SUSE 5145 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2019:1089-1: moderate: Security update for yast2-rmt
openSUSE-SU-2019:1104-1: important: Security update for python-cryptography, python-pyOpenSSL
openSUSE-SU-2019:1105-1: moderate: Security update for openssl-1_0_0
openSUSE-SU-2019:1106-1: important: Security update for python-azure-agent
openSUSE-SU-2019:1107-1: moderate: Security update for tor
openSUSE-SU-2019:1108-1: moderate: Security update for wireshark
openSUSE-SU-2019:1109-1: moderate: Security update for libssh2_org
openSUSE-SU-2019:1110-1: moderate: Security update for lftp
openSUSE-SU-2019:1111-1: important: Security update for openwsman
openSUSE-SU-2019:1112-1: Security update for python-Flask
openSUSE-SU-2019:1113-1: moderate: Security update for putty
openSUSE-SU-2019:1114-1: important: Security update for perl-Email-Address
openSUSE-SU-2019:1115-1: moderate: Security update for libqt5-qtimageformats
openSUSE-SU-2019:1116-1: moderate: Security update for libqt5-qtsvg
openSUSE-SU-2019:1117-1: moderate: Security update for unzip
openSUSE-SU-2019:1118-1: moderate: Security update for libjpeg-turbo
openSUSE-SU-2019:1119-1: important: Security update for ghostscript
openSUSE-SU-2019:1120-1: moderate: Security update for libgxps
openSUSE-SU-2019:1121-1: important: Security update for ghostscript



openSUSE-SU-2019:1089-1: moderate: Security update for yast2-rmt

openSUSE Security Update: Security update for yast2-rmt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1089-1
Rating: moderate
References: #1119835 #1120672 #1123562
Cross-References: CVE-2018-20105
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for yast2-rmt to 1.2.2 fixes the following issues:

Security issue fixed:

- CVE-2018-20105: Pass SSL password to Cheetah CLI interface securely
(bsc#1119835)

Non-security issues fixed:

- Launch as root from gnome-shell menu (bsc#1123562)
- Remove broken hyperlink from help (bsc#1120672)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1089=1



Package List:

- openSUSE Leap 15.0 (noarch):

yast2-rmt-1.2.2-lp150.2.19.1


References:

https://www.suse.com/security/cve/CVE-2018-20105.html
https://bugzilla.suse.com/1119835
https://bugzilla.suse.com/1120672
https://bugzilla.suse.com/1123562

--


openSUSE-SU-2019:1104-1: important: Security update for python-cryptography, python-pyOpenSSL

openSUSE Security Update: Security update for python-cryptography, python-pyOpenSSL
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1104-1
Rating: important
References: #1021578 #1052927 #1111634 #1111635 #1119077

Cross-References: CVE-2018-1000807 CVE-2018-1000808
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has three
fixes is now available.

Description:

This update for python-cryptography, python-pyOpenSSL fixes the following
issues:

Security issues fixed:

- CVE-2018-1000808: A memory leak due to missing reference checking in
PKCS#12 store handling was fixed (bsc#1111634)
- CVE-2018-1000807: A use-after-free in X509 object handling was fixed
(bsc#1111635)

This update also contains the following tracked bug fixes:

- avoid bad interaction with python-cryptography package. (bsc#1021578)
- Avoid regression accessesing non-existing attribute _from_raw_x509_ptr
in object X509 (bsc#1119077)
- Add python-setuptools as a requirement. (bsc#1052927)

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1104=1



Package List:

- openSUSE Leap 42.3 (noarch):

python-pyOpenSSL-16.0.0-5.8.2
python-pyOpenSSL-doc-16.0.0-5.8.2
python3-pyOpenSSL-16.0.0-5.8.2
python3-pyOpenSSL-doc-16.0.0-5.8.2

- openSUSE Leap 42.3 (x86_64):

python-cryptography-1.3.1-5.3.1
python-cryptography-debuginfo-1.3.1-5.3.1
python-cryptography-debugsource-1.3.1-5.3.1
python3-cryptography-1.3.1-5.3.1
python3-cryptography-debuginfo-1.3.1-5.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000807.html
https://www.suse.com/security/cve/CVE-2018-1000808.html
https://bugzilla.suse.com/1021578
https://bugzilla.suse.com/1052927
https://bugzilla.suse.com/1111634
https://bugzilla.suse.com/1111635
https://bugzilla.suse.com/1119077

