SUSE 5152 Published by

36 updates has been released for openSUSE. The is part 1:

openSUSE-SU-2019:1883-1: moderate: Security update for libsass
openSUSE-SU-2019:1888-1: moderate: Security update for libheimdal
openSUSE-SU-2019:1889-1: moderate: Security update for libmediainfo
openSUSE-SU-2019:1894-1: moderate: Security update for irssi
openSUSE-SU-2019:1895-1: moderate: Security update for ledger
openSUSE-SU-2019:1897-1: important: Security update for vlc
openSUSE-SU-2019:1898-1: important: Security update for kconfig, kdelibs4
openSUSE-SU-2019:1901-1: important: Security update for chromium
openSUSE-SU-2019:1902-1: important: Security update for chromium
openSUSE-SU-2019:1903-1: important: Security update for chromium
openSUSE-SU-2019:1904-1: important: Security update for pdns
openSUSE-SU-2019:1905-1: important: Security update for dosbox
openSUSE-SU-2019:1906-1: important: Security update for python
openSUSE-SU-2019:1907-1: important: Security update for nodejs8
openSUSE-SU-2019:1908-1: important: Security update for evince
openSUSE-SU-2019:1909-1: important: Security update for vlc
openSUSE-SU-2019:1910-1: important: Security update for subversion
openSUSE-SU-2019:1911-1: important: Security update for icedtea-web
openSUSE-SU-2019:1912-1: important: Security update for java-1_8_0-openjdk
openSUSE-SU-2019:1913-1: important: Security update for mariadb, mariadb-connector-c
openSUSE-SU-2019:1914-1: important: Security update for polkit
openSUSE-SU-2019:1915-1: important: Security update for mariadb, mariadb-connector-c
openSUSE-SU-2019:1916-1: important: Security update for java-11-openjdk
openSUSE-SU-2019:1917-1: important: Security update for gpg2
openSUSE-SU-2019:1918-1: important: Security update for bzip2



openSUSE-SU-2019:1883-1: moderate: Security update for libsass

openSUSE Security Update: Security update for libsass
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1883-1
Rating: moderate
References: #1096894 #1118301 #1118346 #1118348 #1118349
#1118351 #1119789 #1121943 #1121944 #1121945
#1133200 #1133201
Cross-References: CVE-2018-11499 CVE-2018-19797 CVE-2018-19827
CVE-2018-19837 CVE-2018-19838 CVE-2018-19839
CVE-2018-20190 CVE-2018-20821 CVE-2018-20822
CVE-2019-6283 CVE-2019-6284 CVE-2019-6286

Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for libsass to version 3.6.1 fixes the following issues:

Security issues fixed:

- CVE-2019-6283: Fixed heap-buffer-overflow in
Sass::Prelexer::parenthese_scope(char const*) (boo#1121943).
- CVE-2019-6284: Fixed heap-based buffer over-read exists in
Sass:Prelexer:alternatives (boo#1121944).
- CVE-2019-6286: Fixed heap-based buffer over-read exists in
Sass:Prelexer:skip_over_scopes (boo#1121945).
- CVE-2018-11499: Fixed use-after-free vulnerability in
sass_context.cpp:handle_error (boo#1096894).
- CVE-2018-19797: Disallowed parent selector in selector_fns arguments
(boo#1118301).
- CVE-2018-19827: Fixed use-after-free vulnerability exists in the
SharedPtr class (boo#1118346).
- CVE-2018-19837: Fixed stack overflow in Eval::operator() (boo#1118348).
- CVE-2018-19838: Fixed stack-overflow at IMPLEMENT_AST_OPERATORS
expansion (boo#1118349).
- CVE-2018-19839: Fixed buffer-overflow (OOB read) against some invalid
input (boo#1118351).
- CVE-2018-20190: Fixed Null pointer dereference in
Sass::Eval::operator()(Sass::Supports_Operator*) (boo#1119789).
- CVE-2018-20821: Fixed uncontrolled recursion in
Sass:Parser:parse_css_variable_value (boo#1133200).
- CVE-2018-20822: Fixed stack-overflow at Sass::Inspect::operator()
(boo#1133201).

This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1883=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

libsass-3_6_1-1-3.6.1-bp151.4.3.1
libsass-devel-3.6.1-bp151.4.3.1


References:

https://www.suse.com/security/cve/CVE-2018-11499.html
https://www.suse.com/security/cve/CVE-2018-19797.html
https://www.suse.com/security/cve/CVE-2018-19827.html
https://www.suse.com/security/cve/CVE-2018-19837.html
https://www.suse.com/security/cve/CVE-2018-19838.html
https://www.suse.com/security/cve/CVE-2018-19839.html
https://www.suse.com/security/cve/CVE-2018-20190.html
https://www.suse.com/security/cve/CVE-2018-20821.html
https://www.suse.com/security/cve/CVE-2018-20822.html
https://www.suse.com/security/cve/CVE-2019-6283.html
https://www.suse.com/security/cve/CVE-2019-6284.html
https://www.suse.com/security/cve/CVE-2019-6286.html
https://bugzilla.suse.com/1096894
https://bugzilla.suse.com/1118301
https://bugzilla.suse.com/1118346
https://bugzilla.suse.com/1118348
https://bugzilla.suse.com/1118349
https://bugzilla.suse.com/1118351
https://bugzilla.suse.com/1119789
https://bugzilla.suse.com/1121943
https://bugzilla.suse.com/1121944
https://bugzilla.suse.com/1121945
https://bugzilla.suse.com/1133200
https://bugzilla.suse.com/1133201

--


openSUSE-SU-2019:1888-1: moderate: Security update for libheimdal

openSUSE Security Update: Security update for libheimdal
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1888-1
Rating: moderate
References: #1047218 #1084909
Cross-References: CVE-2018-16860 CVE-2019-12098
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for libheimdal fixes the following issues:

libheimdal was updated to version 7.7.0:

+ Bug fixes:

- PKCS#11 hcrypto back-end:

+ initialize the p11_module_load function list
+ verify that not only is a mechanism present but that its mechanism
info states that it offers the required encryption, decryption or
digest services

- krb5:

+ Starting with 7.6, Heimdal permitted requesting authenticated
anonymous tickets. However, it did not verify that a KDC in fact
returned an anonymous ticket when one was requested.
+ Cease setting the KDCOption reaquest_anonymous flag when issuing
S4UProxy (constrained delegation) TGS requests.
+ when the Win2K PKINIT compatibility option is set, do not require
krbtgt otherName to match when validating KDC certificate.
+ set PKINIT_BTMM flag per Apple implementation
+ use memset_s() instead of memset()

- kdc:

+ When generating KRB5SignedPath in the AS, use the reply client name
rather than the one from the request, so validation will work
correctly in the TGS.
+ allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT used an
enctype with a different checksum. Per [MS-SFU] 2.2.1 PA-FOR-USER
the checksum is always HMAC_MD5, and that's what Windows and MIT
clients send. In Heimdal both the client and kdc use instead the
checksum of the TGT, and therefore work with each other but Windows
and MIT clients fail against Heimdal KDC. Both Windows and MIT KDC
would allow any keyed checksum to be used so Heimdal client work
fine against it. Change Heimdal KDC to allow HMAC_MD5 even for non
RC4 based TGT in order to support per-spec clients.
+ use memset_s() instead of memset()
+ Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy
(constrained delegation) TGS Requests with the request anonymous
flag set. These requests will be treated as S4UProxy requests and
not anonymous requests.

- HDB:

+ Set SQLite3 backend default page size to 8KB.
+ Add hdb_set_sync() method

- kadmind:

+ disable HDB sync during database load avoiding unnecessary disk i/o.

- ipropd:

+ disable HDB sync during receive_everything. Doing an fsync
per-record when receiving the complete HDB is a performance
disaster. Among other things, if the HDB is very large, then one
slave receving a full HDB can cause
other slaves to timeout and, if HDB write activity is high enough to
cause iprop log truncation, then also need full syncs, which leads to a
cycle of full syncs for all slaves until HDB write activity drops.
Allowing the iprop log to be larger helps, but improving
receive_everything() performance helps even more.

- kinit:

+ Anonymous PKINIT tickets discard the realm information used to
locate the issuing AS. Store the issuing realm in the credentials
cache in order to locate a KDC which can renew them.
+ Do not leak the result of krb5_cc_get_config() when determining
anonymous PKINIT start realm.

- klist:

+ Show transited-policy-checked, ok-as-delegate and anonymous flags
when listing credentials.

