SUSE 5145 Published by

The following security updates has been released for openSUSE:

openSUSE-SU-2018:1904-1: important: Security update for ucode-intel
openSUSE-SU-2018:1905-1: moderate: Security update for Mozilla Thunderbird
openSUSE-SU-2018:1906-1: moderate: Security update for openssl
openSUSE-SU-2018:1908-1: important: Security update for rubygem-yard
openSUSE-SU-2018:1909-1: moderate: Security update for ghostscript
openSUSE-SU-2018:1912-1: moderate: Security update for openvpn
openSUSE-SU-2018:1913-1: moderate: Security update for php7
openSUSE-SU-2018:1914-1: moderate: Security update for unzip



openSUSE-SU-2018:1904-1: important: Security update for ucode-intel

openSUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1904-1
Rating: important
References: #1087082 #1087083 #1100147
Cross-References: CVE-2018-3639 CVE-2018-3640
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has one
errata is now available.

Description:



This update for ucode-intel fixes the following issues:

The microcode bundles was updated to the 20180703 release

For the listed CPU chipsets this fixes CVE-2018-3640 (Spectre v3a) and
helps mitigating CVE-2018-3639 (Spectre v4) (bsc#1100147 bsc#1087082
bsc#1087083).

More information on:
https://downloadcenter.intel.com/download/27945/Linux-Processor-Microcode-D
ata-File

Following chipsets are fixed in this round:

Model Stepping F-MO-S/PI Old->New

---- updated platforms ------------------------------------

SNB-EP C1 6-2d-6/6d 0000061c->0000061d Xeon E5 SNB-EP
C2 6-2d-7/6d 00000713->00000714 Xeon E5 IVT C0
6-3e-4/ed 0000042c->0000042d Xeon E5 v2; Core i7-4960X/4930K/4820K
IVT D1 6-3e-7/ed 00000713->00000714 Xeon E5 v2 HSX-E/EP/4S
C0 6-3f-2/6f 0000003c->0000003d Xeon E5 v3 HSX-EX E0
6-3f-4/80 00000011->00000012 Xeon E7 v3 SKX-SP/D/W/X H0 6-55-4/b7
02000043->0200004d Xeon Bronze 31xx, Silver 41xx, Gold 51xx/61xx Platinum
81xx, D/W-21xx; Core i9-7xxxX BDX-DE A1 6-56-5/10
0e000009->0e00000a Xeon D-15x3N BDX-ML B/M/R0 6-4f-1/ef
0b00002c->0b00002e Xeon E5/E7 v4; Core i7-69xx/68xx


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-700=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-700=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ucode-intel-20180703-25.1
ucode-intel-blob-20180703-25.1
ucode-intel-debuginfo-20180703-25.1
ucode-intel-debugsource-20180703-25.1

- openSUSE Leap 15.0 (x86_64):

ucode-intel-20180703-lp150.2.4.1


References:

https://www.suse.com/security/cve/CVE-2018-3639.html
https://www.suse.com/security/cve/CVE-2018-3640.html
https://bugzilla.suse.com/1087082
https://bugzilla.suse.com/1087083
https://bugzilla.suse.com/1100147

--


openSUSE-SU-2018:1905-1: moderate: Security update for Mozilla Thunderbird

openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1905-1
Rating: moderate
References: #1076907 #1085780 #1091376 #1098998 #1100079
#1100081 #1100082
Cross-References: CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
CVE-2018-12366 CVE-2018-12372 CVE-2018-12373
CVE-2018-12374 CVE-2018-5188
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 11 vulnerabilities is now available.

Description:

This update for Mozilla Thunderbird to version 52.9.0 fixes multiple
issues.

