14 Security Updates for openSUSE
Posted on: 07/21/2019 01:09 PM

14 security updates has been released for openSUSE:

openSUSE-SU-2019:1759-1: important: Security update for neovim
openSUSE-SU-2019:1760-1: moderate: Security update for python-Twisted
openSUSE-SU-2019:1766-1: important: Security update for webkit2gtk3
openSUSE-SU-2019:1767-1: important: Security update for zeromq
openSUSE-SU-2019:1770-1: moderate: Security update for kernel-firmware
openSUSE-SU-2019:1771-1: important: Security update for ruby-bundled-gems-rpmhelper, ruby2.5
openSUSE-SU-2019:1773-1: moderate: Security update for postgresql10
openSUSE-SU-2019:1775-1: important: Security update for znc
openSUSE-SU-2019:1777-1: moderate: Security update for expat
openSUSE-SU-2019:1778-1: moderate: Security update for php7
openSUSE-SU-2019:1779-1: moderate: Security update for ledger
openSUSE-SU-2019:1780-1: moderate: Security update for clementine
openSUSE-SU-2019:1781-1: important: Security update for bzip2
openSUSE-SU-2019:1782-1: important: Security update for MozillaFirefox

openSUSE-SU-2019:1759-1: important: Security update for neovim
openSUSE Security Update: Security update for neovim
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1759-1
Rating: important
References: #1137443
Cross-References: CVE-2019-12735
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for neovim fixes the following issues:

neovim was updated to version 0.3.7:

* CVE-2019-12735: source should check sandbox (boo#1137443)
* genappimage.sh: migrate to linuxdeploy

Version Update to version 0.3.5:

* options: properly reset directories on 'autochdir'
* Remove MSVC optimization workaround for SHM_ALL
* Make SHM_ALL to a variable instead of a compound literal #define
* doc: mention "pynvim" module rename
* screen: don't crash when drawing popupmenu with 'rightleft' option
* look-behind match may use the wrong line number
* :terminal : set topline based on window height
* :recover : Fix crash on non-existent *.swp

Version Update to version 0.3.4:

* test: add tests for conceal cursor movement
* display: unify ursorline and concealcursor redraw logic

Version Update to version 0.3.3:

* health/provider: Check for available pynvim when neovim mod is missing
* python#CheckForModule: Use the given module string instead of
hard-coding pynvim
* (health.provider)/python: Import the neovim, rather than pynvim, module
* TUI: Konsole DECSCUSR fixup

Version Update to version 0.3.2:-

* Features

- clipboard: support Custom VimL functions (#9304)
- win/TUI: improve terminal/console support (#9401)
- startup: Use $XDG_CONFIG_DIRS/nvim/sysinit.vim if exists (#9077)
- support mapping in more places (#9299)
- diff/highlight: show underline for low-priority CursorLine (#9028)
- signs: Add "nuhml" argument (#9113)
- clipboard: support Wayland (#9230)
- TUI: add support for undercurl and underline color (#9052)
- man.vim: soft (dynamic) wrap (#9023)

* API

- API: implement object namespaces (#6920)
- API: implement nvim_win_set_buf() (#9100)
- API: virtual text annotations (nvim_buf_set_virtual_text) (#8180)
- API: add nvim_buf_is_loaded() (#8660)
- API: nvm_buf_get_offset_for_line (#8221)
- API/UI: ext_newgrid, ext_histate (#8221)

* UI

- TUI: use BCE again more often (smoother resize) (#8806)
- screen: add missing status redraw when redraw_later(CLEAR) was used
(#9315)
- TUI: clip invalid regions on resize (#8779)
- TUI: improvements for scrolling and clearing (#9193)
- TUI: disable clearing almost everywhere (#9143)
- TUI: always use safe cursor movement after resize (#9079)
- ui_options: also send when starting or from OptionSet (#9211)
- TUI: Avoid reset_color_cursor_color in old VTE (#9191)
- Don't erase screen on :hi Normal during startup (#9021)
- TUI: Hint wrapped lines to terminals (#8915)

* FIXES

- RPC: turn errors from async calls into notifications
- TUI: Restore terminal title via "title stacking" (#9407)
- genappimage: Unset $ARGV0 at invocation (#9376)
- TUI: Konsole 18.07.70 supports DECSCUSR (#9364)
- provider: improve error message (#9344)
- runtime/syntax: Fix highlighting of autogroup contents (#9328)
- VimL/confirm(): Show dialog even if :silent (#9297)
- clipboard: prefer xclip (#9302)
- provider/nodejs: fix npm, yarn detection
- channel: avoid buffering output when only terminal is active (#9218)
- ruby: detect rbenv shims for other versions (#8733)
- third party/unibilium: Fix parsing of extended capabilitiy entries
(#9123)
- jobstart(): Fix hang on non-executable cwd (#9204)
- provide/nodejs: Simultaneously query npm and yarn (#9054)
- undo: Fix infinite loop if undo_read_byte returns EOF (#2880)
- 'swapfile: always show dialog' (#9034)

- Add to the system-wide configuration file extension of runtimepath by
/usr/share/vim/site, so that neovim uses other Vim plugins installed
from packages.

- Add /usr/share/vim/site tree of directories to be owned by neovim as
well.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1759=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1759=1



Package List:

- openSUSE Leap 15.1 (x86_64):

neovim-0.3.7-lp151.2.7.1
neovim-debuginfo-0.3.7-lp151.2.7.1
neovim-debugsource-0.3.7-lp151.2.7.1

- openSUSE Leap 15.1 (noarch):

neovim-lang-0.3.7-lp151.2.7.1

- openSUSE Leap 15.0 (x86_64):

neovim-0.3.7-lp150.13.1
neovim-debuginfo-0.3.7-lp150.13.1
neovim-debugsource-0.3.7-lp150.13.1

- openSUSE Leap 15.0 (noarch):

neovim-lang-0.3.7-lp150.13.1


References:

https://www.suse.com/security/cve/CVE-2019-12735.html
https://bugzilla.suse.com/1137443

