
The following updates have been released for openSUSE:

openSUSE-SU-2018:2658-1: important: Security update for MozillaThunderbird
openSUSE-SU-2018:2659-1: important: Security update for chromium
openSUSE-SU-2018:2664-1: important: Security update for chromium
openSUSE-SU-2018:2667-1: moderate: Security update for nodejs4
openSUSE-SU-2018:2672-1: Security update for GraphicsMagick
openSUSE-SU-2018:2674-1: important: Security update for MozillaFirefox



openSUSE-SU-2018:2658-1: important: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2658-1
Rating: important
References: #1084603 #1098998
Cross-References: CVE-2018-12359 CVE-2018-12360 CVE-2018-12361
CVE-2018-12362 CVE-2018-12363 CVE-2018-12364
CVE-2018-12365 CVE-2018-12366 CVE-2018-12367
CVE-2018-12371 CVE-2018-5156 CVE-2018-5187
CVE-2018-5188
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for MozillaThunderbird to version 60.0 fixes the following
issues:

These security issues were fixed:

- CVE-2018-12359: Prevent buffer overflow using computed size of canvas
element (bsc#1098998).
- CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998).
- CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998).
- CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998).
- CVE-2018-5156: Prevent media recorder segmentation fault when track type
is changed during capture (bsc#1098998).
- CVE-2018-12363: Prevent use-after-free when appending DOM nodes
(bsc#1098998).
- CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI
plugins (bsc#1098998).
- CVE-2018-12365: Prevent compromised IPC child process listing local
filenames (bsc#1098998).
- CVE-2018-12371: Prevent integer overflow in Skia library during edge
builder allocation (bsc#1098998).
- CVE-2018-12366: Prevent invalid data handling during QCMS
transformations (bsc#1098998).
- CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
(bsc#1098998).
- CVE-2018-5187: Various memory safety bugs (bsc#1098998).
- CVE-2018-5188: Various memory safety bugs (bsc#1098998).

These cannot, in general, be exploited through email, but are potential
risks in browser or browser-like contexts.

These non-security issues were fixed:

- Storing of remote content settings fixed (bsc#1084603)
- Improved message handling and composing
- Improved handling of message templates
- Support for OAuth2 and FIDO U2F
- Various Calendar improvements
- Various fixes and changes to e-mail workflow
- Various IMAP fixes
- Native desktop notifications


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-994=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-994=1



Package List:

- openSUSE Leap 42.3 (x86_64):

MozillaThunderbird-60.0-74.1
MozillaThunderbird-buildsymbols-60.0-74.1
MozillaThunderbird-debuginfo-60.0-74.1
MozillaThunderbird-debugsource-60.0-74.1
MozillaThunderbird-translations-common-60.0-74.1
MozillaThunderbird-translations-other-60.0-74.1

- openSUSE Leap 15.0 (x86_64):

MozillaThunderbird-60.0-lp150.3.14.1
MozillaThunderbird-buildsymbols-60.0-lp150.3.14.1
MozillaThunderbird-debuginfo-60.0-lp150.3.14.1
MozillaThunderbird-debugsource-60.0-lp150.3.14.1
MozillaThunderbird-translations-common-60.0-lp150.3.14.1
MozillaThunderbird-translations-other-60.0-lp150.3.14.1


References:

https://www.suse.com/security/cve/CVE-2018-12359.html
https://www.suse.com/security/cve/CVE-2018-12360.html
https://www.suse.com/security/cve/CVE-2018-12361.html
https://www.suse.com/security/cve/CVE-2018-12362.html
https://www.suse.com/security/cve/CVE-2018-12363.html
https://www.suse.com/security/cve/CVE-2018-12364.html
https://www.suse.com/security/cve/CVE-2018-12365.html
https://www.suse.com/security/cve/CVE-2018-12366.html
https://www.suse.com/security/cve/CVE-2018-12367.html
https://www.suse.com/security/cve/CVE-2018-12371.html
https://www.suse.com/security/cve/CVE-2018-5156.html
https://www.suse.com/security/cve/CVE-2018-5187.html
https://www.suse.com/security/cve/CVE-2018-5188.html
https://bugzilla.suse.com/1084603
https://bugzilla.suse.com/1098998