Security issues fixed, inherited from the Mozilla common code base (MFSA
2018-16, bsc#1098998):

- CVE-2018-12359: Buffer overflow using computed size of canvas element
- CVE-2018-12360: Use-after-free when using focus()
- CVE-2018-12362: Integer overflow in SSSE3 scaler
- CVE-2018-12363: Use-after-free when appending DOM nodes
- CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
- CVE-2018-12365: Compromised IPC child process can list local filenames
- CVE-2018-12366: Invalid data handling during QCMS transformations
- CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0

Security issues fixed that affect e-mail privacy and integrity (including
EFAIL):

- CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
emails (bsc#1100082)
- CVE-2018-12373: S/MIME plaintext can be leaked through HTML
reply/forward (bsc#1100079)
- CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
enter in form field (bsc#1100081)

The following options are available for added security in certain
scenarios:

- Option for not decrypting subordinate message parts that otherwise might
reveal decryted content to the attacker. Preference
mailnews.p7m_subparts_external needs to be set to true for added
security.

The following upstream changes are included:

- Thunderbird will now prompt to compact IMAP folders even if the account
is online
- Fix various problems when forwarding messages inline when using "simple"
HTML view

The following tracked packaging changes are included:

- correct requires and provides handling (boo#1076907)
- reduce memory footprint with %ix86 at linking time via additional
compiler flags (boo#1091376)
- Build from upstream source archive and verify source signature
(boo#1085780)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-701=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-701=1



Package List:

- openSUSE Leap 42.3 (x86_64):

MozillaThunderbird-52.9.0-68.1
MozillaThunderbird-buildsymbols-52.9.0-68.1
MozillaThunderbird-debuginfo-52.9.0-68.1
MozillaThunderbird-debugsource-52.9.0-68.1
MozillaThunderbird-devel-52.9.0-68.1
MozillaThunderbird-translations-common-52.9.0-68.1
MozillaThunderbird-translations-other-52.9.0-68.1

- openSUSE Leap 15.0 (x86_64):

MozillaThunderbird-52.9.0-lp150.3.8.1
MozillaThunderbird-buildsymbols-52.9.0-lp150.3.8.1
MozillaThunderbird-debuginfo-52.9.0-lp150.3.8.1
MozillaThunderbird-debugsource-52.9.0-lp150.3.8.1
MozillaThunderbird-devel-52.9.0-lp150.3.8.1
MozillaThunderbird-translations-common-52.9.0-lp150.3.8.1
MozillaThunderbird-translations-other-52.9.0-lp150.3.8.1


References:

https://www.suse.com/security/cve/CVE-2018-12359.html
https://www.suse.com/security/cve/CVE-2018-12360.html
https://www.suse.com/security/cve/CVE-2018-12362.html
https://www.suse.com/security/cve/CVE-2018-12363.html
https://www.suse.com/security/cve/CVE-2018-12364.html
https://www.suse.com/security/cve/CVE-2018-12365.html
https://www.suse.com/security/cve/CVE-2018-12366.html
https://www.suse.com/security/cve/CVE-2018-12372.html
https://www.suse.com/security/cve/CVE-2018-12373.html
https://www.suse.com/security/cve/CVE-2018-12374.html
https://www.suse.com/security/cve/CVE-2018-5188.html
https://bugzilla.suse.com/1076907
https://bugzilla.suse.com/1085780
https://bugzilla.suse.com/1091376
https://bugzilla.suse.com/1098998
https://bugzilla.suse.com/1100079
https://bugzilla.suse.com/1100081
https://bugzilla.suse.com/1100082

--


openSUSE-SU-2018:1906-1: moderate: Security update for openssl

openSUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1906-1
Rating: moderate
References: #1097158 #1097624 #1098592
Cross-References: CVE-2018-0732
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for openssl fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E)
based ciphersuite a malicious server could have sent a very large prime
value to the client. This caused the client to spend an unreasonably
long period of time generating a key for this prime resulting in a hang
until the client has finished. This could be exploited in a Denial Of
Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-704=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libopenssl-devel-1.0.2j-25.1
libopenssl1_0_0-1.0.2j-25.1
libopenssl1_0_0-debuginfo-1.0.2j-25.1
libopenssl1_0_0-hmac-1.0.2j-25.1
openssl-1.0.2j-25.1
openssl-cavs-1.0.2j-25.1
openssl-cavs-debuginfo-1.0.2j-25.1
openssl-debuginfo-1.0.2j-25.1
openssl-debugsource-1.0.2j-25.1