--



openSUSE-SU-2019:1760-1: moderate: Security update for python-Twisted
openSUSE Security Update: Security update for python-Twisted
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1760-1
Rating: moderate
References: #1137825
Cross-References: CVE-2019-12387
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-Twisted fixes the following issue:

Security issue fixed:

- CVE-2019-12387: Fixed an improper sanitization of URIs or HTTP which
could have allowed attackers to perfrom CRLF attacks (bsc#1137825).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1760=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1760=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

python-Twisted-debuginfo-17.9.0-lp151.3.3.1
python-Twisted-debugsource-17.9.0-lp151.3.3.1
python-Twisted-doc-17.9.0-lp151.3.3.1
python2-Twisted-17.9.0-lp151.3.3.1
python2-Twisted-debuginfo-17.9.0-lp151.3.3.1
python3-Twisted-17.9.0-lp151.3.3.1
python3-Twisted-debuginfo-17.9.0-lp151.3.3.1

- openSUSE Leap 15.0 (i586 x86_64):

python-Twisted-debuginfo-17.9.0-lp150.2.3.1
python-Twisted-debugsource-17.9.0-lp150.2.3.1
python-Twisted-doc-17.9.0-lp150.2.3.1
python2-Twisted-17.9.0-lp150.2.3.1
python2-Twisted-debuginfo-17.9.0-lp150.2.3.1
python3-Twisted-17.9.0-lp150.2.3.1
python3-Twisted-debuginfo-17.9.0-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-12387.html
https://bugzilla.suse.com/1137825

--



openSUSE-SU-2019:1766-1: important: Security update for webkit2gtk3
openSUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1766-1
Rating: important
References: #1133291 #1135715
Cross-References: CVE-2019-6237 CVE-2019-8571 CVE-2019-8583
CVE-2019-8584 CVE-2019-8586 CVE-2019-8587
CVE-2019-8594 CVE-2019-8595 CVE-2019-8596
CVE-2019-8597 CVE-2019-8601 CVE-2019-8607
CVE-2019-8608 CVE-2019-8609 CVE-2019-8610
CVE-2019-8611 CVE-2019-8615 CVE-2019-8619
CVE-2019-8622 CVE-2019-8623
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 20 vulnerabilities is now available.

Description:

This update for webkit2gtk3 to version 2.24.2 fixes the following issues:

Security issues fixed:

- CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584,
CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595,
CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8607,
CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8615,
CVE-2019-8611, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623 (bsc#1135715).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1766=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1766=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libjavascriptcoregtk-4_0-18-2.24.2-lp151.2.3.1
libjavascriptcoregtk-4_0-18-debuginfo-2.24.2-lp151.2.3.1
libwebkit2gtk-4_0-37-2.24.2-lp151.2.3.1
libwebkit2gtk-4_0-37-debuginfo-2.24.2-lp151.2.3.1
typelib-1_0-JavaScriptCore-4_0-2.24.2-lp151.2.3.1
typelib-1_0-WebKit2-4_0-2.24.2-lp151.2.3.1
typelib-1_0-WebKit2WebExtension-4_0-2.24.2-lp151.2.3.1
webkit-jsc-4-2.24.2-lp151.2.3.1
webkit-jsc-4-debuginfo-2.24.2-lp151.2.3.1
webkit2gtk-4_0-injected-bundles-2.24.2-lp151.2.3.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.24.2-lp151.2.3.1
webkit2gtk3-debugsource-2.24.2-lp151.2.3.1
webkit2gtk3-devel-2.24.2-lp151.2.3.1
webkit2gtk3-minibrowser-2.24.2-lp151.2.3.1
webkit2gtk3-minibrowser-debuginfo-2.24.2-lp151.2.3.1
webkit2gtk3-plugin-process-gtk2-2.24.2-lp151.2.3.1
webkit2gtk3-plugin-process-gtk2-debuginfo-2.24.2-lp151.2.3.1

- openSUSE Leap 15.1 (noarch):

libwebkit2gtk3-lang-2.24.2-lp151.2.3.1

- openSUSE Leap 15.1 (x86_64):

libjavascriptcoregtk-4_0-18-32bit-2.24.2-lp151.2.3.1
libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.24.2-lp151.2.3.1
libwebkit2gtk-4_0-37-32bit-2.24.2-lp151.2.3.1
libwebkit2gtk-4_0-37-32bit-debuginfo-2.24.2-lp151.2.3.1

- openSUSE Leap 15.0 (i586 x86_64):

libjavascriptcoregtk-4_0-18-2.24.2-lp150.2.22.1
libjavascriptcoregtk-4_0-18-debuginfo-2.24.2-lp150.2.22.1
libwebkit2gtk-4_0-37-2.24.2-lp150.2.22.1
libwebkit2gtk-4_0-37-debuginfo-2.24.2-lp150.2.22.1
typelib-1_0-JavaScriptCore-4_0-2.24.2-lp150.2.22.1
typelib-1_0-WebKit2-4_0-2.24.2-lp150.2.22.1
typelib-1_0-WebKit2WebExtension-4_0-2.24.2-lp150.2.22.1
webkit-jsc-4-2.24.2-lp150.2.22.1
webkit-jsc-4-debuginfo-2.24.2-lp150.2.22.1
webkit2gtk-4_0-injected-bundles-2.24.2-lp150.2.22.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.24.2-lp150.2.22.1
webkit2gtk3-debugsource-2.24.2-lp150.2.22.1
webkit2gtk3-devel-2.24.2-lp150.2.22.1
webkit2gtk3-minibrowser-2.24.2-lp150.2.22.1
webkit2gtk3-minibrowser-debuginfo-2.24.2-lp150.2.22.1
webkit2gtk3-plugin-process-gtk2-2.24.2-lp150.2.22.1
webkit2gtk3-plugin-process-gtk2-debuginfo-2.24.2-lp150.2.22.1

- openSUSE Leap 15.0 (noarch):

libwebkit2gtk3-lang-2.24.2-lp150.2.22.1

- openSUSE Leap 15.0 (x86_64):

libjavascriptcoregtk-4_0-18-32bit-2.24.2-lp150.2.22.1
libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.24.2-lp150.2.22.1
libwebkit2gtk-4_0-37-32bit-2.24.2-lp150.2.22.1
libwebkit2gtk-4_0-37-32bit-debuginfo-2.24.2-lp150.2.22.1


