SUSE 5152 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2018:2739-1: important: Security update for libzypp, zypper
openSUSE-SU-2018:2740-1: moderate: Security update for tomcat
openSUSE-SU-2018:2741-1: important: Security update for zsh
openSUSE-SU-2018:2742-1: Security update for GraphicsMagick



openSUSE-SU-2018:2739-1: important: Security update for libzypp, zypper

openSUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2739-1
Rating: important
References: #1036304 #1041178 #1043166 #1045735 #1058515
#1066215 #1070770 #1070851 #1082318 #1084525
#1088037 #1088705 #1091624 #1092413 #1093103
#1096217 #1096617 #1096803 #1099847 #1100028
#1100095 #1100427 #1101349 #1102019 #1102429
#408814 #428822 #907538
Cross-References: CVE-2017-9269 CVE-2018-7685
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has 26 fixes
is now available.

Description:

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

- CVE-2018-7685: PackageProvider: Validate RPMs before caching
(bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache
(bsc#1045735)

Changes in libzypp:

- Update to version 17.6.4
- Automatically fetch repository signing key from gpgkey url (bsc#1088037)
- lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
- Check for not imported keys after multi key import from rpmdb
(bsc#1096217)
- Flags: make it std=c++14 ready
- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
- Show GPGME version in log
- Adapt to changes in libgpgme11-11.1.0 breaking the signature
verification (bsc#1100427)
- RepoInfo::provideKey: add report telling where we look for missing keys.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Add new report to request user approval for importing a package key
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- Add filesize check for downloads with known size (bsc#408814)
- Removed superfluous space in translation (bsc#1102019)
- Prevent the system from sleeping during a commit
- RepoManager: Explicitly request repo2solv to generate application pseudo
packages.
- libzypp-devel should not require cmake (bsc#1101349)
- Avoid zombies from ExternalProgram
- Update ApiConfig
- HardLocksFile: Prevent against empty commit without Target having been
been loaded (bsc#1096803)
- lsof: use '-K i' if lsof supports it (bsc#1099847)
- Add filesize check for downloads with known size (bsc#408814)
- Fix detection of metalink downloads and prevent aborting if a metalink
file is larger than the expected data file.
- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
- Make use of %license macro (bsc#1082318)

Security fix in zypper:

- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

- Always set error status if any nr of unknown repositories are passed to
lr and ref (bsc#1093103)
- Notify user about unsupported rpm V3 keys in an old rpm database
(bsc#1096217)
- Detect read only filesystem on system modifying operations (fixes #199)
- Use %license (bsc#1082318)
- Handle repo aliases containing multiple ':' in the PackageArgs parser
(bsc #1041178)
- Fix broken display of detailed query results.
- Fix broken search for items with a dash. (bsc#907538, bsc#1043166,
bsc#1070770)
- Disable repository operations when searching installed packages.
(bsc#1084525)
- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope.
(bsc#1092413)
- Fix some translation errors.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Check for root privileges in zypper verify and si (bsc#1058515)
- XML attribute `packages-to-change` added (bsc#1102429)
- Add expert (allow-*) options to all installer commands (bsc#428822)
- Sort search results by multiple columns (bsc#1066215)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf
(bsc#1100028)
- Set error status if repositories passed to lr and ref are not known
(bsc#1093103)
- Do not override table style in search
- Fix out of bound read in MbsIterator
- Add --supplements switch to search and info
- Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

- convert repo2solv.sh script into a binary tool
- Make use of %license macro (bsc#1082318)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1017=1



Package List:

