suse.com/security/cve/CVE-2018-17480.html
https://www.suse.com/security/cve/CVE-2018-17481.html
https://www.suse.com/security/cve/CVE-2018-18335.html
https://www.suse.com/security/cve/CVE-2018-18336.html
https://www.suse.com/security/cve/CVE-2018-18337.html
https://www.suse.com/security/cve/CVE-2018-18338.html
https://www.suse.com/security/cve/CVE-2018-18339.html
https://www.suse.com/security/cve/CVE-2018-18340.html
https://www.suse.com/security/cve/CVE-2018-18341.html
https://www.suse.com/security/cve/CVE-2018-18342.html
https://www.suse.com/security/cve/CVE-2018-18343.html
https://www.suse.com/security/cve/CVE-2018-18344.html
https://www.suse.com/security/cve/CVE-2018-18345.html
https://www.suse.com/security/cve/CVE-2018-18346.html
https://www.suse.com/security/cve/CVE-2018-18347.html
https://www.suse.com/security/cve/CVE-2018-18348.html
https://www.suse.com/security/cve/CVE-2018-18349.html
https://www.suse.com/security/cve/CVE-2018-18350.html
https://www.suse.com/security/cve/CVE-2018-18351.html
https://www.suse.com/security/cve/CVE-2018-18352.html
https://www.suse.com/security/cve/CVE-2018-18353.html
https://www.suse.com/security/cve/CVE-2018-18354.html
https://www.suse.com/security/cve/CVE-2018-18355.html
https://www.suse.com/security/cve/CVE-2018-18356.html
https://www.suse.com/security/cve/CVE-2018-18357.html
https://www.suse.com/security/cve/CVE-2018-18358.html
https://www.suse.com/security/cve/CVE-2018-18359.html
https://bugzilla.suse.com/1118529

--