
The following updates have been released for openSUSE:

openSUSE-SU-2018:2283-1: important: Security update for ceph
openSUSE-SU-2018:2284-1: moderate: Security update for polkit
openSUSE-SU-2018:2285-1: moderate: Security update for webkit2gtk3
openSUSE-SU-2018:2286-1: moderate: Security update for libraw
openSUSE-SU-2018:2287-1: moderate: Security update for gdk-pixbuf
openSUSE-SU-2018:2288-1: important: Security update for libtirpc
openSUSE-SU-2018:2289-1: moderate: Security update for sssd
openSUSE-SU-2018:2290-1: moderate: Security update for blueman
openSUSE-SU-2018:2291-1: moderate: Security update for python-mitmproxy
openSUSE-SU-2018:2292-1: moderate: Security update for cups
openSUSE-SU-2018:2293-1: moderate: Security update for mysql-community-server
openSUSE-SU-2018:2294-1: Security update for libcdio
openSUSE-SU-2018:2295-1: important: Security update for virtualbox
openSUSE-SU-2018:2296-1: moderate: Security update for libsoup



openSUSE-SU-2018:2283-1: important: Security update for ceph

openSUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2283-1
Rating: important
References: #1092874 #1094932 #1096748 #1099162
Cross-References: CVE-2018-10861 CVE-2018-1128 CVE-2018-1129

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves three vulnerabilities and has one
errata is now available.

Description:

This update for ceph fixes the following issues:

Security issues fixed:

- CVE-2018-10861: Ensure that ceph-mon does perform authorization on all
OSD pool ops (bsc#1099162)
- CVE-2018-1129: cephx signature check bypass (bsc#1096748)
- CVE-2018-1128: cephx protocol was vulnerable to replay attack
(bsc#1096748)

Bugs fixed in 12.2.7-420-gc0ef85b854:

- luminous: osd: eternal stuck PG in 'unfound_recovery' (bsc#1094932)
- bluestore: db.slow used when db is not full (bsc#1092874)
- Upstream fixes and improvements, see
https://ceph.com/releases/12-2-7-luminous-released/

This update was imported from the SUSE:SLE-12-SP3:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-854=1



Package List:

- openSUSE Leap 42.3 (x86_64):

ceph-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-base-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-base-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-common-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-common-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-debugsource-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-fuse-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-fuse-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-mds-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-mds-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-mgr-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-mgr-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-mon-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-mon-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-osd-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-osd-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-radosgw-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-radosgw-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-resource-agents-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-test-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-test-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
ceph-test-debugsource-12.2.7+git.1531910353.c0ef85b854-12.1
libcephfs-devel-12.2.7+git.1531910353.c0ef85b854-12.1
libcephfs2-12.2.7+git.1531910353.c0ef85b854-12.1
libcephfs2-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
librados-devel-12.2.7+git.1531910353.c0ef85b854-12.1
librados-devel-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
librados2-12.2.7+git.1531910353.c0ef85b854-12.1
librados2-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
libradosstriper-devel-12.2.7+git.1531910353.c0ef85b854-12.1
libradosstriper1-12.2.7+git.1531910353.c0ef85b854-12.1
libradosstriper1-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
librbd-devel-12.2.7+git.1531910353.c0ef85b854-12.1
librbd1-12.2.7+git.1531910353.c0ef85b854-12.1
librbd1-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
librgw-devel-12.2.7+git.1531910353.c0ef85b854-12.1
librgw2-12.2.7+git.1531910353.c0ef85b854-12.1
librgw2-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python-ceph-compat-12.2.7+git.1531910353.c0ef85b854-12.1
python-cephfs-12.2.7+git.1531910353.c0ef85b854-12.1
python-cephfs-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python-rados-12.2.7+git.1531910353.c0ef85b854-12.1
python-rados-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python-rbd-12.2.7+git.1531910353.c0ef85b854-12.1
python-rbd-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python-rgw-12.2.7+git.1531910353.c0ef85b854-12.1
python-rgw-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python3-ceph-argparse-12.2.7+git.1531910353.c0ef85b854-12.1
python3-cephfs-12.2.7+git.1531910353.c0ef85b854-12.1
python3-cephfs-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python3-rados-12.2.7+git.1531910353.c0ef85b854-12.1
python3-rados-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python3-rbd-12.2.7+git.1531910353.c0ef85b854-12.1
python3-rbd-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
python3-rgw-12.2.7+git.1531910353.c0ef85b854-12.1
python3-rgw-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
rados-objclass-devel-12.2.7+git.1531910353.c0ef85b854-12.1
rbd-fuse-12.2.7+git.1531910353.c0ef85b854-12.1
rbd-fuse-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
rbd-mirror-12.2.7+git.1531910353.c0ef85b854-12.1
rbd-mirror-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1
rbd-nbd-12.2.7+git.1531910353.c0ef85b854-12.1
rbd-nbd-debuginfo-12.2.7+git.1531910353.c0ef85b854-12.1