- tests:

+ Regenerate certs so that they expire before the 2038 armageddon so
the test suite will pass on 32-bit
operating systems until the underlying issues can be resolved.

- documentation:

+ rename verify-password to verify-password-quality
+ hprop default mode is encrypt
+ kadmind "all" permission does not include "get-keys"
+ verify-password-quality might not be stateless

Version 7.6.0:

+ Security (#555):

- CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

When the Heimdal KDC checks the checksum that is placed on the
S4U2Self packet by the server to protect the requested principal against
modification, it does not confirm that the checksum algorithm that
protects the user name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the request
with any desired user name (principal) that exists in the KDC and replace
the checksum protecting that name with a CRC32 checksum (which requires no
prior knowledge to compute). This would allow a S4U2Self ticket requested
on behalf of user name (principal) user@EXAMPLE.COM to any service to be
changed to a S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of the
modified user name (principal).

- CVE-2019-12098, client-only:

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
exchange when anonymous PKINIT is used. Failure to do so can permit an
active attacker to become a man-in-the-middle.

+ Bug fixes:

- Happy eyeballs: Don't wait for responses from known-unreachable KDCs.

- kdc:

+ check return copy_Realm, copy_PrincipalName, copy_EncryptionKey

- kinit:

+ cleanup temporary ccaches
+ see man page for "kinit --anonymous" command line syntax change

- kdc:

+ Make anonymous AS-requests more RFC8062-compliant. Updated expired
test certificates

+ Features:

- kuser: support authenticated anonymous AS-REQs in kinit
- kdc: support for anonymous TGS-REQs
- kgetcred support for anonymous service tickets
- Support builds with OpenSSL 1.1.1


This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1888=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

libheimdal-7.7.0-bp151.4.3.1
libheimdal-devel-7.7.0-bp151.4.3.1


References:

https://www.suse.com/security/cve/CVE-2018-16860.html
https://www.suse.com/security/cve/CVE-2019-12098.html
https://bugzilla.suse.com/1047218
https://bugzilla.suse.com/1084909

--


openSUSE-SU-2019:1889-1: moderate: Security update for libmediainfo

openSUSE Security Update: Security update for libmediainfo
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1889-1
Rating: moderate
References: #1133156 #1133157
Cross-References: CVE-2019-11372 CVE-2019-11373
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for libmediainfo fixes the following issues:

* CVE-2019-11373: Fixed out-of-bounds read in function
File__Analyze:Get_L8 (boo#1133156)
* CVE-2019-11372: Fixed out-of-bounds read in function
MediaInfoLib:File__Tags_Helper:Synched_Test (boo#1133157)


This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1889=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

libmediainfo-devel-18.03-bp151.4.3.2
libmediainfo0-18.03-bp151.4.3.2

- openSUSE Backports SLE-15-SP1 (aarch64_ilp32):

libmediainfo0-64bit-18.03-bp151.4.3.2


References:

https://www.suse.com/security/cve/CVE-2019-11372.html
https://www.suse.com/security/cve/CVE-2019-11373.html
https://bugzilla.suse.com/1133156
https://bugzilla.suse.com/1133157

--


openSUSE-SU-2019:1894-1: moderate: Security update for irssi

openSUSE Security Update: Security update for irssi
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1894-1
Rating: moderate
References: #1139802
Cross-References: CVE-2019-13045
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for irssi fixes the following issues:

irssi was updated to 1.1.3:

- CVE-2019-13045: Fix a use after free issue when sending the SASL login
on (automatic and manual) reconnects (#1055, #1058) (boo#1139802)
- Fix regression of #779 where autolog_ignore_targets would not matching
itemless windows anymore (#1012, #1013)

This update was imported from the openSUSE:Leap:15.1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1894=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

irssi-1.1.3-bp151.3.3.3
irssi-devel-1.1.3-bp151.3.3.3


References:

https://www.suse.com/security/cve/CVE-2019-13045.html
https://bugzilla.suse.com/1139802

--


openSUSE-SU-2019:1895-1: moderate: Security update for ledger

openSUSE Security Update: Security update for ledger
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1895-1
Rating: moderate
References: #1052478 #1052484 #1105084
Cross-References: CVE-2017-12481 CVE-2017-12482 CVE-2017-2807
CVE-2017-2808
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for ledger fixes the following issues:

ledger was updated to 3.1.3:

+ Properly reject postings with a comment right after the flag (bug #1753)
+ Make sorting order of lot information deterministic (bug #1747)
+ Fix bug in tag value parsing (bug #1702)
+ Remove the org command, which was always a hack to begin with (bug #1706)
+ Provide Docker information in README
+ Various small documentation improvements

This also includes the update to 3.1.2:

+ Increase maximum length for regex from 255 to 4095 (bug #981)
+ Initialize periods from from/since clause rather than earliest
transaction date (bug #1159)
+ Check balance assertions against the amount after the posting (bug #1147)
+ Allow balance assertions with multiple posts to same account (bug #1187)
+ Fix period duration of "every X days" and similar statements (bug #370)
+ Make option --force-color not require --color anymore (bug #1109)
+ Add quoted_rfc4180 to allow CVS output with RFC 4180 compliant quoting.
+ Add support for --prepend-format in accounts command
+ Fix handling of edge cases in trim function (bug #520)
+ Fix auto xact posts not getting applied to account total during journal
parse (bug #552)
+ Transfer null_post flags to generated postings
+ Fix segfault when using --market with --group-by
+ Use amount_width variable for budget report
+ Keep pending items in budgets until the last day they apply
+ Fix bug where .total used in value expressions breaks totals
+ Make automated transactions work with assertions (bug #1127)
+ Improve parsing of date tokens (bug #1626)
+ Don't attempt to invert a value if it's already zero (bug #1703)
+ Do not parse user-specified init-file twice
+ Fix parsing issue of effective dates (bug #1722, TALOS-2017-0303,
CVE-2017-2807)
+ Fix use-after-free issue with deferred postings (bug #1723,
TALOS-2017-0304, CVE-2017-2808)
+ Fix possible stack overflow in option parsing routine (bug #1222,
CVE-2017-12481)
+ Fix possible stack overflow in date parsing routine (bug #1224,
CVE-2017-12482)
+ Fix use-after-free when using --gain (bug #541)
+ Python: Removed double quotes from Unicode values.
+ Python: Ensure that parse errors produce useful RuntimeErrors
+ Python: Expose journal expand_aliases
+ Python: Expose journal_t::register_account
+ Improve bash completion
+ Emacs Lisp files have been moved to https://github.com/ledger/ledger-mode
+ Various documentation improvements

This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1895=1



Package List:

- openSUSE Backports SLE-15-SP1 (ppc64le s390x x86_64):

ledger-3.1.3-bp151.4.3.1


References:

https://www.suse.com/security/cve/CVE-2017-12481.html
https://www.suse.com/security/cve/CVE-2017-12482.html
https://www.suse.com/security/cve/CVE-2017-2807.html
https://www.suse.com/security/cve/CVE-2017-2808.html
https://bugzilla.suse.com/1052478
https://bugzilla.suse.com/1052484
https://bugzilla.suse.com/1105084

--


openSUSE-SU-2019:1897-1: important: Security update for vlc

openSUSE Security Update: Security update for vlc
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1897-1
Rating: important
References: #1118586 #1138354 #1138933 #1141522 #1142161
#1143547 #1143549
Cross-References: CVE-2018-19857 CVE-2019-12874 CVE-2019-13602
CVE-2019-13962 CVE-2019-5439 CVE-2019-5459
CVE-2019-5460
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for vlc to version 3.0.7.1 fixes the following issues:

Security issues fixed:

- CVE-2019-5439: Fixed a buffer overflow (bsc#1138354).
- CVE-2019-5459: Fixed an integer underflow (bsc#1143549).
- CVE-2019-5460: Fixed a double free (bsc#1143547).
- CVE-2019-12874: Fixed a double free in zlib_decompress_extra in
modules/demux/mkv/util.cpp (bsc#1138933).
- CVE-2019-13602: Fixed an integer underflow in mp4 demuxer (boo#1141522).
- CVE-2019-13962: Fixed a heap-based buffer over-read in avcodec
(boo#1142161).

Non-security issues fixed:

- Video Output:
* Fix hardware acceleration with some AMD drivers
* Improve direct3d11 HDR support
- Access:
* Improve Blu-ray support
- Audio output:
* Fix pass-through on Android-23
* Fix DirectSound drain
- Demux: Improve MP4 support
- Video Output:
* Fix 12 bits sources playback with Direct3D11
* Fix crash on iOS
* Fix midstream aspect-ratio changes when Windows hardware decoding is on
* Fix HLG display with Direct3D11
- Stream Output: Improve Chromecast support with new ChromeCast apps
- Misc:
* Update Youtube, Dailymotion, Vimeo, Soundcloud scripts
* Work around busy looping when playing an invalid item with loop enabled
- Updated translations.

