SUSE 5145 Published by

The following updates have been released for openSUSE:

openSUSE-SU-2019:1341-1: Security update for yubico-piv-tool
openSUSE-SU-2019:1342-1: important: Security update for pacemaker
openSUSE-SU-2019:1343-1: moderate: Security update for libjpeg-turbo
openSUSE-SU-2019:1344-1: moderate: Security update for rubygem-actionpack-5_1
openSUSE-SU-2019:1345-1: moderate: Security update for wpa_supplicant
openSUSE-SU-2019:1346-1: important: Security update for freeradius-server



openSUSE-SU-2019:1341-1: Security update for yubico-piv-tool

openSUSE Security Update: Security update for yubico-piv-tool
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1341-1
Rating: low
References: #1104809 #1104811
Cross-References: CVE-2018-14779 CVE-2018-14780
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for yubico-piv-tool fixes the following issues:

Security issues fixed:

- Fixed a buffer overflow and an out-of-bounds memory read in
ykpiv_transfer_data(), which could be triggered by a malicious token.
(CVE-2018-14779, bsc#1104809, YSA-2018-03)
- Fixed a buffer overflow and an out-of-bounds memory read in
_ykpiv_fetch_object(), which could be triggered by a malicious token.
(CVE-2018-14780, bsc#1104811, YSA-2018-03)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1341=1



Package List:

- openSUSE Leap 15.0 (x86_64):

libykcs11-1-1.5.0-lp150.2.3.1
libykcs11-1-debuginfo-1.5.0-lp150.2.3.1
libykcs11-devel-1.5.0-lp150.2.3.1
libykpiv-devel-1.5.0-lp150.2.3.1
libykpiv1-1.5.0-lp150.2.3.1
libykpiv1-debuginfo-1.5.0-lp150.2.3.1
yubico-piv-tool-1.5.0-lp150.2.3.1
yubico-piv-tool-debuginfo-1.5.0-lp150.2.3.1
yubico-piv-tool-debugsource-1.5.0-lp150.2.3.1
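After applying the patch, a practitioner will want to confirm that every package named in the advisory is now at or above the fixed version. The following is an added example, not part of the advisory and not SUSE tooling: it takes the advisory's package list and a constructed set of installed packages (what `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` would print, here embedded as sample data) and reports which installed packages are still below the fixed name-version-release. The version comparison is a simplified re-implementation of the rpmvercmp segment rules (no epoch, tilde or caret handling), which is enough for the version strings in this advisory.

```python
import re

# Fixed packages for openSUSE Leap 15.0 (x86_64), taken from the advisory above.
ADVISORY_PACKAGES = [
    "libykcs11-1-1.5.0-lp150.2.3.1",
    "libykcs11-devel-1.5.0-lp150.2.3.1",
    "libykpiv-devel-1.5.0-lp150.2.3.1",
    "libykpiv1-1.5.0-lp150.2.3.1",
    "yubico-piv-tool-1.5.0-lp150.2.3.1",
]

# Constructed sample of installed packages (same NAME-VERSION-RELEASE shape).
# One package is still at an older release and should be flagged.
INSTALLED_SAMPLE = [
    "libykcs11-1-1.5.0-lp150.2.3.1",
    "libykpiv1-1.5.0-lp150.2.3.1",
    "yubico-piv-tool-1.5.0-lp150.1.2",
    "bash-4.4-lp150.11.1",  # unrelated package, ignored
]


def _segments(s):
    """Split a version string into numeric and alphabetic runs, as rpm does."""
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xn != yn:
            return 1 if xn else -1  # a numeric segment sorts after an alphabetic one
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1  # more segments wins when the prefix ties
    return 0


def parse_nvr(nvr):
    """Split NAME-VERSION-RELEASE; the name may itself contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vr_cmp(a, b):
    """Compare (version, release) tuples: version first, then release."""
    c = rpm_vercmp(a[0], b[0])
    return c if c else rpm_vercmp(a[1], b[1])


def outstanding(advisory_list, installed_list):
    """Names of installed packages that are older than the advisory's fixed version."""
    fixed = {n: (v, r) for n, v, r in map(parse_nvr, advisory_list)}
    missing = []
    for n, v, r in map(parse_nvr, installed_list):
        if n in fixed and vr_cmp((v, r), fixed[n]) < 0:
            missing.append(n)
    return sorted(missing)


if __name__ == "__main__":
    for name in outstanding(ADVISORY_PACKAGES, INSTALLED_SAMPLE):
        print("still vulnerable:", name)
```

On a real host, replace INSTALLED_SAMPLE with the output of the rpm query shown in the lead-in; packages from the advisory that are not installed at all are not a finding and are skipped.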


References:

https://www.suse.com/security/cve/CVE-2018-14779.html
https://www.suse.com/security/cve/CVE-2018-14780.html
https://bugzilla.suse.com/1104809
https://bugzilla.suse.com/1104811

--


openSUSE-SU-2019:1342-1: important: Security update for pacemaker

openSUSE Security Update: Security update for pacemaker
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1342-1
Rating: important
References: #1131353 #1131356
Cross-References: CVE-2018-16877 CVE-2018-16878
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for pacemaker fixes the following issues:

Security issues fixed:

- CVE-2018-16877: Fixed a local privilege escalation through insufficient
IPC client-server authentication. (bsc#1131356)
- CVE-2018-16878: Fixed a denial of service through insufficient
verification inflicted preference of uncontrolled processes.
(bsc#1131353)

This update was imported from the SUSE:SLE-12-SP3:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1342=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libpacemaker-devel-1.1.16-4.12.1
libpacemaker3-1.1.16-4.12.1
libpacemaker3-debuginfo-1.1.16-4.12.1
pacemaker-1.1.16-4.12.1
pacemaker-cli-1.1.16-4.12.1
pacemaker-cli-debuginfo-1.1.16-4.12.1
pacemaker-cts-1.1.16-4.12.1
pacemaker-cts-debuginfo-1.1.16-4.12.1
pacemaker-debuginfo-1.1.16-4.12.1
pacemaker-debugsource-1.1.16-4.12.1
pacemaker-remote-1.1.16-4.12.1
pacemaker-remote-debuginfo-1.1.16-4.12.1


References:

https://www.suse.com/security/cve/CVE-2018-16877.html
https://www.suse.com/security/cve/CVE-2018-16878.html
https://bugzilla.suse.com/1131353
https://bugzilla.suse.com/1131356

--


openSUSE-SU-2019:1343-1: moderate: Security update for libjpeg-turbo

openSUSE Security Update: Security update for libjpeg-turbo
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1343-1
Rating: moderate
References: #1096209 #1098155 #1128712
Cross-References: CVE-2018-1152 CVE-2018-11813 CVE-2018-14498

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for libjpeg-turbo fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-14498: Fixed a heap-based buffer over-read in the get_8bit_row()
function, which could allow an attacker to cause a denial of service
(bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel() in
rdtarga.c, which allowed remote attackers to cause a denial of service
via crafted JPG files due to a large loop (bsc#1096209).
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() in rdbmp.c
caused by a division by zero when processing a crafted BMP image
(bsc#1098155).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1343=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libjpeg-turbo-1.5.3-45.1
libjpeg-turbo-debuginfo-1.5.3-45.1
libjpeg-turbo-debugsource-1.5.3-45.1
libjpeg62-62.2.0-45.1
libjpeg62-debuginfo-62.2.0-45.1
libjpeg62-devel-62.2.0-45.1
libjpeg62-turbo-1.5.3-45.1
libjpeg62-turbo-debugsource-1.5.3-45.1
libjpeg8-8.1.2-45.1
libjpeg8-debuginfo-8.1.2-45.1
libjpeg8-devel-8.1.2-45.1
libturbojpeg0-8.1.2-45.1
libturbojpeg0-debuginfo-8.1.2-45.1

- openSUSE Leap 42.3 (x86_64):

libjpeg62-32bit-62.2.0-45.1
libjpeg62-debuginfo-32bit-62.2.0-45.1
libjpeg62-devel-32bit-62.2.0-45.1
libjpeg8-32bit-8.1.2-45.1
libjpeg8-debuginfo-32bit-8.1.2-45.1
libjpeg8-devel-32bit-8.1.2-45.1
libturbojpeg0-32bit-8.1.2-45.1
libturbojpeg0-debuginfo-32bit-8.1.2-45.1


References:

https://www.suse.com/security/cve/CVE-2018-1152.html
https://www.suse.com/security/cve/CVE-2018-11813.html
https://www.suse.com/security/cve/CVE-2018-14498.html
https://bugzilla.suse.com/1096209
https://bugzilla.suse.com/1098155
https://bugzilla.suse.com/1128712

--


openSUSE-SU-2019:1344-1: moderate: Security update for rubygem-actionpack-5_1

openSUSE Security Update: Security update for rubygem-actionpack-5_1
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1344-1
Rating: moderate
References: #1129271 #1129272
Cross-References: CVE-2019-5418 CVE-2019-5419
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for rubygem-actionpack-5_1 fixes the following issues:

Security issues fixed:

- CVE-2019-5418: Fixed a file content disclosure vulnerability in Action
View which could be exploited via specially crafted accept headers in
combination with calls to render file (bsc#1129272).
- CVE-2019-5419: Fixed a resource exhaustion issue in Action View which
could make the server unable to process requests (bsc#1129271).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1344=1



Package List:

- openSUSE Leap 15.0 (x86_64):

ruby2.5-rubygem-actionpack-5_1-5.1.4-lp150.2.3.1
ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-5418.html
https://www.suse.com/security/cve/CVE-2019-5419.html
https://bugzilla.suse.com/1129271
https://bugzilla.suse.com/1129272

--


openSUSE-SU-2019:1345-1: moderate: Security update for wpa_supplicant

openSUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1345-1
Rating: moderate
References: #1104205 #1109209
Cross-References: CVE-2018-14526
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has one erratum
is now available.

Description:

This update for wpa_supplicant fixes the following issues:

This security issue was fixed:

- CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key
messages was not checked, leading to a decryption oracle. An attacker
within range of the Access Point and client could have abused the
vulnerability to recover sensitive information (bsc#1104205).

This non-security issue was fixed:

- Enabled PWD as an EAP method. This allows for password-based
authentication, which is easier to set up than most of the other methods,
and is used by the Eduroam network (bsc#1109209).

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1345=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

wpa_supplicant-2.6-16.1
wpa_supplicant-debuginfo-2.6-16.1
wpa_supplicant-debugsource-2.6-16.1
wpa_supplicant-gui-2.6-16.1
wpa_supplicant-gui-debuginfo-2.6-16.1


References:

https://www.suse.com/security/cve/CVE-2018-14526.html
https://bugzilla.suse.com/1104205
https://bugzilla.suse.com/1109209

--


openSUSE-SU-2019:1346-1: important: Security update for freeradius-server

openSUSE Security Update: Security update for freeradius-server
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1346-1
Rating: important
References: #1132549 #1132664
Cross-References: CVE-2019-11234 CVE-2019-11235
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for freeradius-server fixes the following issues:

Security issues fixed:

- CVE-2019-11235: Fixed an authentication bypass related to the EAP-PWD
Commit frame and insufficient validation of elliptic curve points
(bsc#1132549).
- CVE-2019-11234: Fixed an authentication bypass caused by reflecting
previous values back to the server (bsc#1132664).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1346=1



Package List:

- openSUSE Leap 15.0 (x86_64):

freeradius-server-3.0.16-lp150.2.3.1
freeradius-server-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-debugsource-3.0.16-lp150.2.3.1
freeradius-server-devel-3.0.16-lp150.2.3.1
freeradius-server-doc-3.0.16-lp150.2.3.1
freeradius-server-krb5-3.0.16-lp150.2.3.1
freeradius-server-krb5-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-ldap-3.0.16-lp150.2.3.1
freeradius-server-ldap-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-libs-3.0.16-lp150.2.3.1
freeradius-server-libs-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-mysql-3.0.16-lp150.2.3.1
freeradius-server-mysql-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-perl-3.0.16-lp150.2.3.1
freeradius-server-perl-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-postgresql-3.0.16-lp150.2.3.1
freeradius-server-postgresql-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-python-3.0.16-lp150.2.3.1
freeradius-server-python-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-sqlite-3.0.16-lp150.2.3.1
freeradius-server-sqlite-debuginfo-3.0.16-lp150.2.3.1
freeradius-server-utils-3.0.16-lp150.2.3.1
freeradius-server-utils-debuginfo-3.0.16-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-11234.html
https://www.suse.com/security/cve/CVE-2019-11235.html
https://bugzilla.suse.com/1132549
https://bugzilla.suse.com/1132664

--