References:

https://www.suse.com/security/cve/CVE-2019-6237.html
https://www.suse.com/security/cve/CVE-2019-8571.html
https://www.suse.com/security/cve/CVE-2019-8583.html
https://www.suse.com/security/cve/CVE-2019-8584.html
https://www.suse.com/security/cve/CVE-2019-8586.html
https://www.suse.com/security/cve/CVE-2019-8587.html
https://www.suse.com/security/cve/CVE-2019-8594.html
https://www.suse.com/security/cve/CVE-2019-8595.html
https://www.suse.com/security/cve/CVE-2019-8596.html
https://www.suse.com/security/cve/CVE-2019-8597.html
https://www.suse.com/security/cve/CVE-2019-8601.html
https://www.suse.com/security/cve/CVE-2019-8607.html
https://www.suse.com/security/cve/CVE-2019-8608.html
https://www.suse.com/security/cve/CVE-2019-8609.html
https://www.suse.com/security/cve/CVE-2019-8610.html
https://www.suse.com/security/cve/CVE-2019-8611.html
https://www.suse.com/security/cve/CVE-2019-8615.html
https://www.suse.com/security/cve/CVE-2019-8619.html
https://www.suse.com/security/cve/CVE-2019-8622.html
https://www.suse.com/security/cve/CVE-2019-8623.html
https://bugzilla.suse.com/1133291
https://bugzilla.suse.com/1135715

--



openSUSE-SU-2019:1767-1: important: Security update for zeromq
openSUSE Security Update: Security update for zeromq
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1767-1
Rating: important
References: #1082318 #1140255
Cross-References: CVE-2019-13132
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for zeromq fixes the following issues:

- CVE-2019-13132: An unauthenticated remote attacker could have exploited
a stack overflow vulnerability on a server that is supposed to be
protected by encryption and authentication to potentially gain a remote
code execution. (bsc#1140255)

- Correctly mark license files as licence instead of documentation
(bsc#1082318)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1767=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1767=1



Package List:

- openSUSE Leap 15.1 (x86_64):

libzmq5-4.2.3-lp151.5.3.1
libzmq5-debuginfo-4.2.3-lp151.5.3.1
zeromq-debugsource-4.2.3-lp151.5.3.1
zeromq-devel-4.2.3-lp151.5.3.1
zeromq-tools-4.2.3-lp151.5.3.1
zeromq-tools-debuginfo-4.2.3-lp151.5.3.1

- openSUSE Leap 15.0 (x86_64):

libzmq5-4.2.3-lp150.2.15.1
libzmq5-debuginfo-4.2.3-lp150.2.15.1
zeromq-debugsource-4.2.3-lp150.2.15.1
zeromq-devel-4.2.3-lp150.2.15.1
zeromq-tools-4.2.3-lp150.2.15.1
zeromq-tools-debuginfo-4.2.3-lp150.2.15.1


References:

https://www.suse.com/security/cve/CVE-2019-13132.html
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1140255

--



openSUSE-SU-2019:1770-1: moderate: Security update for kernel-firmware
openSUSE Security Update: Security update for kernel-firmware
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1770-1
Rating: moderate
References: #1136334 #1136498 #1139383
Cross-References: CVE-2019-9836
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for kernel-firmware fixes the following issues:

kernel-firmware was updated to version 20190618:

* cavium: Add firmware for CNN55XX crypto driver.
* linux-firmware: Update firmware file for Intel Bluetooth 22161
* linux-firmware: Update firmware file for Intel Bluetooth 9560
* linux-firmware: Update firmware file for Intel Bluetooth 9260
* linux-firmware: Update AMD SEV firmware (CVE-2019-9836, bsc#1139383)
* linux-firmware: update licence text for Marvell firmware
* linux-firmware: update firmware for mhdp8546
* linux-firmware: rsi: update firmware images for Redpine 9113 chipset
* imx: sdma: update firmware to v3.5/v4.5
* nvidia: update GP10[2467] SEC2 RTOS with the one already used on GP108
* linux-firmware: Update firmware file for Intel Bluetooth 8265
* linux-firmware: Update firmware file for Intel Bluetooth 9260
* linux-firmware: Update firmware file for Intel Bluetooth 9560
* amlogic: add video decoder firmwares
* iwlwifi: update -46 firmwares for 22260 and 9000 series
* iwlwifi: add firmware for 22260 and update 9000 series -46 firmwares
* iwlwifi: add -46.ucode firmwares for 9000 series
* amdgpu: update vega20 to the latest 19.10 firmware
* amdgpu: update vega12 to the latest 19.10 firmware
* amdgpu: update vega10 to the latest 19.10 firmware
* amdgpu: update polaris11 to the latest 19.10 firmware
* amdgpu: update polaris10 to the latest 19.10 firmware
* amdgpu: update raven2 to the latest 19.10 firmware
* amdgpu: update raven to the latest 19.10 firmware
* amdgpu: update picasso to the latest 19.10 firmware
* linux-firmware: update fw for qat devices
* Mellanox: Add new mlxsw_spectrum firmware 13.2000.1122
* drm/i915/firmware: Add ICL HuC v8.4.3238
* drm/i915/firmware: Add ICL GuC v32.0.3
* drm/i915/firmware: Add GLK HuC v03.01.2893
* drm/i915/firmware: Add GLK GuC v32.0.3
* drm/i915/firmware: Add KBL GuC v32.0.3
* drm/i915/firmware: Add SKL GuC v32.0.3
* drm/i915/firmware: Add BXT GuC v32.0.3
* linux-firmware: Add firmware file for Intel Bluetooth 22161
* cxgb4: update firmware to revision 1.23.4.0 (bsc#1136334)
* linux-firmware: Update NXP Management Complex firmware to version 10.14.3
* linux-firmware: add firmware for MT7615E
* mediatek: update MT8173 VPU firmware to v1.1.2 [decoder] Enlarge struct
vdec_pic_info to support more capture buffer plane and capture buffer
format change.
* linux-firmware: update Marvell 8797/8997 firmware images
* nfp: update Agilio SmartNIC flower firmware to rev AOTC-2.10.A.23