This update was imported from the openSUSE:Leap:15.1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1897=1



Package List:

- openSUSE Backports SLE-15-SP1 (x86_64):

libvlc5-3.0.7.1-bp151.5.3.3
libvlccore9-3.0.7.1-bp151.5.3.3
vlc-3.0.7.1-bp151.5.3.3
vlc-codec-gstreamer-3.0.7.1-bp151.5.3.3
vlc-devel-3.0.7.1-bp151.5.3.3
vlc-jack-3.0.7.1-bp151.5.3.3
vlc-noX-3.0.7.1-bp151.5.3.3
vlc-qt-3.0.7.1-bp151.5.3.3
vlc-vdpau-3.0.7.1-bp151.5.3.3

- openSUSE Backports SLE-15-SP1 (noarch):

vlc-lang-3.0.7.1-bp151.5.3.3


References:

https://www.suse.com/security/cve/CVE-2018-19857.html
https://www.suse.com/security/cve/CVE-2019-12874.html
https://www.suse.com/security/cve/CVE-2019-13602.html
https://www.suse.com/security/cve/CVE-2019-13962.html
https://www.suse.com/security/cve/CVE-2019-5439.html
https://www.suse.com/security/cve/CVE-2019-5459.html
https://www.suse.com/security/cve/CVE-2019-5460.html
https://bugzilla.suse.com/1118586
https://bugzilla.suse.com/1138354
https://bugzilla.suse.com/1138933
https://bugzilla.suse.com/1141522
https://bugzilla.suse.com/1142161
https://bugzilla.suse.com/1143547
https://bugzilla.suse.com/1143549

--


openSUSE-SU-2019:1898-1: important: Security update for kconfig, kdelibs4

openSUSE Security Update: Security update for kconfig, kdelibs4
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1898-1
Rating: important
References: #1144600
Cross-References: CVE-2019-14744
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for kconfig, kdelibs4 fixes the following issues:

- CVE-2019-14744: Fixed a command execution by an shell expansion
(boo#1144600).

This update was imported from the openSUSE:Leap:15.1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1898=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

kconf_update5-5.55.0-bp151.3.8.1
kconfig-devel-5.55.0-bp151.3.8.1
kdelibs4-4.14.38-bp151.9.8.2
kdelibs4-branding-upstream-4.14.38-bp151.9.8.2
kdelibs4-core-4.14.38-bp151.9.8.2
kdelibs4-core-debuginfo-4.14.38-bp151.9.8.2
kdelibs4-debuginfo-4.14.38-bp151.9.8.2
kdelibs4-debugsource-4.14.38-bp151.9.8.2
kdelibs4-doc-4.14.38-bp151.9.8.2
kdelibs4-doc-debuginfo-4.14.38-bp151.9.8.2
libKF5ConfigCore5-5.55.0-bp151.3.8.1
libKF5ConfigGui5-5.55.0-bp151.3.8.1
libkde4-4.14.38-bp151.9.8.2
libkde4-debuginfo-4.14.38-bp151.9.8.2
libkde4-devel-4.14.38-bp151.9.8.2
libkde4-devel-debuginfo-4.14.38-bp151.9.8.2
libkdecore4-4.14.38-bp151.9.8.2
libkdecore4-debuginfo-4.14.38-bp151.9.8.2
libkdecore4-devel-4.14.38-bp151.9.8.2
libkdecore4-devel-debuginfo-4.14.38-bp151.9.8.2
libksuseinstall-devel-4.14.38-bp151.9.8.2
libksuseinstall1-4.14.38-bp151.9.8.2
libksuseinstall1-debuginfo-4.14.38-bp151.9.8.2

- openSUSE Backports SLE-15-SP1 (aarch64_ilp32):

kconfig-devel-64bit-5.55.0-bp151.3.8.1
libKF5ConfigCore5-64bit-5.55.0-bp151.3.8.1
libKF5ConfigGui5-64bit-5.55.0-bp151.3.8.1
libkde4-64bit-4.14.38-bp151.9.8.2
libkde4-64bit-debuginfo-4.14.38-bp151.9.8.2
libkdecore4-64bit-4.14.38-bp151.9.8.2
libkdecore4-64bit-debuginfo-4.14.38-bp151.9.8.2
libksuseinstall1-64bit-4.14.38-bp151.9.8.2
libksuseinstall1-64bit-debuginfo-4.14.38-bp151.9.8.2

- openSUSE Backports SLE-15-SP1 (noarch):

kdelibs4-apidocs-4.14.38-bp151.9.8.1
libKF5ConfigCore5-lang-5.55.0-bp151.3.8.1


References:

https://www.suse.com/security/cve/CVE-2019-14744.html
https://bugzilla.suse.com/1144600

--


openSUSE-SU-2019:1901-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1901-1
Rating: important
References: #1143492 #1144625
Cross-References: CVE-2019-5850 CVE-2019-5851 CVE-2019-5852
CVE-2019-5853 CVE-2019-5854 CVE-2019-5855
CVE-2019-5856 CVE-2019-5857 CVE-2019-5858
CVE-2019-5859 CVE-2019-5860 CVE-2019-5861
CVE-2019-5862 CVE-2019-5863 CVE-2019-5864
CVE-2019-5865
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes 16 vulnerabilities is now available.

Description:

This update for chromium to version 76.0.3809.87 fixes the following
issues:

- CVE-2019-5850: Use-after-free in offline page fetcher (boo#1143492)
- CVE-2019-5860: Use-after-free in PDFium (boo#1143492)
- CVE-2019-5853: Memory corruption in regexp length check (boo#1143492)
- CVE-2019-5851: Use-after-poison in offline audio context (boo#1143492)
- CVE-2019-5859: res: URIs can load alternative browsers (boo#1143492)
- CVE-2019-5856: Insufficient checks on filesystem: URI permissions
(boo#1143492)
- CVE-2019-5855: Integer overflow in PDFium (boo#1143492)
- CVE-2019-5865: Site isolation bypass from compromised renderer
(boo#1143492)
- CVE-2019-5858: Insufficient filtering of Open URL service parameters
(boo#1143492)
- CVE-2019-5864: Insufficient port filtering in CORS for extensions
(boo#1143492)
- CVE-2019-5862: AppCache not robust to compromised renderers (boo#1143492)
- CVE-2019-5861: Click location incorrectly checked (boo#1143492)
- CVE-2019-5857: Comparison of -0 and null yields crash (boo#1143492)
- CVE-2019-5854: Integer overflow in PDFium text rendering (boo#1143492)
- CVE-2019-5852: Object leak of utility functions (boo#1143492)

This update was imported from the openSUSE:Leap:15.1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1901=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 x86_64):

chromedriver-76.0.3809.87-bp151.3.3.3
chromium-76.0.3809.87-bp151.3.3.3


References:

https://www.suse.com/security/cve/CVE-2019-5850.html
https://www.suse.com/security/cve/CVE-2019-5851.html
https://www.suse.com/security/cve/CVE-2019-5852.html
https://www.suse.com/security/cve/CVE-2019-5853.html
https://www.suse.com/security/cve/CVE-2019-5854.html
https://www.suse.com/security/cve/CVE-2019-5855.html
https://www.suse.com/security/cve/CVE-2019-5856.html
https://www.suse.com/security/cve/CVE-2019-5857.html
https://www.suse.com/security/cve/CVE-2019-5858.html
https://www.suse.com/security/cve/CVE-2019-5859.html
https://www.suse.com/security/cve/CVE-2019-5860.html
https://www.suse.com/security/cve/CVE-2019-5861.html
https://www.suse.com/security/cve/CVE-2019-5862.html
https://www.suse.com/security/cve/CVE-2019-5863.html
https://www.suse.com/security/cve/CVE-2019-5864.html
https://www.suse.com/security/cve/CVE-2019-5865.html
https://bugzilla.suse.com/1143492
https://bugzilla.suse.com/1144625

--


openSUSE-SU-2019:1902-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1902-1
Rating: important
References: #1145242
Cross-References: CVE-2019-5867 CVE-2019-5868
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for chromium to verion 76.0.3809.100 fixes the following
issues:

- CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction (boo#1145242)
- CVE-2019-5867: Out-of-bounds read in V8 (boo#1145242).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1902=1



