SUSE 5162 Published by

The following updates has been released for openSUSE Leap 15.0:

openSUSE-SU-2018:2116-1: important: Security update for xen
openSUSE-SU-2018:2117-1: moderate: Security update for openssl-1_1
openSUSE-SU-2018:2118-1: important: Security update for the Linux Kernel
openSUSE-SU-2018:2119-1: important: Security update for the Linux Kernel
openSUSE-SU-2018:2120-1: moderate: Security update for qutebrowser
openSUSE-SU-2018:2121-1: moderate: Security update for cinnamon
openSUSE-SU-2018:2122-1: moderate: Security update for libgcrypt
openSUSE-SU-2018:2123-1: moderate: Security update for ImageMagick
openSUSE-SU-2018:2124-1: moderate: Security update for rubygem-sprockets
openSUSE-SU-2018:2125-1: moderate: Security update for cinnamon
openSUSE-SU-2018:2126-1: moderate: Security update for python
openSUSE-SU-2018:2127-1: important: Security update for shadow
openSUSE-SU-2018:2128-1: moderate: Security update for openssh
openSUSE-SU-2018:2129-1: moderate: Security update for openssl-1_0_0
openSUSE-SU-2018:2130-1: moderate: Security update for qutebrowser
openSUSE-SU-2018:2131-1: moderate: Security update for bouncycastle
openSUSE-SU-2018:2132-1: moderate: Security update for mercurial
openSUSE-SU-2018:2133-1: moderate: Security update for e2fsprogs



openSUSE-SU-2018:2116-1: important: Security update for xen

openSUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2116-1
Rating: important
References: #1027519 #1079730 #1087289 #1095242 #1097521
#1097522 #1097523 #1098403
Cross-References: CVE-2018-12891 CVE-2018-12892 CVE-2018-12893
CVE-2018-3665
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves four vulnerabilities and has four
fixes is now available.

Description:

This update for xen fixes the following issues:

Security issues fixed:

- CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242).
- CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU
operations that affect the entire host (XSA-264) (bsc#1097521).
- CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated
SCSI disks (XSA-266) (bsc#1097523).
- CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check
(XSA-265) (bsc#1097522).

Bug fixes:

- bsc#1027519: Add upstream patches from January.
- bsc#1098403: Fix regression introduced by changes for bsc#1079730. A PV
domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors
for PV domUs to handle PV domUs with and without an attached qemu-xen.
- bsc#1087289: Fix xen scheduler crash.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-766=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

xen-debugsource-4.10.1_06-lp150.2.6.1
xen-devel-4.10.1_06-lp150.2.6.1
xen-libs-4.10.1_06-lp150.2.6.1
xen-libs-debuginfo-4.10.1_06-lp150.2.6.1
xen-tools-domU-4.10.1_06-lp150.2.6.1
xen-tools-domU-debuginfo-4.10.1_06-lp150.2.6.1

- openSUSE Leap 15.0 (x86_64):

xen-4.10.1_06-lp150.2.6.1
xen-doc-html-4.10.1_06-lp150.2.6.1
xen-libs-32bit-4.10.1_06-lp150.2.6.1
xen-libs-32bit-debuginfo-4.10.1_06-lp150.2.6.1
xen-tools-4.10.1_06-lp150.2.6.1
xen-tools-debuginfo-4.10.1_06-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-12891.html
https://www.suse.com/security/cve/CVE-2018-12892.html
https://www.suse.com/security/cve/CVE-2018-12893.html
https://www.suse.com/security/cve/CVE-2018-3665.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1079730
https://bugzilla.suse.com/1087289
https://bugzilla.suse.com/1095242
https://bugzilla.suse.com/1097521
https://bugzilla.suse.com/1097522
https://bugzilla.suse.com/1097523
https://bugzilla.suse.com/1098403

--


openSUSE-SU-2018:2117-1: moderate: Security update for openssl-1_1

openSUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2117-1
Rating: moderate
References: #1097158 #1097624 #1098592
Cross-References: CVE-2018-0732
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for openssl-1_1 fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E)
based ciphersuite a malicious server could have sent a very large prime
value to the client. This caused the client to spend an unreasonably
long period of time generating a key for this prime resulting in a hang
until the client has finished. This could be exploited in a Denial Of
Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-777=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libopenssl-1_1-devel-1.1.0h-lp150.3.3.1
libopenssl1_1-1.1.0h-lp150.3.3.1
libopenssl1_1-debuginfo-1.1.0h-lp150.3.3.1
libopenssl1_1-hmac-1.1.0h-lp150.3.3.1
openssl-1_1-1.1.0h-lp150.3.3.1
openssl-1_1-debuginfo-1.1.0h-lp150.3.3.1
openssl-1_1-debugsource-1.1.0h-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

libopenssl-1_1-devel-32bit-1.1.0h-lp150.3.3.1
libopenssl1_1-32bit-1.1.0h-lp150.3.3.1
libopenssl1_1-32bit-debuginfo-1.1.0h-lp150.3.3.1
libopenssl1_1-hmac-32bit-1.1.0h-lp150.3.3.1

- openSUSE Leap 15.0 (noarch):

openssl-1_1-doc-1.1.0h-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-0732.html
https://bugzilla.suse.com/1097158
https://bugzilla.suse.com/1097624
https://bugzilla.suse.com/1098592

--


openSUSE-SU-2018:2118-1: important: Security update for the Linux Kernel

openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2118-1
Rating: important
References: #1012382 #1064232 #1075876 #1076110 #1085185
#1085657 #1089525 #1090435 #1090888 #1091171
#1092207 #1094244 #1094248 #1094643 #1095453
#1096790 #1097034 #1097140 #1097492 #1097501
#1097551 #1097808 #1097931 #1097961 #1098016
#1098236 #1098425 #1098435 #1098527 #1098599
#1099042 #1099183 #1099279 #1099713 #1099732
#1099792 #1099810 #1099918 #1099924 #1099966
#1099993 #1100089 #1100340 #1100416 #1100418
#1100491 #1100843 #1101296
Cross-References: CVE-2018-13053 CVE-2018-13405 CVE-2018-13406
CVE-2018-9385
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves four vulnerabilities and has 44 fixes
is now available.

Description:


The openSUSE 42.3 was updated to 4.4.140 to receive various security and
bugfixes.

