SUSE 5181 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2019:1125-1: moderate: Security update for ansible
openSUSE-SU-2019:1126-1: critical: Security update for MozillaThunderbird
openSUSE-SU-2019:1128-1: important: Security update for pdns



openSUSE-SU-2019:1125-1: moderate: Security update for ansible

openSUSE Security Update: Security update for ansible
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1125-1
Rating: moderate
References: #1099808 #1102126 #1109957 #1112959 #1116587
#1118896 #1126503
Cross-References: CVE-2018-10875 CVE-2018-16837 CVE-2018-16859
CVE-2018-16876 CVE-2019-3828
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that solves 5 vulnerabilities and has two fixes
is now available.

Description:

This update for ansible to version 2.7.8 fixes the following issues:

Security issues fixed:

- CVE-2018-16837: Fixed an information leak in user module (bsc#1112959).
- CVE-2018-16859: Fixed an issue which clould allow logging of password in
plaintext in Windows powerShell (bsc#1116587).
- CVE-2019-3828: Fixed a path traversal vulnerability in fetch module
(bsc#1126503).
- CVE-2018-10875: Fixed a potential code execution in ansible.cfg
(bsc#1099808).
- CVE-2018-16876: Fixed an issue which could allow information disclosure
in vvv+ mode with no_log on (bsc#1118896).

Other issues addressed:

- prepare update to 2.7.8 for multiple releases (boo#1102126, boo#1109957)

Release notes:
https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.
7.rst#id1


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-1125=1



Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

ansible-2.7.8-9.1


References:

https://www.suse.com/security/cve/CVE-2018-10875.html
https://www.suse.com/security/cve/CVE-2018-16837.html
https://www.suse.com/security/cve/CVE-2018-16859.html
https://www.suse.com/security/cve/CVE-2018-16876.html
https://www.suse.com/security/cve/CVE-2019-3828.html
https://bugzilla.suse.com/1099808
https://bugzilla.suse.com/1102126
https://bugzilla.suse.com/1109957
https://bugzilla.suse.com/1112959
https://bugzilla.suse.com/1116587
https://bugzilla.suse.com/1118896
https://bugzilla.suse.com/1126503

--


openSUSE-SU-2019:1126-1: critical: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1126-1
Rating: critical
References: #1129821 #1130262
Cross-References: CVE-2018-18506 CVE-2019-5785 CVE-2019-9788
CVE-2019-9790 CVE-2019-9791 CVE-2019-9792
CVE-2019-9793 CVE-2019-9794 CVE-2019-9795
CVE-2019-9796 CVE-2019-9801 CVE-2019-9810
CVE-2019-9813
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

Security issues fixed:

- Update to MozillaThunderbird 60.6.1 (bsc#1130262):

- CVE-2019-9813: Fixed Ionmonkey type confusion with __proto__ mutations
- CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information

- Update to MozillaThunderbird 60.6 (bsc#1129821):

- CVE-2018-18506: Fixed an issue with Proxy Auto-Configuration file
- CVE-2019-9801: Fixed an issue which could allow Windows programs to be
exposed to web content
- CVE-2019-9788: Fixed multiple memory safety bugs
- CVE-2019-9790: Fixed a Use-after-free vulnerability when removing in-use
DOM elements
- CVE-2019-9791: Fixed an incorrect Type inference for constructors
entered through on-stack replacement with IonMonkey
- CVE-2019-9792: Fixed an issue where IonMonkey leaks JS_OPTIMIZED_OUT
magic value to script
- CVE-2019-9793: Fixed multiple improper bounds checks when Spectre
mitigations are disabled
- CVE-2019-9794: Fixed an issue where command line arguments not discarded
during execution
- CVE-2019-9795: Fixed a Type-confusion vulnerability in IonMonkey JIT
compiler
- CVE-2019-9796: Fixed a Use-after-free vulnerability in SMIL animation
controller

Release notes:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-1126=1



Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

MozillaThunderbird-60.6.1-82.1
MozillaThunderbird-buildsymbols-60.6.1-82.1
MozillaThunderbird-translations-common-60.6.1-82.1
MozillaThunderbird-translations-other-60.6.1-82.1


References:

https://www.suse.com/security/cve/CVE-2018-18506.html
https://www.suse.com/security/cve/CVE-2019-5785.html
https://www.suse.com/security/cve/CVE-2019-9788.html
https://www.suse.com/security/cve/CVE-2019-9790.html
https://www.suse.com/security/cve/CVE-2019-9791.html
https://www.suse.com/security/cve/CVE-2019-9792.html
https://www.suse.com/security/cve/CVE-2019-9793.html
https://www.suse.com/security/cve/CVE-2019-9794.html
https://www.suse.com/security/cve/CVE-2019-9795.html
https://www.suse.com/security/cve/CVE-2019-9796.html
https://www.suse.com/security/cve/CVE-2019-9801.html
https://www.suse.com/security/cve/CVE-2019-9810.html
https://www.suse.com/security/cve/CVE-2019-9813.html
https://bugzilla.suse.com/1129821
https://bugzilla.suse.com/1130262