Package List:

- openSUSE Leap 15.1 (x86_64):

chromedriver-76.0.3809.100-lp151.2.20.1
chromedriver-debuginfo-76.0.3809.100-lp151.2.20.1
chromium-76.0.3809.100-lp151.2.20.1
chromium-debuginfo-76.0.3809.100-lp151.2.20.1
chromium-debugsource-76.0.3809.100-lp151.2.20.1


References:

https://www.suse.com/security/cve/CVE-2019-5867.html
https://www.suse.com/security/cve/CVE-2019-5868.html
https://bugzilla.suse.com/1145242

--


openSUSE-SU-2019:1903-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1903-1
Rating: important
References: #1145242
Cross-References: CVE-2019-5867 CVE-2019-5868
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for chromium to verion 76.0.3809.100 fixes the following
issues:

- CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction (boo#1145242)
- CVE-2019-5867: Out-of-bounds read in V8 (boo#1145242).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1903=1



Package List:

- openSUSE Leap 15.0 (x86_64):

chromedriver-76.0.3809.100-lp150.229.1
chromedriver-debuginfo-76.0.3809.100-lp150.229.1
chromium-76.0.3809.100-lp150.229.1
chromium-debuginfo-76.0.3809.100-lp150.229.1
chromium-debugsource-76.0.3809.100-lp150.229.1


References:

https://www.suse.com/security/cve/CVE-2019-5867.html
https://www.suse.com/security/cve/CVE-2019-5868.html
https://bugzilla.suse.com/1145242

--


openSUSE-SU-2019:1904-1: important: Security update for pdns

openSUSE Security Update: Security update for pdns
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1904-1
Rating: important
References: #1138582 #1142810
Cross-References: CVE-2019-10162 CVE-2019-10163 CVE-2019-10203

Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for pdns fixes the following issues:

Security issues fixed:

- CVE-2019-10203: Updated PostgreSQL schema to address a possible denial
of service by an authorized user by inserting a crafted record in a
MASTER type zone under their control. (boo#1142810)
- CVE-2019-10162: Fixed a denial of service but when authorized user to
cause the server to exit by inserting a crafted record in a MASTER type
zone under their control. (boo#1138582)
- CVE-2019-10163: Fixed a denial of service of slave server when an
authorized master server sends large number of NOTIFY messages.
(boo#1138582)

Non-security issues fixed:

- Enabled the option to disable superslave support.
- Fixed `pdnsutil b2b-migrate` to not lose NSEC3 settings.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1904=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1904=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1904=1



Package List:

- openSUSE Leap 15.1 (x86_64):

pdns-4.1.8-lp151.2.3.1
pdns-backend-geoip-4.1.8-lp151.2.3.1
pdns-backend-geoip-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-godbc-4.1.8-lp151.2.3.1
pdns-backend-godbc-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-ldap-4.1.8-lp151.2.3.1
pdns-backend-ldap-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-lua-4.1.8-lp151.2.3.1
pdns-backend-lua-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-mydns-4.1.8-lp151.2.3.1
pdns-backend-mydns-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-mysql-4.1.8-lp151.2.3.1
pdns-backend-mysql-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-postgresql-4.1.8-lp151.2.3.1
pdns-backend-postgresql-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-remote-4.1.8-lp151.2.3.1
pdns-backend-remote-debuginfo-4.1.8-lp151.2.3.1
pdns-backend-sqlite3-4.1.8-lp151.2.3.1
pdns-backend-sqlite3-debuginfo-4.1.8-lp151.2.3.1
pdns-debuginfo-4.1.8-lp151.2.3.1
pdns-debugsource-4.1.8-lp151.2.3.1

- openSUSE Leap 15.0 (x86_64):

pdns-4.1.2-lp150.3.13.1
pdns-backend-geoip-4.1.2-lp150.3.13.1
pdns-backend-geoip-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-godbc-4.1.2-lp150.3.13.1
pdns-backend-godbc-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-ldap-4.1.2-lp150.3.13.1
pdns-backend-ldap-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-lua-4.1.2-lp150.3.13.1
pdns-backend-lua-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-mydns-4.1.2-lp150.3.13.1
pdns-backend-mydns-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-mysql-4.1.2-lp150.3.13.1
pdns-backend-mysql-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-postgresql-4.1.2-lp150.3.13.1
pdns-backend-postgresql-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-remote-4.1.2-lp150.3.13.1
pdns-backend-remote-debuginfo-4.1.2-lp150.3.13.1
pdns-backend-sqlite3-4.1.2-lp150.3.13.1
pdns-backend-sqlite3-debuginfo-4.1.2-lp150.3.13.1
pdns-debuginfo-4.1.2-lp150.3.13.1
pdns-debugsource-4.1.2-lp150.3.13.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

pdns-4.1.2-bp150.2.9.1
pdns-backend-geoip-4.1.2-bp150.2.9.1
pdns-backend-geoip-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-godbc-4.1.2-bp150.2.9.1
pdns-backend-godbc-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-ldap-4.1.2-bp150.2.9.1
pdns-backend-ldap-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-lua-4.1.2-bp150.2.9.1
pdns-backend-lua-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-mydns-4.1.2-bp150.2.9.1
pdns-backend-mydns-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-mysql-4.1.2-bp150.2.9.1
pdns-backend-mysql-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-postgresql-4.1.2-bp150.2.9.1
pdns-backend-postgresql-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-remote-4.1.2-bp150.2.9.1
pdns-backend-remote-debuginfo-4.1.2-bp150.2.9.1
pdns-backend-sqlite3-4.1.2-bp150.2.9.1
pdns-backend-sqlite3-debuginfo-4.1.2-bp150.2.9.1
pdns-debuginfo-4.1.2-bp150.2.9.1
pdns-debugsource-4.1.2-bp150.2.9.1


References:

https://www.suse.com/security/cve/CVE-2019-10162.html
https://www.suse.com/security/cve/CVE-2019-10163.html
https://www.suse.com/security/cve/CVE-2019-10203.html
https://bugzilla.suse.com/1138582
https://bugzilla.suse.com/1142810

--


openSUSE-SU-2019:1905-1: important: Security update for dosbox

openSUSE Security Update: Security update for dosbox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1905-1
Rating: important
References: #1140254
Cross-References: CVE-2019-12594 CVE-2019-7165
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for dosbox fixes the following issues:

Security issues fixed:

- CVE-2019-7165: Fixed that a very long line inside a bat file would
overflow the parsing buffer (bnc#1140254).
- CVE-2019-12594: Added a basic permission system so that a program
running inside DOSBox can't access the contents of /proc (e.g.
/proc/self/mem) when / or /proc were (to be) mounted (bnc#1140254).
- Several other fixes for out of bounds access and buffer overflows.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1905=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1905=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1905=1



Package List:

- openSUSE Leap 15.1 (x86_64):

dosbox-0.74.3-lp151.3.3.1
dosbox-debuginfo-0.74.3-lp151.3.3.1
dosbox-debugsource-0.74.3-lp151.3.3.1

- openSUSE Leap 15.0 (x86_64):

dosbox-0.74.3-lp150.2.3.1
dosbox-debuginfo-0.74.3-lp150.2.3.1
dosbox-debugsource-0.74.3-lp150.2.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

dosbox-0.74.3-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-12594.html
https://www.suse.com/security/cve/CVE-2019-7165.html
https://bugzilla.suse.com/1140254

--


openSUSE-SU-2019:1906-1: important: Security update for python

openSUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1906-1
Rating: important
References: #1138459
Cross-References: CVE-2019-10160
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python fixes the following issues:

Security issue fixed:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit()
introduced by the fix for CVE-2019-9636 (bsc#1138459).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1906=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1906=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libpython2_7-1_0-2.7.14-lp151.10.3.1
libpython2_7-1_0-debuginfo-2.7.14-lp151.10.3.1
python-2.7.14-lp151.10.3.1
python-base-2.7.14-lp151.10.3.1
python-base-debuginfo-2.7.14-lp151.10.3.1
python-base-debugsource-2.7.14-lp151.10.3.1
python-curses-2.7.14-lp151.10.3.1
python-curses-debuginfo-2.7.14-lp151.10.3.1
python-debuginfo-2.7.14-lp151.10.3.1
python-debugsource-2.7.14-lp151.10.3.1
python-demo-2.7.14-lp151.10.3.1
python-devel-2.7.14-lp151.10.3.1
python-gdbm-2.7.14-lp151.10.3.1
python-gdbm-debuginfo-2.7.14-lp151.10.3.1
python-idle-2.7.14-lp151.10.3.1
python-tk-2.7.14-lp151.10.3.1
python-tk-debuginfo-2.7.14-lp151.10.3.1
python-xml-2.7.14-lp151.10.3.1
python-xml-debuginfo-2.7.14-lp151.10.3.1