References:

https://www.suse.com/security/cve/CVE-2018-10861.html
https://www.suse.com/security/cve/CVE-2018-1128.html
https://www.suse.com/security/cve/CVE-2018-1129.html
https://bugzilla.suse.com/1092874
https://bugzilla.suse.com/1094932
https://bugzilla.suse.com/1096748
https://bugzilla.suse.com/1099162

--


openSUSE-SU-2018:2284-1: moderate: Security update for polkit

openSUSE Security Update: Security update for polkit
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2284-1
Rating: moderate
References: #1099031
Cross-References: CVE-2018-1116
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-1116: Fix uid comparison lacking in
polkit_backend_interactive_authority_check_authorization (bsc#1099031).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-848=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libpolkit0-0.114-lp150.2.3.1
libpolkit0-debuginfo-0.114-lp150.2.3.1
polkit-0.114-lp150.2.3.1
polkit-debuginfo-0.114-lp150.2.3.1
polkit-debugsource-0.114-lp150.2.3.1
polkit-devel-0.114-lp150.2.3.1
polkit-devel-debuginfo-0.114-lp150.2.3.1
typelib-1_0-Polkit-1_0-0.114-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libpolkit0-32bit-0.114-lp150.2.3.1
libpolkit0-32bit-debuginfo-0.114-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

polkit-doc-0.114-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1116.html
https://bugzilla.suse.com/1099031

--


openSUSE-SU-2018:2285-1: moderate: Security update for webkit2gtk3

openSUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2285-1
Rating: moderate
References: #1095611 #1097693
Cross-References: CVE-2018-11646 CVE-2018-4190 CVE-2018-4199
CVE-2018-4218 CVE-2018-4222 CVE-2018-4232
CVE-2018-4233
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for webkit2gtk3 to version 2.20.3 fixes the following issues:

These security issues were fixed:

- CVE-2018-4190: An unspecified issue allowed remote attackers to obtain
sensitive credential information that is transmitted during a CSS
mask-image fetch (bsc#1097693).
- CVE-2018-4199: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (buffer overflow and
application crash) via a crafted web site (bsc#1097693)
- CVE-2018-4218: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site that triggers an
@generatorState use-after-free (bsc#1097693)
- CVE-2018-4222: An unspecified issue allowed remote attackers to execute
arbitrary code via a crafted web site that leverages a
getWasmBufferFromValue out-of-bounds read during WebAssembly compilation
(bsc#1097693)
- CVE-2018-4232: An unspecified issue allowed remote attackers to
overwrite cookies via a crafted web site (bsc#1097693)
- CVE-2018-4233: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1097693)
- CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and
webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL,
leading to an application crash (bsc#1095611).

These non-security issues were fixed:

- Disable Gigacage if mmap fails to allocate in Linux.
- Add user agent quirk for paypal website.
- Fix a network process crash when trying to get cookies of about:blank
page.
- Fix UI process crash when closing the window under Wayland.
- Fix several crashes and rendering issues.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-845=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1
libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1
libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1
libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1
typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1
typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1
typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1
webkit-jsc-4-2.20.3-lp150.2.3.1
webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1
webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1
webkit2gtk3-debugsource-2.20.3-lp150.2.3.1
webkit2gtk3-devel-2.20.3-lp150.2.3.1
webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1
webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1
libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.3-lp150.2.3.1
libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1
libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.3-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

libwebkit2gtk3-lang-2.20.3-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-11646.html
https://www.suse.com/security/cve/CVE-2018-4190.html
https://www.suse.com/security/cve/CVE-2018-4199.html
https://www.suse.com/security/cve/CVE-2018-4218.html
https://www.suse.com/security/cve/CVE-2018-4222.html
https://www.suse.com/security/cve/CVE-2018-4232.html
https://www.suse.com/security/cve/CVE-2018-4233.html
https://bugzilla.suse.com/1095611
https://bugzilla.suse.com/1097693