The following security bugs were fixed:

- CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow
via a large relative timeout because ktime_add_safe was not used
(bnc#1099924).
- CVE-2018-9385: Prevent overread of the "driver_override" buffer
(bsc#1100491).
- CVE-2018-13405: The inode_init_owner function allowed local users to
create files with an unintended group ownership allowing attackers to
escalate privileges by making a plain file executable and SGID
(bnc#1100416).
- CVE-2018-13406: An integer overflow in the uvesafb_setcmap function
could have result in local attackers being able to crash the kernel or
potentially elevate privileges because kmalloc_array is not used
(bnc#1100418).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-764=1



Package List:

- openSUSE Leap 42.3 (noarch):

kernel-devel-4.4.140-62.2
kernel-docs-4.4.140-62.2
kernel-docs-html-4.4.140-62.2
kernel-docs-pdf-4.4.140-62.2
kernel-macros-4.4.140-62.2
kernel-source-4.4.140-62.2
kernel-source-vanilla-4.4.140-62.2

- openSUSE Leap 42.3 (x86_64):

kernel-debug-4.4.140-62.2
kernel-debug-base-4.4.140-62.2
kernel-debug-base-debuginfo-4.4.140-62.2
kernel-debug-debuginfo-4.4.140-62.2
kernel-debug-debugsource-4.4.140-62.2
kernel-debug-devel-4.4.140-62.2
kernel-debug-devel-debuginfo-4.4.140-62.2
kernel-default-4.4.140-62.2
kernel-default-base-4.4.140-62.2
kernel-default-base-debuginfo-4.4.140-62.2
kernel-default-debuginfo-4.4.140-62.2
kernel-default-debugsource-4.4.140-62.2
kernel-default-devel-4.4.140-62.2
kernel-obs-build-4.4.140-62.3
kernel-obs-build-debugsource-4.4.140-62.3
kernel-obs-qa-4.4.140-62.1
kernel-syms-4.4.140-62.1
kernel-vanilla-4.4.140-62.2
kernel-vanilla-base-4.4.140-62.2
kernel-vanilla-base-debuginfo-4.4.140-62.2
kernel-vanilla-debuginfo-4.4.140-62.2
kernel-vanilla-debugsource-4.4.140-62.2
kernel-vanilla-devel-4.4.140-62.2
kselftests-kmp-debug-4.4.140-62.2
kselftests-kmp-debug-debuginfo-4.4.140-62.2
kselftests-kmp-default-4.4.140-62.2
kselftests-kmp-default-debuginfo-4.4.140-62.2
kselftests-kmp-vanilla-4.4.140-62.2
kselftests-kmp-vanilla-debuginfo-4.4.140-62.2


References:

https://www.suse.com/security/cve/CVE-2018-13053.html
https://www.suse.com/security/cve/CVE-2018-13405.html
https://www.suse.com/security/cve/CVE-2018-13406.html
https://www.suse.com/security/cve/CVE-2018-9385.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1064232
https://bugzilla.suse.com/1075876
https://bugzilla.suse.com/1076110
https://bugzilla.suse.com/1085185
https://bugzilla.suse.com/1085657
https://bugzilla.suse.com/1089525
https://bugzilla.suse.com/1090435
https://bugzilla.suse.com/1090888
https://bugzilla.suse.com/1091171
https://bugzilla.suse.com/1092207
https://bugzilla.suse.com/1094244
https://bugzilla.suse.com/1094248
https://bugzilla.suse.com/1094643
https://bugzilla.suse.com/1095453
https://bugzilla.suse.com/1096790
https://bugzilla.suse.com/1097034
https://bugzilla.suse.com/1097140
https://bugzilla.suse.com/1097492
https://bugzilla.suse.com/1097501
https://bugzilla.suse.com/1097551
https://bugzilla.suse.com/1097808
https://bugzilla.suse.com/1097931
https://bugzilla.suse.com/1097961
https://bugzilla.suse.com/1098016
https://bugzilla.suse.com/1098236
https://bugzilla.suse.com/1098425
https://bugzilla.suse.com/1098435
https://bugzilla.suse.com/1098527
https://bugzilla.suse.com/1098599
https://bugzilla.suse.com/1099042
https://bugzilla.suse.com/1099183
https://bugzilla.suse.com/1099279
https://bugzilla.suse.com/1099713
https://bugzilla.suse.com/1099732
https://bugzilla.suse.com/1099792
https://bugzilla.suse.com/1099810
https://bugzilla.suse.com/1099918
https://bugzilla.suse.com/1099924
https://bugzilla.suse.com/1099966
https://bugzilla.suse.com/1099993
https://bugzilla.suse.com/1100089
https://bugzilla.suse.com/1100340
https://bugzilla.suse.com/1100416
https://bugzilla.suse.com/1100418
https://bugzilla.suse.com/1100491
https://bugzilla.suse.com/1100843
https://bugzilla.suse.com/1101296

--


openSUSE-SU-2018:2119-1: important: Security update for the Linux Kernel

openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2119-1
Rating: important
References: #1022476 #1046303 #1046305 #1046306 #1046307
#1046540 #1046542 #1046543 #1048129 #1050242
#1050252 #1050529 #1050536 #1050538 #1050545
#1050549 #1050662 #1051510 #1052766 #1055117
#1055186 #1055968 #1056427 #1056643 #1056651
#1056653 #1056657 #1056658 #1056662 #1056686
#1056787 #1058115 #1058513 #1058659 #1058717
#1059336 #1060463 #1061024 #1061840 #1062897
#1064802 #1065600 #1065729 #1066110 #1066129
#1068032 #1068054 #1068546 #1071218 #1071995
#1072829 #1072856 #1073513 #1073765 #1073960
#1074562 #1074578 #1074701 #1074741 #1074873
#1074919 #1074984 #1075006 #1075007 #1075262
#1075419 #1075748 #1075876 #1076049 #1076115
#1076372 #1076830 #1077338 #1078248 #1078353
#1079152 #1079747 #1080039 #1080157 #1080542
#1081599 #1082485 #1082504 #1082869 #1082962
#1083647 #1083684 #1083900 #1084001 #1084570
#1084721 #1085308 #1085341 #1085400 #1085539
#1085626 #1085933 #1085936 #1085937 #1085938
#1085939 #1085941 #1086224 #1086282 #1086283
#1086286 #1086288 #1086319 #1086323 #1086400
#1086467 #1086652 #1086739 #1087084 #1087088
#1087092 #1087205 #1087210 #1087213 #1087214
#1087284 #1087405 #1087458 #1087939 #1087978
#1088273 #1088354 #1088374 #1088690 #1088704
#1088713 #1088722 #1088796 #1088804 #1088821
#1088866 #1088872 #1089074 #1089086 #1089115
#1089141 #1089198 #1089268 #1089271 #1089467
#1089608 #1089644 #1089663 #1089664 #1089667
#1089669 #1089752 #1089753 #1089762 #1089878
#1089889 #1089977 #1090098 #1090150 #1090457
#1090522 #1090534 #1090535 #1090605 #1090643
#1090646 #1090658 #1090717 #1090734 #1090818
#1090888 #1090953 #1091101 #1091158 #1091171
#1091264 #1091424 #1091532 #1091543 #1091594
#1091666 #1091678 #1091686 #1091781 #1091782
#1091815 #1091860 #1091960 #1092100 #1092289
#1092472 #1092566 #1092710 #1092772 #1092888
#1092904 #1092975 #1093023 #1093027 #1093035
#1093118 #1093148 #1093158 #1093184 #1093205
#1093273 #1093290 #1093604 #1093641 #1093649
#1093653 #1093655 #1093657 #1093663 #1093721
#1093728 #1093904 #1093990 #1094244 #1094356
#1094420 #1094541 #1094575 #1094751 #1094825
#1094840 #1094978 #1095042 #1095094 #1095104
#1095115 #1095155 #1095265 #1095321 #1095337
#1095467 #1095573 #1095735 #1095893 #1096065
#1096480 #1096529 #1096696 #1096705 #1096728
#1096753 #1096790 #1096793 #1097034 #1097105
#1097234 #1097356 #1097373 #1097439 #1097465
#1097468 #1097470 #1097471 #1097472 #1097551
#1097780 #1097796 #1097800 #1097941 #1097961
#1098016 #1098043 #1098050 #1098174 #1098176
#1098236 #1098401 #1098425 #1098435 #1098599
#1098626 #1098706 #1098983 #1098995 #1099029
#1099041 #1099109 #1099142 #1099183 #1099715
#1099792 #1099918 #1099924 #1099966 #1100132
#1100209 #1100340 #1100362 #1100382 #1100416
#1100418 #1100491 #1100602 #1100633 #1100734
#1100843 #1101296 #1101315 #1101324 #971975
#975772
Cross-References: CVE-2017-5715 CVE-2017-5753 CVE-2018-1000200
CVE-2018-1000204 CVE-2018-10087 CVE-2018-10124
CVE-2018-10323 CVE-2018-1092 CVE-2018-1093
CVE-2018-1094 CVE-2018-1108 CVE-2018-1118
CVE-2018-1120 CVE-2018-1130 CVE-2018-12233
CVE-2018-13053 CVE-2018-13405 CVE-2018-13406
CVE-2018-5803 CVE-2018-5848 CVE-2018-7492
CVE-2018-8781 CVE-2018-9385
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 23 vulnerabilities and has 283 fixes
is now available.

