
The following updates have been released for openSUSE:

openSUSE-SU-2018:2811-1: moderate: Security update for ImageMagick
openSUSE-SU-2018:2813-1: important: Security update for openslp
openSUSE-SU-2018:2816-1: moderate: Security update for nodejs6
openSUSE-SU-2018:2817-1: moderate: Security update for MozillaFirefox
openSUSE-SU-2018:2818-1: moderate: Security update for gdm
openSUSE-SU-2018:2819-1: moderate: Security update for liblouis
openSUSE-SU-2018:2820-1: moderate: Security update for bouncycastle
openSUSE-SU-2018:2827-1: moderate: Security update for jhead
openSUSE-SU-2018:2833-1: Security update for GraphicsMagick



openSUSE-SU-2018:2811-1: moderate: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2811-1
Rating: moderate
References: #1102003 #1102004 #1102005 #1102007 #1105592
#1106855 #1106858
Cross-References: CVE-2018-14434 CVE-2018-14435 CVE-2018-14436
CVE-2018-14437 CVE-2018-16323 CVE-2018-16329

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves 6 vulnerabilities and has one erratum
is now available.

Description:

This update for ImageMagick fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2018-16329: Prevent NULL pointer dereference in the
GetMagickProperty function leading to DoS (bsc#1106858)
- CVE-2018-16323: ReadXBMImage left data uninitialized when processing an
XBM file that has a negative pixel value. If the affected code was used
as a library loaded into a process that includes sensitive information,
that information sometimes can be leaked via the image data (bsc#1106855)
- CVE-2018-14434: Fixed a memory leak for a colormap in WriteMPCImage
(bsc#1102003)
- CVE-2018-14435: Fixed a memory leak in DecodeImage in coders/pcd.c
(bsc#1102007)
- CVE-2018-14436: Fixed a memory leak in ReadMIFFImage in coders/miff.c
(bsc#1102005)
- CVE-2018-14437: Fixed a memory leak in parse8BIM in coders/meta.c
(bsc#1102004)
- Disable PS, PS2, PS3, XPS and PDF coders in default policy.xml
(bsc#1105592)
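The last item is a configuration change rather than a code fix: ImageMagick decides which coders it will run from policy.xml, and the PS/PS2/PS3/XPS/PDF coders hand input to an external Ghostscript-family interpreter. The script below is an added example (not code from the advisory or from the ImageMagick project) that parses a policy.xml and reports which of the five coders named above are still readable. The two policy fragments are constructed for the example and are not copies of the SUSE file; the glob matcher covers only the `*`, `?`, `[...]` and `{a,b}` forms of ImageMagick's pattern syntax, which is enough for the patterns that appear in shipped policy files.

```python
"""Check an ImageMagick policy.xml for the coder blocks the advisory describes."""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders named in the advisory (all hand their input to an external PostScript/PDF interpreter)
ADVISORY_CODERS = ("PS", "PS2", "PS3", "XPS", "PDF")

# Constructed policy fragments (not copies of the SUSE file): one lacks some blocks, one has them all
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS}" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <policy domain="coder" rights="read|write" pattern="PNG" />
</policymap>"""


def _glob_match(name, pattern):
    """Subset of ImageMagick's GlobExpression: *, ?, [...] via fnmatch plus {a,b,...} alternatives.
    Matching is case-sensitive, as it is for coder patterns in policy.xml."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m:
        return any(_glob_match(name, pattern[:m.start()] + alt + pattern[m.end():])
                   for alt in m.group(1).split(","))
    return fnmatch.fnmatchcase(name, pattern)


def coder_rules(policy_xml):
    """(pattern, granted-rights set) for every <policy domain="coder"> element."""
    rules = []
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") == "coder":
            rights = {r.strip().lower() for r in p.get("rights", "").split("|")}
            rules.append((p.get("pattern", ""), rights))
    return rules


def read_blocked(policy_xml, coders=ADVISORY_CODERS):
    """Map coder -> True when some matching coder rule withholds the read right.
    This mirrors ImageMagick's rule that any matching policy lacking a requested right denies it."""
    rules = coder_rules(policy_xml)
    return {c: any(_glob_match(c, pat) and not ({"read", "all"} & rights) for pat, rights in rules)
            for c in coders}


def missing_blocks(policy_xml, coders=ADVISORY_CODERS):
    """Coders from the advisory list that the given policy still allows to be read."""
    return [c for c, blocked in read_blocked(policy_xml, coders).items() if not blocked]


if __name__ == "__main__":
    print("weak policy still allows:", missing_blocks(WEAK_POLICY))          # ['PS2', 'PS3', 'XPS']
    print("hardened policy still allows:", missing_blocks(HARDENED_POLICY))  # []
```

Run `missing_blocks()` against the policy.xml your ImageMagick build actually loads (current releases print the effective policy with `identify -list policy`); an empty list means every coder the advisory names is blocked for reading, whatever mixture of single patterns and `{...}` alternatives the file uses.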

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1038=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ImageMagick-6.8.8.1-67.1
ImageMagick-debuginfo-6.8.8.1-67.1
ImageMagick-debugsource-6.8.8.1-67.1
ImageMagick-devel-6.8.8.1-67.1
ImageMagick-extra-6.8.8.1-67.1
ImageMagick-extra-debuginfo-6.8.8.1-67.1
libMagick++-6_Q16-3-6.8.8.1-67.1
libMagick++-6_Q16-3-debuginfo-6.8.8.1-67.1
libMagick++-devel-6.8.8.1-67.1
libMagickCore-6_Q16-1-6.8.8.1-67.1
libMagickCore-6_Q16-1-debuginfo-6.8.8.1-67.1
libMagickWand-6_Q16-1-6.8.8.1-67.1
libMagickWand-6_Q16-1-debuginfo-6.8.8.1-67.1
perl-PerlMagick-6.8.8.1-67.1
perl-PerlMagick-debuginfo-6.8.8.1-67.1

- openSUSE Leap 42.3 (x86_64):

ImageMagick-devel-32bit-6.8.8.1-67.1
libMagick++-6_Q16-3-32bit-6.8.8.1-67.1
libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-67.1
libMagick++-devel-32bit-6.8.8.1-67.1
libMagickCore-6_Q16-1-32bit-6.8.8.1-67.1
libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-67.1
libMagickWand-6_Q16-1-32bit-6.8.8.1-67.1
libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-67.1

- openSUSE Leap 42.3 (noarch):

ImageMagick-doc-6.8.8.1-67.1


References:

https://www.suse.com/security/cve/CVE-2018-14434.html
https://www.suse.com/security/cve/CVE-2018-14435.html
https://www.suse.com/security/cve/CVE-2018-14436.html
https://www.suse.com/security/cve/CVE-2018-14437.html
https://www.suse.com/security/cve/CVE-2018-16323.html
https://www.suse.com/security/cve/CVE-2018-16329.html
https://bugzilla.suse.com/1102003
https://bugzilla.suse.com/1102004
https://bugzilla.suse.com/1102005
https://bugzilla.suse.com/1102007
https://bugzilla.suse.com/1105592
https://bugzilla.suse.com/1106855
https://bugzilla.suse.com/1106858
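Every advisory on this page follows the same layout: a header with the announcement ID, rating, bugzilla references and CVEs, then "Affected Products:", "Patch Instructions:" with one zypper command per product, and a "Package List:" of fixed name-version-release strings per product and architecture. The script below is an added example (not SUSE tooling) that parses that layout and compares a package inventory against the fixed versions, so a fleet check can tell "still on an older release" from "already patched". The sample advisory is a trimmed copy of the header and package list above; the inventory lines are constructed in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output. The version comparison is a simplified `rpmvercmp` (alternating numeric/alphabetic segments, no tilde or caret handling), which is sufficient for the plain version strings in these package lists.

```python
"""Parse the openSUSE advisory format above and check an RPM inventory against its package list."""
import re
from itertools import zip_longest

# Constructed sample: a trimmed copy of the openSUSE-SU-2018:2811-1 header and package list
SAMPLE_ADVISORY = """\
Announcement ID: openSUSE-SU-2018:2811-1
Rating: moderate
References: #1102003 #1102004 #1105592
Cross-References: CVE-2018-14434 CVE-2018-14435 CVE-2018-14436
CVE-2018-14437 CVE-2018-16323 CVE-2018-16329

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

Patch Instructions:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1038=1

Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ImageMagick-6.8.8.1-67.1
libMagickCore-6_Q16-1-6.8.8.1-67.1

- openSUSE Leap 42.3 (noarch):

ImageMagick-doc-6.8.8.1-67.1

References:
"""

# Constructed inventory in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
SAMPLE_INSTALLED = [
    "ImageMagick-6.8.8.1-66.3",            # older release than the fix: still vulnerable
    "libMagickCore-6_Q16-1-6.8.8.1-67.1",  # already at the fixed level
    "ImageMagick-doc-6.8.8.1-67.1",
    "bash-4.3-83.17.1",                    # not covered by this advisory
]

SECTIONS = ("Description:", "Affected Products:", "Patch Instructions:", "Package List:", "References:")
# name-version-release: the version and release are the last two dash-separated fields
NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def parse_advisory(text):
    """Return id, rating, CVEs, bugzilla ids, products, per-product zypper command and package list."""
    header = text.split("Affected Products:", 1)[0]
    info = {
        "cves": sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", header))),
        "bugs": sorted(set(re.findall(r"#(\d+)", header))),
        "products": [], "patches": {}, "packages": {},
    }
    for key, label in (("id", "Announcement ID:"), ("rating", "Rating:")):
        m = re.search(r"^%s\s*(.+)$" % re.escape(label), header, re.M)
        info[key] = m.group(1).strip() if m else None
    section = target = None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section, target = line, None
        elif not line or line.startswith("_"):
            continue
        elif section == "Affected Products:":
            info["products"].append(line)
        elif section in ("Patch Instructions:", "Package List:") and line.startswith("- ") and line.endswith(":"):
            target = line[2:-1]          # "- openSUSE Leap 42.3 (noarch):" -> product/arch key
            if section == "Package List:":
                info["packages"][target] = []
        elif section == "Patch Instructions:" and target and line.startswith("zypper"):
            info["patches"][target] = line
        elif section == "Package List:" and target and NVR.match(line):
            info["packages"][target].append(NVR.match(line).groups())
    return info


def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare numeric/alphabetic segments left to right; numeric beats
    alphabetic, and when one string runs out the longer one is newer. Returns -1, 0 or 1."""
    for x, y in zip_longest(re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def check_inventory(advisory, installed):
    """Split the installed packages the advisory covers into (outdated, patched) name lists."""
    fixed = {n: (v, r) for pkgs in advisory["packages"].values() for n, v, r in pkgs}
    outdated, patched = [], []
    for entry in installed:
        m = NVR.match(entry.strip())
        if not m or m["name"] not in fixed:
            continue
        order = rpmvercmp(m["ver"], fixed[m["name"]][0]) or rpmvercmp(m["rel"], fixed[m["name"]][1])
        (outdated if order < 0 else patched).append(m["name"])
    return sorted(outdated), sorted(patched)


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print(adv["id"], adv["rating"], adv["cves"], adv["patches"])
    print("outdated / patched:", check_inventory(adv, SAMPLE_INSTALLED))
```

Feed it the full advisory text and a real `rpm -qa` listing and the "outdated" list is exactly the set of hosts or packages on which the product's `zypper in -t patch ...` command from the Patch Instructions still needs to run; packages the advisory does not mention are ignored rather than reported.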

--


openSUSE-SU-2018:2813-1: important: Security update for openslp

openSUSE Security Update: Security update for openslp
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2813-1
Rating: important
References: #1090638
Cross-References: CVE-2017-17833
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openslp fixes the following issues:

- CVE-2017-17833: Fixed a heap-related memory corruption issue that could
manifest as a denial of service or as remote code execution (bsc#1090638)
- Prevented out-of-bounds reads in message parsing

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1040=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

openslp-2.0.0-18.7.1
openslp-debuginfo-2.0.0-18.7.1
openslp-debugsource-2.0.0-18.7.1
openslp-devel-2.0.0-18.7.1
openslp-server-2.0.0-18.7.1
openslp-server-debuginfo-2.0.0-18.7.1

- openSUSE Leap 42.3 (x86_64):

openslp-32bit-2.0.0-18.7.1
openslp-debuginfo-32bit-2.0.0-18.7.1


References:

https://www.suse.com/security/cve/CVE-2017-17833.html
https://bugzilla.suse.com/1090638

--


openSUSE-SU-2018:2816-1: moderate: Security update for nodejs6

openSUSE Security Update: Security update for nodejs6
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2816-1
Rating: moderate
References: #1097158 #1097748 #1105019
Cross-References: CVE-2018-0732 CVE-2018-12115
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has one
erratum is now available.

Description:

This update for nodejs6 to version 6.14.4 fixes the following issues:

Security issues fixed:

- CVE-2018-12115: Fixed an out-of-bounds (OOB) write in Buffer.write() for
UCS-2 encoding (bsc#1105019)
- CVE-2018-0732: Upgraded to OpenSSL 1.0.2p, fixing a client DoS caused by a
large DH parameter (bsc#1097158)

Other issues fixed:

- Recommend same major version npm package (bsc#1097748)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1041=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

nodejs6-6.14.4-15.1
nodejs6-debuginfo-6.14.4-15.1
nodejs6-debugsource-6.14.4-15.1
nodejs6-devel-6.14.4-15.1
npm6-6.14.4-15.1

- openSUSE Leap 42.3 (noarch):

nodejs6-docs-6.14.4-15.1


References:

https://www.suse.com/security/cve/CVE-2018-0732.html
https://www.suse.com/security/cve/CVE-2018-12115.html
https://bugzilla.suse.com/1097158
https://bugzilla.suse.com/1097748
https://bugzilla.suse.com/1105019

--


openSUSE-SU-2018:2817-1: moderate: Security update for MozillaFirefox

openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2817-1
Rating: moderate
References: #1107343 #1109363
Cross-References: CVE-2018-12383 CVE-2018-12385
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for Mozilla Firefox to version 60.2.1esr fixes the following
issues:

Security issues fixed (MFSA 2018-23):

- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
(boo#1109363)
- CVE-2018-12383: Setting a master password did not delete unencrypted
previously stored passwords (boo#1107343)

Bugs fixed:

- Fixed a startup crash affecting users migrating from older ESR releases


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1042=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1042=1



Package List:

- openSUSE Leap 42.3 (x86_64):

MozillaFirefox-60.2.1-112.1
MozillaFirefox-branding-upstream-60.2.1-112.1
MozillaFirefox-buildsymbols-60.2.1-112.1
MozillaFirefox-debuginfo-60.2.1-112.1
MozillaFirefox-debugsource-60.2.1-112.1
MozillaFirefox-devel-60.2.1-112.1
MozillaFirefox-translations-common-60.2.1-112.1
MozillaFirefox-translations-other-60.2.1-112.1

- openSUSE Leap 15.0 (x86_64):

MozillaFirefox-60.2.1-lp150.3.17.1
MozillaFirefox-branding-upstream-60.2.1-lp150.3.17.1
MozillaFirefox-buildsymbols-60.2.1-lp150.3.17.1
MozillaFirefox-debuginfo-60.2.1-lp150.3.17.1
MozillaFirefox-debugsource-60.2.1-lp150.3.17.1
MozillaFirefox-devel-60.2.1-lp150.3.17.1
MozillaFirefox-translations-common-60.2.1-lp150.3.17.1
MozillaFirefox-translations-other-60.2.1-lp150.3.17.1


References:

https://www.suse.com/security/cve/CVE-2018-12383.html
https://www.suse.com/security/cve/CVE-2018-12385.html
https://bugzilla.suse.com/1107343
https://bugzilla.suse.com/1109363

--


openSUSE-SU-2018:2818-1: moderate: Security update for gdm

openSUSE Security Update: Security update for gdm
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2818-1
Rating: moderate
References: #1081947 #1103093 #1103737
Cross-References: CVE-2018-14424
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for gdm provides the following fixes:

This security issue was fixed:

- CVE-2018-14424: The daemon in GDM did not properly unexport display
objects from its D-Bus interface when they were destroyed, which allowed
a local attacker to trigger a use-after-free via a specially crafted
sequence of D-Bus method calls, resulting in a denial of service or
potential code execution (bsc#1103737)

These non-security issues were fixed:

- Enable pam_keyinit module (bsc#1081947)
- Fix a build race in SLE (bsc#1103093)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1037=1



Package List:

- openSUSE Leap 15.0 (x86_64):

gdm-3.26.2.1-lp150.11.3.1
gdm-debuginfo-3.26.2.1-lp150.11.3.1
gdm-debugsource-3.26.2.1-lp150.11.3.1
gdm-devel-3.26.2.1-lp150.11.3.1
libgdm1-3.26.2.1-lp150.11.3.1
libgdm1-debuginfo-3.26.2.1-lp150.11.3.1
typelib-1_0-Gdm-1_0-3.26.2.1-lp150.11.3.1

- openSUSE Leap 15.0 (noarch):

gdm-branding-upstream-3.26.2.1-lp150.11.3.1
gdm-lang-3.26.2.1-lp150.11.3.1
gdmflexiserver-3.26.2.1-lp150.11.3.1


References:

https://www.suse.com/security/cve/CVE-2018-14424.html
https://bugzilla.suse.com/1081947
https://bugzilla.suse.com/1103093
https://bugzilla.suse.com/1103737

--


openSUSE-SU-2018:2819-1: moderate: Security update for liblouis

openSUSE Security Update: Security update for liblouis
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2819-1
Rating: moderate
References: #1095189 #1095825 #1095826 #1095827 #1095945
#1097103
Cross-References: CVE-2018-11440 CVE-2018-11577 CVE-2018-11683
CVE-2018-11684 CVE-2018-11685 CVE-2018-12085

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for liblouis fixes the following issues:

Security issues fixed:

- CVE-2018-11440: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (bsc#1095189)
- CVE-2018-11577: Fixed a segmentation fault in lou_logPrint in logging.c
(bsc#1095945)
- CVE-2018-11683: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1095827)
- CVE-2018-11684: Fixed stack-based buffer overflow in the function
includeFile() in compileTranslationTable.c (bsc#1095826)
- CVE-2018-11685: Fixed a stack-based buffer overflow in the function
compileHyphenation() in compileTranslationTable.c (bsc#1095825)
- CVE-2018-12085: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1097103)

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1039=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

liblouis-data-2.6.4-9.1
liblouis-debugsource-2.6.4-9.1
liblouis-devel-2.6.4-9.1
liblouis-doc-2.6.4-9.1
liblouis-tools-2.6.4-9.1
liblouis-tools-debuginfo-2.6.4-9.1
liblouis9-2.6.4-9.1
liblouis9-debuginfo-2.6.4-9.1
python-louis-2.6.4-9.1


References:

https://www.suse.com/security/cve/CVE-2018-11440.html
https://www.suse.com/security/cve/CVE-2018-11577.html
https://www.suse.com/security/cve/CVE-2018-11683.html
https://www.suse.com/security/cve/CVE-2018-11684.html
https://www.suse.com/security/cve/CVE-2018-11685.html
https://www.suse.com/security/cve/CVE-2018-12085.html
https://bugzilla.suse.com/1095189
https://bugzilla.suse.com/1095825
https://bugzilla.suse.com/1095826
https://bugzilla.suse.com/1095827
https://bugzilla.suse.com/1095945
https://bugzilla.suse.com/1097103

--


openSUSE-SU-2018:2820-1: moderate: Security update for bouncycastle

openSUSE Security Update: Security update for bouncycastle
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2820-1
Rating: moderate
References: #1096291
Cross-References: CVE-2018-1000180
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for bouncycastle fixes the following security issue:

- CVE-2018-1000180: Fixed a flaw in the low-level interface to the RSA key
pair generator: RSA key pairs generated through the low-level API with an
added certainty parameter may have undergone fewer Miller-Rabin (M-R)
primality tests than expected (bsc#1096291).
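Why "fewer M-R tests than expected" matters: each Miller-Rabin round with a random base accepts a composite with probability at most 1/4, so the number of rounds is what turns a requested certainty into an actual error bound for the primes p and q of an RSA key. The script below is an added example, not Bouncy Castle code: it implements a single M-R round, the conservative textbook mapping from certainty to round count (ceil(certainty/2), which is an assumption here; libraries such as Bouncy Castle use their own bit-length-aware schedules), and the candidate loop an RSA generator runs. The composite 2047 = 23 * 89 is used because it is a strong pseudoprime to base 2, so a test that stops after a single round can be fooled.

```python
"""Miller-Rabin rounds versus 'certainty': why fewer rounds than expected weakens an RSA prime check."""
import math
import random


def mr_round(n, a):
    """One Miller-Rabin round with witness base a; True means 'n looks prime to base a'."""
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2**s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False               # a is a witness: n is definitely composite


def rounds_for_certainty(certainty):
    """Generic bound (an assumption for this example, not Bouncy Castle's exact schedule): a
    composite survives one round with probability <= 1/4, so ceil(certainty/2) rounds push the
    false-'prime' probability below 2**-certainty."""
    return max(1, math.ceil(certainty / 2))


def is_probable_prime(n, rounds, rng=None):
    """Trial division by small primes, then `rounds` Miller-Rabin rounds with random bases."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    return all(mr_round(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def random_prime(bits, certainty, rng=None):
    """Draw odd candidates of exactly `bits` bits until one passes the required number of rounds;
    this is the loop an RSA key generator runs for p and q, and `rounds` is what the CVE is about."""
    rng = rng or random.SystemRandom()
    rounds = rounds_for_certainty(certainty)
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rounds, rng):
            return cand


def strong_liar_fraction(n):
    """Fraction of bases in [2, n-2] that fool a single round on composite n (at most about 1/4)."""
    liars = sum(mr_round(n, a) for a in range(2, n - 1))
    return liars / (n - 3)


if __name__ == "__main__":
    # 2047 = 23 * 89 is a strong pseudoprime to base 2: one round with that base accepts it
    print("2047 passes base 2:", mr_round(2047, 2), "| passes base 3:", mr_round(2047, 3))
    print("fraction of liar bases for 2047:", round(strong_liar_fraction(2047), 3))
    print("rounds for certainty 100:", rounds_for_certainty(100))
    p = random_prime(256, 100)
    print("256-bit probable prime of", p.bit_length(), "bits")
```

The liar fraction for 2047 comes out below 1/4, which is the per-round bound the certainty calculation relies on; cutting the round count below what that calculation requires, as the fixed code path did, raises the chance that a composite slips into an RSA modulus, and a modulus with a composite "prime" factor is far easier to factor than its size suggests.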


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1043=1



Package List:

- openSUSE Leap 42.3 (noarch):

bouncycastle-1.60-23.10.1
bouncycastle-javadoc-1.60-23.10.1


References:

https://www.suse.com/security/cve/CVE-2018-1000180.html
https://bugzilla.suse.com/1096291

--


openSUSE-SU-2018:2827-1: moderate: Security update for jhead

openSUSE Security Update: Security update for jhead
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2827-1
Rating: moderate
References: #1108480
Cross-References: CVE-2016-3822 CVE-2018-16554
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for jhead fixes the following security issues:

- CVE-2016-3822: jhead allowed remote attackers to execute arbitrary code or
cause a denial of service (out-of-bounds access) via crafted EXIF data
(bsc#1108480).
- CVE-2018-16554: The ProcessGpsInfo function may have allowed a remote
attacker to cause a denial-of-service attack or unspecified other impact
via a malicious JPEG file, because of inconsistency between float and
double in a sprintf format string during TAG_GPS_ALT handling
(bsc#1108480).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1044=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1044=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1044=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

jhead-3.00-11.1
jhead-debuginfo-3.00-11.1
jhead-debugsource-3.00-11.1

- openSUSE Leap 15.0 (x86_64):

jhead-3.00-lp150.3.3.1
jhead-debuginfo-3.00-lp150.3.3.1
jhead-debugsource-3.00-lp150.3.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

jhead-3.00-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2016-3822.html
https://www.suse.com/security/cve/CVE-2018-16554.html
https://bugzilla.suse.com/1108480

--


openSUSE-SU-2018:2833-1: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2833-1
Rating: low
References: #1108282 #1108283
Cross-References: CVE-2018-16749 CVE-2018-16750
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for GraphicsMagick fixes the following security issues:

- CVE-2018-16750: Prevent memory leak in the formatIPTCfromBuffer function
(bsc#1108283).

An earlier update added a change that also fixed this issue, which was
unknown at the time of release:

- CVE-2018-16749: Added missing NULL check in ReadOneJNGImage that allowed
an attacker to cause a denial of service (WriteBlob assertion failure
and application exit) via a crafted file (bsc#1108282).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1045=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

GraphicsMagick-1.3.25-108.1
GraphicsMagick-debuginfo-1.3.25-108.1
GraphicsMagick-debugsource-1.3.25-108.1
GraphicsMagick-devel-1.3.25-108.1
libGraphicsMagick++-Q16-12-1.3.25-108.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-108.1
libGraphicsMagick++-devel-1.3.25-108.1
libGraphicsMagick-Q16-3-1.3.25-108.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-108.1
libGraphicsMagick3-config-1.3.25-108.1
libGraphicsMagickWand-Q16-2-1.3.25-108.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-108.1
perl-GraphicsMagick-1.3.25-108.1
perl-GraphicsMagick-debuginfo-1.3.25-108.1


References:

https://www.suse.com/security/cve/CVE-2018-16749.html
https://www.suse.com/security/cve/CVE-2018-16750.html
https://bugzilla.suse.com/1108282
https://bugzilla.suse.com/1108283

--