The following updates has been released for SUSE:
openSUSE-SU-2018:4029-1: Security update for messagelib
openSUSE-SU-2018:4030-1: moderate: Recommended update for php7
openSUSE-SU-2018:4031-1: moderate: Security update for postgresql10
openSUSE-SU-2018:4032-1: important: Security update for apache2-mod_jk
openSUSE-SU-2018:4034-1: important: Security update for ncurses
openSUSE-SU-2018:4038-1: moderate: Recommended update for php5
openSUSE-SU-2018:4041-1: Security update for rubygem-activejob-5_1
openSUSE-SU-2018:4042-1: moderate: Security update for tomcat
openSUSE-SU-2018:4043-1: important: Security update for pam
openSUSE-SU-2018:4045-1: moderate: Security update for dom4j
openSUSE-SU-2018:4046-1: moderate: Security update for otrs
openSUSE-SU-2018:4029-1: Security update for messagelib
openSUSE-SU-2018:4030-1: moderate: Recommended update for php7
openSUSE-SU-2018:4031-1: moderate: Security update for postgresql10
openSUSE-SU-2018:4032-1: important: Security update for apache2-mod_jk
openSUSE-SU-2018:4034-1: important: Security update for ncurses
openSUSE-SU-2018:4038-1: moderate: Recommended update for php5
openSUSE-SU-2018:4041-1: Security update for rubygem-activejob-5_1
openSUSE-SU-2018:4042-1: moderate: Security update for tomcat
openSUSE-SU-2018:4043-1: important: Security update for pam
openSUSE-SU-2018:4045-1: moderate: Security update for dom4j
openSUSE-SU-2018:4046-1: moderate: Security update for otrs
openSUSE-SU-2018:4029-1: Security update for messagelib
openSUSE Security Update: Security update for messagelib
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4029-1
Rating: low
References: #1117958
Cross-References: CVE-2018-19516
Affected Products:
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for messagelib fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-19516: Fix a potential issue with opening messages in a new
browser window when displaying mails as HTML (boo#1117958).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1508=1
- openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2018-1508=1
Package List:
- openSUSE Leap 15.0 (x86_64):
messagelib-17.12.3-lp150.2.6.1
messagelib-debuginfo-17.12.3-lp150.2.6.1
messagelib-debugsource-17.12.3-lp150.2.6.1
messagelib-devel-17.12.3-lp150.2.6.1
- openSUSE Leap 15.0 (noarch):
messagelib-lang-17.12.3-lp150.2.6.1
- openSUSE Backports SLE-15 (x86_64):
messagelib-17.12.3-bp150.3.6.1
messagelib-devel-17.12.3-bp150.3.6.1
- openSUSE Backports SLE-15 (noarch):
messagelib-lang-17.12.3-bp150.3.6.1
References:
https://www.suse.com/security/cve/CVE-2018-19516.html
https://bugzilla.suse.com/1117958
--
openSUSE-SU-2018:4030-1: moderate: Recommended update for php7
openSUSE Security Update: Recommended update for php7
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4030-1
Rating: moderate
References: #1117107
Cross-References: CVE-2018-19518
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for php7 fixes the following issues:
Security issue fixed:
- CVE-2018-19518: Fixed imap_open script injection flaw (bsc#1117107).
