
The following updates have been released for openSUSE:

openSUSE-SU-2019:2219-1: moderate: Security update for djvulibre
openSUSE-SU-2019:2221-1: moderate: Security update for varnish
openSUSE-SU-2019:2222-1: important: Security update for ghostscript
openSUSE-SU-2019:2223-1: important: Security update for ghostscript
openSUSE-SU-2019:2224-1: moderate: Security update for SDL2
openSUSE-SU-2019:2225-1: moderate: Security update for python-numpy
openSUSE-SU-2019:2226-1: moderate: Security update for SDL2
openSUSE-SU-2019:2227-1: moderate: Security update for python-numpy



openSUSE-SU-2019:2219-1: moderate: Security update for djvulibre

openSUSE Security Update: Security update for djvulibre
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2219-1
Rating: moderate
References: #1146569 #1146571 #1146572 #1146702
Cross-References: CVE-2019-15142 CVE-2019-15143 CVE-2019-15144
CVE-2019-15145
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for djvulibre fixes the following issues:

Security issues fixed:

- CVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).
- CVE-2019-15143: Fixed resource exhaustion caused by corrupted image
files (bsc#1146569).
- CVE-2019-15144: Fixed denial-of-service caused by crafted PBM image
files (bsc#1146571).
- CVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image
files (bsc#1146572).
- Fixed segfault when libtiff encounters corrupted TIFF (upstream issue
#295).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2219=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

djvulibre-3.5.27-lp151.3.3.1
djvulibre-debuginfo-3.5.27-lp151.3.3.1
djvulibre-debugsource-3.5.27-lp151.3.3.1
djvulibre-doc-3.5.27-lp151.3.3.1
libdjvulibre-devel-3.5.27-lp151.3.3.1
libdjvulibre21-3.5.27-lp151.3.3.1
libdjvulibre21-debuginfo-3.5.27-lp151.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-15142.html
https://www.suse.com/security/cve/CVE-2019-15143.html
https://www.suse.com/security/cve/CVE-2019-15144.html
https://www.suse.com/security/cve/CVE-2019-15145.html
https://bugzilla.suse.com/1146569
https://bugzilla.suse.com/1146571
https://bugzilla.suse.com/1146572
https://bugzilla.suse.com/1146702

openSUSE-SU-2019:2221-1: moderate: Security update for varnish

openSUSE Security Update: Security update for varnish
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2221-1
Rating: moderate
References: #1149382
Cross-References: CVE-2019-15892
Affected Products:
openSUSE Backports SLE-15-SP1
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for varnish fixes the following issues:

Security issue fixed:

- CVE-2019-15892: Fixed a potential denial of service by sending crafted
HTTP/1 requests (boo#1149382).

Non-security issues fixed:

- Updated the package to release 6.2.1.
- Added a thread pool watchdog which will restart the worker process if
scheduling tasks onto worker threads appears stuck. The new parameter
"thread_pool_watchdog" configures it.
- Disabled error for clobbering, which caused bogus error in varnishtest.

This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-2221=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-2221=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

libvarnishapi2-6.2.1-bp151.4.3.1
libvarnishapi2-debuginfo-6.2.1-bp151.4.3.1
varnish-6.2.1-bp151.4.3.1
varnish-debuginfo-6.2.1-bp151.4.3.1
varnish-debugsource-6.2.1-bp151.4.3.1
varnish-devel-6.2.1-bp151.4.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

libvarnishapi2-6.2.1-bp150.3.3.1
varnish-6.2.1-bp150.3.3.1
varnish-devel-6.2.1-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-15892.html
https://bugzilla.suse.com/1149382

openSUSE-SU-2019:2222-1: important: Security update for ghostscript

openSUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2222-1
Rating: important
References: #1129180 #1129186 #1134156 #1140359 #1146882
#1146884
Cross-References: CVE-2019-12973 CVE-2019-14811 CVE-2019-14812
CVE-2019-14813 CVE-2019-14817 CVE-2019-3835
CVE-2019-3839
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for ghostscript fixes the following issues:

Security issues fixed:

- CVE-2019-3835: Fixed an unauthorized file system access caused by an
available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by
available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG
function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in
.pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in
setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in
setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in
.pdfexectoken and other procedures. (bsc#1146884)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-2222=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ghostscript-9.27-lp150.2.23.1
ghostscript-debuginfo-9.27-lp150.2.23.1
ghostscript-debugsource-9.27-lp150.2.23.1
ghostscript-devel-9.27-lp150.2.23.1
ghostscript-mini-9.27-lp150.2.23.1
ghostscript-mini-debuginfo-9.27-lp150.2.23.1
ghostscript-mini-debugsource-9.27-lp150.2.23.1
ghostscript-mini-devel-9.27-lp150.2.23.1
ghostscript-x11-9.27-lp150.2.23.1
ghostscript-x11-debuginfo-9.27-lp150.2.23.1