--


openSUSE-SU-2018:2659-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2659-1
Rating: important
References: #1106341 #1107235
Cross-References: CVE-2017-15430 CVE-2018-16065 CVE-2018-16066
CVE-2018-16067 CVE-2018-16068 CVE-2018-16069
CVE-2018-16070 CVE-2018-16071 CVE-2018-16073
CVE-2018-16074 CVE-2018-16075 CVE-2018-16076
CVE-2018-16077 CVE-2018-16078 CVE-2018-16079
CVE-2018-16080 CVE-2018-16081 CVE-2018-16082
CVE-2018-16083 CVE-2018-16084 CVE-2018-16085
CVE-2018-16086 CVE-2018-16087 CVE-2018-16088

Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes 24 vulnerabilities is now available.

Description:

This update for Chromium to version 69.0.3497.81 fixes multiple issues.

Security issues fixed (boo#1107235):

- CVE-2018-16065: Out of bounds write in V8
- CVE-2018-16066: Out of bounds read in Blink
- CVE-2018-16067: Out of bounds read in WebAudio
- CVE-2018-16068: Out of bounds write in Mojo
- CVE-2018-16069: Out of bounds read in SwiftShader
- CVE-2018-16070: Integer overflow in Skia
- CVE-2018-16071: Use after free in WebRTC
- CVE-2018-16073: Site Isolation bypass after tab restore
- CVE-2018-16074: Site Isolation bypass using Blob URLs
- Out of bounds read in Little-CMS
- CVE-2018-16075: Local file access in Blink
- CVE-2018-16076: Out of bounds read in PDFium
- CVE-2018-16077: Content security policy bypass in Blink
- CVE-2018-16078: Credit card information leak in Autofill
- CVE-2018-16079: URL spoof in permission dialogs
- CVE-2018-16080: URL spoof in full screen mode
- CVE-2018-16081: Local file access in DevTools
- CVE-2018-16082: Stack buffer overflow in SwiftShader
- CVE-2018-16083: Out of bounds read in WebRTC
- CVE-2018-16084: User confirmation bypass in external protocol handling
- CVE-2018-16085: Use after free in Memory Instrumentation
- CVE-2017-15430: Unsafe navigation in Chromecast (boo#1106341)
- CVE-2018-16086: Script injection in New Tab Page
- CVE-2018-16087: Multiple download restriction bypass
- CVE-2018-16088: User gesture requirement bypass

The re2 regular expression library was updated to the current version
2018-09-01.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2018-979=1



Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 s390x x86_64):

libre2-0-20180901-11.1
libre2-0-debuginfo-20180901-11.1
re2-debugsource-20180901-11.1
re2-devel-20180901-11.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (ppc64le):

libre2-0-20180901-11.2
libre2-0-debuginfo-20180901-11.2
re2-debugsource-20180901-11.2
re2-devel-20180901-11.2

- SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

chromedriver-69.0.3497.81-65.1
chromedriver-debuginfo-69.0.3497.81-65.1
chromium-69.0.3497.81-65.1
chromium-debuginfo-69.0.3497.81-65.1
chromium-debugsource-69.0.3497.81-65.1