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1507=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
apache2-mod_php7-7.0.7-52.1
apache2-mod_php7-debuginfo-7.0.7-52.1
php7-7.0.7-52.1
php7-bcmath-7.0.7-52.1
php7-bcmath-debuginfo-7.0.7-52.1
php7-bz2-7.0.7-52.1
php7-bz2-debuginfo-7.0.7-52.1
php7-calendar-7.0.7-52.1
php7-calendar-debuginfo-7.0.7-52.1
php7-ctype-7.0.7-52.1
php7-ctype-debuginfo-7.0.7-52.1
php7-curl-7.0.7-52.1
php7-curl-debuginfo-7.0.7-52.1
php7-dba-7.0.7-52.1
php7-dba-debuginfo-7.0.7-52.1
php7-debuginfo-7.0.7-52.1
php7-debugsource-7.0.7-52.1
php7-devel-7.0.7-52.1
php7-dom-7.0.7-52.1
php7-dom-debuginfo-7.0.7-52.1
php7-enchant-7.0.7-52.1
php7-enchant-debuginfo-7.0.7-52.1
php7-exif-7.0.7-52.1
php7-exif-debuginfo-7.0.7-52.1
php7-fastcgi-7.0.7-52.1
php7-fastcgi-debuginfo-7.0.7-52.1
php7-fileinfo-7.0.7-52.1
php7-fileinfo-debuginfo-7.0.7-52.1
php7-firebird-7.0.7-52.1
php7-firebird-debuginfo-7.0.7-52.1
php7-fpm-7.0.7-52.1
php7-fpm-debuginfo-7.0.7-52.1
php7-ftp-7.0.7-52.1
php7-ftp-debuginfo-7.0.7-52.1
php7-gd-7.0.7-52.1
php7-gd-debuginfo-7.0.7-52.1
php7-gettext-7.0.7-52.1
php7-gettext-debuginfo-7.0.7-52.1
php7-gmp-7.0.7-52.1
php7-gmp-debuginfo-7.0.7-52.1
php7-iconv-7.0.7-52.1
php7-iconv-debuginfo-7.0.7-52.1
php7-imap-7.0.7-52.1
php7-imap-debuginfo-7.0.7-52.1
php7-intl-7.0.7-52.1
php7-intl-debuginfo-7.0.7-52.1
php7-json-7.0.7-52.1
php7-json-debuginfo-7.0.7-52.1
php7-ldap-7.0.7-52.1
php7-ldap-debuginfo-7.0.7-52.1
php7-mbstring-7.0.7-52.1
php7-mbstring-debuginfo-7.0.7-52.1
php7-mcrypt-7.0.7-52.1
php7-mcrypt-debuginfo-7.0.7-52.1
php7-mysql-7.0.7-52.1
php7-mysql-debuginfo-7.0.7-52.1
php7-odbc-7.0.7-52.1
php7-odbc-debuginfo-7.0.7-52.1
php7-opcache-7.0.7-52.1
php7-opcache-debuginfo-7.0.7-52.1
php7-openssl-7.0.7-52.1
php7-openssl-debuginfo-7.0.7-52.1
php7-pcntl-7.0.7-52.1
php7-pcntl-debuginfo-7.0.7-52.1
php7-pdo-7.0.7-52.1
php7-pdo-debuginfo-7.0.7-52.1
php7-pgsql-7.0.7-52.1
php7-pgsql-debuginfo-7.0.7-52.1
php7-phar-7.0.7-52.1
php7-phar-debuginfo-7.0.7-52.1
php7-posix-7.0.7-52.1
php7-posix-debuginfo-7.0.7-52.1
php7-pspell-7.0.7-52.1
php7-pspell-debuginfo-7.0.7-52.1
php7-readline-7.0.7-52.1
php7-readline-debuginfo-7.0.7-52.1
php7-shmop-7.0.7-52.1
php7-shmop-debuginfo-7.0.7-52.1
php7-snmp-7.0.7-52.1
php7-snmp-debuginfo-7.0.7-52.1
php7-soap-7.0.7-52.1
php7-soap-debuginfo-7.0.7-52.1
php7-sockets-7.0.7-52.1
php7-sockets-debuginfo-7.0.7-52.1
php7-sqlite-7.0.7-52.1
php7-sqlite-debuginfo-7.0.7-52.1
php7-sysvmsg-7.0.7-52.1
php7-sysvmsg-debuginfo-7.0.7-52.1
php7-sysvsem-7.0.7-52.1
php7-sysvsem-debuginfo-7.0.7-52.1
php7-sysvshm-7.0.7-52.1
php7-sysvshm-debuginfo-7.0.7-52.1
php7-tidy-7.0.7-52.1
php7-tidy-debuginfo-7.0.7-52.1
php7-tokenizer-7.0.7-52.1
php7-tokenizer-debuginfo-7.0.7-52.1
php7-wddx-7.0.7-52.1
php7-wddx-debuginfo-7.0.7-52.1
php7-xmlreader-7.0.7-52.1
php7-xmlreader-debuginfo-7.0.7-52.1
php7-xmlrpc-7.0.7-52.1
php7-xmlrpc-debuginfo-7.0.7-52.1
php7-xmlwriter-7.0.7-52.1
php7-xmlwriter-debuginfo-7.0.7-52.1
php7-xsl-7.0.7-52.1
php7-xsl-debuginfo-7.0.7-52.1
php7-zip-7.0.7-52.1
php7-zip-debuginfo-7.0.7-52.1
php7-zlib-7.0.7-52.1
php7-zlib-debuginfo-7.0.7-52.1
- openSUSE Leap 42.3 (noarch):
php7-pear-7.0.7-52.1
php7-pear-Archive_Tar-7.0.7-52.1
References:
https://www.suse.com/security/cve/CVE-2018-19518.html
https://bugzilla.suse.com/1117107
--
openSUSE-SU-2018:4031-1: moderate: Security update for postgresql10
openSUSE Security Update: Security update for postgresql10
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4031-1
Rating: moderate
References: #1114837
Cross-References: CVE-2018-16850
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2018-16850: Fixed improper quoting of transition table names when
pg_dump emits CREATE TRIGGER could have caused privilege escalation
(bsc#1114837).