--


openSUSE-SU-2019:1105-1: moderate: Security update for openssl-1_0_0

openSUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1105-1
Rating: moderate
References: #1117951 #1127080
Cross-References: CVE-2019-1559
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

- The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS
Implementations (bsc#1117951)
- CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under
certain circumstances a TLS server can be forced to respond differently
to a client and lead to the decryption of the data (bsc#1127080).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1105=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libopenssl-1_0_0-devel-1.0.2p-lp150.2.13.1
libopenssl1_0_0-1.0.2p-lp150.2.13.1
libopenssl1_0_0-debuginfo-1.0.2p-lp150.2.13.1
libopenssl1_0_0-hmac-1.0.2p-lp150.2.13.1
openssl-1_0_0-1.0.2p-lp150.2.13.1
openssl-1_0_0-cavs-1.0.2p-lp150.2.13.1
openssl-1_0_0-cavs-debuginfo-1.0.2p-lp150.2.13.1
openssl-1_0_0-debuginfo-1.0.2p-lp150.2.13.1
openssl-1_0_0-debugsource-1.0.2p-lp150.2.13.1

- openSUSE Leap 15.0 (noarch):

openssl-1_0_0-doc-1.0.2p-lp150.2.13.1

- openSUSE Leap 15.0 (x86_64):

libopenssl-1_0_0-devel-32bit-1.0.2p-lp150.2.13.1
libopenssl1_0_0-32bit-1.0.2p-lp150.2.13.1
libopenssl1_0_0-32bit-debuginfo-1.0.2p-lp150.2.13.1
libopenssl1_0_0-hmac-32bit-1.0.2p-lp150.2.13.1


References:

https://www.suse.com/security/cve/CVE-2019-1559.html
https://bugzilla.suse.com/1117951
https://bugzilla.suse.com/1127080

--


openSUSE-SU-2019:1106-1: important: Security update for python-azure-agent

openSUSE Security Update: Security update for python-azure-agent
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1106-1
Rating: important
References: #1127838
Cross-References: CVE-2019-0804
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-azure-agent fixes the following issues:

- CVE-2019-0804: An issue with swapfile handling in the agent created a
data leak situation that exposes system memory data. (bsc#1127838)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1106=1



Package List:

- openSUSE Leap 15.0 (noarch):

python-azure-agent-2.2.36-lp150.5.10.1
python-azure-agent-test-2.2.36-lp150.5.10.1


References:

https://www.suse.com/security/cve/CVE-2019-0804.html
https://bugzilla.suse.com/1127838

--


openSUSE-SU-2019:1107-1: moderate: Security update for tor

openSUSE Security Update: Security update for tor
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1107-1
Rating: moderate
References: #1126340
Cross-References: CVE-2019-8955
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
openSUSE Backports SLE-15
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tor to version 0.3.4.11 fixes the following issues:

Security issue fixed:

- CVE-2019-8955: Fixed a vulnerability in the KIST cell scheduler which
could lead to memory exhaustion and finally Denial-of-Service
(bsc#1126340).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1107=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1107=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1107=1

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-1107=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

tor-0.3.4.11-21.1
tor-debuginfo-0.3.4.11-21.1
tor-debugsource-0.3.4.11-21.1

- openSUSE Leap 15.0 (x86_64):

tor-0.3.4.11-lp150.22.1
tor-debuginfo-0.3.4.11-lp150.22.1
tor-debugsource-0.3.4.11-lp150.22.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

tor-0.3.4.11-bp150.3.6.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

tor-0.3.4.11-20.1


References:

https://www.suse.com/security/cve/CVE-2019-8955.html
https://bugzilla.suse.com/1126340

--


openSUSE-SU-2019:1108-1: moderate: Security update for wireshark

openSUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1108-1
Rating: moderate
References: #1127367 #1127369 #1127370
Cross-References: CVE-2019-9208 CVE-2019-9209 CVE-2019-9214

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for wireshark to version 2.4.13 fixes the following issues:

Security issues fixed:

- CVE-2019-9214: Avoided a dereference of a null coversation which could
make RPCAP dissector crash (bsc#1127367).
- CVE-2019-9209: Fixed a buffer overflow in time values which could make
ASN.1 BER and related dissectors crash (bsc#1127369).
- CVE-2019-9208: Fixed a null pointer dereference which could make TCAP
dissector crash (bsc#1127370).