References:

https://www.suse.com/security/cve/CVE-2017-15430.html
https://www.suse.com/security/cve/CVE-2018-16065.html
https://www.suse.com/security/cve/CVE-2018-16066.html
https://www.suse.com/security/cve/CVE-2018-16067.html
https://www.suse.com/security/cve/CVE-2018-16068.html
https://www.suse.com/security/cve/CVE-2018-16069.html
https://www.suse.com/security/cve/CVE-2018-16070.html
https://www.suse.com/security/cve/CVE-2018-16071.html
https://www.suse.com/security/cve/CVE-2018-16073.html
https://www.suse.com/security/cve/CVE-2018-16074.html
https://www.suse.com/security/cve/CVE-2018-16075.html
https://www.suse.com/security/cve/CVE-2018-16076.html
https://www.suse.com/security/cve/CVE-2018-16077.html
https://www.suse.com/security/cve/CVE-2018-16078.html
https://www.suse.com/security/cve/CVE-2018-16079.html
https://www.suse.com/security/cve/CVE-2018-16080.html
https://www.suse.com/security/cve/CVE-2018-16081.html
https://www.suse.com/security/cve/CVE-2018-16082.html
https://www.suse.com/security/cve/CVE-2018-16083.html
https://www.suse.com/security/cve/CVE-2018-16084.html
https://www.suse.com/security/cve/CVE-2018-16085.html
https://www.suse.com/security/cve/CVE-2018-16086.html
https://www.suse.com/security/cve/CVE-2018-16087.html
https://www.suse.com/security/cve/CVE-2018-16088.html
https://bugzilla.suse.com/1106341
https://bugzilla.suse.com/1107235

--


openSUSE-SU-2018:2664-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2664-1
Rating: important
References: #1106341 #1107235
Cross-References: CVE-2017-15430 CVE-2018-16065 CVE-2018-16066
CVE-2018-16067 CVE-2018-16068 CVE-2018-16069
CVE-2018-16070 CVE-2018-16071 CVE-2018-16073
CVE-2018-16074 CVE-2018-16075 CVE-2018-16076
CVE-2018-16077 CVE-2018-16078 CVE-2018-16079
CVE-2018-16080 CVE-2018-16081 CVE-2018-16082
CVE-2018-16083 CVE-2018-16084 CVE-2018-16085
CVE-2018-16086 CVE-2018-16087 CVE-2018-16088

Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 24 vulnerabilities is now available.

Description:

This update for Chromium to version 69.0.3497.81 fixes multiple issues.

Security issues fixed (boo#1107235):

- CVE-2018-16065: Out of bounds write in V8
- CVE-2018-16066: Out of bounds read in Blink
- CVE-2018-16067: Out of bounds read in WebAudio
- CVE-2018-16068: Out of bounds write in Mojo
- CVE-2018-16069: Out of bounds read in SwiftShader
- CVE-2018-16070: Integer overflow in Skia
- CVE-2018-16071: Use after free in WebRTC
- CVE-2018-16073: Site Isolation bypass after tab restore
- CVE-2018-16074: Site Isolation bypass using Blob URLs
- Out of bounds read in Little-CMS
- CVE-2018-16075: Local file access in Blink
- CVE-2018-16076: Out of bounds read in PDFium
- CVE-2018-16077: Content security policy bypass in Blink
- CVE-2018-16078: Credit card information leak in Autofill
- CVE-2018-16079: URL spoof in permission dialogs
- CVE-2018-16080: URL spoof in full screen mode
- CVE-2018-16081: Local file access in DevTools
- CVE-2018-16082: Stack buffer overflow in SwiftShader
- CVE-2018-16083: Out of bounds read in WebRTC
- CVE-2018-16084: User confirmation bypass in external protocol handling
- CVE-2018-16085: Use after free in Memory Instrumentation
- CVE-2017-15430: Unsafe navigation in Chromecast (boo#1106341)
- CVE-2018-16086: Script injection in New Tab Page
- CVE-2018-16087: Multiple download restriction bypass
- CVE-2018-16088: User gesture requirement bypass

The re2 regular expression library was updated to the current version
2018-09-01.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-979=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-979=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libre2-0-20180901-18.1
libre2-0-debuginfo-20180901-18.1
re2-debugsource-20180901-18.1
re2-devel-20180901-18.1