- openSUSE Leap 42.3 (noarch):

openssl-doc-1.0.2j-25.1

- openSUSE Leap 42.3 (x86_64):

libopenssl-devel-32bit-1.0.2j-25.1
libopenssl1_0_0-32bit-1.0.2j-25.1
libopenssl1_0_0-debuginfo-32bit-1.0.2j-25.1
libopenssl1_0_0-hmac-32bit-1.0.2j-25.1


References:

https://www.suse.com/security/cve/CVE-2018-0732.html
https://bugzilla.suse.com/1097158
https://bugzilla.suse.com/1097624
https://bugzilla.suse.com/1098592

--


openSUSE-SU-2018:1908-1: important: Security update for rubygem-yard

openSUSE Security Update: Security update for rubygem-yard
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1908-1
Rating: important
References: #1070263
Cross-References: CVE-2017-17042
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for rubygem-yard fixes the following issues:

- CVE-2017-17042: The server in YARD did not block relative paths with an
initial ../ sequence, which allowed attackers to conduct directory
traversal attacks and read arbitrary files (bsc#1070263).

This update was imported from the SUSE:SLE-12-SP1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-707=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ruby2.1-rubygem-yard-0.8.7.3-8.3.1
ruby2.1-rubygem-yard-doc-0.8.7.3-8.3.1
ruby2.1-rubygem-yard-testsuite-0.8.7.3-8.3.1
ruby2.2-rubygem-yard-0.8.7.3-8.3.1
ruby2.2-rubygem-yard-doc-0.8.7.3-8.3.1
ruby2.2-rubygem-yard-testsuite-0.8.7.3-8.3.1
ruby2.3-rubygem-yard-0.8.7.3-8.3.1
ruby2.3-rubygem-yard-doc-0.8.7.3-8.3.1
ruby2.3-rubygem-yard-testsuite-0.8.7.3-8.3.1
ruby2.4-rubygem-yard-0.8.7.3-8.3.1
ruby2.4-rubygem-yard-doc-0.8.7.3-8.3.1
ruby2.4-rubygem-yard-testsuite-0.8.7.3-8.3.1


References:

https://www.suse.com/security/cve/CVE-2017-17042.html
https://bugzilla.suse.com/1070263

--


openSUSE-SU-2018:1909-1: moderate: Security update for ghostscript

openSUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1909-1
Rating: moderate
References: #1090099
Cross-References: CVE-2018-10194
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ghostscript fixes the following issues:

- CVE-2018-10194: The set_text_distance function did not prevent overflows
in text-positioning calculation, which allowed remote attackers to cause
a denial
of service (application crash) or possibly have unspecified other impact
via a crafted PDF document (bsc#1090099).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-706=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ghostscript-9.23-lp150.2.3.1
ghostscript-debuginfo-9.23-lp150.2.3.1
ghostscript-debugsource-9.23-lp150.2.3.1
ghostscript-devel-9.23-lp150.2.3.1
ghostscript-mini-9.23-lp150.2.3.1
ghostscript-mini-debuginfo-9.23-lp150.2.3.1
ghostscript-mini-debugsource-9.23-lp150.2.3.1
ghostscript-mini-devel-9.23-lp150.2.3.1
ghostscript-x11-9.23-lp150.2.3.1
ghostscript-x11-debuginfo-9.23-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-10194.html
https://bugzilla.suse.com/1090099

--


openSUSE-SU-2018:1912-1: moderate: Security update for openvpn

openSUSE Security Update: Security update for openvpn
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1912-1
Rating: moderate
References: #1090839
Cross-References: CVE-2018-9336
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openvpn fixes the following issues:

- CVE-2018-9336: Fix potential double-free() in Interactive Service could
lead to denial of service (bsc#1090839).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-705=1



Package List:

- openSUSE Leap 15.0 (x86_64):

openvpn-2.4.3-lp150.3.3.1
openvpn-auth-pam-plugin-2.4.3-lp150.3.3.1
openvpn-auth-pam-plugin-debuginfo-2.4.3-lp150.3.3.1
openvpn-debuginfo-2.4.3-lp150.3.3.1
openvpn-debugsource-2.4.3-lp150.3.3.1
openvpn-devel-2.4.3-lp150.3.3.1
openvpn-down-root-plugin-2.4.3-lp150.3.3.1
openvpn-down-root-plugin-debuginfo-2.4.3-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-9336.html
https://bugzilla.suse.com/1090839

--


openSUSE-SU-2018:1913-1: moderate: Security update for php7

openSUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1913-1
Rating: moderate
References: #1099098
Cross-References: CVE-2018-12882
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for php7 fixes the following issues:

- CVE-2018-12882: exif_read_from_impl allowed attackers to trigger a
use-after-free (in exif_read_from_file) because it closed a stream that
it is not responsible for closing (bsc#1099098)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-708=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

apache2-mod_php7-7.0.7-40.1
apache2-mod_php7-debuginfo-7.0.7-40.1
php7-7.0.7-40.1
php7-bcmath-7.0.7-40.1
php7-bcmath-debuginfo-7.0.7-40.1
php7-bz2-7.0.7-40.1
php7-bz2-debuginfo-7.0.7-40.1
php7-calendar-7.0.7-40.1
php7-calendar-debuginfo-7.0.7-40.1
php7-ctype-7.0.7-40.1
php7-ctype-debuginfo-7.0.7-40.1
php7-curl-7.0.7-40.1
php7-curl-debuginfo-7.0.7-40.1
php7-dba-7.0.7-40.1
php7-dba-debuginfo-7.0.7-40.1
php7-debuginfo-7.0.7-40.1
php7-debugsource-7.0.7-40.1
php7-devel-7.0.7-40.1
php7-dom-7.0.7-40.1
php7-dom-debuginfo-7.0.7-40.1
php7-enchant-7.0.7-40.1
php7-enchant-debuginfo-7.0.7-40.1
php7-exif-7.0.7-40.1
php7-exif-debuginfo-7.0.7-40.1
php7-fastcgi-7.0.7-40.1
php7-fastcgi-debuginfo-7.0.7-40.1
php7-fileinfo-7.0.7-40.1
php7-fileinfo-debuginfo-7.0.7-40.1
php7-firebird-7.0.7-40.1
php7-firebird-debuginfo-7.0.7-40.1
php7-fpm-7.0.7-40.1
php7-fpm-debuginfo-7.0.7-40.1
php7-ftp-7.0.7-40.1
php7-ftp-debuginfo-7.0.7-40.1
php7-gd-7.0.7-40.1
php7-gd-debuginfo-7.0.7-40.1
php7-gettext-7.0.7-40.1
php7-gettext-debuginfo-7.0.7-40.1
php7-gmp-7.0.7-40.1
php7-gmp-debuginfo-7.0.7-40.1
php7-iconv-7.0.7-40.1
php7-iconv-debuginfo-7.0.7-40.1
php7-imap-7.0.7-40.1
php7-imap-debuginfo-7.0.7-40.1
php7-intl-7.0.7-40.1
php7-intl-debuginfo-7.0.7-40.1
php7-json-7.0.7-40.1
php7-json-debuginfo-7.0.7-40.1
php7-ldap-7.0.7-40.1
php7-ldap-debuginfo-7.0.7-40.1
php7-mbstring-7.0.7-40.1
php7-mbstring-debuginfo-7.0.7-40.1
php7-mcrypt-7.0.7-40.1
php7-mcrypt-debuginfo-7.0.7-40.1
php7-mysql-7.0.7-40.1
php7-mysql-debuginfo-7.0.7-40.1
php7-odbc-7.0.7-40.1
php7-odbc-debuginfo-7.0.7-40.1
php7-opcache-7.0.7-40.1
php7-opcache-debuginfo-7.0.7-40.1
php7-openssl-7.0.7-40.1
php7-openssl-debuginfo-7.0.7-40.1
php7-pcntl-7.0.7-40.1
php7-pcntl-debuginfo-7.0.7-40.1
php7-pdo-7.0.7-40.1
php7-pdo-debuginfo-7.0.7-40.1
php7-pgsql-7.0.7-40.1
php7-pgsql-debuginfo-7.0.7-40.1
php7-phar-7.0.7-40.1
php7-phar-debuginfo-7.0.7-40.1
php7-posix-7.0.7-40.1
php7-posix-debuginfo-7.0.7-40.1
php7-pspell-7.0.7-40.1
php7-pspell-debuginfo-7.0.7-40.1
php7-readline-7.0.7-40.1
php7-readline-debuginfo-7.0.7-40.1
php7-shmop-7.0.7-40.1
php7-shmop-debuginfo-7.0.7-40.1
php7-snmp-7.0.7-40.1
php7-snmp-debuginfo-7.0.7-40.1
php7-soap-7.0.7-40.1
php7-soap-debuginfo-7.0.7-40.1
php7-sockets-7.0.7-40.1
php7-sockets-debuginfo-7.0.7-40.1
php7-sqlite-7.0.7-40.1
php7-sqlite-debuginfo-7.0.7-40.1
php7-sysvmsg-7.0.7-40.1
php7-sysvmsg-debuginfo-7.0.7-40.1
php7-sysvsem-7.0.7-40.1
php7-sysvsem-debuginfo-7.0.7-40.1
php7-sysvshm-7.0.7-40.1
php7-sysvshm-debuginfo-7.0.7-40.1
php7-tidy-7.0.7-40.1
php7-tidy-debuginfo-7.0.7-40.1
php7-tokenizer-7.0.7-40.1
php7-tokenizer-debuginfo-7.0.7-40.1
php7-wddx-7.0.7-40.1
php7-wddx-debuginfo-7.0.7-40.1
php7-xmlreader-7.0.7-40.1
php7-xmlreader-debuginfo-7.0.7-40.1
php7-xmlrpc-7.0.7-40.1
php7-xmlrpc-debuginfo-7.0.7-40.1
php7-xmlwriter-7.0.7-40.1
php7-xmlwriter-debuginfo-7.0.7-40.1
php7-xsl-7.0.7-40.1
php7-xsl-debuginfo-7.0.7-40.1
php7-zip-7.0.7-40.1
php7-zip-debuginfo-7.0.7-40.1
php7-zlib-7.0.7-40.1
php7-zlib-debuginfo-7.0.7-40.1