Release notes:
https://www.wireshark.org/docs/relnotes/wireshark-2.4.13.html

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1108=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libwireshark9-2.4.13-lp150.2.23.1
libwireshark9-debuginfo-2.4.13-lp150.2.23.1
libwiretap7-2.4.13-lp150.2.23.1
libwiretap7-debuginfo-2.4.13-lp150.2.23.1
libwscodecs1-2.4.13-lp150.2.23.1
libwscodecs1-debuginfo-2.4.13-lp150.2.23.1
libwsutil8-2.4.13-lp150.2.23.1
libwsutil8-debuginfo-2.4.13-lp150.2.23.1
wireshark-2.4.13-lp150.2.23.1
wireshark-debuginfo-2.4.13-lp150.2.23.1
wireshark-debugsource-2.4.13-lp150.2.23.1
wireshark-devel-2.4.13-lp150.2.23.1
wireshark-ui-qt-2.4.13-lp150.2.23.1
wireshark-ui-qt-debuginfo-2.4.13-lp150.2.23.1


References:

https://www.suse.com/security/cve/CVE-2019-9208.html
https://www.suse.com/security/cve/CVE-2019-9209.html
https://www.suse.com/security/cve/CVE-2019-9214.html
https://bugzilla.suse.com/1127367
https://bugzilla.suse.com/1127369
https://bugzilla.suse.com/1127370

--


openSUSE-SU-2019:1109-1: moderate: Security update for libssh2_org

openSUSE Security Update: Security update for libssh2_org
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1109-1
Rating: moderate
References: #1128471 #1128472 #1128474 #1128476 #1128480
#1128481 #1128490 #1128492 #1128493
Cross-References: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857
CVE-2019-3858 CVE-2019-3859 CVE-2019-3860
CVE-2019-3861 CVE-2019-3862 CVE-2019-3863

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for libssh2_org fixes the following issues:

Security issues fixed:

- CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH
packets (bsc#1128490).
- CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially
crafted message channel request packet (bsc#1128492).
- CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP
packets (bsc#1128481).
- CVE-2019-3863: Fixed an Integer overflow in user authenicate keyboard
interactive which could allow out-of-bounds writes with specially
crafted keyboard responses (bsc#1128493).
- CVE-2019-3856: Fixed a potential Integer overflow in keyboard
interactive handling which could allow out-of-bounds write with
specially crafted payload (bsc#1128472).
- CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads
due to unchecked use of _libssh2_packet_require and
_libssh2_packet_requirev (bsc#1128480).
- CVE-2019-3855: Fixed a potential Integer overflow in transport read
which could allow out-of-bounds write with specially crafted payload
(bsc#1128471).
- CVE-2019-3858: Fixed a potential zero-byte allocation which could lead
to an out-of-bounds read with a specially crafted SFTP packet
(bsc#1128476).
- CVE-2019-3857: Fixed a potential Integer overflow which could lead to
zero-byte allocation and out-of-bounds with specially crafted message
channel request SSH packet (bsc#1128474).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1109=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libssh2-1-1.8.0-lp150.3.3.1
libssh2-1-debuginfo-1.8.0-lp150.3.3.1
libssh2-devel-1.8.0-lp150.3.3.1
libssh2_org-debugsource-1.8.0-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

libssh2-1-32bit-1.8.0-lp150.3.3.1
libssh2-1-32bit-debuginfo-1.8.0-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-3855.html
https://www.suse.com/security/cve/CVE-2019-3856.html
https://www.suse.com/security/cve/CVE-2019-3857.html
https://www.suse.com/security/cve/CVE-2019-3858.html
https://www.suse.com/security/cve/CVE-2019-3859.html
https://www.suse.com/security/cve/CVE-2019-3860.html
https://www.suse.com/security/cve/CVE-2019-3861.html
https://www.suse.com/security/cve/CVE-2019-3862.html
https://www.suse.com/security/cve/CVE-2019-3863.html
https://bugzilla.suse.com/1128471
https://bugzilla.suse.com/1128472
https://bugzilla.suse.com/1128474
https://bugzilla.suse.com/1128476
https://bugzilla.suse.com/1128480
https://bugzilla.suse.com/1128481
https://bugzilla.suse.com/1128490
https://bugzilla.suse.com/1128492
https://bugzilla.suse.com/1128493