- openSUSE Leap 42.3 (x86_64):

chromedriver-69.0.3497.81-168.1
chromedriver-debuginfo-69.0.3497.81-168.1
chromium-69.0.3497.81-168.1
chromium-debuginfo-69.0.3497.81-168.1
chromium-debugsource-69.0.3497.81-168.1
libre2-0-32bit-20180901-18.1
libre2-0-debuginfo-32bit-20180901-18.1

- openSUSE Leap 15.0 (i586 x86_64):

libre2-0-20180901-lp150.7.3.1
libre2-0-debuginfo-20180901-lp150.7.3.1
re2-debugsource-20180901-lp150.7.3.1
re2-devel-20180901-lp150.7.3.1

- openSUSE Leap 15.0 (x86_64):

chromedriver-69.0.3497.81-lp150.2.10.1
chromedriver-debuginfo-69.0.3497.81-lp150.2.10.1
chromium-69.0.3497.81-lp150.2.10.1
chromium-debuginfo-69.0.3497.81-lp150.2.10.1
chromium-debugsource-69.0.3497.81-lp150.2.10.1
libre2-0-32bit-20180901-lp150.7.3.1
libre2-0-32bit-debuginfo-20180901-lp150.7.3.1


References:

https://www.suse.com/security/cve/CVE-2017-15430.html
https://www.suse.com/security/cve/CVE-2018-16065.html
https://www.suse.com/security/cve/CVE-2018-16066.html
https://www.suse.com/security/cve/CVE-2018-16067.html
https://www.suse.com/security/cve/CVE-2018-16068.html
https://www.suse.com/security/cve/CVE-2018-16069.html
https://www.suse.com/security/cve/CVE-2018-16070.html
https://www.suse.com/security/cve/CVE-2018-16071.html
https://www.suse.com/security/cve/CVE-2018-16073.html
https://www.suse.com/security/cve/CVE-2018-16074.html
https://www.suse.com/security/cve/CVE-2018-16075.html
https://www.suse.com/security/cve/CVE-2018-16076.html
https://www.suse.com/security/cve/CVE-2018-16077.html
https://www.suse.com/security/cve/CVE-2018-16078.html
https://www.suse.com/security/cve/CVE-2018-16079.html
https://www.suse.com/security/cve/CVE-2018-16080.html
https://www.suse.com/security/cve/CVE-2018-16081.html
https://www.suse.com/security/cve/CVE-2018-16082.html
https://www.suse.com/security/cve/CVE-2018-16083.html
https://www.suse.com/security/cve/CVE-2018-16084.html
https://www.suse.com/security/cve/CVE-2018-16085.html
https://www.suse.com/security/cve/CVE-2018-16086.html
https://www.suse.com/security/cve/CVE-2018-16087.html
https://www.suse.com/security/cve/CVE-2018-16088.html
https://bugzilla.suse.com/1106341
https://bugzilla.suse.com/1107235

--


openSUSE-SU-2018:2667-1: moderate: Security update for nodejs4

openSUSE Security Update: Security update for nodejs4
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2667-1
Rating: moderate
References: #1082318 #1091764 #1097158 #1097748 #1105019

Cross-References: CVE-2018-0732 CVE-2018-12115
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has three
fixes is now available.

Description:

This update for nodejs4 fixes the following issues:

Security issues fixed:

- CVE-2018-12115: Fixed an out-of-bounds memory write in Buffer that could
be used to write to memory outside of a Buffer's memory space
(bsc#1105019)
- Upgrade to OpenSSL 1.0.2p, which fixed:
  - CVE-2018-0732: Client denial-of-service due to large DH parameter
  (bsc#1097158)
  - ECDSA key extraction via local side-channel

Other changes made:

- Recommend same major version npm package (bsc#1097748)
- Use absolute paths in executable shebang lines
- Fix building with ICU61.1 (bsc#1091764)
- Install license with %license, not %doc (bsc#1082318)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-991=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

nodejs4-4.9.1-17.1
nodejs4-debuginfo-4.9.1-17.1
nodejs4-debugsource-4.9.1-17.1
nodejs4-devel-4.9.1-17.1
npm4-4.9.1-17.1