References:

https://www.suse.com/security/cve/CVE-2019-12973.html
https://www.suse.com/security/cve/CVE-2019-14811.html
https://www.suse.com/security/cve/CVE-2019-14812.html
https://www.suse.com/security/cve/CVE-2019-14813.html
https://www.suse.com/security/cve/CVE-2019-14817.html
https://www.suse.com/security/cve/CVE-2019-3835.html
https://www.suse.com/security/cve/CVE-2019-3839.html
https://bugzilla.suse.com/1129180
https://bugzilla.suse.com/1129186
https://bugzilla.suse.com/1134156
https://bugzilla.suse.com/1140359
https://bugzilla.suse.com/1146882
https://bugzilla.suse.com/1146884

openSUSE-SU-2019:2223-1: important: Security update for ghostscript

openSUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2223-1
Rating: important
References: #1129180 #1129186 #1134156 #1140359 #1146882
#1146884
Cross-References: CVE-2019-12973 CVE-2019-14811 CVE-2019-14812
CVE-2019-14813 CVE-2019-14817 CVE-2019-3835
CVE-2019-3839
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for ghostscript fixes the following issues:

Security issues fixed:

- CVE-2019-3835: Fixed an unauthorized file system access caused by an
available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by
available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG
function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in
.pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in
setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in
setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in
.pdfexectoken and other procedures. (bsc#1146884)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2223=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

ghostscript-9.27-lp151.3.6.1
ghostscript-debuginfo-9.27-lp151.3.6.1
ghostscript-debugsource-9.27-lp151.3.6.1
ghostscript-devel-9.27-lp151.3.6.1
ghostscript-mini-9.27-lp151.3.6.1
ghostscript-mini-debuginfo-9.27-lp151.3.6.1
ghostscript-mini-debugsource-9.27-lp151.3.6.1
ghostscript-mini-devel-9.27-lp151.3.6.1
ghostscript-x11-9.27-lp151.3.6.1
ghostscript-x11-debuginfo-9.27-lp151.3.6.1


References:

https://www.suse.com/security/cve/CVE-2019-12973.html
https://www.suse.com/security/cve/CVE-2019-14811.html
https://www.suse.com/security/cve/CVE-2019-14812.html
https://www.suse.com/security/cve/CVE-2019-14813.html
https://www.suse.com/security/cve/CVE-2019-14817.html
https://www.suse.com/security/cve/CVE-2019-3835.html
https://www.suse.com/security/cve/CVE-2019-3839.html
https://bugzilla.suse.com/1129180
https://bugzilla.suse.com/1129186
https://bugzilla.suse.com/1134156
https://bugzilla.suse.com/1140359
https://bugzilla.suse.com/1146882
https://bugzilla.suse.com/1146884

openSUSE-SU-2019:2224-1: moderate: Security update for SDL2

openSUSE Security Update: Security update for SDL2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2224-1
Rating: moderate
References: #1141844 #1142031
Cross-References: CVE-2019-13616 CVE-2019-13626
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for SDL2 fixes the following issues:

Security issues fixed:

- CVE-2019-13616: Fixed heap-based buffer over-read in BlitNtoN in
video/SDL_blit_N.c (bsc#1141844).
- CVE-2019-13626: Fixed integer overflow in IMA_ADPCM_decode() in
audio/SDL_wave.c (bsc#1142031).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-2224=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

SDL2-debugsource-2.0.8-lp150.2.9.1
libSDL2-2_0-0-2.0.8-lp150.2.9.1
libSDL2-2_0-0-debuginfo-2.0.8-lp150.2.9.1
libSDL2-devel-2.0.8-lp150.2.9.1

- openSUSE Leap 15.0 (x86_64):

libSDL2-2_0-0-32bit-2.0.8-lp150.2.9.1
libSDL2-2_0-0-32bit-debuginfo-2.0.8-lp150.2.9.1
libSDL2-devel-32bit-2.0.8-lp150.2.9.1


References:

https://www.suse.com/security/cve/CVE-2019-13616.html
https://www.suse.com/security/cve/CVE-2019-13626.html
https://bugzilla.suse.com/1141844
https://bugzilla.suse.com/1142031

openSUSE-SU-2019:2225-1: moderate: Security update for python-numpy

openSUSE Security Update: Security update for python-numpy
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2225-1
Rating: moderate
References: #1149203
Cross-References: CVE-2019-6446
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-numpy fixes the following issues:

Non-security issues fixed:

- Updated to upstream version 1.16.1. (bsc#1149203) (jsc#SLE-8532)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-2225=1



Package List:

- openSUSE Leap 15.0 (x86_64):

python-numpy-debuginfo-1.16.1-lp150.8.1
python-numpy-debugsource-1.16.1-lp150.8.1
python-numpy_1_16_1-gnu-hpc-debuginfo-1.16.1-lp150.8.1
python-numpy_1_16_1-gnu-hpc-debugsource-1.16.1-lp150.8.1
python2-numpy-1.16.1-lp150.8.1
python2-numpy-debuginfo-1.16.1-lp150.8.1
python2-numpy-devel-1.16.1-lp150.8.1
python2-numpy-gnu-hpc-1.16.1-lp150.8.1
python2-numpy-gnu-hpc-devel-1.16.1-lp150.8.1
python2-numpy_1_16_1-gnu-hpc-1.16.1-lp150.8.1
python2-numpy_1_16_1-gnu-hpc-debuginfo-1.16.1-lp150.8.1
python2-numpy_1_16_1-gnu-hpc-devel-1.16.1-lp150.8.1
python3-numpy-1.16.1-lp150.8.1
python3-numpy-debuginfo-1.16.1-lp150.8.1
python3-numpy-devel-1.16.1-lp150.8.1
python3-numpy-gnu-hpc-1.16.1-lp150.8.1
python3-numpy-gnu-hpc-devel-1.16.1-lp150.8.1
python3-numpy_1_16_1-gnu-hpc-1.16.1-lp150.8.1
python3-numpy_1_16_1-gnu-hpc-debuginfo-1.16.1-lp150.8.1
python3-numpy_1_16_1-gnu-hpc-devel-1.16.1-lp150.8.1


References:

https://www.suse.com/security/cve/CVE-2019-6446.html
https://bugzilla.suse.com/1149203

openSUSE-SU-2019:2226-1: moderate: Security update for SDL2

openSUSE Security Update: Security update for SDL2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2226-1
Rating: moderate
References: #1141844 #1142031
Cross-References: CVE-2019-13616 CVE-2019-13626
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for SDL2 fixes the following issues:

Security issues fixed:

- CVE-2019-13616: Fixed heap-based buffer over-read in BlitNtoN in
video/SDL_blit_N.c (bsc#1141844).
- CVE-2019-13626: Fixed integer overflow in IMA_ADPCM_decode() in
audio/SDL_wave.c (bsc#1142031).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2226=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

SDL2-debugsource-2.0.8-lp151.4.6.1
libSDL2-2_0-0-2.0.8-lp151.4.6.1
libSDL2-2_0-0-debuginfo-2.0.8-lp151.4.6.1
libSDL2-devel-2.0.8-lp151.4.6.1

- openSUSE Leap 15.1 (x86_64):

libSDL2-2_0-0-32bit-2.0.8-lp151.4.6.1
libSDL2-2_0-0-32bit-debuginfo-2.0.8-lp151.4.6.1
libSDL2-devel-32bit-2.0.8-lp151.4.6.1


References:

https://www.suse.com/security/cve/CVE-2019-13616.html
https://www.suse.com/security/cve/CVE-2019-13626.html
https://bugzilla.suse.com/1141844
https://bugzilla.suse.com/1142031

openSUSE-SU-2019:2227-1: moderate: Security update for python-numpy

openSUSE Security Update: Security update for python-numpy
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2227-1
Rating: moderate
References: #1149203
Cross-References: CVE-2019-6446
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-numpy fixes the following issues:

Non-security issues fixed:

- Updated to upstream version 1.16.1. (bsc#1149203) (jsc#SLE-8532)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2227=1



Package List:

- openSUSE Leap 15.1 (x86_64):

python-numpy-debuginfo-1.16.1-lp151.5.3.1
python-numpy-debugsource-1.16.1-lp151.5.3.1
python-numpy_1_16_1-gnu-hpc-debuginfo-1.16.1-lp151.5.3.1
python-numpy_1_16_1-gnu-hpc-debugsource-1.16.1-lp151.5.3.1
python2-numpy-1.16.1-lp151.5.3.1
python2-numpy-debuginfo-1.16.1-lp151.5.3.1
python2-numpy-devel-1.16.1-lp151.5.3.1
python2-numpy-gnu-hpc-1.16.1-lp151.5.3.1
python2-numpy-gnu-hpc-devel-1.16.1-lp151.5.3.1
python2-numpy_1_16_1-gnu-hpc-1.16.1-lp151.5.3.1
python2-numpy_1_16_1-gnu-hpc-debuginfo-1.16.1-lp151.5.3.1
python2-numpy_1_16_1-gnu-hpc-devel-1.16.1-lp151.5.3.1
python3-numpy-1.16.1-lp151.5.3.1
python3-numpy-debuginfo-1.16.1-lp151.5.3.1
python3-numpy-devel-1.16.1-lp151.5.3.1
python3-numpy-gnu-hpc-1.16.1-lp151.5.3.1
python3-numpy-gnu-hpc-devel-1.16.1-lp151.5.3.1
python3-numpy_1_16_1-gnu-hpc-1.16.1-lp151.5.3.1
python3-numpy_1_16_1-gnu-hpc-debuginfo-1.16.1-lp151.5.3.1
python3-numpy_1_16_1-gnu-hpc-devel-1.16.1-lp151.5.3.1


References:

https://www.suse.com/security/cve/CVE-2019-6446.html
https://bugzilla.suse.com/1149203