Non-security issues fixed:
- Update to release 10.6:
* https://www.postgresql.org/docs/current/static/release-10-6.html
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1493=1
Package List:
- openSUSE Leap 15.0 (i586 x86_64):
libecpg6-10.6-lp150.3.6.1
libecpg6-debuginfo-10.6-lp150.3.6.1
libpq5-10.6-lp150.3.6.1
libpq5-debuginfo-10.6-lp150.3.6.1
postgresql10-10.6-lp150.3.6.1
postgresql10-contrib-10.6-lp150.3.6.1
postgresql10-contrib-debuginfo-10.6-lp150.3.6.1
postgresql10-debuginfo-10.6-lp150.3.6.1
postgresql10-debugsource-10.6-lp150.3.6.1
postgresql10-devel-10.6-lp150.3.6.1
postgresql10-devel-debuginfo-10.6-lp150.3.6.1
postgresql10-plperl-10.6-lp150.3.6.1
postgresql10-plperl-debuginfo-10.6-lp150.3.6.1
postgresql10-plpython-10.6-lp150.3.6.1
postgresql10-plpython-debuginfo-10.6-lp150.3.6.1
postgresql10-pltcl-10.6-lp150.3.6.1
postgresql10-pltcl-debuginfo-10.6-lp150.3.6.1
postgresql10-server-10.6-lp150.3.6.1
postgresql10-server-debuginfo-10.6-lp150.3.6.1
postgresql10-test-10.6-lp150.3.6.1
- openSUSE Leap 15.0 (noarch):
postgresql10-docs-10.6-lp150.3.6.1
- openSUSE Leap 15.0 (x86_64):
libecpg6-32bit-10.6-lp150.3.6.1
libecpg6-32bit-debuginfo-10.6-lp150.3.6.1
libpq5-32bit-10.6-lp150.3.6.1
libpq5-32bit-debuginfo-10.6-lp150.3.6.1
References:
https://www.suse.com/security/cve/CVE-2018-16850.html
https://bugzilla.suse.com/1114837
--
openSUSE-SU-2018:4032-1: important: Security update for apache2-mod_jk
openSUSE Security Update: Security update for apache2-mod_jk
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4032-1
Rating: important
References: #1114612
Cross-References: CVE-2018-11759
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for apache2-mod_jk fixes the following issue:
Security issue fixed:
- CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP
requests in httpd (bsc#1114612).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1510=1
Package List:
- openSUSE Leap 15.0 (x86_64):
apache2-mod_jk-1.2.43-lp150.2.3.1
apache2-mod_jk-debuginfo-1.2.43-lp150.2.3.1
apache2-mod_jk-debugsource-1.2.43-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-11759.html
https://bugzilla.suse.com/1114612
--
openSUSE-SU-2018:4034-1: important: Security update for ncurses
openSUSE Security Update: Security update for ncurses
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4034-1
Rating: important
References: #1115929
Cross-References: CVE-2018-19211
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for ncurses fixes the following issue:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a
NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1509=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
libncurses5-5.9-66.1
libncurses5-debuginfo-5.9-66.1
libncurses6-5.9-66.1
libncurses6-debuginfo-5.9-66.1
ncurses-debugsource-5.9-66.1
ncurses-devel-5.9-66.1
ncurses-devel-debuginfo-5.9-66.1
ncurses-utils-5.9-66.1
ncurses-utils-debuginfo-5.9-66.1
tack-5.9-66.1
tack-debuginfo-5.9-66.1
terminfo-5.9-66.1
terminfo-base-5.9-66.1
- openSUSE Leap 42.3 (x86_64):
libncurses5-32bit-5.9-66.1
libncurses5-debuginfo-32bit-5.9-66.1
libncurses6-32bit-5.9-66.1
libncurses6-debuginfo-32bit-5.9-66.1
ncurses-devel-32bit-5.9-66.1
ncurses-devel-debuginfo-32bit-5.9-66.1
References:
https://www.suse.com/security/cve/CVE-2018-19211.html
https://bugzilla.suse.com/1115929
--
openSUSE-SU-2018:4038-1: moderate: Recommended update for php5
openSUSE Security Update: Recommended update for php5
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4038-1
Rating: moderate
References: #1117107
Cross-References: CVE-2018-19518
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for php5 fixes the following issues:
Security issue fixed:
- CVE-2018-19518: Fixed imap_open script injection flaw (bsc#1117107).