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1770=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1770=1



Package List:

- openSUSE Leap 15.1 (noarch):

kernel-firmware-20190618-lp151.2.6.1
ucode-amd-20190618-lp151.2.6.1

- openSUSE Leap 15.0 (noarch):

kernel-firmware-20190618-lp150.2.19.1
ucode-amd-20190618-lp150.2.19.1


References:

https://www.suse.com/security/cve/CVE-2019-9836.html
https://bugzilla.suse.com/1136334
https://bugzilla.suse.com/1136498
https://bugzilla.suse.com/1139383

--



openSUSE-SU-2019:1771-1: important: Security update for ruby-bundled-gems-rpmhelper, ruby2.5
openSUSE Security Update: Security update for ruby-bundled-gems-rpmhelper, ruby2.5
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1771-1
Rating: important
References: #1082007 #1082008 #1082009 #1082010 #1082011
#1082014 #1082058 #1087433 #1087434 #1087436
#1087437 #1087440 #1087441 #1112530 #1112532
#1130028 #1130611 #1130617 #1130620 #1130622
#1130623 #1130627 #1133790
Cross-References: CVE-2017-17742 CVE-2018-1000073 CVE-2018-1000074
CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077
CVE-2018-1000078 CVE-2018-1000079 CVE-2018-16395
CVE-2018-16396 CVE-2018-6914 CVE-2018-8777
CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
CVE-2019-8320 CVE-2019-8321 CVE-2019-8322
CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 21 vulnerabilities and has two fixes
is now available.

Description:

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the
following issues:

Changes in ruby2.5:

Update to 2.5.5 and 2.5.4:

https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/
https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/

Security issues fixed:

- CVE-2019-8320: Delete directory using symlink when decompressing tar
(bsc#1130627)
- CVE-2019-8321: Escape sequence injection vulnerability in verbose
(bsc#1130623)
- CVE-2019-8322: Escape sequence injection vulnerability in gem
owner (bsc#1130622)
- CVE-2019-8323: Escape sequence injection vulnerability in API response
handling (bsc#1130620)
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
execution (bsc#1130617)
- CVE-2019-8325: Escape sequence injection vulnerability in errors
(bsc#1130611)


Ruby 2.5 was updated to 2.5.3:

This release includes some bug fixes and some security fixes.

Security issues fixed:

- CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives (bsc#1112532)
- CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly (bsc#1112530)

Ruby 2.5 was updated to 2.5.1:

This release includes some bug fixes and some security fixes.

Security issues fixed:

- CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)
- CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir (bsc#1087441)
- CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)
- CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket (bsc#1087440)
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in
Dir (bsc#1087437)

- Multiple vulnerabilities in RubyGems were fixed:

- CVE-2018-1000079: Fixed path traversal issue during gem installation
allows to write to arbitrary filesystem locations (bsc#1082058)
- CVE-2018-1000075: Fixed infinite loop vulnerability due to negative
size in tar header causes Denial of Service (bsc#1082014)
- CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when
displayed via gem server (bsc#1082011)
- CVE-2018-1000077: Fixed that missing URL validation on spec home
attribute allows malicious gem to set an invalid homepage URL
(bsc#1082010)
- CVE-2018-1000076: Fixed improper verification of signatures in tarball
allows to install mis-signed gem (bsc#1082009)
- CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in
gem owner allowing arbitrary code execution on specially crafted YAML
(bsc#1082008)
- CVE-2018-1000073: Fixed path traversal when writing to a symlinked
basedir outside of the root (bsc#1082007)

Other changes:

- Fixed Net::POPMail methods modify frozen literal when using default arg
- ruby: change over of the Japanese Era to the new emperor May 1st 2019
(bsc#1133790)
- build with PIE support (bsc#1130028)


Changes in ruby-bundled-gems-rpmhelper:

- Add a new helper for bundled ruby gems.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1771=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1771=1



Package List:

- openSUSE Leap 15.1 (noarch):

ruby-bundled-gems-rpmhelper-0.0.2-lp151.2.1
ruby2.5-doc-ri-2.5.5-lp151.4.3.1

- openSUSE Leap 15.1 (x86_64):

libruby2_5-2_5-2.5.5-lp151.4.3.1
libruby2_5-2_5-debuginfo-2.5.5-lp151.4.3.1
ruby2.5-2.5.5-lp151.4.3.1
ruby2.5-debuginfo-2.5.5-lp151.4.3.1
ruby2.5-debugsource-2.5.5-lp151.4.3.1
ruby2.5-devel-2.5.5-lp151.4.3.1
ruby2.5-devel-extra-2.5.5-lp151.4.3.1
ruby2.5-doc-2.5.5-lp151.4.3.1
ruby2.5-stdlib-2.5.5-lp151.4.3.1
ruby2.5-stdlib-debuginfo-2.5.5-lp151.4.3.1

- openSUSE Leap 15.0 (noarch):

ruby-bundled-gems-rpmhelper-0.0.2-lp150.2.1
ruby2.5-doc-ri-2.5.5-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