--


openSUSE-SU-2019:1110-1: moderate: Security update for lftp

openSUSE Security Update: Security update for lftp
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1110-1
Rating: moderate
References: #1103367 #1120946
Cross-References: CVE-2018-10916
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for lftp fixes the following issues: Security issue fixed:

- CVE-2018-10916: Fixed an improper file name sanitization which could
lead to loss of integrity of the local system (bsc#1103367).

Other issue addressed:

- The SSH login handling code detects password prompts more reliably
(bsc#1120946).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1110=1



Package List:

- openSUSE Leap 15.0 (x86_64):

lftp-4.8.3-lp150.3.3.1
lftp-debuginfo-4.8.3-lp150.3.3.1
lftp-debugsource-4.8.3-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-10916.html
https://bugzilla.suse.com/1103367
https://bugzilla.suse.com/1120946

--


openSUSE-SU-2019:1111-1: important: Security update for openwsman

openSUSE Security Update: Security update for openwsman
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1111-1
Rating: important
References: #1092206 #1122623
Cross-References: CVE-2019-3816 CVE-2019-3833
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for openwsman fixes the following issues:

Security issues fixed:

- CVE-2019-3816: Fixed a vulnerability in openwsmand deamon which could
lead to arbitary file disclosure (bsc#1122623).
- CVE-2019-3833: Fixed a vulnerability in process_connection() which could
allow an attacker to trigger an infinite loop which leads to Denial of
Service (bsc#1122623).

Other issues addressed:

- Added OpenSSL 1.1 compatibility
- Compilation in debug mode fixed
- Directory listing without authentication fixed (bsc#1092206).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1111=1



Package List:

- openSUSE Leap 15.0 (x86_64):

libwsman-devel-2.6.7-lp150.2.3.1
libwsman3-2.6.7-lp150.2.3.1
libwsman3-debuginfo-2.6.7-lp150.2.3.1
libwsman_clientpp-devel-2.6.7-lp150.2.3.1
libwsman_clientpp1-2.6.7-lp150.2.3.1
libwsman_clientpp1-debuginfo-2.6.7-lp150.2.3.1
openwsman-debuginfo-2.6.7-lp150.2.3.1
openwsman-debugsource-2.6.7-lp150.2.3.1
openwsman-java-2.6.7-lp150.2.3.1
openwsman-perl-2.6.7-lp150.2.3.1
openwsman-perl-debuginfo-2.6.7-lp150.2.3.1
openwsman-ruby-2.6.7-lp150.2.3.1
openwsman-ruby-debuginfo-2.6.7-lp150.2.3.1
openwsman-ruby-docs-2.6.7-lp150.2.3.1
openwsman-server-2.6.7-lp150.2.3.1
openwsman-server-debuginfo-2.6.7-lp150.2.3.1
openwsman-server-plugin-ruby-2.6.7-lp150.2.3.1
openwsman-server-plugin-ruby-debuginfo-2.6.7-lp150.2.3.1
python3-openwsman-2.6.7-lp150.2.3.1
python3-openwsman-debuginfo-2.6.7-lp150.2.3.1
winrs-2.6.7-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-3816.html
https://www.suse.com/security/cve/CVE-2019-3833.html
https://bugzilla.suse.com/1092206
https://bugzilla.suse.com/1122623

--


openSUSE-SU-2019:1112-1: Security update for python-Flask

openSUSE Security Update: Security update for python-Flask
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1112-1
Rating: low
References: #1106279
Cross-References: CVE-2018-1000656
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-Flask to version 0.12.4 fixes the following issues:

Security issue fixed:

- CVE-2018-1000656: Fixed an improper input validation vulnerability in
flask that can result in Large amount of memory usage possibly leading
to denial of service. (bsc#1106279)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1112=1



Package List:

- openSUSE Leap 15.0 (noarch):

python2-Flask-0.12.4-lp150.2.3.1
python2-Flask-doc-0.12.4-lp150.2.3.1
python3-Flask-0.12.4-lp150.2.3.1
python3-Flask-doc-0.12.4-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000656.html
https://bugzilla.suse.com/1106279

--


openSUSE-SU-2019:1113-1: moderate: Security update for putty

openSUSE Security Update: Security update for putty
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1113-1
Rating: moderate
References: #1129633
Cross-References: CVE-2019-9894 CVE-2019-9895 CVE-2019-9896
CVE-2019-9897 CVE-2019-9898
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for putty fixes the following issues:

Update to new upstream release 0.71 [boo#1129633]

* CVE-2019-9894: Fixed a remotely triggerable memory overwrite in RSA key
exchange, which can occur before host key verification potential
recycling of random numbers used in cryptography.
* CVE-2019-9895: Fixed a remotely triggerable buffer overflow in any kind
of server-to-client forwarding.
* CVE-2019-9897: Fixed multiple denial-of-service attacks that can be
triggered by writing to the terminal.
* CVE-2019-9898: Fixed potential recycling of random numbers used in
cryptography
* CVE-2019-9896 (Windows only): Fixed hijacking by a malicious help file
in the same directory as the executable
* Major rewrite of the crypto code to remove cache and timing side
channels.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1113=1



Package List:

- openSUSE Leap 15.0 (x86_64):

putty-0.71-lp150.9.1
putty-debuginfo-0.71-lp150.9.1
putty-debugsource-0.71-lp150.9.1


References:

https://www.suse.com/security/cve/CVE-2019-9894.html
https://www.suse.com/security/cve/CVE-2019-9895.html
https://www.suse.com/security/cve/CVE-2019-9896.html
https://www.suse.com/security/cve/CVE-2019-9897.html
https://www.suse.com/security/cve/CVE-2019-9898.html
https://bugzilla.suse.com/1129633

--


openSUSE-SU-2019:1114-1: important: Security update for perl-Email-Address

openSUSE Security Update: Security update for perl-Email-Address
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1114-1
Rating: important
References: #1098368
Cross-References: CVE-2018-12558
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for perl-Email-Address to version 1.912 fixes the following
issue:

Security issue fixed:

- CVE-2018-12558: Fixed a vulnerability which could allow Denial of
Service in perl module Email::Address (bsc#1098368).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1114=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1114=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1114=1



Package List:

- openSUSE Leap 42.3 (noarch):

perl-Email-Address-1.912-5.3.1

- openSUSE Leap 15.0 (noarch):

perl-Email-Address-1.912-lp150.2.3.1

- openSUSE Backports SLE-15 (noarch):

perl-Email-Address-1.912-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-12558.html
https://bugzilla.suse.com/1098368

--


openSUSE-SU-2019:1115-1: moderate: Security update for libqt5-qtimageformats

openSUSE Security Update: Security update for libqt5-qtimageformats
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1115-1
Rating: moderate
References: #1118598
Cross-References: CVE-2018-19871
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libqt5-qtimageformats fixes the following issues:

Security issues fixed:

- CVE-2018-19871: Fixed CPU exhaustion in QTgaFile (bsc#1118598)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1115=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libqt5-qtimageformats-5.9.4-lp150.2.3.2
libqt5-qtimageformats-debuginfo-5.9.4-lp150.2.3.2
libqt5-qtimageformats-debugsource-5.9.4-lp150.2.3.2
libqt5-qtimageformats-devel-5.9.4-lp150.2.3.2

- openSUSE Leap 15.0 (x86_64):

libqt5-qtimageformats-32bit-5.9.4-lp150.2.3.2
libqt5-qtimageformats-32bit-debuginfo-5.9.4-lp150.2.3.2


References:

https://www.suse.com/security/cve/CVE-2018-19871.html
https://bugzilla.suse.com/1118598