Description:


The openSUSE Leap 15 kernel was updated to receive various security and
bugfixes.

The following security bugs were fixed:

- CVE-2018-13406: An integer overflow in the uvesafb_setcmap function
could have result in local attackers being able to crash the kernel or
potentially elevate privileges because kmalloc_array is not used
(bnc#1100418)
- CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow
via a large relative timeout because ktime_add_safe was not used
(bnc#1099924)
- CVE-2018-9385: Prevent overread of the "driver_override" buffer
(bsc#1100491)
- CVE-2018-13405: The inode_init_owner function allowed local users to
create files with an unintended group ownership allowing attackers to
escalate privileges by making a plain file executable and SGID
(bnc#1100416)
- CVE-2017-5753: Systems with microprocessors utilizing speculative
execution and branch prediction may have allowed unauthorized disclosure
of information to an attacker with local user access via a side-channel
analysis (bsc#1068032).
- CVE-2018-1118: Linux kernel vhost did not properly initialize memory in
messages passed between virtual guests and the host operating system.
This could have allowed local privileged users to read some kernel
memory contents when reading from the /dev/vhost-net device file
(bsc#1092472).
- CVE-2018-12233: A memory corruption bug in JFS could have been triggered
by calling setxattr twice with two different extended attribute names on
the same file. This vulnerability could be triggered by an unprivileged
user with the ability to create files and execute programs (bsc#1097234)
- CVE-2018-5848: In the function wmi_set_ie(), the length validation code
did not handle unsigned integer overflow properly. As a result, a large
value of the 'ie_len' argument could have caused a buffer overflow
(bnc#1097356)
- CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the
SG_IO ioctl (bsc#1096728)
- CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory
containing command line arguments (or environment strings), an attacker
could have caused utilities from psutils or procps (such as ps, w) to
block indefinitely (denial of service) or for some controlled time (as a
synchronization primitive for other attacks) (bsc#1093158).
- CVE-2018-1094: The ext4_fill_super function did not always initialize
the crc32c checksum driver, which allowed attackers to cause a denial of
service (ext4_xattr_inode_hash NULL pointer dereference and system
crash) via a crafted ext4 image (bsc#1087007).
- CVE-2018-1092: The ext4_iget function mishandled the case of a root
directory with a zero i_links_count, which allowed attackers to cause a
denial of service (ext4_process_freed_data NULL pointer dereference and
OOPS) via a crafted ext4 image (bsc#1087012).
- CVE-2018-1093: The ext4_valid_block_bitmap function allowed attackers to
cause a denial of service (out-of-bounds read and system crash) via a
crafted ext4 image because balloc.c and ialloc.c do not validate bitmap
block numbers (bsc#1087095).
- CVE-2018-1000200: Prevent NULL pointer dereference which could have
resulted in an out of memory (OOM) killing of large mlocked processes
(bsc#1090150).
- CVE-2018-1130: NULL pointer dereference in dccp_write_xmit() function
that allowed a local user to cause a denial of service by a number of
certain crafted system calls (bsc#1092904)
- CVE-2018-5803: Prevent error in the "_sctp_make_chunk()" function when
handling SCTP packets length that could have been exploited to cause a
kernel crash (bnc#1083900)
- CVE-2018-7492: Prevent NULL pointer dereference in the net/rds/rdma.c
__rds_rdma_map() function that allowed local attackers to cause a system
panic and a denial-of-service, related to RDS_GET_MR and
RDS_GET_MR_FOR_DEST (bsc#1082962)
- CVE-2018-1108: Prevent weakness in the implementation of random seed
data. Programs, early in the boot sequence, could have used the data
allocated for the seed (bsc#1090818).
- CVE-2018-10323: The xfs_bmap_extents_to_btree function allowed local
users to cause a denial of service (xfs_bmapi_write NULL pointer
dereference) via a crafted xfs image (bsc#1090717).
- CVE-2018-8781: The udl_fb_mmap function had an integer-overflow
vulnerability allowing local users with access to the udldrmfb driver to
obtain full read and write permissions on kernel physical pages,
resulting in a code execution in kernel space (bsc#1090643)
- CVE-2018-10124: The kill_something_info function in kernel/signal.c
might have allowed local users to cause a denial of service via an
INT_MIN argument (bnc#1089752)
- CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have
allowed local users to cause a denial of service by triggering an
attempted use of the
-INT_MIN value (bnc#1089608)
- CVE-2017-5715: Prevent unauthorized disclosure of information to an
attacker with local user access caused by speculative execution and
indirect branch prediction (bsc#1068032)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-762=1



Package List:

- openSUSE Leap 15.0 (x86_64):

kernel-debug-4.12.14-lp150.12.7.1
kernel-debug-base-4.12.14-lp150.12.7.1
kernel-debug-base-debuginfo-4.12.14-lp150.12.7.1
kernel-debug-debuginfo-4.12.14-lp150.12.7.1
kernel-debug-debugsource-4.12.14-lp150.12.7.1
kernel-debug-devel-4.12.14-lp150.12.7.1
kernel-debug-devel-debuginfo-4.12.14-lp150.12.7.1
kernel-default-4.12.14-lp150.12.7.1
kernel-default-base-4.12.14-lp150.12.7.1
kernel-default-base-debuginfo-4.12.14-lp150.12.7.1
kernel-default-debuginfo-4.12.14-lp150.12.7.1
kernel-default-debugsource-4.12.14-lp150.12.7.1
kernel-default-devel-4.12.14-lp150.12.7.1
kernel-default-devel-debuginfo-4.12.14-lp150.12.7.1
kernel-kvmsmall-4.12.14-lp150.12.7.1
kernel-kvmsmall-base-4.12.14-lp150.12.7.1
kernel-kvmsmall-base-debuginfo-4.12.14-lp150.12.7.1
kernel-kvmsmall-debuginfo-4.12.14-lp150.12.7.1
kernel-kvmsmall-debugsource-4.12.14-lp150.12.7.1
kernel-kvmsmall-devel-4.12.14-lp150.12.7.1
kernel-kvmsmall-devel-debuginfo-4.12.14-lp150.12.7.1
kernel-obs-build-4.12.14-lp150.12.7.1
kernel-obs-build-debugsource-4.12.14-lp150.12.7.1
kernel-obs-qa-4.12.14-lp150.12.7.1
kernel-syms-4.12.14-lp150.12.7.1
kernel-vanilla-4.12.14-lp150.12.7.1
kernel-vanilla-base-4.12.14-lp150.12.7.1
kernel-vanilla-base-debuginfo-4.12.14-lp150.12.7.1
kernel-vanilla-debuginfo-4.12.14-lp150.12.7.1
kernel-vanilla-debugsource-4.12.14-lp150.12.7.1
kernel-vanilla-devel-4.12.14-lp150.12.7.1
kernel-vanilla-devel-debuginfo-4.12.14-lp150.12.7.1

- openSUSE Leap 15.0 (noarch):

kernel-devel-4.12.14-lp150.12.7.1
kernel-docs-4.12.14-lp150.12.7.1
kernel-docs-html-4.12.14-lp150.12.7.1
kernel-macros-4.12.14-lp150.12.7.1
kernel-source-4.12.14-lp150.12.7.1
kernel-source-vanilla-4.12.14-lp150.12.7.1


References:

https://www.suse.com/security/cve/CVE-2017-5715.html
https://www.suse.com/security/cve/CVE-2017-5753.html
https://www.suse.com/security/cve/CVE-2018-1000200.html
https://www.suse.com/security/cve/CVE-2018-1000204.html
https://www.suse.com/security/cve/CVE-2018-10087.html
https://www.suse.com/security/cve/CVE-2018-10124.html
https://www.suse.com/security/cve/CVE-2018-10323.html
https://www.suse.com/security/cve/CVE-2018-1092.html
https://www.suse.com/security/cve/CVE-2018-1093.html
https://www.suse.com/security/cve/CVE-2018-1094.html
https://www.suse.com/security/cve/CVE-2018-1108.html
https://www.suse.com/security/cve/CVE-2018-1118.html
https://www.suse.com/security/cve/CVE-2018-1120.html
https://www.suse.com/security/cve/CVE-2018-1130.html
https://www.suse.com/security/cve/CVE-2018-12233.html
https://www.suse.com/security/cve/CVE-2018-13053.html
https://www.suse.com/security/cve/CVE-2018-13405.html
https://www.suse.com/security/cve/CVE-2018-13406.html
https://www.suse.com/security/cve/CVE-2018-5803.html
https://www.suse.com/security/cve/CVE-2018-5848.html
https://www.suse.com/security/cve/CVE-2018-7492.html
https://www.suse.com/security/cve/CVE-2018-8781.html
https://www.suse.com/security/cve/CVE-2018-9385.html
https://bugzilla.suse.com/1022476
https://bugzilla.suse.com/1046303
https://bugzilla.suse.com/1046305
https://bugzilla.suse.com/1046306
https://bugzilla.suse.com/1046307
https://bugzilla.suse.com/1046540
https://bugzilla.suse.com/1046542
https://bugzilla.suse.com/1046543
https://bugzilla.suse.com/1048129
https://bugzilla.suse.com/1050242
https://bugzilla.suse.com/1050252
https://bugzilla.suse.com/1050529
https://bugzilla.suse.com/1050536
https://bugzilla.suse.com/1050538
https://bugzilla.suse.com/1050545
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1050662
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1052766
https://bugzilla.suse.com/1055117
https://bugzilla.suse.com/1055186
https://bugzilla.suse.com/1055968
https://bugzilla.suse.com/1056427
https://bugzilla.suse.com/1056643
https://bugzilla.suse.com/1056651
https://bugzilla.suse.com/1056653
https://bugzilla.suse.com/1056657
https://bugzilla.suse.com/1056658
https://bugzilla.suse.com/1056662
https://bugzilla.suse.com/1056686
https://bugzilla.suse.com/1056787
https://bugzilla.suse.com/1058115
https://bugzilla.suse.com/1058513
https://bugzilla.suse.com/1058659
https://bugzilla.suse.com/1058717
https://bugzilla.suse.com/1059336
https://bugzilla.suse.com/1060463
https://bugzilla.suse.com/1061024
https://bugzilla.suse.com/1061840
https://bugzilla.suse.com/1062897
https://bugzilla.suse.com/1064802
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1066110
https://bugzilla.suse.com/1066129
https://bugzilla.suse.com/1068032
https://bugzilla.suse.com/1068054
https://bugzilla.suse.com/1068546
https://bugzilla.suse.com/1071218
https://bugzilla.suse.com/1071995
https://bugzilla.suse.com/1072829
https://bugzilla.suse.com/1072856
https://bugzilla.suse.com/1073513
https://bugzilla.suse.com/1073765
https://bugzilla.suse.com/1073960
https://bugzilla.suse.com/1074562
https://bugzilla.suse.com/1074578
https://bugzilla.suse.com/1074701
https://bugzilla.suse.com/1074741
https://bugzilla.suse.com/1074873
https://bugzilla.suse.com/1074919
https://bugzilla.suse.com/1074984
https://bugzilla.suse.com/1075006
https://bugzilla.suse.com/1075007
https://bugzilla.suse.com/1075262
https://bugzilla.suse.com/1075419
https://bugzilla.suse.com/1075748
https://bugzilla.suse.com/1075876
https://bugzilla.suse.com/1076049
https://bugzilla.suse.com/1076115
https://bugzilla.suse.com/1076372
https://bugzilla.suse.com/1076830
https://bugzilla.suse.com/1077338
https://bugzilla.suse.com/1078248
https://bugzilla.suse.com/1078353
https://bugzilla.suse.com/1079152
https://bugzilla.suse.com/1079747
https://bugzilla.suse.com/1080039
https://bugzilla.suse.com/1080157
https://bugzilla.suse.com/1080542
https://bugzilla.suse.com/1081599
https://bugzilla.suse.com/1082485
https://bugzilla.suse.com/1082504
https://bugzilla.suse.com/1082869
https://bugzilla.suse.com/1082962
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1083684
https://bugzilla.suse.com/1083900
https://bugzilla.suse.com/1084001
https://bugzilla.suse.com/1084570
https://bugzilla.suse.com/1084721
https://bugzilla.suse.com/1085308
https://bugzilla.suse.com/1085341
https://bugzilla.suse.com/1085400
https://bugzilla.suse.com/1085539
https://bugzilla.suse.com/1085626
https://bugzilla.suse.com/1085933
https://bugzilla.suse.com/1085936
https://bugzilla.suse.com/1085937
https://bugzilla.suse.com/1085938
https://bugzilla.suse.com/1085939
https://bugzilla.suse.com/1085941
https://bugzilla.suse.com/1086224
https://bugzilla.suse.com/1086282
https://bugzilla.suse.com/1086283
https://bugzilla.suse.com/1086286
https://bugzilla.suse.com/1086288
https://bugzilla.suse.com/1086319
https://bugzilla.suse.com/1086323
https://bugzilla.suse.com/1086400
https://bugzilla.suse.com/1086467
https://bugzilla.suse.com/1086652
https://bugzilla.suse.com/1086739
https://bugzilla.suse.com/1087084
https://bugzilla.suse.com/1087088
https://bugzilla.suse.com/1087092
https://bugzilla.suse.com/1087205
https://bugzilla.suse.com/1087210
https://bugzilla.suse.com/1087213
https://bugzilla.suse.com/1087214
https://bugzilla.suse.com/1087284
https://bugzilla.suse.com/1087405
https://bugzilla.suse.com/1087458
https://bugzilla.suse.com/1087939
https://bugzilla.suse.com/1087978
https://bugzilla.suse.com/1088273
https://bugzilla.suse.com/1088354
https://bugzilla.suse.com/1088374
https://bugzilla.suse.com/1088690
https://bugzilla.suse.com/1088704
https://bugzilla.suse.com/1088713
https://bugzilla.suse.com/1088722
https://bugzilla.suse.com/1088796
https://bugzilla.suse.com/1088804
https://bugzilla.suse.com/1088821
https://bugzilla.suse.com/1088866
https://bugzilla.suse.com/1088872
https://bugzilla.suse.com/1089074
https://bugzilla.suse.com/1089086
https://bugzilla.suse.com/1089115
https://bugzilla.suse.com/1089141
https://bugzilla.suse.com/1089198
https://bugzilla.suse.com/1089268
https://bugzilla.suse.com/1089271
https://bugzilla.suse.com/1089467
https://bugzilla.suse.com/1089608
https://bugzilla.suse.com/1089644
https://bugzilla.suse.com/1089663
https://bugzilla.suse.com/1089664
https://bugzilla.suse.com/1089667
https://bugzilla.suse.com/1089669
https://bugzilla.suse.com/1089752
https://bugzilla.suse.com/1089753
https://bugzilla.suse.com/1089762
https://bugzilla.suse.com/1089878
https://bugzilla.suse.com/1089889
https://bugzilla.suse.com/1089977
https://bugzilla.suse.com/1090098
https://bugzilla.suse.com/1090150
https://bugzilla.suse.com/1090457
https://bugzilla.suse.com/1090522
https://bugzilla.suse.com/1090534
https://bugzilla.suse.com/1090535
https://bugzilla.suse.com/1090605
https://bugzilla.suse.com/1090643
https://bugzilla.suse.com/1090646
https://bugzilla.suse.com/1090658
https://bugzilla.suse.com/1090717
https://bugzilla.suse.com/1090734
https://bugzilla.suse.com/1090818
https://bugzilla.suse.com/1090888
https://bugzilla.suse.com/1090953
https://bugzilla.suse.com/1091101
https://bugzilla.suse.com/1091158
https://bugzilla.suse.com/1091171
https://bugzilla.suse.com/1091264
https://bugzilla.suse.com/1091424
https://bugzilla.suse.com/1091532
https://bugzilla.suse.com/1091543
https://bugzilla.suse.com/1091594
https://bugzilla.suse.com/1091666
https://bugzilla.suse.com/1091678
https://bugzilla.suse.com/1091686
https://bugzilla.suse.com/1091781
https://bugzilla.suse.com/1091782
https://bugzilla.suse.com/1091815
https://bugzilla.suse.com/1091860
https://bugzilla.suse.com/1091960
https://bugzilla.suse.com/1092100
https://bugzilla.suse.com/1092289
https://bugzilla.suse.com/1092472
https://bugzilla.suse.com/1092566
https://bugzilla.suse.com/1092710
https://bugzilla.suse.com/1092772
https://bugzilla.suse.com/1092888
https://bugzilla.suse.com/1092904
https://bugzilla.suse.com/1092975
https://bugzilla.suse.com/1093023
https://bugzilla.suse.com/1093027
https://bugzilla.suse.com/1093035
https://bugzilla.suse.com/1093118
https://bugzilla.suse.com/1093148
https://bugzilla.suse.com/1093158
https://bugzilla.suse.com/1093184
https://bugzilla.suse.com/1093205
https://bugzilla.suse.com/1093273
https://bugzilla.suse.com/1093290
https://bugzilla.suse.com/1093604
https://bugzilla.suse.com/1093641
https://bugzilla.suse.com/1093649
https://bugzilla.suse.com/1093653
https://bugzilla.suse.com/1093655
https://bugzilla.suse.com/1093657
https://bugzilla.suse.com/1093663
https://bugzilla.suse.com/1093721
https://bugzilla.suse.com/1093728
https://bugzilla.suse.com/1093904
https://bugzilla.suse.com/1093990
https://bugzilla.suse.com/1094244
https://bugzilla.suse.com/1094356
https://bugzilla.suse.com/1094420
https://bugzilla.suse.com/1094541
https://bugzilla.suse.com/1094575
https://bugzilla.suse.com/1094751
https://bugzilla.suse.com/1094825
https://bugzilla.suse.com/1094840
https://bugzilla.suse.com/1094978
https://bugzilla.suse.com/1095042
https://bugzilla.suse.com/1095094
https://bugzilla.suse.com/1095104
https://bugzilla.suse.com/1095115
https://bugzilla.suse.com/1095155
https://bugzilla.suse.com/1095265
https://bugzilla.suse.com/1095321
https://bugzilla.suse.com/1095337
https://bugzilla.suse.com/1095467
https://bugzilla.suse.com/1095573
https://bugzilla.suse.com/1095735
https://bugzilla.suse.com/1095893
https://bugzilla.suse.com/1096065
https://bugzilla.suse.com/1096480
https://bugzilla.suse.com/1096529
https://bugzilla.suse.com/1096696
https://bugzilla.suse.com/1096705
https://bugzilla.suse.com/1096728
https://bugzilla.suse.com/1096753
https://bugzilla.suse.com/1096790
https://bugzilla.suse.com/1096793
https://bugzilla.suse.com/1097034
https://bugzilla.suse.com/1097105
https://bugzilla.suse.com/1097234
https://bugzilla.suse.com/1097356
https://bugzilla.suse.com/1097373
https://bugzilla.suse.com/1097439
https://bugzilla.suse.com/1097465
https://bugzilla.suse.com/1097468
https://bugzilla.suse.com/1097470
https://bugzilla.suse.com/1097471
https://bugzilla.suse.com/1097472
https://bugzilla.suse.com/1097551
https://bugzilla.suse.com/1097780
https://bugzilla.suse.com/1097796
https://bugzilla.suse.com/1097800
https://bugzilla.suse.com/1097941
https://bugzilla.suse.com/1097961
https://bugzilla.suse.com/1098016
https://bugzilla.suse.com/1098043
https://bugzilla.suse.com/1098050
https://bugzilla.suse.com/1098174
https://bugzilla.suse.com/1098176
https://bugzilla.suse.com/1098236
https://bugzilla.suse.com/1098401
https://bugzilla.suse.com/1098425
https://bugzilla.suse.com/1098435
https://bugzilla.suse.com/1098599
https://bugzilla.suse.com/1098626
https://bugzilla.suse.com/1098706
https://bugzilla.suse.com/1098983
https://bugzilla.suse.com/1098995
https://bugzilla.suse.com/1099029
https://bugzilla.suse.com/1099041
https://bugzilla.suse.com/1099109
https://bugzilla.suse.com/1099142
https://bugzilla.suse.com/1099183
https://bugzilla.suse.com/1099715
https://bugzilla.suse.com/1099792
https://bugzilla.suse.com/1099918
https://bugzilla.suse.com/1099924
https://bugzilla.suse.com/1099966
https://bugzilla.suse.com/1100132
https://bugzilla.suse.com/1100209
https://bugzilla.suse.com/1100340
https://bugzilla.suse.com/1100362
https://bugzilla.suse.com/1100382
https://bugzilla.suse.com/1100416
https://bugzilla.suse.com/1100418
https://bugzilla.suse.com/1100491
https://bugzilla.suse.com/1100602
https://bugzilla.suse.com/1100633
https://bugzilla.suse.com/1100734
https://bugzilla.suse.com/1100843
https://bugzilla.suse.com/1101296
https://bugzilla.suse.com/1101315
https://bugzilla.suse.com/1101324
https://bugzilla.suse.com/971975
https://bugzilla.suse.com/975772