- openSUSE Leap 42.3 (noarch):

php7-pear-7.0.7-40.1
php7-pear-Archive_Tar-7.0.7-40.1


References:

https://www.suse.com/security/cve/CVE-2018-12882.html
https://bugzilla.suse.com/1099098

--


openSUSE-SU-2018:1914-1: moderate: Security update for unzip

openSUSE Security Update: Security update for unzip
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1914-1
Rating: moderate
References: #1080074 #910683 #914442
Cross-References: CVE-2014-9636 CVE-2018-1000035
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has one
errata is now available.

Description:

This update for unzip fixes the following issues:

- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write
and crash) via an extra field with an uncompressed size smaller than the
compressed field size in a zip archive that advertises STORED method
compression (bsc#914442)
- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing
of password-protected archives that allowed an attacker to perform a
denial of service or to possibly achieve code execution (bsc#1080074)

This non-security issue was fixed:

+- Allow processing of Windows zip64 archives (Windows archivers set
total_disks field to 0 but per standard, valid values are 1 and higher)
(bnc#910683)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-709=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

unzip-6.00-lp150.3.3.1
unzip-debuginfo-6.00-lp150.3.3.1
unzip-debugsource-6.00-lp150.3.3.1
unzip-doc-6.00-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

unzip-rcc-6.00-lp150.3.3.1
unzip-rcc-debuginfo-6.00-lp150.3.3.1
unzip-rcc-debugsource-6.00-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2014-9636.html
https://www.suse.com/security/cve/CVE-2018-1000035.html
https://bugzilla.suse.com/1080074
https://bugzilla.suse.com/910683
https://bugzilla.suse.com/914442

--