--


openSUSE-SU-2019:1116-1: moderate: Security update for libqt5-qtsvg

openSUSE Security Update: Security update for libqt5-qtsvg
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1116-1
Rating: moderate
References: #1118599
Cross-References: CVE-2018-19869
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libqt5-qtsvg fixes the following issues:

Security issues fixed:

- CVE-2018-19869: Fixed Denial of Service when parsing malformed URL
reference (bsc#1118599)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1116=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libQt5Svg5-5.9.4-lp150.2.3.2
libQt5Svg5-debuginfo-5.9.4-lp150.2.3.2
libqt5-qtsvg-debugsource-5.9.4-lp150.2.3.2
libqt5-qtsvg-devel-5.9.4-lp150.2.3.2
libqt5-qtsvg-examples-5.9.4-lp150.2.3.2
libqt5-qtsvg-examples-debuginfo-5.9.4-lp150.2.3.2

- openSUSE Leap 15.0 (x86_64):

libQt5Svg5-32bit-5.9.4-lp150.2.3.2
libQt5Svg5-32bit-debuginfo-5.9.4-lp150.2.3.2
libqt5-qtsvg-devel-32bit-5.9.4-lp150.2.3.2

- openSUSE Leap 15.0 (noarch):

libqt5-qtsvg-private-headers-devel-5.9.4-lp150.2.3.2


References:

https://www.suse.com/security/cve/CVE-2018-19869.html
https://bugzilla.suse.com/1118599

--


openSUSE-SU-2019:1117-1: moderate: Security update for unzip

openSUSE Security Update: Security update for unzip
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1117-1
Rating: moderate
References: #1110194
Cross-References: CVE-2018-18384
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for unzip fixes the following issues:

- CVE-2018-18384: Fixed a buffer overflow when listing archives
(bsc#1110194)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1117=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

unzip-6.00-lp150.8.3
unzip-debuginfo-6.00-lp150.8.3
unzip-debugsource-6.00-lp150.8.3
unzip-doc-6.00-lp150.8.3

- openSUSE Leap 15.0 (x86_64):

unzip-rcc-6.00-lp150.8.3
unzip-rcc-debuginfo-6.00-lp150.8.3
unzip-rcc-debugsource-6.00-lp150.8.3


References:

https://www.suse.com/security/cve/CVE-2018-18384.html
https://bugzilla.suse.com/1110194

--


openSUSE-SU-2019:1118-1: moderate: Security update for libjpeg-turbo

openSUSE Security Update: Security update for libjpeg-turbo
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1118-1
Rating: moderate
References: #1096209 #1098155 #1128712
Cross-References: CVE-2018-1152 CVE-2018-11813 CVE-2018-14498

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for libjpeg-turbo fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row
function which could allow to an attacker to cause denial of service
(bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in
rdtarga.c, which allowed remote attackers to cause a denial-of-service
via crafted JPG files due to a large loop (bsc#1096209)
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c
caused by a divide by zero when processing a crafted BMP image
(bsc#1098155)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1118=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libjpeg-turbo-1.5.3-lp150.4.3.2
libjpeg-turbo-debuginfo-1.5.3-lp150.4.3.2
libjpeg-turbo-debugsource-1.5.3-lp150.4.3.2
libjpeg62-62.2.0-lp150.4.3.2
libjpeg62-debuginfo-62.2.0-lp150.4.3.2
libjpeg62-devel-62.2.0-lp150.4.3.2
libjpeg62-turbo-1.5.3-lp150.4.3.2
libjpeg62-turbo-debugsource-1.5.3-lp150.4.3.2
libjpeg8-8.1.2-lp150.4.3.2
libjpeg8-debuginfo-8.1.2-lp150.4.3.2
libjpeg8-devel-8.1.2-lp150.4.3.2
libturbojpeg0-8.1.2-lp150.4.3.2
libturbojpeg0-debuginfo-8.1.2-lp150.4.3.2