libruby2_5-2_5-2.5.5-lp150.3.3.1
libruby2_5-2_5-debuginfo-2.5.5-lp150.3.3.1
ruby2.5-2.5.5-lp150.3.3.1
ruby2.5-debuginfo-2.5.5-lp150.3.3.1
ruby2.5-debugsource-2.5.5-lp150.3.3.1
ruby2.5-devel-2.5.5-lp150.3.3.1
ruby2.5-devel-extra-2.5.5-lp150.3.3.1
ruby2.5-doc-2.5.5-lp150.3.3.1
ruby2.5-stdlib-2.5.5-lp150.3.3.1
ruby2.5-stdlib-debuginfo-2.5.5-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2017-17742.html
https://www.suse.com/security/cve/CVE-2018-1000073.html
https://www.suse.com/security/cve/CVE-2018-1000074.html
https://www.suse.com/security/cve/CVE-2018-1000075.html
https://www.suse.com/security/cve/CVE-2018-1000076.html
https://www.suse.com/security/cve/CVE-2018-1000077.html
https://www.suse.com/security/cve/CVE-2018-1000078.html
https://www.suse.com/security/cve/CVE-2018-1000079.html
https://www.suse.com/security/cve/CVE-2018-16395.html
https://www.suse.com/security/cve/CVE-2018-16396.html
https://www.suse.com/security/cve/CVE-2018-6914.html
https://www.suse.com/security/cve/CVE-2018-8777.html
https://www.suse.com/security/cve/CVE-2018-8778.html
https://www.suse.com/security/cve/CVE-2018-8779.html
https://www.suse.com/security/cve/CVE-2018-8780.html
https://www.suse.com/security/cve/CVE-2019-8320.html
https://www.suse.com/security/cve/CVE-2019-8321.html
https://www.suse.com/security/cve/CVE-2019-8322.html
https://www.suse.com/security/cve/CVE-2019-8323.html
https://www.suse.com/security/cve/CVE-2019-8324.html
https://www.suse.com/security/cve/CVE-2019-8325.html
https://bugzilla.suse.com/1082007
https://bugzilla.suse.com/1082008
https://bugzilla.suse.com/1082009
https://bugzilla.suse.com/1082010
https://bugzilla.suse.com/1082011
https://bugzilla.suse.com/1082014
https://bugzilla.suse.com/1082058
https://bugzilla.suse.com/1087433
https://bugzilla.suse.com/1087434
https://bugzilla.suse.com/1087436
https://bugzilla.suse.com/1087437
https://bugzilla.suse.com/1087440
https://bugzilla.suse.com/1087441
https://bugzilla.suse.com/1112530
https://bugzilla.suse.com/1112532
https://bugzilla.suse.com/1130028
https://bugzilla.suse.com/1130611
https://bugzilla.suse.com/1130617
https://bugzilla.suse.com/1130620
https://bugzilla.suse.com/1130622
https://bugzilla.suse.com/1130623
https://bugzilla.suse.com/1130627
https://bugzilla.suse.com/1133790

--



openSUSE-SU-2019:1773-1: moderate: Security update for postgresql10
openSUSE Security Update: Security update for postgresql10
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1773-1
Rating: moderate
References: #1134689 #1138034
Cross-References: CVE-2019-10130 CVE-2019-10164
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for postgresql10 fixes the following issues:

Security issue fixed:

- CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier
parsing (bsc#1138034).
- CVE-2019-10130: Prevent row-level security policies from being bypassed
via selectivity estimators (bsc#1134689).

Bug fixes:

- For a complete list of fixes check the release notes.

* https://www.postgresql.org/docs/10/release-10-9.html
* https://www.postgresql.org/docs/10/release-10-8.html
* https://www.postgresql.org/docs/10/release-10-7.html

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1773=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1773=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libecpg6-10.9-lp151.2.3.1
libecpg6-debuginfo-10.9-lp151.2.3.1
libpq5-10.9-lp151.2.3.1
libpq5-debuginfo-10.9-lp151.2.3.1
postgresql10-10.9-lp151.2.3.1
postgresql10-contrib-10.9-lp151.2.3.1
postgresql10-contrib-debuginfo-10.9-lp151.2.3.1
postgresql10-debuginfo-10.9-lp151.2.3.1
postgresql10-debugsource-10.9-lp151.2.3.1
postgresql10-devel-10.9-lp151.2.3.1
postgresql10-devel-debuginfo-10.9-lp151.2.3.1
postgresql10-plperl-10.9-lp151.2.3.1
postgresql10-plperl-debuginfo-10.9-lp151.2.3.1
postgresql10-plpython-10.9-lp151.2.3.1
postgresql10-plpython-debuginfo-10.9-lp151.2.3.1
postgresql10-pltcl-10.9-lp151.2.3.1
postgresql10-pltcl-debuginfo-10.9-lp151.2.3.1
postgresql10-server-10.9-lp151.2.3.1
postgresql10-server-debuginfo-10.9-lp151.2.3.1
postgresql10-test-10.9-lp151.2.3.1

- openSUSE Leap 15.1 (noarch):

postgresql10-docs-10.9-lp151.2.3.1

- openSUSE Leap 15.1 (x86_64):

libecpg6-32bit-10.9-lp151.2.3.1
libecpg6-32bit-debuginfo-10.9-lp151.2.3.1
libpq5-32bit-10.9-lp151.2.3.1
libpq5-32bit-debuginfo-10.9-lp151.2.3.1

- openSUSE Leap 15.0 (i586 x86_64):

libecpg6-10.9-lp150.3.10.1
libecpg6-debuginfo-10.9-lp150.3.10.1
libpq5-10.9-lp150.3.10.1
libpq5-debuginfo-10.9-lp150.3.10.1
postgresql10-10.9-lp150.3.10.1
postgresql10-contrib-10.9-lp150.3.10.1
postgresql10-contrib-debuginfo-10.9-lp150.3.10.1
postgresql10-debuginfo-10.9-lp150.3.10.1
postgresql10-debugsource-10.9-lp150.3.10.1
postgresql10-devel-10.9-lp150.3.10.1
postgresql10-devel-debuginfo-10.9-lp150.3.10.1
postgresql10-plperl-10.9-lp150.3.10.1
postgresql10-plperl-debuginfo-10.9-lp150.3.10.1
postgresql10-plpython-10.9-lp150.3.10.1
postgresql10-plpython-debuginfo-10.9-lp150.3.10.1
postgresql10-pltcl-10.9-lp150.3.10.1
postgresql10-pltcl-debuginfo-10.9-lp150.3.10.1
postgresql10-server-10.9-lp150.3.10.1
postgresql10-server-debuginfo-10.9-lp150.3.10.1
postgresql10-test-10.9-lp150.3.10.1

- openSUSE Leap 15.0 (noarch):

postgresql10-docs-10.9-lp150.3.10.1

- openSUSE Leap 15.0 (x86_64):

libecpg6-32bit-10.9-lp150.3.10.1
libecpg6-32bit-debuginfo-10.9-lp150.3.10.1
libpq5-32bit-10.9-lp150.3.10.1
libpq5-32bit-debuginfo-10.9-lp150.3.10.1