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-1506=1
Package List:
- openSUSE Leap 42.3 (i586 x86_64):
apache2-mod_php5-5.5.14-109.1
apache2-mod_php5-debuginfo-5.5.14-109.1
php5-5.5.14-109.1
php5-bcmath-5.5.14-109.1
php5-bcmath-debuginfo-5.5.14-109.1
php5-bz2-5.5.14-109.1
php5-bz2-debuginfo-5.5.14-109.1
php5-calendar-5.5.14-109.1
php5-calendar-debuginfo-5.5.14-109.1
php5-ctype-5.5.14-109.1
php5-ctype-debuginfo-5.5.14-109.1
php5-curl-5.5.14-109.1
php5-curl-debuginfo-5.5.14-109.1
php5-dba-5.5.14-109.1
php5-dba-debuginfo-5.5.14-109.1
php5-debuginfo-5.5.14-109.1
php5-debugsource-5.5.14-109.1
php5-devel-5.5.14-109.1
php5-dom-5.5.14-109.1
php5-dom-debuginfo-5.5.14-109.1
php5-enchant-5.5.14-109.1
php5-enchant-debuginfo-5.5.14-109.1
php5-exif-5.5.14-109.1
php5-exif-debuginfo-5.5.14-109.1
php5-fastcgi-5.5.14-109.1
php5-fastcgi-debuginfo-5.5.14-109.1
php5-fileinfo-5.5.14-109.1
php5-fileinfo-debuginfo-5.5.14-109.1
php5-firebird-5.5.14-109.1
php5-firebird-debuginfo-5.5.14-109.1
php5-fpm-5.5.14-109.1
php5-fpm-debuginfo-5.5.14-109.1
php5-ftp-5.5.14-109.1
php5-ftp-debuginfo-5.5.14-109.1
php5-gd-5.5.14-109.1
php5-gd-debuginfo-5.5.14-109.1
php5-gettext-5.5.14-109.1
php5-gettext-debuginfo-5.5.14-109.1
php5-gmp-5.5.14-109.1
php5-gmp-debuginfo-5.5.14-109.1
php5-iconv-5.5.14-109.1
php5-iconv-debuginfo-5.5.14-109.1
php5-imap-5.5.14-109.1
php5-imap-debuginfo-5.5.14-109.1
php5-intl-5.5.14-109.1
php5-intl-debuginfo-5.5.14-109.1
php5-json-5.5.14-109.1
php5-json-debuginfo-5.5.14-109.1
php5-ldap-5.5.14-109.1
php5-ldap-debuginfo-5.5.14-109.1
php5-mbstring-5.5.14-109.1
php5-mbstring-debuginfo-5.5.14-109.1
php5-mcrypt-5.5.14-109.1
php5-mcrypt-debuginfo-5.5.14-109.1
php5-mssql-5.5.14-109.1
php5-mssql-debuginfo-5.5.14-109.1
php5-mysql-5.5.14-109.1
php5-mysql-debuginfo-5.5.14-109.1
php5-odbc-5.5.14-109.1
php5-odbc-debuginfo-5.5.14-109.1
php5-opcache-5.5.14-109.1
php5-opcache-debuginfo-5.5.14-109.1
php5-openssl-5.5.14-109.1
php5-openssl-debuginfo-5.5.14-109.1
php5-pcntl-5.5.14-109.1
php5-pcntl-debuginfo-5.5.14-109.1
php5-pdo-5.5.14-109.1
php5-pdo-debuginfo-5.5.14-109.1
php5-pgsql-5.5.14-109.1
php5-pgsql-debuginfo-5.5.14-109.1
php5-phar-5.5.14-109.1
php5-phar-debuginfo-5.5.14-109.1
php5-posix-5.5.14-109.1
php5-posix-debuginfo-5.5.14-109.1
php5-pspell-5.5.14-109.1
php5-pspell-debuginfo-5.5.14-109.1
php5-readline-5.5.14-109.1
php5-readline-debuginfo-5.5.14-109.1
php5-shmop-5.5.14-109.1
php5-shmop-debuginfo-5.5.14-109.1
php5-snmp-5.5.14-109.1
php5-snmp-debuginfo-5.5.14-109.1
php5-soap-5.5.14-109.1
php5-soap-debuginfo-5.5.14-109.1