- openSUSE Leap 15.1 (noarch):

python-doc-2.7.14-lp151.10.3.1
python-doc-pdf-2.7.14-lp151.10.3.1

- openSUSE Leap 15.1 (x86_64):

libpython2_7-1_0-32bit-2.7.14-lp151.10.3.1
libpython2_7-1_0-32bit-debuginfo-2.7.14-lp151.10.3.1
python-32bit-2.7.14-lp151.10.3.1
python-32bit-debuginfo-2.7.14-lp151.10.3.1
python-base-32bit-2.7.14-lp151.10.3.1
python-base-32bit-debuginfo-2.7.14-lp151.10.3.1

- openSUSE Leap 15.0 (i586 x86_64):

python-2.7.14-lp150.6.13.1
python-curses-2.7.14-lp150.6.13.1
python-curses-debuginfo-2.7.14-lp150.6.13.1
python-debuginfo-2.7.14-lp150.6.13.1
python-debugsource-2.7.14-lp150.6.13.1
python-demo-2.7.14-lp150.6.13.1
python-gdbm-2.7.14-lp150.6.13.1
python-gdbm-debuginfo-2.7.14-lp150.6.13.1
python-idle-2.7.14-lp150.6.13.1
python-tk-2.7.14-lp150.6.13.1
python-tk-debuginfo-2.7.14-lp150.6.13.1

- openSUSE Leap 15.0 (x86_64):

python-32bit-2.7.14-lp150.6.13.1
python-32bit-debuginfo-2.7.14-lp150.6.13.1


References:

https://www.suse.com/security/cve/CVE-2019-10160.html
https://bugzilla.suse.com/1138459

--


openSUSE-SU-2019:1907-1: important: Security update for nodejs8

openSUSE Security Update: Security update for nodejs8
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1907-1
Rating: important
References: #1134209 #1140290
Cross-References: CVE-2019-13173
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for nodejs8 fixes the following issues:

Security issue fixed:

- CVE-2019-13173: Fixed a potential file overwrite via hardlink in
fstream.DirWriter() (bsc#1140290).

Non-security issue fixed:

- Backported fixes for OpenSSL 1.1.1 from nodejs8 (bsc#1134209).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1907=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1907=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

nodejs8-8.15.1-lp151.2.3.1
nodejs8-debuginfo-8.15.1-lp151.2.3.1
nodejs8-debugsource-8.15.1-lp151.2.3.1
nodejs8-devel-8.15.1-lp151.2.3.1
npm8-8.15.1-lp151.2.3.1

- openSUSE Leap 15.1 (noarch):

nodejs8-docs-8.15.1-lp151.2.3.1

- openSUSE Leap 15.0 (i586 x86_64):

nodejs8-8.15.1-lp150.2.16.1
nodejs8-debuginfo-8.15.1-lp150.2.16.1
nodejs8-debugsource-8.15.1-lp150.2.16.1
nodejs8-devel-8.15.1-lp150.2.16.1
npm8-8.15.1-lp150.2.16.1

- openSUSE Leap 15.0 (noarch):

nodejs8-docs-8.15.1-lp150.2.16.1


References:

https://www.suse.com/security/cve/CVE-2019-13173.html
https://bugzilla.suse.com/1134209
https://bugzilla.suse.com/1140290

--


openSUSE-SU-2019:1908-1: important: Security update for evince

openSUSE Security Update: Security update for evince
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1908-1
Rating: important
References: #1141619
Cross-References: CVE-2019-1010006
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for evince fixes the following issues:

- CVE-2019-1010006: Fixed a buffer overflow in
backend/tiff/tiff-document.c (bsc#1141619).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1908=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1908=1



Package List:

- openSUSE Leap 15.1 (noarch):

evince-lang-3.26.0+20180128.1bd86963-lp151.4.6.1

- openSUSE Leap 15.1 (x86_64):

evince-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-debugsource-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-devel-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-comicsdocument-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-comicsdocument-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-djvudocument-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-djvudocument-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-dvidocument-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-dvidocument-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-pdfdocument-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-pdfdocument-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-psdocument-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-psdocument-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-tiffdocument-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-tiffdocument-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-xpsdocument-3.26.0+20180128.1bd86963-lp151.4.6.1
evince-plugin-xpsdocument-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
libevdocument3-4-3.26.0+20180128.1bd86963-lp151.4.6.1
libevdocument3-4-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
libevview3-3-3.26.0+20180128.1bd86963-lp151.4.6.1
libevview3-3-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
nautilus-evince-3.26.0+20180128.1bd86963-lp151.4.6.1
nautilus-evince-debuginfo-3.26.0+20180128.1bd86963-lp151.4.6.1
typelib-1_0-EvinceDocument-3_0-3.26.0+20180128.1bd86963-lp151.4.6.1
typelib-1_0-EvinceView-3_0-3.26.0+20180128.1bd86963-lp151.4.6.1

- openSUSE Leap 15.0 (noarch):

evince-lang-3.26.0+20180128.1bd86963-lp150.3.6.1

- openSUSE Leap 15.0 (x86_64):

evince-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-debugsource-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-devel-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-comicsdocument-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-comicsdocument-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-djvudocument-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-djvudocument-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-dvidocument-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-dvidocument-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-pdfdocument-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-pdfdocument-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-psdocument-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-psdocument-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-tiffdocument-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-tiffdocument-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-xpsdocument-3.26.0+20180128.1bd86963-lp150.3.6.1
evince-plugin-xpsdocument-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
libevdocument3-4-3.26.0+20180128.1bd86963-lp150.3.6.1
libevdocument3-4-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
libevview3-3-3.26.0+20180128.1bd86963-lp150.3.6.1
libevview3-3-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
nautilus-evince-3.26.0+20180128.1bd86963-lp150.3.6.1
nautilus-evince-debuginfo-3.26.0+20180128.1bd86963-lp150.3.6.1
typelib-1_0-EvinceDocument-3_0-3.26.0+20180128.1bd86963-lp150.3.6.1
typelib-1_0-EvinceView-3_0-3.26.0+20180128.1bd86963-lp150.3.6.1


References:

https://www.suse.com/security/cve/CVE-2019-1010006.html
https://bugzilla.suse.com/1141619

--


openSUSE-SU-2019:1909-1: important: Security update for vlc

openSUSE Security Update: Security update for vlc
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1909-1
Rating: important
References: #1093732 #1094893 #1118586 #1133290 #1138354
#1138933 #1141522 #1142161 #1143547 #1143549

Cross-References: CVE-2018-19857 CVE-2019-12874 CVE-2019-13602
CVE-2019-13962 CVE-2019-5439 CVE-2019-5459
CVE-2019-5460
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 7 vulnerabilities and has three fixes
is now available.

Description:

This update for vlc to version 3.0.7.1 fixes the following issues:

Security issues fixed:

- CVE-2019-5439: Fixed a buffer overflow (bsc#1138354).
- CVE-2019-5459: Fixed an integer underflow (bsc#1143549).
- CVE-2019-5460: Fixed a double free (bsc#1143547).
- CVE-2019-12874: Fixed a double free in zlib_decompress_extra in
modules/demux/mkv/util.cpp (bsc#1138933).
- CVE-2019-13602: Fixed an integer underflow in mp4 demuxer (boo#1141522).
- CVE-2019-13962: Fixed a heap-based buffer over-read in avcodec
(boo#1142161).

Non-security issues fixed:

- Video Output:
* Fix hardware acceleration with some AMD drivers
* Improve direct3d11 HDR support
- Access:
* Improve Blu-ray support
- Audio output:
* Fix pass-through on Android-23
* Fix DirectSound drain
- Demux: Improve MP4 support
- Video Output:
* Fix 12 bits sources playback with Direct3D11
* Fix crash on iOS
* Fix midstream aspect-ratio changes when Windows hardware decoding is on
* Fix HLG display with Direct3D11
- Stream Output: Improve Chromecast support with new ChromeCast apps
- Misc:
* Update Youtube, Dailymotion, Vimeo, Soundcloud scripts
* Work around busy looping when playing an invalid item with loop enabled
- Updated translations.

