SUSE 5149 Published by

The following security updates has been released for SUSE:

openSUSE-SU-2018:2510-1: moderate: Security update for nextcloud
openSUSE-SU-2018:2516-1: important: Security update for GraphicsMagick
openSUSE-SU-2018:2521-1: moderate: Security update for nextcloud
openSUSE-SU-2018:2523-1: moderate: Security update for phpMyAdmin
openSUSE-SU-2018:2524-1: important: Security update for kbuild, virtualbox
openSUSE-SU-2018:2525-1: moderate: Security update for phpMyAdmin



openSUSE-SU-2018:2510-1: moderate: Security update for nextcloud

openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2510-1
Rating: moderate
References: #1105598
Cross-References: CVE-2018-3780
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for nextcloud to version 13.0.5 fixes the following issues:

Security issues fixed:

- CVE-2018-3780: Fixed a missing sanitization of search results for an
autocomplete field that could lead to a stored XSS requiring
user-interaction. The missing sanitization only affected user names,
hence malicious search results could only be crafted by authenticated
users. (boo#1105598)


Other bugs fixed:

- Fix highlighting of the upload drop zone
- Apply ldapUserFilter on members of group
- Make the DELETION of groups match greedy on the groupID
- Add parent index to share table
- Log full exception in cron instead of only the message
- Properly lock the target file on dav upload when not using part files
- LDAP backup server should not be queried when auth fails
- Fix filenames in sharing integration tests
- Lower log level for quota manipulation cases
- Let user set avatar in nextcloud if LDAP provides invalid image data
- Improved logging of smb connection errors
- Allow admin to disable fetching of avatars as well as a specific
attribute
- Allow to disable encryption
- Update message shown when unsharing a file
- Fixed English grammatical error on Settings page.
- Request a valid property for DAV opendir
- Allow updating the token on session regeneration
- Prevent lock values from going negative with memcache backend
- Correctly handle users with numeric user ids
- Correctly parse the subject parameters for link (un)shares of calendars
- Fix "parsing" of email-addresses in comments and chat messages
- Sanitize parameters in createSessionToken() while logging
- Also retry rename operation on InvalidArgumentException
- Improve url detection in comments
- Only bind to ldap if configuration for the first server is set
- Use download manager from PDF.js to download the file
- Fix trying to load removed scripts
- Only pull for new messages if the session is allowed to be kept alive
- Always push object data
- Add prioritization for Talk


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2018-936=1



Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

nextcloud-13.0.5-5.1


References:

https://www.suse.com/security/cve/CVE-2018-3780.html
https://bugzilla.suse.com/1105598

--


openSUSE-SU-2018:2516-1: important: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2516-1
Rating: important
References: #1105592
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for GraphicsMagick fixes the following issues:

Security issue fixed:

- Disable PS, PS2, PS3 and PDF coders by default, remove gs calls from
delegates.mgk (boo#1105592)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-937=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-937=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

GraphicsMagick-1.3.25-99.1
GraphicsMagick-debuginfo-1.3.25-99.1
GraphicsMagick-debugsource-1.3.25-99.1
GraphicsMagick-devel-1.3.25-99.1
libGraphicsMagick++-Q16-12-1.3.25-99.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.25-99.1
libGraphicsMagick++-devel-1.3.25-99.1
libGraphicsMagick-Q16-3-1.3.25-99.1
libGraphicsMagick-Q16-3-debuginfo-1.3.25-99.1
libGraphicsMagick3-config-1.3.25-99.1
libGraphicsMagickWand-Q16-2-1.3.25-99.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-99.1
perl-GraphicsMagick-1.3.25-99.1
perl-GraphicsMagick-debuginfo-1.3.25-99.1

- openSUSE Leap 15.0 (x86_64):

GraphicsMagick-1.3.29-lp150.3.9.1
GraphicsMagick-debuginfo-1.3.29-lp150.3.9.1
GraphicsMagick-debugsource-1.3.29-lp150.3.9.1
GraphicsMagick-devel-1.3.29-lp150.3.9.1
libGraphicsMagick++-Q16-12-1.3.29-lp150.3.9.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.29-lp150.3.9.1
libGraphicsMagick++-devel-1.3.29-lp150.3.9.1
libGraphicsMagick-Q16-3-1.3.29-lp150.3.9.1
libGraphicsMagick-Q16-3-debuginfo-1.3.29-lp150.3.9.1
libGraphicsMagick3-config-1.3.29-lp150.3.9.1
libGraphicsMagickWand-Q16-2-1.3.29-lp150.3.9.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.29-lp150.3.9.1
perl-GraphicsMagick-1.3.29-lp150.3.9.1
perl-GraphicsMagick-debuginfo-1.3.29-lp150.3.9.1


References:

https://bugzilla.suse.com/1105592

--


openSUSE-SU-2018:2521-1: moderate: Security update for nextcloud

openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2521-1
Rating: moderate
References: #1105598
Cross-References: CVE-2018-3780
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for nextcloud to version 13.0.5 fixes the following issues:

Security issues fixed:

- CVE-2018-3780: Fixed a missing sanitization of search results for an
autocomplete field that could lead to a stored XSS requiring
user-interaction. The missing sanitization only affected user names,
hence malicious search results could only be crafted by authenticated
users. (boo#1105598)


Other bugs fixed:

- Fix highlighting of the upload drop zone
- Apply ldapUserFilter on members of group
- Make the DELETION of groups match greedy on the groupID
- Add parent index to share table
- Log full exception in cron instead of only the message
- Properly lock the target file on dav upload when not using part files
- LDAP backup server should not be queried when auth fails
- Fix filenames in sharing integration tests
- Lower log level for quota manipulation cases
- Let user set avatar in nextcloud if LDAP provides invalid image data
- Improved logging of smb connection errors
- Allow admin to disable fetching of avatars as well as a specific
attribute
- Allow to disable encryption
- Update message shown when unsharing a file
- Fixed English grammatical error on Settings page.
- Request a valid property for DAV opendir
- Allow updating the token on session regeneration
- Prevent lock values from going negative with memcache backend
- Correctly handle users with numeric user ids
- Correctly parse the subject parameters for link (un)shares of calendars
- Fix "parsing" of email-addresses in comments and chat messages
- Sanitize parameters in createSessionToken() while logging
- Also retry rename operation on InvalidArgumentException
- Improve url detection in comments
- Only bind to ldap if configuration for the first server is set
- Use download manager from PDF.js to download the file
- Fix trying to load removed scripts
- Only pull for new messages if the session is allowed to be kept alive
- Always push object data
- Add prioritization for Talk


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-936=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-936=1



Package List:

- openSUSE Leap 42.3 (noarch):

nextcloud-13.0.5-12.1

- openSUSE Leap 15.0 (noarch):

nextcloud-13.0.5-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-3780.html
https://bugzilla.suse.com/1105598

--


openSUSE-SU-2018:2523-1: moderate: Security update for phpMyAdmin

openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2523-1
Rating: moderate
References: #1105726
Cross-References: CVE-2018-15605
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for phpMyAdmin to version 4.8.3 addresses multiple issues.

Security issues fixed:

- CVE-2018-15605: vulnerability in the file import feature allowed
cross-site scripting via importing a specially-crafted file
(PMASA-2018-5, boo#1105726)

This update also contains a number of upstream bug fixes in the UI and
behavior.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2018-939=1



Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

phpMyAdmin-4.8.3-29.1


References:

https://www.suse.com/security/cve/CVE-2018-15605.html
https://bugzilla.suse.com/1105726

--


openSUSE-SU-2018:2524-1: important: Security update for kbuild, virtualbox

openSUSE Security Update: Security update for kbuild, virtualbox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2524-1
Rating: important
References: #1039375 #1076372 #1079838 #1093731 #1097248
#1098050 #1101667
Cross-References: CVE-2017-5715 CVE-2018-0739 CVE-2018-2676
CVE-2018-2685 CVE-2018-2686 CVE-2018-2687
CVE-2018-2688 CVE-2018-2689 CVE-2018-2690
CVE-2018-2693 CVE-2018-2694 CVE-2018-2698
CVE-2018-2830 CVE-2018-2831 CVE-2018-2835
CVE-2018-2836 CVE-2018-2837 CVE-2018-2842
CVE-2018-2843 CVE-2018-2844 CVE-2018-2845
CVE-2018-2860 CVE-2018-3005 CVE-2018-3055
CVE-2018-3085 CVE-2018-3086 CVE-2018-3087
CVE-2018-3088 CVE-2018-3089 CVE-2018-3090
CVE-2018-3091
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 31 vulnerabilities is now available.

Description:

This update for kbuild, virtualbox fixes the following issues:

kbuild changes:

- Update to version 0.1.9998svn3110
- Do not assume glibc glob internals
- Support GLIBC glob interface version 2
- Fix build failure (boo#1079838)
- Fix build with GCC7 (boo#1039375)
- Fix build by disabling vboxvideo_drv.so

virtualbox security fixes (boo#1101667, boo#1076372):

- CVE-2018-3005
- CVE-2018-3055
- CVE-2018-3085
- CVE-2018-3086
- CVE-2018-3087
- CVE-2018-3088
- CVE-2018-3089
- CVE-2018-3090
- CVE-2018-3091
- CVE-2018-2694
- CVE-2018-2698
- CVE-2018-2685
- CVE-2018-2686
- CVE-2018-2687
- CVE-2018-2688
- CVE-2018-2689
- CVE-2018-2690
- CVE-2018-2676
- CVE-2018-2693
- CVE-2017-5715

virtualbox other changes:

- Version bump to 5.2.16
- Use %{?linux_make_arch} when building kernel modules (boo#1098050)
- Fixed vboxguestconfig.sh script
- Update warning regarding the security hole in USB passthrough.
(boo#1097248)
- Fixed include for build with Qt 5.11 (boo#1093731)
- You can find a detailed list of changes
[here](https://www.virtualbox.org/wiki/Changelog#v16)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-938=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

kbuild-0.1.9998svn3110-4.3.1
kbuild-debuginfo-0.1.9998svn3110-4.3.1
kbuild-debugsource-0.1.9998svn3110-4.3.1

- openSUSE Leap 42.3 (x86_64):

python-virtualbox-5.2.18-56.1
python-virtualbox-debuginfo-5.2.18-56.1
virtualbox-5.2.18-56.1
virtualbox-debuginfo-5.2.18-56.1
virtualbox-debugsource-5.2.18-56.1
virtualbox-devel-5.2.18-56.1
virtualbox-guest-kmp-default-5.2.18_k4.4.143_65-56.1
virtualbox-guest-kmp-default-debuginfo-5.2.18_k4.4.143_65-56.1
virtualbox-guest-tools-5.2.18-56.1
virtualbox-guest-tools-debuginfo-5.2.18-56.1
virtualbox-guest-x11-5.2.18-56.1
virtualbox-guest-x11-debuginfo-5.2.18-56.1
virtualbox-host-kmp-default-5.2.18_k4.4.143_65-56.1
virtualbox-host-kmp-default-debuginfo-5.2.18_k4.4.143_65-56.1
virtualbox-qt-5.2.18-56.1
virtualbox-qt-debuginfo-5.2.18-56.1
virtualbox-vnc-5.2.18-56.1
virtualbox-websrv-5.2.18-56.1
virtualbox-websrv-debuginfo-5.2.18-56.1

- openSUSE Leap 42.3 (noarch):

virtualbox-guest-desktop-icons-5.2.18-56.1
virtualbox-guest-source-5.2.18-56.1
virtualbox-host-source-5.2.18-56.1


References:

https://www.suse.com/security/cve/CVE-2017-5715.html
https://www.suse.com/security/cve/CVE-2018-0739.html
https://www.suse.com/security/cve/CVE-2018-2676.html
https://www.suse.com/security/cve/CVE-2018-2685.html
https://www.suse.com/security/cve/CVE-2018-2686.html
https://www.suse.com/security/cve/CVE-2018-2687.html
https://www.suse.com/security/cve/CVE-2018-2688.html
https://www.suse.com/security/cve/CVE-2018-2689.html
https://www.suse.com/security/cve/CVE-2018-2690.html
https://www.suse.com/security/cve/CVE-2018-2693.html
https://www.suse.com/security/cve/CVE-2018-2694.html
https://www.suse.com/security/cve/CVE-2018-2698.html
https://www.suse.com/security/cve/CVE-2018-2830.html
https://www.suse.com/security/cve/CVE-2018-2831.html
https://www.suse.com/security/cve/CVE-2018-2835.html
https://www.suse.com/security/cve/CVE-2018-2836.html
https://www.suse.com/security/cve/CVE-2018-2837.html
https://www.suse.com/security/cve/CVE-2018-2842.html
https://www.suse.com/security/cve/CVE-2018-2843.html
https://www.suse.com/security/cve/CVE-2018-2844.html
https://www.suse.com/security/cve/CVE-2018-2845.html
https://www.suse.com/security/cve/CVE-2018-2860.html
https://www.suse.com/security/cve/CVE-2018-3005.html
https://www.suse.com/security/cve/CVE-2018-3055.html
https://www.suse.com/security/cve/CVE-2018-3085.html
https://www.suse.com/security/cve/CVE-2018-3086.html
https://www.suse.com/security/cve/CVE-2018-3087.html
https://www.suse.com/security/cve/CVE-2018-3088.html
https://www.suse.com/security/cve/CVE-2018-3089.html
https://www.suse.com/security/cve/CVE-2018-3090.html
https://www.suse.com/security/cve/CVE-2018-3091.html
https://bugzilla.suse.com/1039375
https://bugzilla.suse.com/1076372
https://bugzilla.suse.com/1079838
https://bugzilla.suse.com/1093731
https://bugzilla.suse.com/1097248
https://bugzilla.suse.com/1098050
https://bugzilla.suse.com/1101667

--


openSUSE-SU-2018:2525-1: moderate: Security update for phpMyAdmin

openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2525-1
Rating: moderate
References: #1105726
Cross-References: CVE-2018-15605
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for phpMyAdmin to version 4.8.3 addresses multiple issues.

Security issues fixed:

- CVE-2018-15605: vulnerability in the file import feature allowed
cross-site scripting via importing a specially-crafted file
(PMASA-2018-5, boo#1105726)

This update also contains a number of upstream bug fixes in the UI and
behavior.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-939=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-939=1



Package List:

- openSUSE Leap 42.3 (noarch):

phpMyAdmin-4.8.3-21.1

- openSUSE Leap 15.0 (noarch):

phpMyAdmin-4.8.3-lp150.2.9.1


References:

https://www.suse.com/security/cve/CVE-2018-15605.html
https://bugzilla.suse.com/1105726

--