- openSUSE Leap 15.0 (x86_64):

libsolv-debuginfo-0.6.35-lp150.2.3.1
libsolv-debugsource-0.6.35-lp150.2.3.1
libsolv-demo-0.6.35-lp150.2.3.1
libsolv-demo-debuginfo-0.6.35-lp150.2.3.1
libsolv-devel-0.6.35-lp150.2.3.1
libsolv-devel-debuginfo-0.6.35-lp150.2.3.1
libsolv-tools-0.6.35-lp150.2.3.1
libsolv-tools-debuginfo-0.6.35-lp150.2.3.1
libzypp-17.6.4-lp150.2.3.1
libzypp-debuginfo-17.6.4-lp150.2.3.1
libzypp-debugsource-17.6.4-lp150.2.3.1
libzypp-devel-17.6.4-lp150.2.3.1
libzypp-devel-doc-17.6.4-lp150.2.3.1
perl-solv-0.6.35-lp150.2.3.1
perl-solv-debuginfo-0.6.35-lp150.2.3.1
python-solv-0.6.35-lp150.2.3.1
python-solv-debuginfo-0.6.35-lp150.2.3.1
python3-solv-0.6.35-lp150.2.3.1
python3-solv-debuginfo-0.6.35-lp150.2.3.1
ruby-solv-0.6.35-lp150.2.3.1
ruby-solv-debuginfo-0.6.35-lp150.2.3.1
zypper-1.14.10-lp150.2.3.1
zypper-debuginfo-1.14.10-lp150.2.3.1
zypper-debugsource-1.14.10-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

zypper-aptitude-1.14.10-lp150.2.3.1
zypper-log-1.14.10-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1041178
https://bugzilla.suse.com/1043166
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1058515
https://bugzilla.suse.com/1066215
https://bugzilla.suse.com/1070770
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1084525
https://bugzilla.suse.com/1088037
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1093103
https://bugzilla.suse.com/1096217
https://bugzilla.suse.com/1096617
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1100095
https://bugzilla.suse.com/1100427
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102019
https://bugzilla.suse.com/1102429
https://bugzilla.suse.com/408814
https://bugzilla.suse.com/428822
https://bugzilla.suse.com/907538

--


openSUSE-SU-2018:2740-1: moderate: Security update for tomcat

openSUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2740-1
Rating: moderate
References: #1067720 #1093697 #1095472 #1102379 #1102400
#1102410
Cross-References: CVE-2018-1336 CVE-2018-8014 CVE-2018-8034
CVE-2018-8037
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves four vulnerabilities and has two
fixes is now available.

Description:

This update for tomcat to 8.0.53 fixes the following issues:

Security issue fixed:

- CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with
supplementary characters could have lead to an infinite loop in the
decoder causing a Denial of Service (bsc#1102400).
- CVE-2018-8034: The host name verification when using TLS with the
WebSocket client was missing. It is now enabled by default (bsc#1102379).
- CVE-2018-8037: If an async request was completed by the application at
the same time as the container triggered the async timeout, a race
condition existed that could have resulted in a user seeing a response
intended for a different user. An additional issue was present in the
NIO and NIO2 connectors that did not correctly track the closure of the
connection when an async request was completed by the application and
timed out by the container at the same time. This could also have
resulted in a user seeing a response intended for another user
(bsc#1102410).
- CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).

Bug fixes:

- bsc#1067720: Avoid overwriting of customer's configuration during update.
- bsc#1095472: Add Obsoletes for tomcat6 packages.

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1019=1



Package List:

- openSUSE Leap 42.3 (noarch):

tomcat-8.0.53-15.1
tomcat-admin-webapps-8.0.53-15.1
tomcat-docs-webapp-8.0.53-15.1
tomcat-el-3_0-api-8.0.53-15.1
tomcat-embed-8.0.53-15.1
tomcat-javadoc-8.0.53-15.1
tomcat-jsp-2_3-api-8.0.53-15.1
tomcat-jsvc-8.0.53-15.1
tomcat-lib-8.0.53-15.1
tomcat-servlet-3_1-api-8.0.53-15.1
tomcat-webapps-8.0.53-15.1


