
The following updates have been released for SUSE:

openSUSE-SU-2019:1139-1: moderate: Security update for ovmf
openSUSE-SU-2019:1140-1: moderate: Security update for gd
openSUSE-SU-2019:1141-1: moderate: Security update for ImageMagick
openSUSE-SU-2019:1142-1: moderate: Security update for w3m
openSUSE-SU-2019:1143-1: moderate: Security update for ntp
openSUSE-SU-2019:1144-1: moderate: Security update for libcaca
openSUSE-SU-2019:1145-1: moderate: Security update for wavpack
openSUSE-SU-2019:1147-1: moderate: Security update for openssl-1_1
openSUSE-SU-2019:1148-1: moderate: Security update for gd
openSUSE-SU-2019:1152-1: important: Security update for MozillaThunderbird



openSUSE-SU-2019:1139-1: moderate: Security update for ovmf

openSUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1139-1
Rating: moderate
References: #1128503
Cross-References: CVE-2018-12181
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ovmf fixes the following issue:

Security issue fixed:

- CVE-2018-12181: Fixed a stack buffer overflow in the HII database when a
corrupted Bitmap was used (bsc#1128503).

This update was imported from the SUSE:SLE-12-SP3:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1139=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ovmf-2017+git1492060560.b6d11d7c46-19.1
ovmf-tools-2017+git1492060560.b6d11d7c46-19.1

- openSUSE Leap 42.3 (noarch):

qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-19.1
qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-19.1

- openSUSE Leap 42.3 (x86_64):

qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-19.1


References:

https://www.suse.com/security/cve/CVE-2018-12181.html
https://bugzilla.suse.com/1128503

--


openSUSE-SU-2019:1140-1: moderate: Security update for gd

openSUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1140-1
Rating: moderate
References: #1123361 #1123522
Cross-References: CVE-2019-6977 CVE-2019-6978
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for gd fixes the following issues:

Security issues fixed:

- CVE-2019-6977: Fixed a heap-based buffer overflow in the GD Graphics
Library used in the imagecolormatch function (bsc#1123361).
- CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions
(bsc#1123522).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1140=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

gd-2.1.0-30.1
gd-debuginfo-2.1.0-30.1
gd-debugsource-2.1.0-30.1
gd-devel-2.1.0-30.1

- openSUSE Leap 42.3 (x86_64):

gd-32bit-2.1.0-30.1
gd-debuginfo-32bit-2.1.0-30.1


References:

https://www.suse.com/security/cve/CVE-2019-6977.html
https://www.suse.com/security/cve/CVE-2019-6978.html
https://bugzilla.suse.com/1123361
https://bugzilla.suse.com/1123522

--


openSUSE-SU-2019:1141-1: moderate: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1141-1
Rating: moderate
References: #1106415 #1106996 #1113064 #1120381 #1124365
#1124366 #1124367 #1124368 #1128649
Cross-References: CVE-2018-16412 CVE-2018-18544 CVE-2018-20467
CVE-2019-7175 CVE-2019-7395 CVE-2019-7396
CVE-2019-7397 CVE-2019-7398
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 8 vulnerabilities and has one errata
is now available.

Description:

This update for ImageMagick fixes the following issues:

Security issues fixed:

- CVE-2019-7175: Fixed multiple memory leaks in DecodeImage function
(bsc#1128649).
- CVE-2018-18544: Fixed a memory leak in the function WriteMSLImage
(bsc#1113064).
- CVE-2018-20467: Fixed an infinite loop in coders/bmp.c (bsc#1120381).
- CVE-2019-7398: Fixed a memory leak in the function WriteDIBImage
(bsc#1124365).
- CVE-2019-7396: Fixed a memory leak in the function ReadSIXELImage
(bsc#1124367).
- CVE-2019-7395: Fixed a memory leak in the function WritePSDChannel
(bsc#1124368).
- CVE-2019-7397: Fixed a memory leak in the function WritePDFImage
(bsc#1124366).
- CVE-2018-16412: Prevent heap-based buffer over-read in the
ParseImageResourceBlocks function leading to DOS (bsc#1106996).