--


openSUSE-SU-2018:2120-1: moderate: Security update for qutebrowser

openSUSE Security Update: Security update for qutebrowser
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2120-1
Rating: moderate
References: #1100968 #1101507
Cross-References: CVE-2018-1000559 CVE-2018-10895
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for qutebrowser fixes the following issues:

Security issue fixed:

- CVE-2018-1000559: Fix an XSS issue on qute://history (boo#1101507).
- CVE-2018-10895: Fix CSRF issue on the qute://settings page (boo#1100968).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-775=1



Package List:

- openSUSE Leap 15.0 (noarch):

qutebrowser-1.4.1-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000559.html
https://www.suse.com/security/cve/CVE-2018-10895.html
https://bugzilla.suse.com/1100968
https://bugzilla.suse.com/1101507

--


openSUSE-SU-2018:2121-1: moderate: Security update for cinnamon

openSUSE Security Update: Security update for cinnamon
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2121-1
Rating: moderate
References: #1083067
Cross-References: CVE-2018-13054
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cinnamon fixes the following issues:

Security issue fixed:

- CVE-2018-13054: Fix symlink attack vulnerability (boo#1083067).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-768=1



Package List:

- openSUSE Leap 15.0 (noarch):

cinnamon-gschemas-branding-upstream-3.6.7-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

cinnamon-3.6.7-lp150.3.3.1
cinnamon-debuginfo-3.6.7-lp150.3.3.1
cinnamon-debugsource-3.6.7-lp150.3.3.1
cinnamon-gschemas-3.6.7-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-13054.html
https://bugzilla.suse.com/1083067

--


openSUSE-SU-2018:2122-1: moderate: Security update for libgcrypt

openSUSE Security Update: Security update for libgcrypt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2122-1
Rating: moderate
References: #1097410
Cross-References: CVE-2018-0495
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libgcrypt fixes the following issue:

The following security issue was fixed:

- CVE-2018-0495: Fixed a novel side-channel attack, by enabling blinding
for ECDSA signatures (bsc#1097410)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-769=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libgcrypt-cavs-1.8.2-lp150.5.3.1
libgcrypt-cavs-debuginfo-1.8.2-lp150.5.3.1
libgcrypt-debugsource-1.8.2-lp150.5.3.1
libgcrypt-devel-1.8.2-lp150.5.3.1
libgcrypt-devel-debuginfo-1.8.2-lp150.5.3.1
libgcrypt20-1.8.2-lp150.5.3.1
libgcrypt20-debuginfo-1.8.2-lp150.5.3.1
libgcrypt20-hmac-1.8.2-lp150.5.3.1

- openSUSE Leap 15.0 (x86_64):

libgcrypt-devel-32bit-1.8.2-lp150.5.3.1
libgcrypt-devel-32bit-debuginfo-1.8.2-lp150.5.3.1
libgcrypt20-32bit-1.8.2-lp150.5.3.1
libgcrypt20-32bit-debuginfo-1.8.2-lp150.5.3.1
libgcrypt20-hmac-32bit-1.8.2-lp150.5.3.1


References:

https://www.suse.com/security/cve/CVE-2018-0495.html
https://bugzilla.suse.com/1097410

--


openSUSE-SU-2018:2123-1: moderate: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2123-1
Rating: moderate
References: #1094742 #1094745 #1095812 #1096200 #1096203
#1098545 #1098546
Cross-References: CVE-2018-10805 CVE-2018-11624 CVE-2018-11625
CVE-2018-12599 CVE-2018-12600
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 5 vulnerabilities and has two fixes
is now available.

Description:

This update for ImageMagick fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2018-11625: Fixed heap-based buffer over-read in SetGrayscaleImage
in the quantize.c file, which allowed remote attackers to cause buffer
over-read via a crafted file. (bsc#1096200)
- CVE-2018-11624: Fixed a use-after-free issue in the ReadMATImage
function in coders/mat.c. (bsc#1096203)
- CVE-2018-10805: Fixed several memory leaks in bgr.c, rgb.c, cmyk.c,
gray.c, and ycbcr.c (bsc#1095812)
- CVE-2018-12600: The ReadDIBImage and WriteDIBImage functions allowed
attackers to cause an out of bounds write via a crafted file
(bsc#1098545).
- CVE-2018-12599: The ReadBMPImage and WriteBMPImage fucntions allowed
attackers to cause an out of bounds write via a crafted file
(bsc#1098546).

The following other changes were made:

- Fix -gamma issues in special cases. (bsc#1094745, bsc#1094742)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-778=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ImageMagick-7.0.7.34-lp150.2.6.1
ImageMagick-debuginfo-7.0.7.34-lp150.2.6.1
ImageMagick-debugsource-7.0.7.34-lp150.2.6.1
ImageMagick-devel-7.0.7.34-lp150.2.6.1
ImageMagick-extra-7.0.7.34-lp150.2.6.1
ImageMagick-extra-debuginfo-7.0.7.34-lp150.2.6.1
libMagick++-7_Q16HDRI4-7.0.7.34-lp150.2.6.1
libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-lp150.2.6.1
libMagick++-devel-7.0.7.34-lp150.2.6.1
libMagickCore-7_Q16HDRI6-7.0.7.34-lp150.2.6.1
libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.6.1
libMagickWand-7_Q16HDRI6-7.0.7.34-lp150.2.6.1
libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.6.1
perl-PerlMagick-7.0.7.34-lp150.2.6.1
perl-PerlMagick-debuginfo-7.0.7.34-lp150.2.6.1