--


openSUSE-SU-2018:2286-1: moderate: Security update for libraw

openSUSE Security Update: Security update for libraw
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2286-1
Rating: moderate
References: #1103200 #1103206 #1103353 #1103359 #1103360
#1103361
Cross-References: CVE-2018-5807 CVE-2018-5810 CVE-2018-5811
CVE-2018-5812 CVE-2018-5813 CVE-2018-5815

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for libraw fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-5813: Fixed an error within the "parse_minolta()" function
(dcraw/dcraw.c) that could be exploited to trigger an infinite loop via
a specially crafted file. This could be exploited to cause a
DoS. (boo#1103200)

- CVE-2018-5815: Fixed an integer overflow in the
internal/dcraw_common.cpp:parse_qt() function, that could be exploited
to cause an infinite loop via a specially crafted Apple QuickTime file.
(boo#1103206)

- CVE-2018-5810: Fixed an error within the rollei_load_raw() function
(internal/dcraw_common.cpp) that could be exploited to cause a
heap-based buffer overflow and subsequently cause a crash. (boo#1103353)

- CVE-2018-5811: Fixed an error within the nikon_coolscan_load_raw()
function (internal/dcraw_common.cpp) that could be exploited to cause an
out-of-bounds read memory access and subsequently cause a crash.
(boo#1103359)

- CVE-2018-5812: Fixed another error within the nikon_coolscan_load_raw()
function (internal/dcraw_common.cpp) that could be exploited to trigger
a NULL pointer dereference. (boo#1103360)

- CVE-2018-5807: Fixed an error within the samsung_load_raw() function
(internal/dcraw_common.cpp) that could be exploited to cause an
out-of-bounds read memory access and subsequently cause a crash.
(boo#1103361)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-849=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libraw-debugsource-0.17.1-23.1
libraw-devel-0.17.1-23.1
libraw-devel-static-0.17.1-23.1
libraw-tools-0.17.1-23.1
libraw-tools-debuginfo-0.17.1-23.1
libraw15-0.17.1-23.1
libraw15-debuginfo-0.17.1-23.1


References:

https://www.suse.com/security/cve/CVE-2018-5807.html
https://www.suse.com/security/cve/CVE-2018-5810.html
https://www.suse.com/security/cve/CVE-2018-5811.html
https://www.suse.com/security/cve/CVE-2018-5812.html
https://www.suse.com/security/cve/CVE-2018-5813.html
https://www.suse.com/security/cve/CVE-2018-5815.html
https://bugzilla.suse.com/1103200
https://bugzilla.suse.com/1103206
https://bugzilla.suse.com/1103353
https://bugzilla.suse.com/1103359
https://bugzilla.suse.com/1103360
https://bugzilla.suse.com/1103361

--


openSUSE-SU-2018:2287-1: moderate: Security update for gdk-pixbuf

openSUSE Security Update: Security update for gdk-pixbuf
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2287-1
Rating: moderate
References: #1053417
Cross-References: CVE-2015-4491
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for gdk-pixbuf fixes the following issues:

Security issue fixed:

- CVE-2015-4491: Fix integer multiplication overflow that allows for DoS
or potentially RCE (bsc#1053417).

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-846=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

gdk-pixbuf-debugsource-2.34.0-19.1
gdk-pixbuf-devel-2.34.0-19.1
gdk-pixbuf-devel-debuginfo-2.34.0-19.1
gdk-pixbuf-query-loaders-2.34.0-19.1
gdk-pixbuf-query-loaders-debuginfo-2.34.0-19.1
libgdk_pixbuf-2_0-0-2.34.0-19.1
libgdk_pixbuf-2_0-0-debuginfo-2.34.0-19.1
typelib-1_0-GdkPixbuf-2_0-2.34.0-19.1

- openSUSE Leap 42.3 (noarch):

gdk-pixbuf-lang-2.34.0-19.1

- openSUSE Leap 42.3 (x86_64):

gdk-pixbuf-devel-32bit-2.34.0-19.1
gdk-pixbuf-devel-debuginfo-32bit-2.34.0-19.1
gdk-pixbuf-query-loaders-32bit-2.34.0-19.1
gdk-pixbuf-query-loaders-debuginfo-32bit-2.34.0-19.1
libgdk_pixbuf-2_0-0-32bit-2.34.0-19.1
libgdk_pixbuf-2_0-0-debuginfo-32bit-2.34.0-19.1


References:

https://www.suse.com/security/cve/CVE-2015-4491.html
https://bugzilla.suse.com/1053417

--


openSUSE-SU-2018:2288-1: important: Security update for libtirpc

openSUSE Security Update: Security update for libtirpc
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2288-1
Rating: important
References: #1072183 #968175
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for libtirpc fixes the following issues:

Security issue fixed:

- bsc#968175: Fix remote crash of RPC services.