php5-sockets-5.5.14-109.1
php5-sockets-debuginfo-5.5.14-109.1
php5-sqlite-5.5.14-109.1
php5-sqlite-debuginfo-5.5.14-109.1
php5-suhosin-5.5.14-109.1
php5-suhosin-debuginfo-5.5.14-109.1
php5-sysvmsg-5.5.14-109.1
php5-sysvmsg-debuginfo-5.5.14-109.1
php5-sysvsem-5.5.14-109.1
php5-sysvsem-debuginfo-5.5.14-109.1
php5-sysvshm-5.5.14-109.1
php5-sysvshm-debuginfo-5.5.14-109.1
php5-tidy-5.5.14-109.1
php5-tidy-debuginfo-5.5.14-109.1
php5-tokenizer-5.5.14-109.1
php5-tokenizer-debuginfo-5.5.14-109.1
php5-wddx-5.5.14-109.1
php5-wddx-debuginfo-5.5.14-109.1
php5-xmlreader-5.5.14-109.1
php5-xmlreader-debuginfo-5.5.14-109.1
php5-xmlrpc-5.5.14-109.1
php5-xmlrpc-debuginfo-5.5.14-109.1
php5-xmlwriter-5.5.14-109.1
php5-xmlwriter-debuginfo-5.5.14-109.1
php5-xsl-5.5.14-109.1
php5-xsl-debuginfo-5.5.14-109.1
php5-zip-5.5.14-109.1
php5-zip-debuginfo-5.5.14-109.1
php5-zlib-5.5.14-109.1
php5-zlib-debuginfo-5.5.14-109.1
- openSUSE Leap 42.3 (noarch):
php5-pear-5.5.14-109.1
References:
https://www.suse.com/security/cve/CVE-2018-19518.html
https://bugzilla.suse.com/1117107
--
openSUSE-SU-2018:4041-1: Security update for rubygem-activejob-5_1
openSUSE Security Update: Security update for rubygem-activejob-5_1
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4041-1
Rating: low
References: #1117632
Cross-References: CVE-2018-16476
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for rubygem-activejob-5_1 fixes the following issues:
Security issue fixed:
- CVE-2018-16476: Fixed broken access control vulnerability (bsc#1117632).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1502=1
Package List:
- openSUSE Leap 15.0 (x86_64):
ruby2.5-rubygem-activejob-5_1-5.1.4-lp150.2.3.1
ruby2.5-rubygem-activejob-doc-5_1-5.1.4-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-16476.html
https://bugzilla.suse.com/1117632
--
openSUSE-SU-2018:4042-1: moderate: Security update for tomcat
openSUSE Security Update: Security update for tomcat
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4042-1
Rating: moderate
References: #1110850
Cross-References: CVE-2018-11784
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for tomcat to 9.0.12 fixes the following issues:
See the full changelog at:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.12_(markt
)
Security issues fixed:
- CVE-2018-11784: When the default servlet in Apache Tomcat returned a
redirect to a directory (e.g. redirecting to '/foo/' when the user
requested '/foo') a specially crafted URL could be used to cause the
redirect to be generated to any URI of the attackers choice.