- openSUSE Leap 15.0 (noarch):

ImageMagick-doc-7.0.7.34-lp150.2.6.1

- openSUSE Leap 15.0 (x86_64):

ImageMagick-devel-32bit-7.0.7.34-lp150.2.6.1
libMagick++-7_Q16HDRI4-32bit-7.0.7.34-lp150.2.6.1
libMagick++-7_Q16HDRI4-32bit-debuginfo-7.0.7.34-lp150.2.6.1
libMagick++-devel-32bit-7.0.7.34-lp150.2.6.1
libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.6.1
libMagickCore-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.6.1
libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.6.1
libMagickWand-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-10805.html
https://www.suse.com/security/cve/CVE-2018-11624.html
https://www.suse.com/security/cve/CVE-2018-11625.html
https://www.suse.com/security/cve/CVE-2018-12599.html
https://www.suse.com/security/cve/CVE-2018-12600.html
https://bugzilla.suse.com/1094742
https://bugzilla.suse.com/1094745
https://bugzilla.suse.com/1095812
https://bugzilla.suse.com/1096200
https://bugzilla.suse.com/1096203
https://bugzilla.suse.com/1098545
https://bugzilla.suse.com/1098546

--


openSUSE-SU-2018:2124-1: moderate: Security update for rubygem-sprockets

openSUSE Security Update: Security update for rubygem-sprockets
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2124-1
Rating: moderate
References: #1098369
Cross-References: CVE-2018-3760
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for rubygem-sprockets fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-3760: Fixed a path traversal issue in
sprockets/server.rb:forbidden_request?(), which allowed remote attackers
to read arbitrary files (bsc#1098369)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-773=1



Package List:

- openSUSE Leap 15.0 (x86_64):

ruby2.5-rubygem-sprockets-3.7.2-lp150.2.3.1
ruby2.5-rubygem-sprockets-doc-3.7.2-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-3760.html
https://bugzilla.suse.com/1098369

--


openSUSE-SU-2018:2125-1: moderate: Security update for cinnamon

openSUSE Security Update: Security update for cinnamon
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2125-1
Rating: moderate
References: #1083067
Cross-References: CVE-2018-13054
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cinnamon fixes the following issues:

Security issue fixed:

- CVE-2018-13054: Fix symlink attack vulnerability (boo#1083067).

Bug fixes:

- Update to version 3.4.6 (changes since 3.4.4):
* osdWindow.js: Always check the theme node on first showing - an
actor's width isn't necessarily filled if it hasn't been explicitly
set, causing the first few activations of the OSD to not show an
accurate level bar.
* cs_default: Fix an incorrect button label (but preserve translations).
* main.js: Remove an obsolete Meta enum member reference.
* workspace.js: Use our normal prototype init method.
* workspace.js: Initalise WindowClone._zoomStep to 0.
* slideshow-applet: Fix a translation.
* cs_themes.py: Create the file "~/.icons/default/index.theme" and set
the selected cursor theme inside of it. This ensures other (non-gtk)
applications end up using the same theme (though they are required to
be restarted for these changes to take effect).
* keyboard-applet: Applet icon vanishes when moved in edit mode.
* cinnamon-json-makepot: Add keyword option, change language used by
xgettext to JavaScript.
* expoThumbnail: Correct a couple of calls with mismatched argument
counts.
* window-list: Set AppMenuButtons unreactive during panel edit mode.
* panel-launchers: Set PanelAppLaunchers unreactive during panel edit
mode.
* windows-quick-list: Fix argument warning.
* Fix a reference to undefined actor._delegate warning.
* ui/environment: Handle undefined actors in
containerClass.prototype.add.
* ui/cinnamonDBus: Handle null xlet objects in
CinnamonDBus.highlightXlet.
* deskletManager: Initialise some variables and remove the variables
that were initialised, probable typo


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-767=1



Package List:

- openSUSE Leap 42.3 (x86_64):

cinnamon-3.4.6-2.3.1
cinnamon-debuginfo-3.4.6-2.3.1
cinnamon-debugsource-3.4.6-2.3.1
cinnamon-gschemas-3.4.6-2.3.1

- openSUSE Leap 42.3 (noarch):

cinnamon-gschemas-branding-upstream-3.4.6-2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-13054.html
https://bugzilla.suse.com/1083067

--


openSUSE-SU-2018:2126-1: moderate: Security update for python

openSUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2126-1
Rating: moderate
References: #1083507
Cross-References: CVE-2017-18207
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python fixes the following issues:

The following security vulnerabilities were addressed:

- Add a check to Lib/wave.py that verifies that at least one channel is
provided. Prior to this, attackers could cause a denial of service via a
crafted wav format audio file. [bsc#1083507, CVE-2017-18207]

This update was imported from the SUSE:SLE-12-SP1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-779=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libpython2_7-1_0-2.7.13-27.6.1
libpython2_7-1_0-debuginfo-2.7.13-27.6.1
python-2.7.13-27.6.1
python-base-2.7.13-27.6.1
python-base-debuginfo-2.7.13-27.6.1
python-base-debugsource-2.7.13-27.6.1
python-curses-2.7.13-27.6.1
python-curses-debuginfo-2.7.13-27.6.1
python-debuginfo-2.7.13-27.6.1
python-debugsource-2.7.13-27.6.1
python-demo-2.7.13-27.6.1
python-devel-2.7.13-27.6.1
python-gdbm-2.7.13-27.6.1
python-gdbm-debuginfo-2.7.13-27.6.1
python-idle-2.7.13-27.6.1
python-tk-2.7.13-27.6.1
python-tk-debuginfo-2.7.13-27.6.1
python-xml-2.7.13-27.6.1
python-xml-debuginfo-2.7.13-27.6.1

- openSUSE Leap 42.3 (noarch):

python-doc-2.7.13-27.6.1
python-doc-pdf-2.7.13-27.6.1

- openSUSE Leap 42.3 (x86_64):

libpython2_7-1_0-32bit-2.7.13-27.6.1
libpython2_7-1_0-debuginfo-32bit-2.7.13-27.6.1
python-32bit-2.7.13-27.6.1
python-base-32bit-2.7.13-27.6.1
python-base-debuginfo-32bit-2.7.13-27.6.1
python-debuginfo-32bit-2.7.13-27.6.1


References:

https://www.suse.com/security/cve/CVE-2017-18207.html
https://bugzilla.suse.com/1083507

--


openSUSE-SU-2018:2127-1: important: Security update for shadow

openSUSE Security Update: Security update for shadow
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2127-1
Rating: important
References: #1099310
Cross-References: CVE-2016-6252
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could results in local
privilege escalation (bsc#1099310)

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-770=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

shadow-4.2.1-16.1
shadow-debuginfo-4.2.1-16.1
shadow-debugsource-4.2.1-16.1


References:

https://www.suse.com/security/cve/CVE-2016-6252.html
https://bugzilla.suse.com/1099310

--


openSUSE-SU-2018:2128-1: moderate: Security update for openssh

openSUSE Security Update: Security update for openssh
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2128-1
Rating: moderate
References: #1076957
Cross-References: CVE-2016-10708
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence
NEWKEYS message (bsc#1076957).