References:

https://www.suse.com/security/cve/CVE-2019-10130.html
https://www.suse.com/security/cve/CVE-2019-10164.html
https://bugzilla.suse.com/1134689
https://bugzilla.suse.com/1138034

--



openSUSE-SU-2019:1775-1: important: Security update for znc
openSUSE Security Update: Security update for znc
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1775-1
Rating: important
References: #1130360 #1138572
Cross-References: CVE-2019-12816 CVE-2019-9917
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for znc to version 1.7.4 fixes the following issues:

Security issues fixed:

- CVE-2019-12816: Fixed a remote code execution in Modules.cpp
(boo#1138572).
- CVE-2019-9917: Fixed a denial of service on invalid encoding
(boo#1130360).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1775=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1775=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1775=1



Package List:

- openSUSE Leap 15.1 (x86_64):

znc-1.7.4-lp151.2.3.1
znc-debuginfo-1.7.4-lp151.2.3.1
znc-debugsource-1.7.4-lp151.2.3.1
znc-devel-1.7.4-lp151.2.3.1
znc-perl-1.7.4-lp151.2.3.1
znc-perl-debuginfo-1.7.4-lp151.2.3.1
znc-python3-1.7.4-lp151.2.3.1
znc-python3-debuginfo-1.7.4-lp151.2.3.1
znc-tcl-1.7.4-lp151.2.3.1
znc-tcl-debuginfo-1.7.4-lp151.2.3.1

- openSUSE Leap 15.1 (noarch):

znc-lang-1.7.4-lp151.2.3.1

- openSUSE Leap 15.0 (noarch):

znc-lang-1.7.4-lp150.28.1

- openSUSE Leap 15.0 (x86_64):

znc-1.7.4-lp150.28.1
znc-debuginfo-1.7.4-lp150.28.1
znc-debugsource-1.7.4-lp150.28.1
znc-devel-1.7.4-lp150.28.1
znc-perl-1.7.4-lp150.28.1
znc-perl-debuginfo-1.7.4-lp150.28.1
znc-python3-1.7.4-lp150.28.1
znc-python3-debuginfo-1.7.4-lp150.28.1
znc-tcl-1.7.4-lp150.28.1
znc-tcl-debuginfo-1.7.4-lp150.28.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

znc-1.7.4-bp150.2.6.1
znc-devel-1.7.4-bp150.2.6.1
znc-perl-1.7.4-bp150.2.6.1
znc-python3-1.7.4-bp150.2.6.1
znc-tcl-1.7.4-bp150.2.6.1

- openSUSE Backports SLE-15 (noarch):

znc-lang-1.7.4-bp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2019-12816.html
https://www.suse.com/security/cve/CVE-2019-9917.html
https://bugzilla.suse.com/1130360
https://bugzilla.suse.com/1138572

--



openSUSE-SU-2019:1777-1: moderate: Security update for expat
openSUSE Security Update: Security update for expat
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1777-1
Rating: moderate
References: #1139937
Cross-References: CVE-2018-20843
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource
consumption in the XML parser when XML names contain a large amount of
colons (bsc#1139937).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1777=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1777=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

expat-2.2.5-lp151.3.3.1
expat-debuginfo-2.2.5-lp151.3.3.1
expat-debugsource-2.2.5-lp151.3.3.1
libexpat-devel-2.2.5-lp151.3.3.1
libexpat1-2.2.5-lp151.3.3.1
libexpat1-debuginfo-2.2.5-lp151.3.3.1

- openSUSE Leap 15.1 (x86_64):

expat-32bit-debuginfo-2.2.5-lp151.3.3.1
libexpat-devel-32bit-2.2.5-lp151.3.3.1
libexpat1-32bit-2.2.5-lp151.3.3.1
libexpat1-32bit-debuginfo-2.2.5-lp151.3.3.1

- openSUSE Leap 15.0 (i586 x86_64):

expat-2.2.5-lp150.2.3.1
expat-debuginfo-2.2.5-lp150.2.3.1
expat-debugsource-2.2.5-lp150.2.3.1
libexpat-devel-2.2.5-lp150.2.3.1
libexpat1-2.2.5-lp150.2.3.1
libexpat1-debuginfo-2.2.5-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

expat-32bit-debuginfo-2.2.5-lp150.2.3.1
libexpat-devel-32bit-2.2.5-lp150.2.3.1
libexpat1-32bit-2.2.5-lp150.2.3.1
libexpat1-32bit-debuginfo-2.2.5-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-20843.html
https://bugzilla.suse.com/1139937

--



openSUSE-SU-2019:1778-1: moderate: Security update for php7
openSUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1778-1
Rating: moderate
References: #1138172 #1138173
Cross-References: CVE-2019-11039 CVE-2019-11040
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for php7 fixes the following issues:

Security issues fixed:

- CVE-2019-11039: Fixed a heap-buffer-overflow on php_jpg_get16
(bsc#1138173).
- CVE-2019-11040: Fixed an out-of-bounds read due to an integer overflow
in iconv.c:_php_iconv_mime_decode() (bsc#1138172).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1778=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1778=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