(bsc#1110850)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1504=1
Package List:
- openSUSE Leap 15.0 (noarch):
tomcat-9.0.12-lp150.2.6.1
tomcat-admin-webapps-9.0.12-lp150.2.6.1
tomcat-docs-webapp-9.0.12-lp150.2.6.1
tomcat-el-3_0-api-9.0.12-lp150.2.6.1
tomcat-embed-9.0.12-lp150.2.6.1
tomcat-javadoc-9.0.12-lp150.2.6.1
tomcat-jsp-2_3-api-9.0.12-lp150.2.6.1
tomcat-jsvc-9.0.12-lp150.2.6.1
tomcat-lib-9.0.12-lp150.2.6.1
tomcat-servlet-4_0-api-9.0.12-lp150.2.6.1
tomcat-webapps-9.0.12-lp150.2.6.1
References:
https://www.suse.com/security/cve/CVE-2018-11784.html
https://bugzilla.suse.com/1110850
--
openSUSE-SU-2018:4043-1: important: Security update for pam
openSUSE Security Update: Security update for pam
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4043-1
Rating: important
References: #1115640
Cross-References: CVE-2018-17953
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for pam fixes the following issue:
Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so
that was not honoured correctly when a single host was specified
(bsc#1115640).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1511=1
Package List:
- openSUSE Leap 15.0 (i586 x86_64):
pam-1.3.0-lp150.5.6.1
pam-debuginfo-1.3.0-lp150.5.6.1
pam-debugsource-1.3.0-lp150.5.6.1
pam-devel-1.3.0-lp150.5.6.1
- openSUSE Leap 15.0 (x86_64):
pam-32bit-1.3.0-lp150.5.6.1
pam-32bit-debuginfo-1.3.0-lp150.5.6.1
pam-devel-32bit-1.3.0-lp150.5.6.1
- openSUSE Leap 15.0 (noarch):
pam-doc-1.3.0-lp150.5.6.1
References:
https://www.suse.com/security/cve/CVE-2018-17953.html
https://bugzilla.suse.com/1115640
--
openSUSE-SU-2018:4045-1: moderate: Security update for dom4j
openSUSE Security Update: Security update for dom4j
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4045-1
Rating: moderate
References: #1105443
Cross-References: CVE-2018-1000632
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for dom4j fixes the following issues:
- CVE-2018-1000632: Prevent XML injection that could have resulted in an
attacker tampering with XML documents (bsc#1105443).
This update was imported from the SUSE:SLE-15:Update update project. This
update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2018-1492=1
Package List:
- openSUSE Backports SLE-15 (noarch):
dom4j-1.6.1-bp150.2.3.1
dom4j-demo-1.6.1-bp150.2.3.1
dom4j-javadoc-1.6.1-bp150.2.3.1
dom4j-manual-1.6.1-bp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2018-1000632.html
https://bugzilla.suse.com/1105443
--
openSUSE-SU-2018:4046-1: moderate: Security update for otrs
openSUSE Security Update: Security update for otrs
______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:4046-1
Rating: moderate
References: #1115416
Cross-References: CVE-2018-19141 CVE-2018-19143
Affected Products:
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for otrs fixes the following issues:
Update to version 4.0.33.
Security issues fixed:
- CVE-2018-19141: Fixed privilege escalation, that an attacker who is
logged into OTRS as an admin user cannot manipulate the URL to cause
execution of JavaScript in the context of OTRS.
- CVE-2018-19143: Fixed remote file deletion, that an attacker who is
logged into OTRS as a user cannot manipulate the submission form to
cause deletion of arbitrary files that the OTRS web server user has
write access to.
Non-security issues fixed:
- Full release notes can be found at:
* https://community.otrs.com/release-notes-otrs-4-patch-level-33/
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1503=1
- openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2018-1503=1
Package List:
- openSUSE Leap 15.0 (noarch):
otrs-4.0.33-lp150.2.6.1
otrs-doc-4.0.33-lp150.2.6.1
otrs-itsm-4.0.33-lp150.2.6.1
- openSUSE Backports SLE-15 (noarch):
otrs-4.0.33-bp150.3.6.1
otrs-doc-4.0.33-bp150.3.6.1
otrs-itsm-4.0.33-bp150.3.6.1
References:
https://www.suse.com/security/cve/CVE-2018-19141.html
https://www.suse.com/security/cve/CVE-2018-19143.html
https://bugzilla.suse.com/1115416
--