SUSE 5152 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2019:2184-1: moderate: Security update for varnish
openSUSE-SU-2019:2185-1: moderate: Security update for links
openSUSE-SU-2019:2186-1: important: Security update for chromium



openSUSE-SU-2019:2184-1: moderate: Security update for varnish

openSUSE Security Update: Security update for varnish
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2184-1
Rating: moderate
References: #1149382
Cross-References: CVE-2019-15892
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for varnish fixes the following issues:

Security issue fixed:

- CVE-2019-15892: Fixed a potential denial of service by sending crafted
HTTP/1 requests (boo#1149382).

Non-security issues fixed:

- Updated the package to release 6.2.1.
- Added a thread pool watchdog which will restart the worker process if
scheduling tasks onto worker threads appears stuck. The new parameter
"thread_pool_watchdog" configures it.
- Disabled error for clobbering, which caused bogus error in varnishtest.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2184=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-2184=1



Package List:

- openSUSE Leap 15.1 (x86_64):

libvarnishapi2-6.2.1-lp151.3.3.1
libvarnishapi2-debuginfo-6.2.1-lp151.3.3.1
varnish-6.2.1-lp151.3.3.1
varnish-debuginfo-6.2.1-lp151.3.3.1
varnish-debugsource-6.2.1-lp151.3.3.1
varnish-devel-6.2.1-lp151.3.3.1

- openSUSE Leap 15.0 (x86_64):

libvarnishapi2-6.2.1-lp150.2.3.1
libvarnishapi2-debuginfo-6.2.1-lp150.2.3.1
varnish-6.2.1-lp150.2.3.1
varnish-debuginfo-6.2.1-lp150.2.3.1
varnish-debugsource-6.2.1-lp150.2.3.1
varnish-devel-6.2.1-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-15892.html
https://bugzilla.suse.com/1149382

openSUSE-SU-2019:2185-1: moderate: Security update for links

openSUSE Security Update: Security update for links
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2185-1
Rating: moderate
References: #1149886
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
openSUSE Backports SLE-15-SP1
openSUSE Backports SLE-15
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for links fixes the following issues:

links was updated to 2.20.1:

* libevent bug fixes

links was updated to 2.20:

* Security bug fixed: when links was connected to tor, it would send real
dns requests outside the tor network when the displayed page contains
link elements with rel=dns-prefetch boo#1149886
* stability improvements
* file urls support local hostnames
* mouse support improvement
* improve interaction with Google
* Support the zstd compression algorithm
* Use proper cookie expiry

links was updated to 2.19:

* Fixed a crash on invalidn IDN URLs
* Make font selection possible via fontconfig
* Show certificate authority in Document info box
* Use international error messages
* The -dump switch didn't report errors on stdout write

links was updated to 2.18:

* Automatically enable tor mode when the socks port is 9050
* When in tor mode, invert colors on top line and bottom line
* Fix an incorrect shift in write_ev_queue
* Fix runtime error sanitizer warning
* Add a menu entry to save and load a clipboard
* Don't synch with Xserver on every pixmap load
* Fix "Network Options" bug that caused a timeout
* Fix a possible integer overflow in decoder_memory_expand
* Fix possible pointer arithmetics bug if os allocated few bytes
* Add a button to never accept invalid certs for a given server
* Fix incorrect strings -html-t-text-color
* Add ascii replacement of Romanian S and T with comma
* Fix a bug when IPv6 control connection to ftp server fails

links was updated to 2.17:

* Fix verifying SSL certificates for numeric IPv6 addresses
* Delete the option -ftp.fast - it doesn't always work and ftp performance
is not an issue anymore
* Add bold and monospaced Turkish letter 'i' without a dot
* On OS/2 allocate OpenSSL memory fro the lower heap. It fixes SSL on
systems with old 16-bit TCP/IP stack
* Fix IPv6 on OpenVMS Alpha
* Support mouse scroll wheel in textarea
* Delete the option -http-bugs.bug-302-redirect - RFC7231 allows the
"buggy" behavior and defines new codes 307 and 308 that retain the post
data
* X11 - fixed colormap leak when creating a new window
* Fixed an infinite loop that happened in graphics mode if the user
clicked on OK in "Miscellaneous options" dialog and more than one
windows were open. This bug was introduced in Links 2.15
* Support 6x6x6 RGB palette in 256-bit color mode on framebuffer
* Implement dithering properly on OS/2 in 15-bit and 16-bit color mode. In
8-bit mode, Links may optionally use a private palette - it improves
visual quality of Links images, but degrades visual quality of other
concurrently running programs.
* Improve scrolling smoothness when the user drags the whole document
* On OS/2, allocate large memory blocks directly (not with malloc). It
reduces memory waste
* Fixed a bug that setting terminal title and resizing a terminal didn't
work on OS/2 and Windows. The bug was introduced in Links 2.16 when
shutting up coverity warnings
* Set link color to yellow by default
* Delete the option -http-bugs.bug-post-no-keepalive. It was needed in
1999 to avoid some bug in some http server and it is not needed anymore
* Trust Content-Length on HTTP/1.0 redirect requests. This fixes hangs
with misbehaving servers that honor Connection:keep-alive but send out
HTTP/1.0 reply without Connection: keep-alive. Links thought that they
don't support keep-alive and waited for the connection to close (for
example http://www.raspberrypi.org)
* Use keys 'H' and 'L' to select the top and bottom link on the current
page

links was updated to 2.16:

* Improve handling of the DELETE key
* Implement the bracketed paste mode
* Fix various bugs found by coverity
* Fix a crash in proxy authentication code
* Fixed internal error "invalid set_handlers call" on framebuffer if links
is suspend and terminate at the same time


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2185=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-2185=1

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-2185=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-2185=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

links-2.20.1-lp151.3.3.1
links-debuginfo-2.20.1-lp151.3.3.1
links-debugsource-2.20.1-lp151.3.3.1

- openSUSE Leap 15.0 (x86_64):

links-2.20.1-lp150.2.3.1
links-debuginfo-2.20.1-lp150.2.3.1
links-debugsource-2.20.1-lp150.2.3.1

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

links-2.20.1-bp151.4.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

links-2.20.1-bp150.2.3.1
links-debuginfo-2.20.1-bp150.2.3.1
links-debugsource-2.20.1-bp150.2.3.1


References:

https://bugzilla.suse.com/1149886

openSUSE-SU-2019:2186-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2186-1
Rating: important
References: #1151229
Cross-References: CVE-2019-13685 CVE-2019-13686 CVE-2019-13687
CVE-2019-13688
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for chromium to version 77.0.3865.90 fixes the following
issues:

- CVE-2019-13685: Fixed a use-after-free in UI. (boo#1151229)
- CVE-2019-13688: Fixed a use-after-free in media. (boo#1151229)
- CVE-2019-13687: Fixed a use-after-free in media. (boo#1151229)
- CVE-2019-13686: Fixed a use-after-free in offline pages. (boo#1151229)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2186=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-2186=1



Package List:

- openSUSE Leap 15.1 (x86_64):

chromedriver-77.0.3865.90-lp151.2.33.1
chromedriver-debuginfo-77.0.3865.90-lp151.2.33.1
chromium-77.0.3865.90-lp151.2.33.1
chromium-debuginfo-77.0.3865.90-lp151.2.33.1
chromium-debugsource-77.0.3865.90-lp151.2.33.1

- openSUSE Leap 15.0 (x86_64):

chromedriver-77.0.3865.90-lp150.242.1
chromedriver-debuginfo-77.0.3865.90-lp150.242.1
chromium-77.0.3865.90-lp150.242.1
chromium-debuginfo-77.0.3865.90-lp150.242.1
chromium-debugsource-77.0.3865.90-lp150.242.1


References:

https://www.suse.com/security/cve/CVE-2019-13685.html
https://www.suse.com/security/cve/CVE-2019-13686.html
https://www.suse.com/security/cve/CVE-2019-13687.html
https://www.suse.com/security/cve/CVE-2019-13688.html
https://bugzilla.suse.com/1151229