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-765=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

openssh-7.2p2-21.1
openssh-askpass-gnome-7.2p2-21.1
openssh-askpass-gnome-debuginfo-7.2p2-21.1
openssh-cavs-7.2p2-21.1
openssh-cavs-debuginfo-7.2p2-21.1
openssh-debuginfo-7.2p2-21.1
openssh-debugsource-7.2p2-21.1
openssh-fips-7.2p2-21.1
openssh-helpers-7.2p2-21.1
openssh-helpers-debuginfo-7.2p2-21.1


References:

https://www.suse.com/security/cve/CVE-2016-10708.html
https://bugzilla.suse.com/1076957

--


openSUSE-SU-2018:2129-1: moderate: Security update for openssl-1_0_0

openSUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2129-1
Rating: moderate
References: #1097158 #1097624 #1098592
Cross-References: CVE-2018-0732
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for openssl-1_0_0 fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E)
based ciphersuite a malicious server could have sent a very large prime
value to the client. This caused the client to spend an unreasonably
long period of time generating a key for this prime resulting in a hang
until the client has finished. This could be exploited in a Denial Of
Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-763=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libopenssl-1_0_0-devel-1.0.2n-lp150.2.3.1
libopenssl1_0_0-1.0.2n-lp150.2.3.1
libopenssl1_0_0-debuginfo-1.0.2n-lp150.2.3.1
libopenssl1_0_0-hmac-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-debuginfo-1.0.2n-lp150.2.3.1
openssl-1_0_0-1.0.2n-lp150.2.3.1
openssl-1_0_0-cavs-1.0.2n-lp150.2.3.1
openssl-1_0_0-cavs-debuginfo-1.0.2n-lp150.2.3.1
openssl-1_0_0-debuginfo-1.0.2n-lp150.2.3.1
openssl-1_0_0-debugsource-1.0.2n-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libopenssl-1_0_0-devel-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-32bit-debuginfo-1.0.2n-lp150.2.3.1
libopenssl1_0_0-hmac-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-32bit-1.0.2n-lp150.2.3.1
libopenssl1_0_0-steam-32bit-debuginfo-1.0.2n-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

openssl-1_0_0-doc-1.0.2n-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-0732.html
https://bugzilla.suse.com/1097158
https://bugzilla.suse.com/1097624
https://bugzilla.suse.com/1098592

--


openSUSE-SU-2018:2130-1: moderate: Security update for qutebrowser

openSUSE Security Update: Security update for qutebrowser
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2130-1
Rating: moderate
References: #1101507
Cross-References: CVE-2018-1000559
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for qutebrowser fixes the following issues:

Security issue fixed:

- CVE-2018-1000559: Fix an XSS issue on qute://history (boo#1101507).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-774=1



Package List:

- openSUSE Leap 42.3 (noarch):

qutebrowser-0.11.1-2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000559.html
https://bugzilla.suse.com/1101507

--


openSUSE-SU-2018:2131-1: moderate: Security update for bouncycastle

openSUSE Security Update: Security update for bouncycastle
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2131-1
Rating: moderate
References: #1072697 #1100694
Cross-References: CVE-2017-13098 CVE-2018-1000613
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for bouncycastle fixes the following issues:

Security issues fixed:

- CVE-2018-1000613: Fix use of Externally-Controlled Input to Select
Classes or Code ('Unsafe Reflection') (boo#1100694).
- CVE-2017-13098: Fix against Bleichenbacher oracle when not using the
lightweight APIs (boo#1072697).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-776=1



Package List:

- openSUSE Leap 15.0 (noarch):

bouncycastle-1.60-lp150.2.3.1
bouncycastle-javadoc-1.60-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2017-13098.html
https://www.suse.com/security/cve/CVE-2018-1000613.html
https://bugzilla.suse.com/1072697
https://bugzilla.suse.com/1100694

--


openSUSE-SU-2018:2132-1: moderate: Security update for mercurial

openSUSE Security Update: Security update for mercurial
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2132-1
Rating: moderate
References: #1100353 #1100354 #1100355
Cross-References: CVE-2018-13346 CVE-2018-13347 CVE-2018-13348

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for mercurial fixes the following issues:

Security issues fixed:

- CVE-2018-13346: Fix mpatch_apply function in mpatch.c that incorrectly
proceeds in cases where the fragment start is past the end of the
original data (bsc#1100354).
- CVE-2018-13347: Fix mpatch.c that mishandles integer addition and
subtraction (bsc#1100355).
- CVE-2018-13348: Fix the mpatch_decode function in mpatch.c that
mishandles certain situations where there should be at least 12 bytes
remaining after thecurrent position in the patch data (bsc#1100353).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-772=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

mercurial-4.5.2-lp150.2.3.1
mercurial-debuginfo-4.5.2-lp150.2.3.1
mercurial-debugsource-4.5.2-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

mercurial-lang-4.5.2-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-13346.html
https://www.suse.com/security/cve/CVE-2018-13347.html
https://www.suse.com/security/cve/CVE-2018-13348.html
https://bugzilla.suse.com/1100353
https://bugzilla.suse.com/1100354
https://bugzilla.suse.com/1100355

--


openSUSE-SU-2018:2133-1: moderate: Security update for e2fsprogs

openSUSE Security Update: Security update for e2fsprogs
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2133-1
Rating: moderate
References: #1009532 #1038194 #915402 #918346 #960273

Cross-References: CVE-2015-0247 CVE-2015-1572
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has three
fixes is now available.

Description:

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck,
dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is
inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file
system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-771=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

e2fsprogs-1.43.8-lp150.3.3.1
e2fsprogs-debuginfo-1.43.8-lp150.3.3.1
e2fsprogs-debugsource-1.43.8-lp150.3.3.1
e2fsprogs-devel-1.43.8-lp150.3.3.1
libcom_err-devel-1.43.8-lp150.3.3.1
libcom_err-devel-static-1.43.8-lp150.3.3.1
libcom_err2-1.43.8-lp150.3.3.1
libcom_err2-debuginfo-1.43.8-lp150.3.3.1
libext2fs-devel-1.43.8-lp150.3.3.1
libext2fs-devel-static-1.43.8-lp150.3.3.1
libext2fs2-1.43.8-lp150.3.3.1
libext2fs2-debuginfo-1.43.8-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

e2fsprogs-32bit-debuginfo-1.43.8-lp150.3.3.1
libcom_err-devel-32bit-1.43.8-lp150.3.3.1
libcom_err2-32bit-1.43.8-lp150.3.3.1
libcom_err2-32bit-debuginfo-1.43.8-lp150.3.3.1
libext2fs-devel-32bit-1.43.8-lp150.3.3.1
libext2fs2-32bit-1.43.8-lp150.3.3.1
libext2fs2-32bit-debuginfo-1.43.8-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2015-0247.html
https://www.suse.com/security/cve/CVE-2015-1572.html
https://bugzilla.suse.com/1009532
https://bugzilla.suse.com/1038194
https://bugzilla.suse.com/915402
https://bugzilla.suse.com/918346
https://bugzilla.suse.com/960273

--