Bug fixes:

- bsc#1072183: Send RPC getport call as specified via parameter.

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-851=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libtirpc-debugsource-1.0.1-5.3.1
libtirpc-devel-1.0.1-5.3.1
libtirpc-netconfig-1.0.1-5.3.1
libtirpc3-1.0.1-5.3.1
libtirpc3-debuginfo-1.0.1-5.3.1

- openSUSE Leap 42.3 (x86_64):

libtirpc3-32bit-1.0.1-5.3.1
libtirpc3-debuginfo-32bit-1.0.1-5.3.1


References:

https://bugzilla.suse.com/1072183
https://bugzilla.suse.com/968175

--


openSUSE-SU-2018:2289-1: moderate: Security update for sssd

openSUSE Security Update: Security update for sssd
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2289-1
Rating: moderate
References: #1098163 #1098377
Cross-References: CVE-2018-10852
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for sssd fixes the following security issue:

- CVE-2018-10852: Set stricter permissions on /var/lib/sss/pipes/sudo to
prevent the disclosure of sudo rules for arbitrary users (bsc#1098377).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-847=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libipa_hbac-devel-1.16.1-lp150.2.3.1
libipa_hbac0-1.16.1-lp150.2.3.1
libipa_hbac0-debuginfo-1.16.1-lp150.2.3.1
libnfsidmap-sss-1.16.1-lp150.2.3.1
libnfsidmap-sss-debuginfo-1.16.1-lp150.2.3.1
libsss_certmap-devel-1.16.1-lp150.2.3.1
libsss_certmap0-1.16.1-lp150.2.3.1
libsss_certmap0-debuginfo-1.16.1-lp150.2.3.1
libsss_idmap-devel-1.16.1-lp150.2.3.1
libsss_idmap0-1.16.1-lp150.2.3.1
libsss_idmap0-debuginfo-1.16.1-lp150.2.3.1
libsss_nss_idmap-devel-1.16.1-lp150.2.3.1
libsss_nss_idmap0-1.16.1-lp150.2.3.1
libsss_nss_idmap0-debuginfo-1.16.1-lp150.2.3.1
libsss_simpleifp-devel-1.16.1-lp150.2.3.1
libsss_simpleifp0-1.16.1-lp150.2.3.1
libsss_simpleifp0-debuginfo-1.16.1-lp150.2.3.1
python3-ipa_hbac-1.16.1-lp150.2.3.1
python3-ipa_hbac-debuginfo-1.16.1-lp150.2.3.1
python3-sss-murmur-1.16.1-lp150.2.3.1
python3-sss-murmur-debuginfo-1.16.1-lp150.2.3.1
python3-sss_nss_idmap-1.16.1-lp150.2.3.1
python3-sss_nss_idmap-debuginfo-1.16.1-lp150.2.3.1
python3-sssd-config-1.16.1-lp150.2.3.1
python3-sssd-config-debuginfo-1.16.1-lp150.2.3.1
sssd-1.16.1-lp150.2.3.1
sssd-ad-1.16.1-lp150.2.3.1
sssd-ad-debuginfo-1.16.1-lp150.2.3.1
sssd-dbus-1.16.1-lp150.2.3.1
sssd-dbus-debuginfo-1.16.1-lp150.2.3.1
sssd-debuginfo-1.16.1-lp150.2.3.1
sssd-debugsource-1.16.1-lp150.2.3.1
sssd-ipa-1.16.1-lp150.2.3.1
sssd-ipa-debuginfo-1.16.1-lp150.2.3.1
sssd-krb5-1.16.1-lp150.2.3.1
sssd-krb5-common-1.16.1-lp150.2.3.1
sssd-krb5-common-debuginfo-1.16.1-lp150.2.3.1
sssd-krb5-debuginfo-1.16.1-lp150.2.3.1
sssd-ldap-1.16.1-lp150.2.3.1
sssd-ldap-debuginfo-1.16.1-lp150.2.3.1
sssd-proxy-1.16.1-lp150.2.3.1
sssd-proxy-debuginfo-1.16.1-lp150.2.3.1
sssd-tools-1.16.1-lp150.2.3.1
sssd-tools-debuginfo-1.16.1-lp150.2.3.1
sssd-wbclient-1.16.1-lp150.2.3.1
sssd-wbclient-debuginfo-1.16.1-lp150.2.3.1
sssd-wbclient-devel-1.16.1-lp150.2.3.1
sssd-winbind-idmap-1.16.1-lp150.2.3.1
sssd-winbind-idmap-debuginfo-1.16.1-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