New package libaom:
* Initial version 1.0.0
* A library for AOMedia Video 1 (AV1), an open, royalty-free video
coding format designed for video transmissions over the Internet.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1909=1



Package List:

- openSUSE Leap 15.0 (noarch):

libaom-devel-doc-1.0.0-lp150.2.1
vlc-lang-3.0.7.1-lp150.8.1

- openSUSE Leap 15.0 (x86_64):

aom-tools-1.0.0-lp150.2.1
aom-tools-debuginfo-1.0.0-lp150.2.1
libaom-debugsource-1.0.0-lp150.2.1
libaom-devel-1.0.0-lp150.2.1
libaom0-1.0.0-lp150.2.1
libaom0-debuginfo-1.0.0-lp150.2.1
libvlc5-3.0.7.1-lp150.8.1
libvlc5-debuginfo-3.0.7.1-lp150.8.1
libvlccore9-3.0.7.1-lp150.8.1
libvlccore9-debuginfo-3.0.7.1-lp150.8.1
vlc-3.0.7.1-lp150.8.1
vlc-codec-gstreamer-3.0.7.1-lp150.8.1
vlc-codec-gstreamer-debuginfo-3.0.7.1-lp150.8.1
vlc-debuginfo-3.0.7.1-lp150.8.1
vlc-debugsource-3.0.7.1-lp150.8.1
vlc-devel-3.0.7.1-lp150.8.1
vlc-jack-3.0.7.1-lp150.8.1
vlc-jack-debuginfo-3.0.7.1-lp150.8.1
vlc-noX-3.0.7.1-lp150.8.1
vlc-noX-debuginfo-3.0.7.1-lp150.8.1
vlc-qt-3.0.7.1-lp150.8.1
vlc-qt-debuginfo-3.0.7.1-lp150.8.1
vlc-vdpau-3.0.7.1-lp150.8.1
vlc-vdpau-debuginfo-3.0.7.1-lp150.8.1


References:

https://www.suse.com/security/cve/CVE-2018-19857.html
https://www.suse.com/security/cve/CVE-2019-12874.html
https://www.suse.com/security/cve/CVE-2019-13602.html
https://www.suse.com/security/cve/CVE-2019-13962.html
https://www.suse.com/security/cve/CVE-2019-5439.html
https://www.suse.com/security/cve/CVE-2019-5459.html
https://www.suse.com/security/cve/CVE-2019-5460.html
https://bugzilla.suse.com/1093732
https://bugzilla.suse.com/1094893
https://bugzilla.suse.com/1118586
https://bugzilla.suse.com/1133290
https://bugzilla.suse.com/1138354
https://bugzilla.suse.com/1138933
https://bugzilla.suse.com/1141522
https://bugzilla.suse.com/1142161
https://bugzilla.suse.com/1143547
https://bugzilla.suse.com/1143549

--


openSUSE-SU-2019:1910-1: important: Security update for subversion

openSUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1910-1
Rating: important
References: #1142721 #1142743
Cross-References: CVE-2018-11782 CVE-2019-0203
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for subversion to version 1.10.6 fixes the following issues:

Security issues fixed:

- CVE-2018-11782: Fixed a remote denial of service in svnserve
'get-deleted-rev' (bsc#1142743).
- CVE-2019-0203: Fixed a remote, unauthenticated denial of service in
svnserve (bsc#1142721).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1910=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1910=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libsvn_auth_gnome_keyring-1-0-1.10.6-lp151.4.3.1
libsvn_auth_gnome_keyring-1-0-debuginfo-1.10.6-lp151.4.3.1
libsvn_auth_kwallet-1-0-1.10.6-lp151.4.3.1
libsvn_auth_kwallet-1-0-debuginfo-1.10.6-lp151.4.3.1
subversion-1.10.6-lp151.4.3.1
subversion-debuginfo-1.10.6-lp151.4.3.1
subversion-debugsource-1.10.6-lp151.4.3.1
subversion-devel-1.10.6-lp151.4.3.1
subversion-perl-1.10.6-lp151.4.3.1
subversion-perl-debuginfo-1.10.6-lp151.4.3.1
subversion-python-1.10.6-lp151.4.3.1
subversion-python-ctypes-1.10.6-lp151.4.3.1
subversion-python-debuginfo-1.10.6-lp151.4.3.1
subversion-ruby-1.10.6-lp151.4.3.1
subversion-ruby-debuginfo-1.10.6-lp151.4.3.1
subversion-server-1.10.6-lp151.4.3.1
subversion-server-debuginfo-1.10.6-lp151.4.3.1
subversion-tools-1.10.6-lp151.4.3.1
subversion-tools-debuginfo-1.10.6-lp151.4.3.1

- openSUSE Leap 15.1 (noarch):

subversion-bash-completion-1.10.6-lp151.4.3.1

- openSUSE Leap 15.0 (i586 x86_64):

libsvn_auth_gnome_keyring-1-0-1.10.6-lp150.7.1
libsvn_auth_gnome_keyring-1-0-debuginfo-1.10.6-lp150.7.1
libsvn_auth_kwallet-1-0-1.10.6-lp150.7.1
libsvn_auth_kwallet-1-0-debuginfo-1.10.6-lp150.7.1
subversion-1.10.6-lp150.7.1
subversion-debuginfo-1.10.6-lp150.7.1
subversion-debugsource-1.10.6-lp150.7.1
subversion-devel-1.10.6-lp150.7.1
subversion-perl-1.10.6-lp150.7.1
subversion-perl-debuginfo-1.10.6-lp150.7.1
subversion-python-1.10.6-lp150.7.1
subversion-python-ctypes-1.10.6-lp150.7.1
subversion-python-debuginfo-1.10.6-lp150.7.1
subversion-ruby-1.10.6-lp150.7.1
subversion-ruby-debuginfo-1.10.6-lp150.7.1
subversion-server-1.10.6-lp150.7.1
subversion-server-debuginfo-1.10.6-lp150.7.1
subversion-tools-1.10.6-lp150.7.1
subversion-tools-debuginfo-1.10.6-lp150.7.1

- openSUSE Leap 15.0 (noarch):

subversion-bash-completion-1.10.6-lp150.7.1


References:

https://www.suse.com/security/cve/CVE-2018-11782.html
https://www.suse.com/security/cve/CVE-2019-0203.html
https://bugzilla.suse.com/1142721
https://bugzilla.suse.com/1142743

--


openSUSE-SU-2019:1911-1: important: Security update for icedtea-web

openSUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1911-1
Rating: important
References: #1142825 #1142832 #1142835
Cross-References: CVE-2019-10181 CVE-2019-10182 CVE-2019-10185

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for icedtea-web to version 1.7.2 fixes the following issues:

Security issues fixed:

- CVE-2019-10181: Fixed an unsigned code injection in a signed JAR file
(bsc#1142835)
- CVE-2019-10182: Fixed a path traversal while processing elements
of JNLP files results in arbitrary file overwrite (bsc#1142825).
- CVE-2019-10185: Fixed a directory traversal in the nested jar
auto-extraction leading to arbitrary file overwrite (bsc#1142832).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1911=1



Package List:

- openSUSE Leap 15.0 (x86_64):

icedtea-web-1.7.2-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

icedtea-web-javadoc-1.7.2-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-10181.html
https://www.suse.com/security/cve/CVE-2019-10182.html
https://www.suse.com/security/cve/CVE-2019-10185.html
https://bugzilla.suse.com/1142825
https://bugzilla.suse.com/1142832
https://bugzilla.suse.com/1142835

--


openSUSE-SU-2019:1912-1: important: Security update for java-1_8_0-openjdk

openSUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1912-1
Rating: important
References: #1115375 #1141780 #1141782 #1141783 #1141784
#1141785 #1141786 #1141787 #1141789
Cross-References: CVE-2019-2745 CVE-2019-2762 CVE-2019-2766
CVE-2019-2769 CVE-2019-2786 CVE-2019-2816
CVE-2019-2842 CVE-2019-7317
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 8 vulnerabilities and has one errata
is now available.