--


openSUSE-SU-2019:1128-1: important: Security update for pdns

openSUSE Security Update: Security update for pdns
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1128-1
Rating: important
References: #1129734
Cross-References: CVE-2019-3871
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
openSUSE Backports SLE-15
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for pdns fixes the following issue:

Security issue fixed:

- CVE-2019-3871: Fixed an insufficient validation in the HTTP remote
backend which could allow a remote user to cause the HTTP backend to
connect to an attacker-specified host instead of the configured one
(bsc#1129734).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1128=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1128=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1128=1

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-1128=1



Package List:

- openSUSE Leap 42.3 (x86_64):

pdns-4.0.3-18.1
pdns-backend-geoip-4.0.3-18.1
pdns-backend-geoip-debuginfo-4.0.3-18.1
pdns-backend-godbc-4.0.3-18.1
pdns-backend-godbc-debuginfo-4.0.3-18.1
pdns-backend-ldap-4.0.3-18.1
pdns-backend-ldap-debuginfo-4.0.3-18.1
pdns-backend-lua-4.0.3-18.1
pdns-backend-lua-debuginfo-4.0.3-18.1
pdns-backend-mydns-4.0.3-18.1
pdns-backend-mydns-debuginfo-4.0.3-18.1
pdns-backend-mysql-4.0.3-18.1
pdns-backend-mysql-debuginfo-4.0.3-18.1
pdns-backend-postgresql-4.0.3-18.1
pdns-backend-postgresql-debuginfo-4.0.3-18.1
pdns-backend-remote-4.0.3-18.1
pdns-backend-remote-debuginfo-4.0.3-18.1
pdns-backend-sqlite3-4.0.3-18.1
pdns-backend-sqlite3-debuginfo-4.0.3-18.1
pdns-debuginfo-4.0.3-18.1
pdns-debugsource-4.0.3-18.1

- openSUSE Leap 15.0 (x86_64):

pdns-4.1.2-lp150.3.10.1
pdns-backend-geoip-4.1.2-lp150.3.10.1
pdns-backend-geoip-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-godbc-4.1.2-lp150.3.10.1
pdns-backend-godbc-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-ldap-4.1.2-lp150.3.10.1
pdns-backend-ldap-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-lua-4.1.2-lp150.3.10.1
pdns-backend-lua-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-mydns-4.1.2-lp150.3.10.1
pdns-backend-mydns-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-mysql-4.1.2-lp150.3.10.1
pdns-backend-mysql-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-postgresql-4.1.2-lp150.3.10.1
pdns-backend-postgresql-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-remote-4.1.2-lp150.3.10.1
pdns-backend-remote-debuginfo-4.1.2-lp150.3.10.1
pdns-backend-sqlite3-4.1.2-lp150.3.10.1
pdns-backend-sqlite3-debuginfo-4.1.2-lp150.3.10.1
pdns-debuginfo-4.1.2-lp150.3.10.1
pdns-debugsource-4.1.2-lp150.3.10.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

pdns-4.1.2-bp150.2.6.1
pdns-backend-geoip-4.1.2-bp150.2.6.1
pdns-backend-godbc-4.1.2-bp150.2.6.1
pdns-backend-ldap-4.1.2-bp150.2.6.1
pdns-backend-lua-4.1.2-bp150.2.6.1
pdns-backend-mydns-4.1.2-bp150.2.6.1
pdns-backend-mysql-4.1.2-bp150.2.6.1
pdns-backend-postgresql-4.1.2-bp150.2.6.1
pdns-backend-remote-4.1.2-bp150.2.6.1
pdns-backend-sqlite3-4.1.2-bp150.2.6.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

pdns-4.1.7-17.1
pdns-backend-godbc-4.1.7-17.1
pdns-backend-ldap-4.1.7-17.1
pdns-backend-lua-4.1.7-17.1
pdns-backend-mydns-4.1.7-17.1
pdns-backend-mysql-4.1.7-17.1
pdns-backend-postgresql-4.1.7-17.1
pdns-backend-remote-4.1.7-17.1
pdns-backend-sqlite3-4.1.7-17.1


References:

https://www.suse.com/security/cve/CVE-2019-3871.html
https://bugzilla.suse.com/1129734

--