SUSE 5009 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2019:1484-1: important: Security update for MozillaThunderbird
openSUSE-SU-2019:1485-1: moderate: Security update for screen
openSUSE-SU-2019:1486-1: moderate: Security update for doxygen
openSUSE-SU-2019:1488-1: important: Security update for chromium



openSUSE-SU-2019:1484-1: important: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1484-1
Rating: important
References: #1130694 #1133267 #1135824
Cross-References: CVE-2018-18511 CVE-2019-11691 CVE-2019-11692
CVE-2019-11693 CVE-2019-11694 CVE-2019-11698
CVE-2019-5798 CVE-2019-7317 CVE-2019-9797
CVE-2019-9800 CVE-2019-9815 CVE-2019-9816
CVE-2019-9817 CVE-2019-9818 CVE-2019-9819
CVE-2019-9820
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 16 vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

Mozilla Thunderbird was updated to 60.7.0

* Attachment pane of Write window no longer focussed when attaching files
using a keyboard shortcut

Security issues fixed (MFSA 2019-15 boo#1135824):

* CVE-2018-18511: Cross-origin theft of images with
ImageBitmapRenderingContext
* CVE-2019-11691: Use-after-free in XMLHttpRequest
* CVE-2019-11692: Use-after-free removing listeners in the event listener
manager
* CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-11694: (Windows only) Uninitialized memory memory leakage in
Windows sandbox
* CVE-2019-11698: Theft of user history data through drag and drop of
hyperlinks to and from bookmarks
* CVE-2019-5798: Out-of-bounds read in Skia
* CVE-2019-7317: Use-after-free in png_image_free of libpng library
* CVE-2019-9797: Cross-origin theft of images with createImageBitmap
* CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR
60.7
* CVE-2019-9815: Disable hyperthreading on content JavaScript threads on
macOS
* CVE-2019-9816: Type confusion with object groups and UnboxedObjects
* CVE-2019-9817: Stealing of cross-domain images using canvas
* CVE-2019-9818: Use-after-free in crash generation server
* CVE-2019-9819: Compartment mismatch with fetch API
* CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

- Disable LTO (boo#1133267).

- Add patch to fix build using rust-1.33: (boo#1130694)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1484=1



Package List:

- openSUSE Leap 42.3 (x86_64):

MozillaThunderbird-60.7.0-92.1
MozillaThunderbird-buildsymbols-60.7.0-92.1
MozillaThunderbird-debuginfo-60.7.0-92.1
MozillaThunderbird-debugsource-60.7.0-92.1
MozillaThunderbird-translations-common-60.7.0-92.1
MozillaThunderbird-translations-other-60.7.0-92.1


References:

https://www.suse.com/security/cve/CVE-2018-18511.html
https://www.suse.com/security/cve/CVE-2019-11691.html
https://www.suse.com/security/cve/CVE-2019-11692.html
https://www.suse.com/security/cve/CVE-2019-11693.html
https://www.suse.com/security/cve/CVE-2019-11694.html
https://www.suse.com/security/cve/CVE-2019-11698.html
https://www.suse.com/security/cve/CVE-2019-5798.html
https://www.suse.com/security/cve/CVE-2019-7317.html
https://www.suse.com/security/cve/CVE-2019-9797.html
https://www.suse.com/security/cve/CVE-2019-9800.html
https://www.suse.com/security/cve/CVE-2019-9815.html
https://www.suse.com/security/cve/CVE-2019-9816.html
https://www.suse.com/security/cve/CVE-2019-9817.html
https://www.suse.com/security/cve/CVE-2019-9818.html
https://www.suse.com/security/cve/CVE-2019-9819.html
https://www.suse.com/security/cve/CVE-2019-9820.html
https://bugzilla.suse.com/1130694
https://bugzilla.suse.com/1133267
https://bugzilla.suse.com/1135824

--


openSUSE-SU-2019:1485-1: moderate: Security update for screen

openSUSE Security Update: Security update for screen
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1485-1
Rating: moderate
References: #1130831 #944458
Cross-References: CVE-2015-6806
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for screen fixes the following issues:

Security issue fixed:

- CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).

Non-security issue fixed:

- Fixed segmentation faults related to altscreen and resizing screen
(bsc#1130831).

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1485=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

screen-4.0.4-10.3.1
screen-debuginfo-4.0.4-10.3.1
screen-debugsource-4.0.4-10.3.1


References:

https://www.suse.com/security/cve/CVE-2015-6806.html
https://bugzilla.suse.com/1130831
https://bugzilla.suse.com/944458

--


openSUSE-SU-2019:1486-1: moderate: Security update for doxygen

openSUSE Security Update: Security update for doxygen
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1486-1
Rating: moderate
References: #1136364
Cross-References: CVE-2016-10245
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for doxygen fixes the following issues:

- CVE-2016-10245: Fixed XSS via insufficient sanitization of the query
parameter in templates/html/search_opensearch.php [boo#1136364]


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1486=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

doxygen-1.8.11-4.3.1
doxygen-debuginfo-1.8.11-4.3.1
doxygen-debugsource-1.8.11-4.3.1
doxygen-doc-1.8.11-4.3.1
doxywizard-1.8.11-4.3.1
doxywizard-debuginfo-1.8.11-4.3.1
doxywizard-debugsource-1.8.11-4.3.1


References:

https://www.suse.com/security/cve/CVE-2016-10245.html
https://bugzilla.suse.com/1136364

--


openSUSE-SU-2019:1488-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1488-1
Rating: important
References: #1134218
Cross-References: CVE-2019-5824 CVE-2019-5827
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

Chromium was updated to 74.0.3729.157:

- Various security fixes from internal audits, fuzzing and other
initiatives

Includes security fixes from 74.0.3729.131 (boo#1134218):

- CVE-2019-5827: Out-of-bounds access in SQLite
- CVE-2019-5824: Parameter passing error in media player


This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1488=1



Package List:

- openSUSE Backports SLE-15 (aarch64 x86_64):

chromedriver-74.0.3729.157-bp150.210.1
chromium-74.0.3729.157-bp150.210.1


References:

https://www.suse.com/security/cve/CVE-2019-5824.html
https://www.suse.com/security/cve/CVE-2019-5827.html
https://bugzilla.suse.com/1134218

--