Description:

This update for java-1_8_0-openjdk to version 8u222 fixes the following
issues:

Security issues fixed:

- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements

Non-security issue fixed:

- Fixed an issue where the installation failed when the manpages are not
present (bsc#1115375)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1912=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1912=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

java-1_8_0-openjdk-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-accessibility-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-debuginfo-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-debugsource-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-demo-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-demo-debuginfo-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-devel-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-devel-debuginfo-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-headless-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-headless-debuginfo-1.8.0.222-lp151.2.3.1
java-1_8_0-openjdk-src-1.8.0.222-lp151.2.3.1

- openSUSE Leap 15.1 (noarch):

java-1_8_0-openjdk-javadoc-1.8.0.222-lp151.2.3.1

- openSUSE Leap 15.0 (i586 x86_64):

java-1_8_0-openjdk-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-accessibility-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-debuginfo-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-debugsource-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-demo-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-demo-debuginfo-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-devel-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-devel-debuginfo-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-headless-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-headless-debuginfo-1.8.0.222-lp150.2.19.1
java-1_8_0-openjdk-src-1.8.0.222-lp150.2.19.1

- openSUSE Leap 15.0 (noarch):

java-1_8_0-openjdk-javadoc-1.8.0.222-lp150.2.19.1


References:

https://www.suse.com/security/cve/CVE-2019-2745.html
https://www.suse.com/security/cve/CVE-2019-2762.html
https://www.suse.com/security/cve/CVE-2019-2766.html
https://www.suse.com/security/cve/CVE-2019-2769.html
https://www.suse.com/security/cve/CVE-2019-2786.html
https://www.suse.com/security/cve/CVE-2019-2816.html
https://www.suse.com/security/cve/CVE-2019-2842.html
https://www.suse.com/security/cve/CVE-2019-7317.html
https://bugzilla.suse.com/1115375
https://bugzilla.suse.com/1141780
https://bugzilla.suse.com/1141782
https://bugzilla.suse.com/1141783
https://bugzilla.suse.com/1141784
https://bugzilla.suse.com/1141785
https://bugzilla.suse.com/1141786
https://bugzilla.suse.com/1141787
https://bugzilla.suse.com/1141789

--


openSUSE-SU-2019:1913-1: important: Security update for mariadb, mariadb-connector-c

openSUSE Security Update: Security update for mariadb, mariadb-connector-c
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1913-1
Rating: important
References: #1126088 #1132666 #1136035
Cross-References: CVE-2019-2614 CVE-2019-2627 CVE-2019-2628

Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for mariadb and mariadb-connector-c fixes the following issues:

mariadb:

- Update to version 10.2.25 (bsc#1136035)
- CVE-2019-2628: Fixed a remote denial of service by an privileged
attacker (bsc#1136035).
- CVE-2019-2627: Fixed another remote denial of service by an privileged
attacker (bsc#1136035).
- CVE-2019-2614: Fixed a potential remote denial of service by an
privileged attacker (bsc#1136035).
- Fixed reading options for multiple instances if my${INSTANCE}.cnf is
used (bsc#1132666)

mariadb-connector-c:

- Update to version 3.1.2 (bsc#1136035)
- Moved libmariadb.pc from /usr/lib/pkgconfig to /usr/lib64/pkgconfig for
x86_64 (bsc#1126088)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1913=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libmariadb-devel-3.1.2-lp151.3.3.1
libmariadb-devel-debuginfo-3.1.2-lp151.3.3.1
libmariadb3-3.1.2-lp151.3.3.1
libmariadb3-debuginfo-3.1.2-lp151.3.3.1
libmariadb_plugins-3.1.2-lp151.3.3.1
libmariadb_plugins-debuginfo-3.1.2-lp151.3.3.1
libmariadbprivate-3.1.2-lp151.3.3.1
libmariadbprivate-debuginfo-3.1.2-lp151.3.3.1
libmysqld-devel-10.2.25-lp151.2.3.1
libmysqld19-10.2.25-lp151.2.3.1
libmysqld19-debuginfo-10.2.25-lp151.2.3.1
mariadb-10.2.25-lp151.2.3.1
mariadb-bench-10.2.25-lp151.2.3.1
mariadb-bench-debuginfo-10.2.25-lp151.2.3.1
mariadb-client-10.2.25-lp151.2.3.1
mariadb-client-debuginfo-10.2.25-lp151.2.3.1
mariadb-connector-c-debugsource-3.1.2-lp151.3.3.1
mariadb-debuginfo-10.2.25-lp151.2.3.1
mariadb-debugsource-10.2.25-lp151.2.3.1
mariadb-galera-10.2.25-lp151.2.3.1
mariadb-test-10.2.25-lp151.2.3.1
mariadb-test-debuginfo-10.2.25-lp151.2.3.1
mariadb-tools-10.2.25-lp151.2.3.1
mariadb-tools-debuginfo-10.2.25-lp151.2.3.1

- openSUSE Leap 15.1 (noarch):

mariadb-errormessages-10.2.25-lp151.2.3.1

- openSUSE Leap 15.1 (x86_64):

libmariadb3-32bit-3.1.2-lp151.3.3.1
libmariadb3-32bit-debuginfo-3.1.2-lp151.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-2614.html
https://www.suse.com/security/cve/CVE-2019-2627.html
https://www.suse.com/security/cve/CVE-2019-2628.html
https://bugzilla.suse.com/1126088
https://bugzilla.suse.com/1132666
https://bugzilla.suse.com/1136035

--


openSUSE-SU-2019:1914-1: important: Security update for polkit

openSUSE Security Update: Security update for polkit
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1914-1
Rating: important
References: #1121826
Cross-References: CVE-2019-6133
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2019-6133: Fixed improper caching of auth decisions, which could
bypass uid checking in the interactive backend (bsc#1121826).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1914=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1914=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libpolkit0-0.114-lp151.5.3.1
libpolkit0-debuginfo-0.114-lp151.5.3.1
polkit-0.114-lp151.5.3.1
polkit-debuginfo-0.114-lp151.5.3.1
polkit-debugsource-0.114-lp151.5.3.1
polkit-devel-0.114-lp151.5.3.1
polkit-devel-debuginfo-0.114-lp151.5.3.1
typelib-1_0-Polkit-1_0-0.114-lp151.5.3.1

- openSUSE Leap 15.1 (x86_64):

libpolkit0-32bit-0.114-lp151.5.3.1
libpolkit0-32bit-debuginfo-0.114-lp151.5.3.1

- openSUSE Leap 15.1 (noarch):

polkit-doc-0.114-lp151.5.3.1

- openSUSE Leap 15.0 (i586 x86_64):

libpolkit0-0.114-lp150.2.10.1
libpolkit0-debuginfo-0.114-lp150.2.10.1
polkit-0.114-lp150.2.10.1
polkit-debuginfo-0.114-lp150.2.10.1
polkit-debugsource-0.114-lp150.2.10.1
polkit-devel-0.114-lp150.2.10.1
polkit-devel-debuginfo-0.114-lp150.2.10.1
typelib-1_0-Polkit-1_0-0.114-lp150.2.10.1

- openSUSE Leap 15.0 (x86_64):

libpolkit0-32bit-0.114-lp150.2.10.1
libpolkit0-32bit-debuginfo-0.114-lp150.2.10.1

- openSUSE Leap 15.0 (noarch):

polkit-doc-0.114-lp150.2.10.1


References:

https://www.suse.com/security/cve/CVE-2019-6133.html
https://bugzilla.suse.com/1121826

--


openSUSE-SU-2019:1915-1: important: Security update for mariadb, mariadb-connector-c

openSUSE Security Update: Security update for mariadb, mariadb-connector-c
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1915-1
Rating: important
References: #1126088 #1132666 #1136035
Cross-References: CVE-2019-2614 CVE-2019-2627 CVE-2019-2628

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for mariadb and mariadb-connector-c fixes the following issues:

mariadb:

- Update to version 10.2.25 (bsc#1136035)
- CVE-2019-2628: Fixed a remote denial of service by an privileged
attacker (bsc#1136035).
- CVE-2019-2627: Fixed another remote denial of service by an privileged
attacker (bsc#1136035).
- CVE-2019-2614: Fixed a potential remote denial of service by an
privileged attacker (bsc#1136035).
- Fixed reading options for multiple instances if my${INSTANCE}.cnf is
used (bsc#1132666)

mariadb-connector-c:

- Update to version 3.1.2 (bsc#1136035)
- Moved libmariadb.pc from /usr/lib/pkgconfig to /usr/lib64/pkgconfig for
x86_64 (bsc#1126088)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1915=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libmariadb-devel-3.1.2-lp150.10.1
libmariadb-devel-debuginfo-3.1.2-lp150.10.1
libmariadb3-3.1.2-lp150.10.1
libmariadb3-debuginfo-3.1.2-lp150.10.1
libmariadb_plugins-3.1.2-lp150.10.1
libmariadb_plugins-debuginfo-3.1.2-lp150.10.1
libmariadbprivate-3.1.2-lp150.10.1
libmariadbprivate-debuginfo-3.1.2-lp150.10.1
libmysqld-devel-10.2.25-lp150.2.13.1
libmysqld19-10.2.25-lp150.2.13.1
libmysqld19-debuginfo-10.2.25-lp150.2.13.1
mariadb-10.2.25-lp150.2.13.1
mariadb-bench-10.2.25-lp150.2.13.1
mariadb-bench-debuginfo-10.2.25-lp150.2.13.1
mariadb-client-10.2.25-lp150.2.13.1
mariadb-client-debuginfo-10.2.25-lp150.2.13.1
mariadb-connector-c-debugsource-3.1.2-lp150.10.1
mariadb-debuginfo-10.2.25-lp150.2.13.1
mariadb-debugsource-10.2.25-lp150.2.13.1
mariadb-galera-10.2.25-lp150.2.13.1
mariadb-test-10.2.25-lp150.2.13.1
mariadb-test-debuginfo-10.2.25-lp150.2.13.1
mariadb-tools-10.2.25-lp150.2.13.1
mariadb-tools-debuginfo-10.2.25-lp150.2.13.1