References:

https://www.suse.com/security/cve/CVE-2018-1336.html
https://www.suse.com/security/cve/CVE-2018-8014.html
https://www.suse.com/security/cve/CVE-2018-8034.html
https://www.suse.com/security/cve/CVE-2018-8037.html
https://bugzilla.suse.com/1067720
https://bugzilla.suse.com/1093697
https://bugzilla.suse.com/1095472
https://bugzilla.suse.com/1102379
https://bugzilla.suse.com/1102400
https://bugzilla.suse.com/1102410

--


openSUSE-SU-2018:2741-1: important: Security update for zsh

openSUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2741-1
Rating: important
References: #1107294 #1107296
Cross-References: CVE-2018-0502 CVE-2018-13259
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for zsh to version 5.6 fixes the following security issues:

- CVE-2018-0502: The beginning of a #! script file was mishandled,
potentially leading to an execve call to a program named on the second
line (bsc#1107296).
- CVE-2018-13259: Shebang lines exceeding 64 characters were truncated,
potentially leading to an execve call to a program name that is a
substring of the intended one (bsc#1107294).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1018=1



Package List:

- openSUSE Leap 15.0 (x86_64):

zsh-5.6-lp150.2.6.1
zsh-debuginfo-5.6-lp150.2.6.1
zsh-debugsource-5.6-lp150.2.6.1
zsh-htmldoc-5.6-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-0502.html
https://www.suse.com/security/cve/CVE-2018-13259.html
https://bugzilla.suse.com/1107294
https://bugzilla.suse.com/1107296

--


openSUSE-SU-2018:2742-1: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2742-1
Rating: low
References: #1107604 #1107609
Cross-References: CVE-2018-16644 CVE-2018-16645
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for GraphicsMagick fixes the following issues:

- CVE-2018-16644: Added missing check for length in the functions
ReadDCMImage and ReadPICTImage, which allowed remote attackers to cause
a denial of service via a crafted image (bsc#1107609)
- CVE-2018-16645: Prevent excessive memory allocation issue in the
functions ReadBMPImage and ReadDIBImage, which allowed remote attackers
to cause a denial
of service via a crafted image file (bsc#1107604)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1020=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1020=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

GraphicsMagick-1.3.25-105.1
GraphicsMagick-debuginfo-1.3.25-105.1
GraphicsMagick-debugsource-1.3.25-105.1
GraphicsMagick-devel-1.3.25-105.1
libGraphicsMagick++-Q16-12-1.3.25-105.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-105.1
libGraphicsMagick++-devel-1.3.25-105.1
libGraphicsMagick-Q16-3-1.3.25-105.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-105.1
libGraphicsMagick3-config-1.3.25-105.1
libGraphicsMagickWand-Q16-2-1.3.25-105.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-105.1
perl-GraphicsMagick-1.3.25-105.1
perl-GraphicsMagick-debuginfo-1.3.25-105.1

- openSUSE Leap 15.0 (x86_64):

GraphicsMagick-1.3.29-lp150.3.12.1
GraphicsMagick-debuginfo-1.3.29-lp150.3.12.1
GraphicsMagick-debugsource-1.3.29-lp150.3.12.1
GraphicsMagick-devel-1.3.29-lp150.3.12.1
libGraphicsMagick++-Q16-12-1.3.29-lp150.3.12.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.29-lp150.3.12.1
libGraphicsMagick++-devel-1.3.29-lp150.3.12.1
libGraphicsMagick-Q16-3-1.3.29-lp150.3.12.1
libGraphicsMagick-Q16-3-debuginfo-1.3.29-lp150.3.12.1
libGraphicsMagick3-config-1.3.29-lp150.3.12.1
libGraphicsMagickWand-Q16-2-1.3.29-lp150.3.12.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.29-lp150.3.12.1
perl-GraphicsMagick-1.3.29-lp150.3.12.1
perl-GraphicsMagick-debuginfo-1.3.29-lp150.3.12.1


References:

https://www.suse.com/security/cve/CVE-2018-16644.html
https://www.suse.com/security/cve/CVE-2018-16645.html
https://bugzilla.suse.com/1107604
https://bugzilla.suse.com/1107609

--