SUSE 5149 Published by

The following updates have been released for openSUSE:

openSUSE-SU-2017:3220-1: important: Security update for exim
openSUSE-SU-2017:3223-1: important: Security update for GraphicsMagick

The following updates are also available for SUSE Linux Enterprise:
SUSE-SU-2017:3212-1: important: Security update for xen
SUSE-SU-2017:3213-1: important: Security update for MozillaFirefox
SUSE-SU-2017:3215-1: important: Security update for shibboleth-sp



openSUSE-SU-2017:3220-1: important: Security update for exim

openSUSE Security Update: Security update for exim
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:3220-1
Rating: important
References: #1069857
Cross-References: CVE-2017-16943
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for exim fixes the following issues:

Security issue fixed:

- CVE-2017-16943: Fix a use-after-free in the SMTP message receive code
(receive_msg) that a remote client could trigger, leading to a crash or
possibly remote code execution (boo#1069857).


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2017-1342=1

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-1342=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.3 (x86_64):

exim-4.86.2-17.1
exim-debuginfo-4.86.2-17.1
exim-debugsource-4.86.2-17.1
eximon-4.86.2-17.1
eximon-debuginfo-4.86.2-17.1
eximstats-html-4.86.2-17.1

- openSUSE Leap 42.2 (x86_64):

exim-4.86.2-10.9.1
exim-debuginfo-4.86.2-10.9.1
exim-debugsource-4.86.2-10.9.1
eximon-4.86.2-10.9.1
eximon-debuginfo-4.86.2-10.9.1
eximstats-html-4.86.2-10.9.1


References:

https://www.suse.com/security/cve/CVE-2017-16943.html
https://bugzilla.suse.com/1069857

openSUSE-SU-2017:3223-1: important: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:3223-1
Rating: important
References: #1050632 #1056162 #1058485 #1058637 #1067181
#1067184 #1067409
Cross-References: CVE-2017-11640 CVE-2017-13737 CVE-2017-14341
CVE-2017-14342 CVE-2017-16545 CVE-2017-16546
CVE-2017-16669
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for GraphicsMagick fixes the following issues:

Security issues fixed:

- CVE-2017-16546: Fix a bug in the ReadWPGImage function in coders/wpg.c
that could lead to a denial of service (bsc#1067181).
- CVE-2017-14342: Fix a memory exhaustion vulnerability in ReadWPGImage in
coders/wpg.c that could lead to a denial of service (bsc#1058485).
- CVE-2017-16669: Fix a bug in coders/wpg.c that allowed remote attackers to
cause a denial of service via crafted files (bsc#1067409).
- CVE-2017-16545: Fix missing validation in the ReadWPGImage function in
coders/wpg.c that could lead to a denial of service (bsc#1067184).
- CVE-2017-14341: Fix an infinite loop in the ReadWPGImage function
(bsc#1058637).
- CVE-2017-13737: Fix an invalid free in the MagickFree function in
magick/memory.c (tiff.c) (bsc#1056162).
- CVE-2017-11640: Fix a NULL pointer dereference in WritePTIFImage() in
coders/tiff.c (bsc#1050632).

All seven issues are triggered by a crafted WPG or TIFF input, so the
exposed surface is any service that decodes or converts user-supplied
images with GraphicsMagick; the expected impact is a crash or memory
exhaustion of that worker rather than code execution.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2017-1346=1

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-1346=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.3 (i586 x86_64):

GraphicsMagick-1.3.25-44.1
GraphicsMagick-debuginfo-1.3.25-44.1
GraphicsMagick-debugsource-1.3.25-44.1
GraphicsMagick-devel-1.3.25-44.1
libGraphicsMagick++-Q16-12-1.3.25-44.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-44.1
libGraphicsMagick++-devel-1.3.25-44.1
libGraphicsMagick-Q16-3-1.3.25-44.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-44.1
libGraphicsMagick3-config-1.3.25-44.1
libGraphicsMagickWand-Q16-2-1.3.25-44.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-44.1
perl-GraphicsMagick-1.3.25-44.1
perl-GraphicsMagick-debuginfo-1.3.25-44.1

- openSUSE Leap 42.2 (i586 x86_64):

GraphicsMagick-1.3.25-11.44.1
GraphicsMagick-debuginfo-1.3.25-11.44.1
GraphicsMagick-debugsource-1.3.25-11.44.1
GraphicsMagick-devel-1.3.25-11.44.1
libGraphicsMagick++-Q16-12-1.3.25-11.44.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-11.44.1
libGraphicsMagick++-devel-1.3.25-11.44.1
libGraphicsMagick-Q16-3-1.3.25-11.44.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-11.44.1
libGraphicsMagick3-config-1.3.25-11.44.1
libGraphicsMagickWand-Q16-2-1.3.25-11.44.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-11.44.1
perl-GraphicsMagick-1.3.25-11.44.1
perl-GraphicsMagick-debuginfo-1.3.25-11.44.1


References:

https://www.suse.com/security/cve/CVE-2017-11640.html
https://www.suse.com/security/cve/CVE-2017-13737.html
https://www.suse.com/security/cve/CVE-2017-14341.html
https://www.suse.com/security/cve/CVE-2017-14342.html
https://www.suse.com/security/cve/CVE-2017-16545.html
https://www.suse.com/security/cve/CVE-2017-16546.html
https://www.suse.com/security/cve/CVE-2017-16669.html
https://bugzilla.suse.com/1050632
https://bugzilla.suse.com/1056162
https://bugzilla.suse.com/1058485
https://bugzilla.suse.com/1058637
https://bugzilla.suse.com/1067181
https://bugzilla.suse.com/1067184
https://bugzilla.suse.com/1067409

SUSE-SU-2017:3212-1: important: Security update for xen

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: SUSE-SU-2017:3212-1
Rating: important
References: #1061075 #1061081 #1061086 #1063123 #1068187
#1068191
Cross-References: CVE-2017-15289 CVE-2017-15592 CVE-2017-15595
CVE-2017-15597
Affected Products:
SUSE Linux Enterprise Server 11-SP3-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves four vulnerabilities and has two
fixes is now available.

Description:

This update for xen fixes several issues.

These security issues were fixed:

- bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD)
code allowed for DoS (XSA-246)
- bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged
guests to retain a writable mapping of freed memory leading to
information leaks, privilege escalation or DoS (XSA-247).
- CVE-2017-15289: The mode4and5 write functions in the Cirrus VGA emulation
of Qemu allowed local OS guest privileged users to cause a denial of
service (out-of-bounds write access and Qemu process crash) via vectors
related to dst calculation (bsc#1063123)
- CVE-2017-15597: A grant copy operation being done on a grant of a dying
domain allowed a malicious guest administrator to corrupt hypervisor
memory, allowing for DoS or potentially privilege escalation and
information leaks (bsc#1061075).
- CVE-2017-15595: x86 PV guest OS users were able to cause a DoS
(unbounded recursion, stack consumption, and hypervisor crash) or
possibly gain privileges via crafted page-table stacking (bsc#1061081).
- CVE-2017-15592: x86 HVM guest OS users were able to cause a DoS
(hypervisor crash) or possibly gain privileges because self-linear
shadow mappings were mishandled for translated guests (bsc#1061086).


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP3-LTSS:

zypper in -t patch slessp3-xen-13366=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

zypper in -t patch sleposp3-xen-13366=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

zypper in -t patch dbgsp3-xen-13366=1

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

xen-kmp-default-4.2.5_21_3.0.101_0.47.106.8-45.16.1
xen-libs-4.2.5_21-45.16.1
xen-tools-domU-4.2.5_21-45.16.1

- SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):

xen-4.2.5_21-45.16.1
xen-doc-html-4.2.5_21-45.16.1
xen-doc-pdf-4.2.5_21-45.16.1
xen-libs-32bit-4.2.5_21-45.16.1
xen-tools-4.2.5_21-45.16.1

- SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.8-45.16.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

xen-kmp-default-4.2.5_21_3.0.101_0.47.106.8-45.16.1
xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.8-45.16.1
xen-libs-4.2.5_21-45.16.1
xen-tools-domU-4.2.5_21-45.16.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

xen-debuginfo-4.2.5_21-45.16.1
xen-debugsource-4.2.5_21-45.16.1


References:

https://www.suse.com/security/cve/CVE-2017-15289.html
https://www.suse.com/security/cve/CVE-2017-15592.html
https://www.suse.com/security/cve/CVE-2017-15595.html
https://www.suse.com/security/cve/CVE-2017-15597.html
https://bugzilla.suse.com/1061075
https://bugzilla.suse.com/1061081
https://bugzilla.suse.com/1061086
https://bugzilla.suse.com/1063123
https://bugzilla.suse.com/1068187
https://bugzilla.suse.com/1068191

SUSE-SU-2017:3213-1: important: Security update for MozillaFirefox

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2017:3213-1
Rating: important
References: #1068101
Cross-References: CVE-2017-7826 CVE-2017-7828 CVE-2017-7830

Affected Products:
SUSE OpenStack Cloud 6
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Server 12-SP1-LTSS
SUSE Linux Enterprise Server 12-LTSS
SUSE Linux Enterprise Desktop 12-SP3
SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for MozillaFirefox ESR 52.5 fixes the following issues:

Security issues fixed:
- CVE-2017-7826: Memory safety bugs fixed (bsc#1068101).
- CVE-2017-7828: Use-after-free of PressShell while restyling layout
(bsc#1068101).
- CVE-2017-7830: Cross-origin URL information leak through Resource Timing
API (bsc#1068101).

Mozilla Foundation Security Advisory (MFSA 2017-25):
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 6:

zypper in -t patch SUSE-OpenStack-Cloud-6-2017-1998=1

- SUSE Linux Enterprise Software Development Kit 12-SP3:

zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1998=1

- SUSE Linux Enterprise Software Development Kit 12-SP2:

zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1998=1

- SUSE Linux Enterprise Server for SAP 12-SP1:

zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1998=1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1998=1

- SUSE Linux Enterprise Server 12-SP3:

zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1998=1

- SUSE Linux Enterprise Server 12-SP2:

zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1998=1

- SUSE Linux Enterprise Server 12-SP1-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1998=1

- SUSE Linux Enterprise Server 12-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-2017-1998=1

- SUSE Linux Enterprise Desktop 12-SP3:

zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2017-1998=1

- SUSE Linux Enterprise Desktop 12-SP2:

zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-1998=1

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE OpenStack Cloud 6 (x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-devel-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-devel-52.5.0esr-109.9.1

- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-devel-52.5.0esr-109.9.1

- SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-devel-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-devel-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-devel-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1

- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

MozillaFirefox-52.5.0esr-109.9.1
MozillaFirefox-debuginfo-52.5.0esr-109.9.1
MozillaFirefox-debugsource-52.5.0esr-109.9.1
MozillaFirefox-translations-52.5.0esr-109.9.1


References:

https://www.suse.com/security/cve/CVE-2017-7826.html
https://www.suse.com/security/cve/CVE-2017-7828.html
https://www.suse.com/security/cve/CVE-2017-7830.html
https://bugzilla.suse.com/1068101

SUSE-SU-2017:3215-1: important: Security update for shibboleth-sp

SUSE Security Update: Security update for shibboleth-sp
______________________________________________________________________________

Announcement ID: SUSE-SU-2017:3215-1
Rating: important
References: #1068689
Cross-References: CVE-2017-16852
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for shibboleth-sp fixes the following issues:

Security issue fixed:

- CVE-2017-16852: Fix the Dynamic MetadataProvider plugin in the Shibboleth
Service Provider, which did not apply the configured metadata filters (the
checks that, among other things, verify metadata signatures and validity)
to metadata fetched on demand, so crafted metadata could have been accepted
(bsc#1068689). Only deployments whose shibboleth2.xml uses a
MetadataProvider of type="Dynamic" are exposed, but the update should be
applied regardless.


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP3:

zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-2001=1

- SUSE Linux Enterprise Software Development Kit 12-SP2:

zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-2001=1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-2001=1

- SUSE Linux Enterprise Server 12-SP3:

zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-2001=1

- SUSE Linux Enterprise Server 12-SP2:

zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-2001=1

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

shibboleth-sp-debuginfo-2.5.5-6.3.1
shibboleth-sp-debugsource-2.5.5-6.3.1
shibboleth-sp-devel-2.5.5-6.3.1

- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

shibboleth-sp-debuginfo-2.5.5-6.3.1
shibboleth-sp-debugsource-2.5.5-6.3.1
shibboleth-sp-devel-2.5.5-6.3.1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

libshibsp-lite6-2.5.5-6.3.1
libshibsp-lite6-debuginfo-2.5.5-6.3.1
libshibsp6-2.5.5-6.3.1
libshibsp6-debuginfo-2.5.5-6.3.1
shibboleth-sp-2.5.5-6.3.1
shibboleth-sp-debuginfo-2.5.5-6.3.1
shibboleth-sp-debugsource-2.5.5-6.3.1

- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

libshibsp-lite6-2.5.5-6.3.1
libshibsp-lite6-debuginfo-2.5.5-6.3.1
libshibsp6-2.5.5-6.3.1
libshibsp6-debuginfo-2.5.5-6.3.1
shibboleth-sp-2.5.5-6.3.1
shibboleth-sp-debuginfo-2.5.5-6.3.1
shibboleth-sp-debugsource-2.5.5-6.3.1

- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):

libshibsp-lite6-2.5.5-6.3.1
libshibsp-lite6-debuginfo-2.5.5-6.3.1
libshibsp6-2.5.5-6.3.1
libshibsp6-debuginfo-2.5.5-6.3.1
shibboleth-sp-2.5.5-6.3.1
shibboleth-sp-debuginfo-2.5.5-6.3.1
shibboleth-sp-debugsource-2.5.5-6.3.1


References:

https://www.suse.com/security/cve/CVE-2017-16852.html
https://bugzilla.suse.com/1068689
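Each of the five advisories above gives a zypper command per product and a Package List of fixed NAME-VERSION-RELEASE builds, but none shows how to confirm, before or after patching, that the installed builds have actually reached those versions. The following shell script is an added example for this digest; it is not SUSE tooling and not part of any advisory. It implements rpm-style version ordering in plain POSIX sh, splits the advisory's package strings into name, version and release, and reports any installed package that is still older than the fix. The ADVISORY and SAMPLE_RPM strings are constructed for the demonstration (the exim build 4.86.2-10.8.1 is a hypothetical older build); on a real host the second input would come from rpm -q as noted in the comments.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisories: check installed package
# builds against the fixed NAME-VERSION-RELEASE strings from a Package List.
# Real input would come from:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' exim eximon GraphicsMagick
# The sample strings at the bottom are constructed for this demonstration.

# Split a version string into rpm-style segments separated by single spaces:
# runs of digits and runs of letters become separate segments.
segs() {
    printf '%s' "$1" | sed -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
                           -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
                           -e 's/[^A-Za-z0-9][^A-Za-z0-9]*/ /g' \
                           -e 's/^ *//' -e 's/ *$//'
}

isnum() { case $1 in ''|*[!0-9]*) return 1;; esac; }

# vercmp A B prints -1, 0 or 1 (A older, equal, newer) following rpmvercmp:
# numeric segments compare as integers, alphabetic ones as strings, a numeric
# segment is newer than an alphabetic one, and when all common segments are
# equal the string with more segments is newer.
vercmp() {
    a=$(segs "$1"); b=$(segs "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        [ -z "$a" ] && { printf '%s\n' -1; return; }
        [ -z "$b" ] && { printf '%s\n' 1; return; }
        sa=${a%% *}; case $a in *" "*) a=${a#* };; *) a="";; esac
        sb=${b%% *}; case $b in *" "*) b=${b#* };; *) b="";; esac
        if isnum "$sa" && isnum "$sb"; then
            sa=$(printf '%s' "$sa" | sed 's/^0*//'); : "${sa:=0}"
            sb=$(printf '%s' "$sb" | sed 's/^0*//'); : "${sb:=0}"
            [ "$sa" -lt "$sb" ] && { printf '%s\n' -1; return; }
            [ "$sa" -gt "$sb" ] && { printf '%s\n' 1; return; }
        elif isnum "$sa"; then printf '%s\n' 1; return
        elif isnum "$sb"; then printf '%s\n' -1; return
        elif [ "$sa" != "$sb" ]; then
            first=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | head -n 1)
            [ "$first" = "$sa" ] && { printf '%s\n' -1; return; }
            printf '%s\n' 1; return
        fi
    done
    printf '%s\n' 0
}

# evrcmp A B compares two VERSION-RELEASE strings: version first, then release.
evrcmp() {
    r=$(vercmp "${1%-*}" "${2%-*}")
    [ "$r" != 0 ] && { printf '%s\n' "$r"; return; }
    vercmp "${1##*-}" "${2##*-}"
}

# is_fixed FIXED_NVR INSTALLED_VR returns 0 when the installed build is at
# least the fixed one, e.g. is_fixed exim-4.86.2-17.1 4.86.2-17.1
is_fixed() {
    f_rel=${1##*-}; f_rest=${1%-*}; f_ver=${f_rest##*-}
    [ "$(evrcmp "$2" "$f_ver-$f_rel")" -ge 0 ]
}

# unpatched ADVISORY_LIST RPM_LINES prints one line per advisory package that
# is installed but older than the fix; packages not installed are skipped
# (rpm's "package X is not installed" line never matches a package name).
unpatched() {
    printf '%s\n' "$1" | while IFS= read -r nvr; do
        [ -z "$nvr" ] && continue
        rel=${nvr##*-}; rest=${nvr%-*}; ver=${rest##*-}; name=${rest%-*}
        inst=$(printf '%s\n' "$2" | awk -v n="$name" '$1==n {print $2}')
        [ -z "$inst" ] && continue
        is_fixed "$nvr" "$inst" || echo "$name $inst < $ver-$rel"
    done
}

# Constructed inputs: Leap 42.2 lines from the two openSUSE Package Lists, and
# a made-up rpm query result where exim is still one build behind the fix.
ADVISORY='exim-4.86.2-10.9.1
eximon-4.86.2-10.9.1
GraphicsMagick-1.3.25-11.44.1
libGraphicsMagick-Q16-3-1.3.25-11.44.1'
SAMPLE_RPM='exim 4.86.2-10.8.1
eximon 4.86.2-10.9.1
GraphicsMagick 1.3.25-11.44.1'

echo "Installed packages still below the fixed build:"
unpatched "$ADVISORY" "$SAMPLE_RPM"
```

On a live system, feed the Package List for your product into ADVISORY and the rpm query output into SAMPLE_RPM; `zypper list-patches` gives the same answer from the repository's point of view, but the rpm comparison is what to trust on a host whose repositories may be stale or mirrored. Updating the package is not the end of the procedure: the exim and shibd daemons keep running the old code until restarted (`zypper ps` lists processes still using deleted files), and the xen hypervisor and kernel module updates take effect only after a reboot.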