apache2-mod_php7-7.2.5-lp151.6.6.1
apache2-mod_php7-debuginfo-7.2.5-lp151.6.6.1
php7-7.2.5-lp151.6.6.1
php7-bcmath-7.2.5-lp151.6.6.1
php7-bcmath-debuginfo-7.2.5-lp151.6.6.1
php7-bz2-7.2.5-lp151.6.6.1
php7-bz2-debuginfo-7.2.5-lp151.6.6.1
php7-calendar-7.2.5-lp151.6.6.1
php7-calendar-debuginfo-7.2.5-lp151.6.6.1
php7-ctype-7.2.5-lp151.6.6.1
php7-ctype-debuginfo-7.2.5-lp151.6.6.1
php7-curl-7.2.5-lp151.6.6.1
php7-curl-debuginfo-7.2.5-lp151.6.6.1
php7-dba-7.2.5-lp151.6.6.1
php7-dba-debuginfo-7.2.5-lp151.6.6.1
php7-debuginfo-7.2.5-lp151.6.6.1
php7-debugsource-7.2.5-lp151.6.6.1
php7-devel-7.2.5-lp151.6.6.1
php7-dom-7.2.5-lp151.6.6.1
php7-dom-debuginfo-7.2.5-lp151.6.6.1
php7-embed-7.2.5-lp151.6.6.1
php7-embed-debuginfo-7.2.5-lp151.6.6.1
php7-enchant-7.2.5-lp151.6.6.1
php7-enchant-debuginfo-7.2.5-lp151.6.6.1
php7-exif-7.2.5-lp151.6.6.1
php7-exif-debuginfo-7.2.5-lp151.6.6.1
php7-fastcgi-7.2.5-lp151.6.6.1
php7-fastcgi-debuginfo-7.2.5-lp151.6.6.1
php7-fileinfo-7.2.5-lp151.6.6.1
php7-fileinfo-debuginfo-7.2.5-lp151.6.6.1
php7-firebird-7.2.5-lp151.6.6.1
php7-firebird-debuginfo-7.2.5-lp151.6.6.1
php7-fpm-7.2.5-lp151.6.6.1
php7-fpm-debuginfo-7.2.5-lp151.6.6.1
php7-ftp-7.2.5-lp151.6.6.1
php7-ftp-debuginfo-7.2.5-lp151.6.6.1
php7-gd-7.2.5-lp151.6.6.1
php7-gd-debuginfo-7.2.5-lp151.6.6.1
php7-gettext-7.2.5-lp151.6.6.1
php7-gettext-debuginfo-7.2.5-lp151.6.6.1
php7-gmp-7.2.5-lp151.6.6.1
php7-gmp-debuginfo-7.2.5-lp151.6.6.1
php7-iconv-7.2.5-lp151.6.6.1
php7-iconv-debuginfo-7.2.5-lp151.6.6.1
php7-intl-7.2.5-lp151.6.6.1
php7-intl-debuginfo-7.2.5-lp151.6.6.1
php7-json-7.2.5-lp151.6.6.1
php7-json-debuginfo-7.2.5-lp151.6.6.1
php7-ldap-7.2.5-lp151.6.6.1
php7-ldap-debuginfo-7.2.5-lp151.6.6.1
php7-mbstring-7.2.5-lp151.6.6.1
php7-mbstring-debuginfo-7.2.5-lp151.6.6.1
php7-mysql-7.2.5-lp151.6.6.1
php7-mysql-debuginfo-7.2.5-lp151.6.6.1
php7-odbc-7.2.5-lp151.6.6.1
php7-odbc-debuginfo-7.2.5-lp151.6.6.1
php7-opcache-7.2.5-lp151.6.6.1
php7-opcache-debuginfo-7.2.5-lp151.6.6.1
php7-openssl-7.2.5-lp151.6.6.1
php7-openssl-debuginfo-7.2.5-lp151.6.6.1
php7-pcntl-7.2.5-lp151.6.6.1
php7-pcntl-debuginfo-7.2.5-lp151.6.6.1
php7-pdo-7.2.5-lp151.6.6.1
php7-pdo-debuginfo-7.2.5-lp151.6.6.1
php7-pgsql-7.2.5-lp151.6.6.1
php7-pgsql-debuginfo-7.2.5-lp151.6.6.1
php7-phar-7.2.5-lp151.6.6.1
php7-phar-debuginfo-7.2.5-lp151.6.6.1
php7-posix-7.2.5-lp151.6.6.1
php7-posix-debuginfo-7.2.5-lp151.6.6.1
php7-readline-7.2.5-lp151.6.6.1
php7-readline-debuginfo-7.2.5-lp151.6.6.1
php7-shmop-7.2.5-lp151.6.6.1
php7-shmop-debuginfo-7.2.5-lp151.6.6.1
php7-snmp-7.2.5-lp151.6.6.1
php7-snmp-debuginfo-7.2.5-lp151.6.6.1
php7-soap-7.2.5-lp151.6.6.1
php7-soap-debuginfo-7.2.5-lp151.6.6.1
php7-sockets-7.2.5-lp151.6.6.1
php7-sockets-debuginfo-7.2.5-lp151.6.6.1
php7-sodium-7.2.5-lp151.6.6.1
php7-sodium-debuginfo-7.2.5-lp151.6.6.1
php7-sqlite-7.2.5-lp151.6.6.1
php7-sqlite-debuginfo-7.2.5-lp151.6.6.1
php7-sysvmsg-7.2.5-lp151.6.6.1
php7-sysvmsg-debuginfo-7.2.5-lp151.6.6.1
php7-sysvsem-7.2.5-lp151.6.6.1
php7-sysvsem-debuginfo-7.2.5-lp151.6.6.1
php7-sysvshm-7.2.5-lp151.6.6.1
php7-sysvshm-debuginfo-7.2.5-lp151.6.6.1
php7-testresults-7.2.5-lp151.6.6.1
php7-tidy-7.2.5-lp151.6.6.1
php7-tidy-debuginfo-7.2.5-lp151.6.6.1
php7-tokenizer-7.2.5-lp151.6.6.1
php7-tokenizer-debuginfo-7.2.5-lp151.6.6.1
php7-wddx-7.2.5-lp151.6.6.1
php7-wddx-debuginfo-7.2.5-lp151.6.6.1
php7-xmlreader-7.2.5-lp151.6.6.1
php7-xmlreader-debuginfo-7.2.5-lp151.6.6.1
php7-xmlrpc-7.2.5-lp151.6.6.1
php7-xmlrpc-debuginfo-7.2.5-lp151.6.6.1
php7-xmlwriter-7.2.5-lp151.6.6.1
php7-xmlwriter-debuginfo-7.2.5-lp151.6.6.1
php7-xsl-7.2.5-lp151.6.6.1
php7-xsl-debuginfo-7.2.5-lp151.6.6.1
php7-zip-7.2.5-lp151.6.6.1
php7-zip-debuginfo-7.2.5-lp151.6.6.1
php7-zlib-7.2.5-lp151.6.6.1
php7-zlib-debuginfo-7.2.5-lp151.6.6.1