- openSUSE Leap 42.3 (noarch):

nodejs4-docs-4.9.1-17.1


References:

https://www.suse.com/security/cve/CVE-2018-0732.html
https://www.suse.com/security/cve/CVE-2018-12115.html
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1091764
https://bugzilla.suse.com/1097158
https://bugzilla.suse.com/1097748
https://bugzilla.suse.com/1105019

--


openSUSE-SU-2018:2672-1: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2672-1
Rating: low
References: #1106855
Cross-References: CVE-2018-16323
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for GraphicsMagick fixes the following security issue:

- CVE-2018-16323: ReadXBMImage left data uninitialized when processing an
XBM file that has a negative pixel value. If the affected code was used
as a library loaded into a process that includes sensitive information,
that information sometimes can be leaked via the image data
(bsc#1106855).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-993=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

GraphicsMagick-1.3.25-102.1
GraphicsMagick-debuginfo-1.3.25-102.1
GraphicsMagick-debugsource-1.3.25-102.1
GraphicsMagick-devel-1.3.25-102.1
libGraphicsMagick++-Q16-12-1.3.25-102.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-102.1
libGraphicsMagick++-devel-1.3.25-102.1
libGraphicsMagick-Q16-3-1.3.25-102.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-102.1
libGraphicsMagick3-config-1.3.25-102.1
libGraphicsMagickWand-Q16-2-1.3.25-102.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-102.1
perl-GraphicsMagick-1.3.25-102.1
perl-GraphicsMagick-debuginfo-1.3.25-102.1


References:

https://www.suse.com/security/cve/CVE-2018-16323.html
https://bugzilla.suse.com/1106855

--


openSUSE-SU-2018:2674-1: important: Security update for MozillaFirefox

openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2674-1
Rating: important
References: #1066489 #1107343
Cross-References: CVE-2017-16541 CVE-2018-12376 CVE-2018-12377
CVE-2018-12378
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update to Mozilla Firefox 60.2.0esr fixes the following issues:

Security issues fixed (MFSA 2018-21, boo#1107343):

- CVE-2018-12377: Use-after-free in refresh driver timers
- CVE-2018-12378: Use-after-free in IndexedDB
- CVE-2017-16541: Proxy bypass using automount and autofs (boo#1066489)
- CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR
60.2


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-995=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-995=1



Package List:

- openSUSE Leap 42.3 (x86_64):

MozillaFirefox-60.2.0-109.1
MozillaFirefox-branding-upstream-60.2.0-109.1
MozillaFirefox-buildsymbols-60.2.0-109.1
MozillaFirefox-debuginfo-60.2.0-109.1
MozillaFirefox-debugsource-60.2.0-109.1
MozillaFirefox-devel-60.2.0-109.1
MozillaFirefox-translations-common-60.2.0-109.1
MozillaFirefox-translations-other-60.2.0-109.1

- openSUSE Leap 15.0 (x86_64):

MozillaFirefox-60.2.0-lp150.3.14.1
MozillaFirefox-branding-upstream-60.2.0-lp150.3.14.1
MozillaFirefox-buildsymbols-60.2.0-lp150.3.14.1
MozillaFirefox-debuginfo-60.2.0-lp150.3.14.1
MozillaFirefox-debugsource-60.2.0-lp150.3.14.1
MozillaFirefox-devel-60.2.0-lp150.3.14.1
MozillaFirefox-translations-common-60.2.0-lp150.3.14.1
MozillaFirefox-translations-other-60.2.0-lp150.3.14.1


References:

https://www.suse.com/security/cve/CVE-2017-16541.html
https://www.suse.com/security/cve/CVE-2018-12376.html
https://www.suse.com/security/cve/CVE-2018-12377.html
https://www.suse.com/security/cve/CVE-2018-12378.html
https://bugzilla.suse.com/1066489
https://bugzilla.suse.com/1107343

--