Non-security issue fixed:

- Fixed a regression in regards to the 'edge' command line flag
(bsc#1106415)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1141=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ImageMagick-7.0.7.34-lp150.2.26.1
ImageMagick-debuginfo-7.0.7.34-lp150.2.26.1
ImageMagick-debugsource-7.0.7.34-lp150.2.26.1
ImageMagick-devel-7.0.7.34-lp150.2.26.1
ImageMagick-extra-7.0.7.34-lp150.2.26.1
ImageMagick-extra-debuginfo-7.0.7.34-lp150.2.26.1
libMagick++-7_Q16HDRI4-7.0.7.34-lp150.2.26.1
libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-lp150.2.26.1
libMagick++-devel-7.0.7.34-lp150.2.26.1
libMagickCore-7_Q16HDRI6-7.0.7.34-lp150.2.26.1
libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.26.1
libMagickWand-7_Q16HDRI6-7.0.7.34-lp150.2.26.1
libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-lp150.2.26.1
perl-PerlMagick-7.0.7.34-lp150.2.26.1
perl-PerlMagick-debuginfo-7.0.7.34-lp150.2.26.1

- openSUSE Leap 15.0 (noarch):

ImageMagick-doc-7.0.7.34-lp150.2.26.1

- openSUSE Leap 15.0 (x86_64):

ImageMagick-devel-32bit-7.0.7.34-lp150.2.26.1
libMagick++-7_Q16HDRI4-32bit-7.0.7.34-lp150.2.26.1
libMagick++-7_Q16HDRI4-32bit-debuginfo-7.0.7.34-lp150.2.26.1
libMagick++-devel-32bit-7.0.7.34-lp150.2.26.1
libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.26.1
libMagickCore-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.26.1
libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-lp150.2.26.1
libMagickWand-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-lp150.2.26.1


References:

https://www.suse.com/security/cve/CVE-2018-16412.html
https://www.suse.com/security/cve/CVE-2018-18544.html
https://www.suse.com/security/cve/CVE-2018-20467.html
https://www.suse.com/security/cve/CVE-2019-7175.html
https://www.suse.com/security/cve/CVE-2019-7395.html
https://www.suse.com/security/cve/CVE-2019-7396.html
https://www.suse.com/security/cve/CVE-2019-7397.html
https://www.suse.com/security/cve/CVE-2019-7398.html
https://bugzilla.suse.com/1106415
https://bugzilla.suse.com/1106996
https://bugzilla.suse.com/1113064
https://bugzilla.suse.com/1120381
https://bugzilla.suse.com/1124365
https://bugzilla.suse.com/1124366
https://bugzilla.suse.com/1124367
https://bugzilla.suse.com/1124368
https://bugzilla.suse.com/1128649

--


openSUSE-SU-2019:1142-1: moderate: Security update for w3m

openSUSE Security Update: Security update for w3m
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1142-1
Rating: moderate
References: #1077559 #1077568 #1077572
Cross-References: CVE-2018-6196 CVE-2018-6197 CVE-2018-6198

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for w3m fixes the following issues:

Security issues fixed:

- CVE-2018-6196: Prevent infinite recursion in HTMLlineproc0 caused by the
feed_table_block_tag function which did not prevent a negative indent
value (bsc#1077559)
- CVE-2018-6197: Prevent NULL pointer dereference in formUpdateBuffer
(bsc#1077568)
- CVE-2018-6198: w3m did not properly handle temporary files when the
~/.w3m directory is unwritable, which allowed a local attacker to craft
a symlink attack to overwrite arbitrary files (bsc#1077572)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1142=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

w3m-0.5.3.git20161120-164.3.1
w3m-debuginfo-0.5.3.git20161120-164.3.1
w3m-debugsource-0.5.3.git20161120-164.3.1
w3m-inline-image-0.5.3.git20161120-164.3.1
w3m-inline-image-debuginfo-0.5.3.git20161120-164.3.1


References:

https://www.suse.com/security/cve/CVE-2018-6196.html
https://www.suse.com/security/cve/CVE-2018-6197.html
https://www.suse.com/security/cve/CVE-2018-6198.html
https://bugzilla.suse.com/1077559
https://bugzilla.suse.com/1077568
https://bugzilla.suse.com/1077572

--


openSUSE-SU-2019:1143-1: moderate: Security update for ntp

openSUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1143-1
Rating: moderate
References: #1128525
Cross-References: CVE-2019-8936
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ntp fixes the following issues:

Security issue fixed:

- CVE-2019-8936: Fixed a null pointer exception which could allow an
authenticated attacker to cause a segmentation fault in ntpd (bsc#1128525).