- openSUSE Leap 15.0 (noarch):

mariadb-errormessages-10.2.25-lp150.2.13.1

- openSUSE Leap 15.0 (x86_64):

libmariadb3-32bit-3.1.2-lp150.10.1
libmariadb3-32bit-debuginfo-3.1.2-lp150.10.1


References:

https://www.suse.com/security/cve/CVE-2019-2614.html
https://www.suse.com/security/cve/CVE-2019-2627.html
https://www.suse.com/security/cve/CVE-2019-2628.html
https://bugzilla.suse.com/1126088
https://bugzilla.suse.com/1132666
https://bugzilla.suse.com/1136035

--


openSUSE-SU-2019:1916-1: important: Security update for java-11-openjdk

openSUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1916-1
Rating: important
References: #1115375 #1140461 #1141780 #1141781 #1141782
#1141783 #1141784 #1141785 #1141787 #1141788
#1141789
Cross-References: CVE-2019-2745 CVE-2019-2762 CVE-2019-2766
CVE-2019-2769 CVE-2019-2786 CVE-2019-2816
CVE-2019-2818 CVE-2019-2821 CVE-2019-7317

Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 9 vulnerabilities and has two fixes
is now available.

Description:

This update for java-11-openjdk to version jdk-11.0.4+11 fixes the
following issues:

Security issues fixed:

- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-7317: Improve PNG support options (bsc#1141780).
- CVE-2019-2818: Better Poly1305 support (bsc#1141788).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2821: Improve TLS negotiation (bsc#1141781).
- Certificate validation improvements

Non-security issues fixed:

- Do not fail installation when the manpages are not present (bsc#1115375)
- Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if
there is whitespace after the header or footer (bsc#1140461)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1916=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1916=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

java-11-openjdk-11.0.4.0-lp151.3.6.1
java-11-openjdk-accessibility-11.0.4.0-lp151.3.6.1
java-11-openjdk-accessibility-debuginfo-11.0.4.0-lp151.3.6.1
java-11-openjdk-debuginfo-11.0.4.0-lp151.3.6.1
java-11-openjdk-debugsource-11.0.4.0-lp151.3.6.1
java-11-openjdk-demo-11.0.4.0-lp151.3.6.1
java-11-openjdk-devel-11.0.4.0-lp151.3.6.1
java-11-openjdk-headless-11.0.4.0-lp151.3.6.1
java-11-openjdk-jmods-11.0.4.0-lp151.3.6.1
java-11-openjdk-src-11.0.4.0-lp151.3.6.1

- openSUSE Leap 15.1 (noarch):

java-11-openjdk-javadoc-11.0.4.0-lp151.3.6.1

- openSUSE Leap 15.0 (noarch):

java-11-openjdk-javadoc-11.0.4.0-lp150.2.25.1

- openSUSE Leap 15.0 (x86_64):

java-11-openjdk-11.0.4.0-lp150.2.25.1
java-11-openjdk-accessibility-11.0.4.0-lp150.2.25.1
java-11-openjdk-accessibility-debuginfo-11.0.4.0-lp150.2.25.1
java-11-openjdk-debuginfo-11.0.4.0-lp150.2.25.1
java-11-openjdk-debugsource-11.0.4.0-lp150.2.25.1
java-11-openjdk-demo-11.0.4.0-lp150.2.25.1
java-11-openjdk-devel-11.0.4.0-lp150.2.25.1
java-11-openjdk-headless-11.0.4.0-lp150.2.25.1
java-11-openjdk-jmods-11.0.4.0-lp150.2.25.1
java-11-openjdk-src-11.0.4.0-lp150.2.25.1


References:

https://www.suse.com/security/cve/CVE-2019-2745.html
https://www.suse.com/security/cve/CVE-2019-2762.html
https://www.suse.com/security/cve/CVE-2019-2766.html
https://www.suse.com/security/cve/CVE-2019-2769.html
https://www.suse.com/security/cve/CVE-2019-2786.html
https://www.suse.com/security/cve/CVE-2019-2816.html
https://www.suse.com/security/cve/CVE-2019-2818.html
https://www.suse.com/security/cve/CVE-2019-2821.html
https://www.suse.com/security/cve/CVE-2019-7317.html
https://bugzilla.suse.com/1115375
https://bugzilla.suse.com/1140461
https://bugzilla.suse.com/1141780
https://bugzilla.suse.com/1141781
https://bugzilla.suse.com/1141782
https://bugzilla.suse.com/1141783
https://bugzilla.suse.com/1141784
https://bugzilla.suse.com/1141785
https://bugzilla.suse.com/1141787
https://bugzilla.suse.com/1141788
https://bugzilla.suse.com/1141789

--


openSUSE-SU-2019:1917-1: important: Security update for gpg2

openSUSE Security Update: Security update for gpg2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1917-1
Rating: important
References: #1124847 #1141093
Cross-References: CVE-2019-13050
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed a denial of service attacks via big keys
(bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1917=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1917=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

gpg2-2.2.5-lp151.6.3.1
gpg2-debuginfo-2.2.5-lp151.6.3.1
gpg2-debugsource-2.2.5-lp151.6.3.1

- openSUSE Leap 15.1 (noarch):

gpg2-lang-2.2.5-lp151.6.3.1

- openSUSE Leap 15.0 (i586 x86_64):

gpg2-2.2.5-lp150.3.10.1
gpg2-debuginfo-2.2.5-lp150.3.10.1
gpg2-debugsource-2.2.5-lp150.3.10.1

- openSUSE Leap 15.0 (noarch):

gpg2-lang-2.2.5-lp150.3.10.1


References:

https://www.suse.com/security/cve/CVE-2019-13050.html
https://bugzilla.suse.com/1124847
https://bugzilla.suse.com/1141093

--


openSUSE-SU-2019:1918-1: important: Security update for bzip2

openSUSE Security Update: Security update for bzip2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1918-1
Rating: important
References: #1139083
Cross-References: CVE-2019-12900
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused
incompatibilities with files that used many selectors (bsc#1139083).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1918=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1918=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

bzip2-1.0.6-lp151.5.9.1
bzip2-debuginfo-1.0.6-lp151.5.9.1
bzip2-debugsource-1.0.6-lp151.5.9.1
libbz2-1-1.0.6-lp151.5.9.1
libbz2-1-debuginfo-1.0.6-lp151.5.9.1
libbz2-devel-1.0.6-lp151.5.9.1

- openSUSE Leap 15.1 (noarch):

bzip2-doc-1.0.6-lp151.5.9.1

- openSUSE Leap 15.1 (x86_64):

libbz2-1-32bit-1.0.6-lp151.5.9.1
libbz2-1-32bit-debuginfo-1.0.6-lp151.5.9.1
libbz2-devel-32bit-1.0.6-lp151.5.9.1

- openSUSE Leap 15.0 (i586 x86_64):

bzip2-1.0.6-lp150.4.9.1
bzip2-debuginfo-1.0.6-lp150.4.9.1
bzip2-debugsource-1.0.6-lp150.4.9.1
libbz2-1-1.0.6-lp150.4.9.1
libbz2-1-debuginfo-1.0.6-lp150.4.9.1
libbz2-devel-1.0.6-lp150.4.9.1

- openSUSE Leap 15.0 (x86_64):

libbz2-1-32bit-1.0.6-lp150.4.9.1
libbz2-1-32bit-debuginfo-1.0.6-lp150.4.9.1
libbz2-devel-32bit-1.0.6-lp150.4.9.1

- openSUSE Leap 15.0 (noarch):

bzip2-doc-1.0.6-lp150.4.9.1


References:

https://www.suse.com/security/cve/CVE-2019-12900.html
https://bugzilla.suse.com/1139083

--