sssd-32bit-1.16.1-lp150.2.3.1
sssd-32bit-debuginfo-1.16.1-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-10852.html
https://bugzilla.suse.com/1098163
https://bugzilla.suse.com/1098377

--


openSUSE-SU-2018:2290-1: moderate: Security update for blueman

openSUSE Security Update: Security update for blueman
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2290-1
Rating: moderate
References: #1083066
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for blueman fixes the following issues:

The following security issue was addressed:

- Fixed the polkit authorization checks in blueman, which previously
allowed any user with access to the D-Bus system bus to trigger certain
network configuration logic in blueman without authentication
(boo#1083066).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-855=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-855=1



Package List:

- openSUSE Leap 42.3 (x86_64):

blueman-2.0.6-2.3.1
blueman-debuginfo-2.0.6-2.3.1
blueman-debugsource-2.0.6-2.3.1

- openSUSE Leap 42.3 (noarch):

blueman-lang-2.0.6-2.3.1
thunar-sendto-blueman-2.0.6-2.3.1

- openSUSE Leap 15.0 (x86_64):

blueman-2.0.6-lp150.3.3.1
blueman-debuginfo-2.0.6-lp150.3.3.1
blueman-debugsource-2.0.6-lp150.3.3.1

- openSUSE Leap 15.0 (noarch):

blueman-lang-2.0.6-lp150.3.3.1
thunar-sendto-blueman-2.0.6-lp150.3.3.1


References:

https://bugzilla.suse.com/1083066

--


openSUSE-SU-2018:2291-1: moderate: Security update for python-mitmproxy

openSUSE Security Update: Security update for python-mitmproxy
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2291-1
Rating: moderate
References: #1101457 #1102178
Cross-References: CVE-2018-14505
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for python-mitmproxy fixes the following issues:

The following security vulnerability was fixed:

- CVE-2018-14505: Fixed multiple DNS rebinding attacks related to
tools/web/app.py (boo#1102178)

The following other issue was fixed:

- Fixed a dependency issue with python-ldap3 (boo#1101457)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-850=1



Package List:

- openSUSE Leap 15.0 (noarch):

python3-mitmproxy-3.0.4-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-14505.html
https://bugzilla.suse.com/1101457
https://bugzilla.suse.com/1102178

--


openSUSE-SU-2018:2292-1: moderate: Security update for cups

openSUSE Security Update: Security update for cups
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2292-1
Rating: moderate
References: #1096405 #1096406 #1096407 #1096408
Cross-References: CVE-2018-4180 CVE-2018-4181 CVE-2018-4182
CVE-2018-4183
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- Fixed a local privilege escalation to root and sandbox bypasses in the
scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd
backend (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
(bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
(bsc#1096408)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-852=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

cups-2.2.7-lp150.2.3.1
cups-client-2.2.7-lp150.2.3.1
cups-client-debuginfo-2.2.7-lp150.2.3.1
cups-config-2.2.7-lp150.2.3.1
cups-ddk-2.2.7-lp150.2.3.1
cups-ddk-debuginfo-2.2.7-lp150.2.3.1
cups-debuginfo-2.2.7-lp150.2.3.1
cups-debugsource-2.2.7-lp150.2.3.1
cups-devel-2.2.7-lp150.2.3.1
libcups2-2.2.7-lp150.2.3.1
libcups2-debuginfo-2.2.7-lp150.2.3.1
libcupscgi1-2.2.7-lp150.2.3.1
libcupscgi1-debuginfo-2.2.7-lp150.2.3.1
libcupsimage2-2.2.7-lp150.2.3.1
libcupsimage2-debuginfo-2.2.7-lp150.2.3.1
libcupsmime1-2.2.7-lp150.2.3.1
libcupsmime1-debuginfo-2.2.7-lp150.2.3.1
libcupsppdc1-2.2.7-lp150.2.3.1
libcupsppdc1-debuginfo-2.2.7-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