- openSUSE Leap 15.0 (x86_64):

libjpeg62-32bit-62.2.0-lp150.4.3.2
libjpeg62-32bit-debuginfo-62.2.0-lp150.4.3.2
libjpeg62-devel-32bit-62.2.0-lp150.4.3.2
libjpeg8-32bit-8.1.2-lp150.4.3.2
libjpeg8-32bit-debuginfo-8.1.2-lp150.4.3.2
libjpeg8-devel-32bit-8.1.2-lp150.4.3.2
libturbojpeg0-32bit-8.1.2-lp150.4.3.2
libturbojpeg0-32bit-debuginfo-8.1.2-lp150.4.3.2


References:

https://www.suse.com/security/cve/CVE-2018-1152.html
https://www.suse.com/security/cve/CVE-2018-11813.html
https://www.suse.com/security/cve/CVE-2018-14498.html
https://bugzilla.suse.com/1096209
https://bugzilla.suse.com/1098155
https://bugzilla.suse.com/1128712

--


openSUSE-SU-2019:1119-1: important: Security update for ghostscript

openSUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1119-1
Rating: important
References: #1129186
Cross-References: CVE-2019-3838
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ghostscript fixes the following issue:

Security issue fixed:

- CVE-2019-3838: Fixed a vulnerability which made forceput operator in
DefineResource to be still accessible which could allow access to file
system outside of the constraints of -dSAFER (bsc#1129186).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1119=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ghostscript-9.26a-14.18.1
ghostscript-debuginfo-9.26a-14.18.1
ghostscript-debugsource-9.26a-14.18.1
ghostscript-devel-9.26a-14.18.1
ghostscript-mini-9.26a-14.18.1
ghostscript-mini-debuginfo-9.26a-14.18.1
ghostscript-mini-debugsource-9.26a-14.18.1
ghostscript-mini-devel-9.26a-14.18.1
ghostscript-x11-9.26a-14.18.1
ghostscript-x11-debuginfo-9.26a-14.18.1


References:

https://www.suse.com/security/cve/CVE-2019-3838.html
https://bugzilla.suse.com/1129186

--


openSUSE-SU-2019:1120-1: moderate: Security update for libgxps

openSUSE Security Update: Security update for libgxps
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1120-1
Rating: moderate
References: #1092125
Cross-References: CVE-2018-10733
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libgxps fixes the following issues:

- CVE-2018-10733: Fixed a heap-based buffer over-read issue in
ft_font_face_hash (bsc#1092125).


This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1120=1



Package List:

- openSUSE Leap 15.0 (x86_64):

libgxps-debuginfo-0.3.0-lp150.3.3.2
libgxps-debugsource-0.3.0-lp150.3.3.2
libgxps-devel-0.3.0-lp150.3.3.2
libgxps-tools-0.3.0-lp150.3.3.2
libgxps-tools-debuginfo-0.3.0-lp150.3.3.2
libgxps2-0.3.0-lp150.3.3.2
libgxps2-debuginfo-0.3.0-lp150.3.3.2
typelib-1_0-GXPS-0_1-0.3.0-lp150.3.3.2


References:

https://www.suse.com/security/cve/CVE-2018-10733.html
https://bugzilla.suse.com/1092125

--


openSUSE-SU-2019:1121-1: important: Security update for ghostscript

openSUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1121-1
Rating: important
References: #1129186
Cross-References: CVE-2019-3838
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ghostscript fixes the following issue:

Security issue fixed:

- CVE-2019-3838: Fixed a vulnerability which made forceput operator in
DefineResource to be still accessible which could allow access to file
system outside of the constraints of -dSAFER (bsc#1129186).


This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1121=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ghostscript-9.26a-lp150.2.17.2
ghostscript-debuginfo-9.26a-lp150.2.17.2
ghostscript-debugsource-9.26a-lp150.2.17.2
ghostscript-devel-9.26a-lp150.2.17.2
ghostscript-mini-9.26a-lp150.2.17.2
ghostscript-mini-debuginfo-9.26a-lp150.2.17.2
ghostscript-mini-debugsource-9.26a-lp150.2.17.2
ghostscript-mini-devel-9.26a-lp150.2.17.2
ghostscript-x11-9.26a-lp150.2.17.2
ghostscript-x11-debuginfo-9.26a-lp150.2.17.2


References:

https://www.suse.com/security/cve/CVE-2019-3838.html
https://bugzilla.suse.com/1129186

--