Other issues addressed:

- Fixed several bugs in the BANCOMM reclock driver.
- Fixed ntp_loopfilter.c snprintf compilation warnings.
- Fixed spurious initgroups() error message.
- Fixed STA_NANO struct timex units.
- Fixed GPS week rollover in libparse.
- Fixed incorrect poll interval in packet.
- Added a missing check for ENABLE_CMAC.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1143=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ntp-4.2.8p13-lp150.8.1
ntp-debuginfo-4.2.8p13-lp150.8.1
ntp-debugsource-4.2.8p13-lp150.8.1
ntp-doc-4.2.8p13-lp150.8.1


References:

https://www.suse.com/security/cve/CVE-2019-8936.html
https://bugzilla.suse.com/1128525

--


openSUSE-SU-2019:1144-1: moderate: Security update for libcaca

openSUSE Security Update: Security update for libcaca
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1144-1
Rating: moderate
References: #1120470 #1120502 #1120503 #1120504 #1120584
#1120589
Cross-References: CVE-2018-20544 CVE-2018-20545 CVE-2018-20546
CVE-2018-20547 CVE-2018-20548 CVE-2018-20549

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for libcaca fixes the following issues:

Security issues fixed:

- CVE-2018-20544: Fixed a floating point exception at caca/dither.c
(bsc#1120502)
- CVE-2018-20545: Fixed a WRITE memory access in the load_image function
at common-image.c for 4bpp (bsc#1120584)
- CVE-2018-20546: Fixed a READ memory access in the get_rgba_default
function at caca/dither.c for bpp (bsc#1120503)
- CVE-2018-20547: Fixed a READ memory access in the get_rgba_default
function at caca/dither.c for 24bpp (bsc#1120504)
- CVE-2018-20548: Fixed a WRITE memory access in the load_image function
at common-image.c for 1bpp (bsc#1120589)
- CVE-2018-20549: Fixed a WRITE memory access in the caca_file_read
function at caca/file.c (bsc#1120470)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1144=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

caca-utils-0.99.beta19.git20171003-lp150.2.3.1
caca-utils-debuginfo-0.99.beta19.git20171003-lp150.2.3.1
libcaca-debugsource-0.99.beta19.git20171003-lp150.2.3.1
libcaca-devel-0.99.beta19.git20171003-lp150.2.3.1
libcaca-ruby-0.99.beta19.git20171003-lp150.2.3.1
libcaca-ruby-debuginfo-0.99.beta19.git20171003-lp150.2.3.1
libcaca0-0.99.beta19.git20171003-lp150.2.3.1
libcaca0-debuginfo-0.99.beta19.git20171003-lp150.2.3.1
libcaca0-plugins-0.99.beta19.git20171003-lp150.2.3.1
libcaca0-plugins-debuginfo-0.99.beta19.git20171003-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

python3-caca-0.99.beta19.git20171003-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libcaca0-32bit-0.99.beta19.git20171003-lp150.2.3.1
libcaca0-32bit-debuginfo-0.99.beta19.git20171003-lp150.2.3.1
libcaca0-plugins-32bit-0.99.beta19.git20171003-lp150.2.3.1
libcaca0-plugins-32bit-debuginfo-0.99.beta19.git20171003-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-20544.html
https://www.suse.com/security/cve/CVE-2018-20545.html
https://www.suse.com/security/cve/CVE-2018-20546.html
https://www.suse.com/security/cve/CVE-2018-20547.html
https://www.suse.com/security/cve/CVE-2018-20548.html
https://www.suse.com/security/cve/CVE-2018-20549.html
https://bugzilla.suse.com/1120470
https://bugzilla.suse.com/1120502
https://bugzilla.suse.com/1120503
https://bugzilla.suse.com/1120504
https://bugzilla.suse.com/1120584
https://bugzilla.suse.com/1120589

--


openSUSE-SU-2019:1145-1: moderate: Security update for wavpack

openSUSE Security Update: Security update for wavpack
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1145-1
Rating: moderate
References: #1120929 #1120930
Cross-References: CVE-2018-19840 CVE-2018-19841
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for wavpack fixes the following issues:

Security issues fixed:

- CVE-2018-19840: Fixed a denial-of-service in the WavpackPackInit
function from pack_utils.c (bsc#1120930)
- CVE-2018-19841: Fixed a denial-of-service in the
WavpackVerifySingleBlock function from open_utils.c (bsc#1120929)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1145=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libwavpack1-5.1.0-lp150.3.3.1
libwavpack1-debuginfo-5.1.0-lp150.3.3.1
wavpack-5.1.0-lp150.3.3.1
wavpack-debuginfo-5.1.0-lp150.3.3.1
wavpack-debugsource-5.1.0-lp150.3.3.1
wavpack-devel-5.1.0-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

libwavpack1-32bit-5.1.0-lp150.3.3.1
libwavpack1-32bit-debuginfo-5.1.0-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-19840.html
https://www.suse.com/security/cve/CVE-2018-19841.html
https://bugzilla.suse.com/1120929
https://bugzilla.suse.com/1120930

--


openSUSE-SU-2019:1147-1: moderate: Security update for openssl-1_1

openSUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1147-1
Rating: moderate
References: #1116833 #1125494 #1128189
Cross-References: CVE-2019-1543
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for openssl-1_1 (OpenSSL Security Advisory [6 March 2019])
fixes the following issues:

Security issue fixed:

- CVE-2019-1543: Fixed an implementation error in ChaCha20-Poly1305 where
it was allowed to set IV with more than 12 bytes (bsc#1128189).

Other issues addressed:

- Fixed a segfault in openssl speed when an unknown algorithm is passed
(bsc#1125494).
- Correctly skipped binary curves in openssl speed to avoid spitting
errors (bsc#1116833).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1147=1



Package List:

- openSUSE Leap 15.0 (noarch):

openssl-1_1-doc-1.1.0i-lp150.3.22.3

- openSUSE Leap 15.0 (x86_64):

libopenssl-1_1-devel-1.1.0i-lp150.3.22.3
libopenssl1_1-1.1.0i-lp150.3.22.3
libopenssl1_1-debuginfo-1.1.0i-lp150.3.22.3
libopenssl1_1-hmac-1.1.0i-lp150.3.22.3
openssl-1_1-1.1.0i-lp150.3.22.3
openssl-1_1-debuginfo-1.1.0i-lp150.3.22.3
openssl-1_1-debugsource-1.1.0i-lp150.3.22.3


References:

https://www.suse.com/security/cve/CVE-2019-1543.html
https://bugzilla.suse.com/1116833
https://bugzilla.suse.com/1125494
https://bugzilla.suse.com/1128189

--


openSUSE-SU-2019:1148-1: moderate: Security update for gd

openSUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1148-1
Rating: moderate
References: #1123361 #1123522
Cross-References: CVE-2019-6977 CVE-2019-6978
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for gd fixes the following issues:

Security issues fixed:

- CVE-2019-6977: Fixed a heap-based buffer overflow in the GD Graphics
Library used in the imagecolormatch function (bsc#1123361).
- CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions
(bsc#1123522).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1148=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

gd-2.2.5-lp150.8.1
gd-debuginfo-2.2.5-lp150.8.1
gd-debugsource-2.2.5-lp150.8.1
gd-devel-2.2.5-lp150.8.1
libgd3-2.2.5-lp150.8.1
libgd3-debuginfo-2.2.5-lp150.8.1

- openSUSE Leap 15.0 (x86_64):

libgd3-32bit-2.2.5-lp150.8.1
libgd3-32bit-debuginfo-2.2.5-lp150.8.1


References:

https://www.suse.com/security/cve/CVE-2019-6977.html
https://www.suse.com/security/cve/CVE-2019-6978.html
https://bugzilla.suse.com/1123361
https://bugzilla.suse.com/1123522

--


openSUSE-SU-2019:1152-1: important: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1152-1
Rating: important
References: #1129821 #1130262
Cross-References: CVE-2019-9810 CVE-2019-9813
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

Security issues fixed:

- update to Mozilla Thunderbird 60.6.1 (bsc#1130262):

- CVE-2019-9813: Fixed IonMonkey type confusion with __proto__ mutations
- CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information

Release notes:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-12


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1152=1



Package List:

- openSUSE Leap 42.3 (x86_64):

MozillaThunderbird-60.6.1-89.1
MozillaThunderbird-buildsymbols-60.6.1-89.1
MozillaThunderbird-debuginfo-60.6.1-89.1
MozillaThunderbird-debugsource-60.6.1-89.1
MozillaThunderbird-translations-common-60.6.1-89.1
MozillaThunderbird-translations-other-60.6.1-89.1


References:

https://www.suse.com/security/cve/CVE-2019-9810.html
https://www.suse.com/security/cve/CVE-2019-9813.html
https://bugzilla.suse.com/1129821
https://bugzilla.suse.com/1130262

--