cups-devel-32bit-2.2.7-lp150.2.3.1
libcups2-32bit-2.2.7-lp150.2.3.1
libcups2-32bit-debuginfo-2.2.7-lp150.2.3.1
libcupscgi1-32bit-2.2.7-lp150.2.3.1
libcupscgi1-32bit-debuginfo-2.2.7-lp150.2.3.1
libcupsimage2-32bit-2.2.7-lp150.2.3.1
libcupsimage2-32bit-debuginfo-2.2.7-lp150.2.3.1
libcupsmime1-32bit-2.2.7-lp150.2.3.1
libcupsmime1-32bit-debuginfo-2.2.7-lp150.2.3.1
libcupsppdc1-32bit-2.2.7-lp150.2.3.1
libcupsppdc1-32bit-debuginfo-2.2.7-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-4180.html
https://www.suse.com/security/cve/CVE-2018-4181.html
https://www.suse.com/security/cve/CVE-2018-4182.html
https://www.suse.com/security/cve/CVE-2018-4183.html
https://bugzilla.suse.com/1096405
https://bugzilla.suse.com/1096406
https://bugzilla.suse.com/1096407
https://bugzilla.suse.com/1096408

--


openSUSE-SU-2018:2293-1: moderate: Security update for mysql-community-server

openSUSE Security Update: Security update for mysql-community-server
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2293-1
Rating: moderate
References: #1087102 #1088681 #1101676 #1101678 #1101679
#1101680 #1103342 #1103344
Cross-References: CVE-2018-0739 CVE-2018-2767 CVE-2018-3058
CVE-2018-3062 CVE-2018-3064 CVE-2018-3066
CVE-2018-3070 CVE-2018-3081
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.

Description:

This update for mysql-community-server to version 5.6.41 fixes the
following issues:

Security vulnerabilities fixed:

- CVE-2018-3064: Fixed an easily exploitable vulnerability that allowed a
low privileged attacker with network access via multiple protocols to
compromise the MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server as well as unauthorized
update, insert or delete access to some of MySQL Server accessible data.
(bsc#1103342)

- CVE-2018-3070: Fixed an easily exploitable vulnerability that allowed a
low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. (bsc#1101679)

- CVE-2018-0739: Fixed a stack exhaustion in case of recursively
constructed ASN.1 types. (boo#1087102)

- CVE-2018-3062: Fixed a difficult to exploit vulnerability that allowed a
low privileged attacker with network access via memcached to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server. (bsc#1103344)

- CVE-2018-3081: Fixed a difficult to exploit vulnerability that allowed a
high privileged attacker with network access via multiple protocols to
compromise MySQL Client. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Client as well as unauthorized update,
insert or delete access to some of MySQL Client accessible data.
(bsc#1101680)

- CVE-2018-3058: Fixed an easily exploitable vulnerability that allowed a
low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of MySQL
Server accessible data. (bsc#1101676)

- CVE-2018-3066: Fixed a difficult to exploit vulnerability that allowed a
high privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of MySQL
Server accessible data as well as unauthorized read access to a subset
of MySQL Server accessible data. (bsc#1101678)

- CVE-2018-2767: Fixed a difficult to exploit vulnerability that allowed a
low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized read access to a subset of MySQL Server
accessible data. (boo#1088681)

You can find more detailed information about this update in the [release
notes](http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-41.html)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-844=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libmysql56client18-5.6.41-39.1
libmysql56client18-debuginfo-5.6.41-39.1
libmysql56client_r18-5.6.41-39.1
mysql-community-server-5.6.41-39.1
mysql-community-server-bench-5.6.41-39.1
mysql-community-server-bench-debuginfo-5.6.41-39.1
mysql-community-server-client-5.6.41-39.1
mysql-community-server-client-debuginfo-5.6.41-39.1
mysql-community-server-debuginfo-5.6.41-39.1
mysql-community-server-debugsource-5.6.41-39.1
mysql-community-server-test-5.6.41-39.1
mysql-community-server-test-debuginfo-5.6.41-39.1
mysql-community-server-tools-5.6.41-39.1
mysql-community-server-tools-debuginfo-5.6.41-39.1

- openSUSE Leap 42.3 (x86_64):

libmysql56client18-32bit-5.6.41-39.1
libmysql56client18-debuginfo-32bit-5.6.41-39.1
libmysql56client_r18-32bit-5.6.41-39.1

- openSUSE Leap 42.3 (noarch):

mysql-community-server-errormessages-5.6.41-39.1


References:

https://www.suse.com/security/cve/CVE-2018-0739.html
https://www.suse.com/security/cve/CVE-2018-2767.html
https://www.suse.com/security/cve/CVE-2018-3058.html
https://www.suse.com/security/cve/CVE-2018-3062.html
https://www.suse.com/security/cve/CVE-2018-3064.html
https://www.suse.com/security/cve/CVE-2018-3066.html
https://www.suse.com/security/cve/CVE-2018-3070.html
https://www.suse.com/security/cve/CVE-2018-3081.html
https://bugzilla.suse.com/1087102
https://bugzilla.suse.com/1088681
https://bugzilla.suse.com/1101676
https://bugzilla.suse.com/1101678
https://bugzilla.suse.com/1101679
https://bugzilla.suse.com/1101680
https://bugzilla.suse.com/1103342
https://bugzilla.suse.com/1103344

--


openSUSE-SU-2018:2294-1: Security update for libcdio

openSUSE Security Update: Security update for libcdio
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2294-1
Rating: low
References: #1082821 #1082877
Cross-References: CVE-2017-18199 CVE-2017-18201
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for libcdio fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2017-18199: Fixed a NULL pointer dereference in realloc_symlink in
rock.c (bsc#1082821)
- CVE-2017-18201: Fixed a double free vulnerability in
get_cdtext_generic() in _cdio_generic.c (bsc#1082877)
- Fixed several memory leaks (bsc#1082821)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-857=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libcdio++0-0.94-lp150.5.3.1
libcdio++0-debuginfo-0.94-lp150.5.3.1
libcdio-debugsource-0.94-lp150.5.3.1
libcdio-devel-0.94-lp150.5.3.1
libcdio16-0.94-lp150.5.3.1
libcdio16-debuginfo-0.94-lp150.5.3.1
libiso9660-10-0.94-lp150.5.3.1
libiso9660-10-debuginfo-0.94-lp150.5.3.1
libudf0-0.94-lp150.5.3.1
libudf0-debuginfo-0.94-lp150.5.3.1

- openSUSE Leap 15.0 (x86_64):

cdio-utils-0.94-lp150.5.3.1
cdio-utils-debuginfo-0.94-lp150.5.3.1
cdio-utils-debugsource-0.94-lp150.5.3.1
libcdio++0-32bit-0.94-lp150.5.3.1
libcdio++0-32bit-debuginfo-0.94-lp150.5.3.1
libcdio16-32bit-0.94-lp150.5.3.1
libcdio16-32bit-debuginfo-0.94-lp150.5.3.1
libiso9660-10-32bit-0.94-lp150.5.3.1
libiso9660-10-32bit-debuginfo-0.94-lp150.5.3.1
libudf0-32bit-0.94-lp150.5.3.1
libudf0-32bit-debuginfo-0.94-lp150.5.3.1


References:

https://www.suse.com/security/cve/CVE-2017-18199.html
https://www.suse.com/security/cve/CVE-2017-18201.html
https://bugzilla.suse.com/1082821
https://bugzilla.suse.com/1082877

--


openSUSE-SU-2018:2295-1: important: Security update for virtualbox

openSUSE Security Update: Security update for virtualbox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2295-1
Rating: important
References: #1101667
Cross-References: CVE-2018-3005 CVE-2018-3055 CVE-2018-3085
CVE-2018-3086 CVE-2018-3087 CVE-2018-3088
CVE-2018-3089 CVE-2018-3090 CVE-2018-3091

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for virtualbox to version 5.2.16 fixes the following issues:

The following security vulnerabilities were fixed (boo#1101667):

- CVE-2018-3005: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks of this vulnerability can result in unauthorized ability to
cause a partial denial of service (partial DOS) of Oracle VM VirtualBox.

- CVE-2018-3055: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and
unauthorized read access to a subset of Oracle VM VirtualBox accessible
data.

- CVE-2018-3085: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or
modification access to critical data or all Oracle VM VirtualBox
accessible data as well as unauthorized read access to a subset of
Oracle VM VirtualBox accessible data and unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of Oracle VM
VirtualBox.

- CVE-2018-3086: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Oracle VM VirtualBox.

- CVE-2018-3087: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Oracle VM VirtualBox.

- CVE-2018-3088: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Oracle VM VirtualBox.

- CVE-2018-3089: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Oracle VM VirtualBox.

- CVE-2018-3090: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Oracle VM VirtualBox.

- CVE-2018-3091: Fixed an easily exploitable vulnerability that allowed
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized access to critical data or
complete access to all Oracle VM VirtualBox accessible data.

The following bugs were fixed:

- OVF: case insensitive comparison of manifest attribute values, to
improve compatibility


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-853=1



Package List:

- openSUSE Leap 15.0 (x86_64):

python3-virtualbox-5.2.16-lp150.4.9.1
python3-virtualbox-debuginfo-5.2.16-lp150.4.9.1
virtualbox-5.2.16-lp150.4.9.1
virtualbox-debuginfo-5.2.16-lp150.4.9.1
virtualbox-debugsource-5.2.16-lp150.4.9.1
virtualbox-devel-5.2.16-lp150.4.9.1
virtualbox-guest-kmp-default-5.2.16_k4.12.14_lp150.12.7-lp150.4.9.1
virtualbox-guest-kmp-default-debuginfo-5.2.16_k4.12.14_lp150.12.7-lp150.4.9.1
virtualbox-guest-tools-5.2.16-lp150.4.9.1
virtualbox-guest-tools-debuginfo-5.2.16-lp150.4.9.1
virtualbox-guest-x11-5.2.16-lp150.4.9.1
virtualbox-guest-x11-debuginfo-5.2.16-lp150.4.9.1
virtualbox-host-kmp-default-5.2.16_k4.12.14_lp150.12.7-lp150.4.9.1
virtualbox-host-kmp-default-debuginfo-5.2.16_k4.12.14_lp150.12.7-lp150.4.9.1
virtualbox-qt-5.2.16-lp150.4.9.1
virtualbox-qt-debuginfo-5.2.16-lp150.4.9.1
virtualbox-vnc-5.2.16-lp150.4.9.1
virtualbox-websrv-5.2.16-lp150.4.9.1
virtualbox-websrv-debuginfo-5.2.16-lp150.4.9.1

- openSUSE Leap 15.0 (noarch):

virtualbox-guest-desktop-icons-5.2.16-lp150.4.9.1
virtualbox-guest-source-5.2.16-lp150.4.9.1
virtualbox-host-source-5.2.16-lp150.4.9.1


References:

https://www.suse.com/security/cve/CVE-2018-3005.html
https://www.suse.com/security/cve/CVE-2018-3055.html
https://www.suse.com/security/cve/CVE-2018-3085.html
https://www.suse.com/security/cve/CVE-2018-3086.html
https://www.suse.com/security/cve/CVE-2018-3087.html
https://www.suse.com/security/cve/CVE-2018-3088.html
https://www.suse.com/security/cve/CVE-2018-3089.html
https://www.suse.com/security/cve/CVE-2018-3090.html
https://www.suse.com/security/cve/CVE-2018-3091.html
https://bugzilla.suse.com/1101667

--


openSUSE-SU-2018:2296-1: moderate: Security update for libsoup

openSUSE Security Update: Security update for libsoup
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2296-1
Rating: moderate
References: #1052916 #1086036 #1100097
Cross-References: CVE-2017-2885 CVE-2018-12910
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has one
errata is now available.

Description:

This update for libsoup fixes the following issues:

Security issues fixed:

- CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097).
- CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited
against either clients or servers (bsc#1052916).

Bug fixes:

- bsc#1086036: translation-update-upstream commented out for Leap

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-856=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libsoup-2_4-1-2.62.2-8.1
libsoup-2_4-1-debuginfo-2.62.2-8.1
libsoup-debugsource-2.62.2-8.1
libsoup-devel-2.62.2-8.1
typelib-1_0-Soup-2_4-2.62.2-8.1

- openSUSE Leap 42.3 (noarch):

libsoup-lang-2.62.2-8.1

- openSUSE Leap 42.3 (x86_64):

libsoup-2_4-1-32bit-2.62.2-8.1
libsoup-2_4-1-debuginfo-32bit-2.62.2-8.1
libsoup-devel-32bit-2.62.2-8.1


References:

https://www.suse.com/security/cve/CVE-2017-2885.html
https://www.suse.com/security/cve/CVE-2018-12910.html
https://bugzilla.suse.com/1052916
https://bugzilla.suse.com/1086036
https://bugzilla.suse.com/1100097

--