- openSUSE Leap 15.1 (noarch):

php7-pear-7.2.5-lp151.6.6.1
php7-pear-Archive_Tar-7.2.5-lp151.6.6.1

- openSUSE Leap 15.0 (i586 x86_64):

apache2-mod_php7-7.2.5-lp150.2.22.1
apache2-mod_php7-debuginfo-7.2.5-lp150.2.22.1
php7-7.2.5-lp150.2.22.1
php7-bcmath-7.2.5-lp150.2.22.1
php7-bcmath-debuginfo-7.2.5-lp150.2.22.1
php7-bz2-7.2.5-lp150.2.22.1
php7-bz2-debuginfo-7.2.5-lp150.2.22.1
php7-calendar-7.2.5-lp150.2.22.1
php7-calendar-debuginfo-7.2.5-lp150.2.22.1
php7-ctype-7.2.5-lp150.2.22.1
php7-ctype-debuginfo-7.2.5-lp150.2.22.1
php7-curl-7.2.5-lp150.2.22.1
php7-curl-debuginfo-7.2.5-lp150.2.22.1
php7-dba-7.2.5-lp150.2.22.1
php7-dba-debuginfo-7.2.5-lp150.2.22.1
php7-debuginfo-7.2.5-lp150.2.22.1
php7-debugsource-7.2.5-lp150.2.22.1
php7-devel-7.2.5-lp150.2.22.1
php7-dom-7.2.5-lp150.2.22.1
php7-dom-debuginfo-7.2.5-lp150.2.22.1
php7-embed-7.2.5-lp150.2.22.1
php7-embed-debuginfo-7.2.5-lp150.2.22.1
php7-enchant-7.2.5-lp150.2.22.1
php7-enchant-debuginfo-7.2.5-lp150.2.22.1
php7-exif-7.2.5-lp150.2.22.1
php7-exif-debuginfo-7.2.5-lp150.2.22.1
php7-fastcgi-7.2.5-lp150.2.22.1
php7-fastcgi-debuginfo-7.2.5-lp150.2.22.1
php7-fileinfo-7.2.5-lp150.2.22.1
php7-fileinfo-debuginfo-7.2.5-lp150.2.22.1
php7-firebird-7.2.5-lp150.2.22.1
php7-firebird-debuginfo-7.2.5-lp150.2.22.1
php7-fpm-7.2.5-lp150.2.22.1
php7-fpm-debuginfo-7.2.5-lp150.2.22.1
php7-ftp-7.2.5-lp150.2.22.1
php7-ftp-debuginfo-7.2.5-lp150.2.22.1
php7-gd-7.2.5-lp150.2.22.1
php7-gd-debuginfo-7.2.5-lp150.2.22.1
php7-gettext-7.2.5-lp150.2.22.1
php7-gettext-debuginfo-7.2.5-lp150.2.22.1
php7-gmp-7.2.5-lp150.2.22.1
php7-gmp-debuginfo-7.2.5-lp150.2.22.1
php7-iconv-7.2.5-lp150.2.22.1
php7-iconv-debuginfo-7.2.5-lp150.2.22.1
php7-intl-7.2.5-lp150.2.22.1
php7-intl-debuginfo-7.2.5-lp150.2.22.1
php7-json-7.2.5-lp150.2.22.1
php7-json-debuginfo-7.2.5-lp150.2.22.1
php7-ldap-7.2.5-lp150.2.22.1
php7-ldap-debuginfo-7.2.5-lp150.2.22.1
php7-mbstring-7.2.5-lp150.2.22.1
php7-mbstring-debuginfo-7.2.5-lp150.2.22.1
php7-mysql-7.2.5-lp150.2.22.1
php7-mysql-debuginfo-7.2.5-lp150.2.22.1
php7-odbc-7.2.5-lp150.2.22.1
php7-odbc-debuginfo-7.2.5-lp150.2.22.1
php7-opcache-7.2.5-lp150.2.22.1
php7-opcache-debuginfo-7.2.5-lp150.2.22.1
php7-openssl-7.2.5-lp150.2.22.1
php7-openssl-debuginfo-7.2.5-lp150.2.22.1
php7-pcntl-7.2.5-lp150.2.22.1
php7-pcntl-debuginfo-7.2.5-lp150.2.22.1
php7-pdo-7.2.5-lp150.2.22.1
php7-pdo-debuginfo-7.2.5-lp150.2.22.1
php7-pgsql-7.2.5-lp150.2.22.1
php7-pgsql-debuginfo-7.2.5-lp150.2.22.1
php7-phar-7.2.5-lp150.2.22.1
php7-phar-debuginfo-7.2.5-lp150.2.22.1
php7-posix-7.2.5-lp150.2.22.1
php7-posix-debuginfo-7.2.5-lp150.2.22.1
php7-readline-7.2.5-lp150.2.22.1
php7-readline-debuginfo-7.2.5-lp150.2.22.1
php7-shmop-7.2.5-lp150.2.22.1
php7-shmop-debuginfo-7.2.5-lp150.2.22.1
php7-snmp-7.2.5-lp150.2.22.1
php7-snmp-debuginfo-7.2.5-lp150.2.22.1
php7-soap-7.2.5-lp150.2.22.1
php7-soap-debuginfo-7.2.5-lp150.2.22.1
php7-sockets-7.2.5-lp150.2.22.1
php7-sockets-debuginfo-7.2.5-lp150.2.22.1
php7-sodium-7.2.5-lp150.2.22.1
php7-sodium-debuginfo-7.2.5-lp150.2.22.1
php7-sqlite-7.2.5-lp150.2.22.1
php7-sqlite-debuginfo-7.2.5-lp150.2.22.1
php7-sysvmsg-7.2.5-lp150.2.22.1
php7-sysvmsg-debuginfo-7.2.5-lp150.2.22.1
php7-sysvsem-7.2.5-lp150.2.22.1
php7-sysvsem-debuginfo-7.2.5-lp150.2.22.1
php7-sysvshm-7.2.5-lp150.2.22.1
php7-sysvshm-debuginfo-7.2.5-lp150.2.22.1
php7-testresults-7.2.5-lp150.2.22.1
php7-tidy-7.2.5-lp150.2.22.1
php7-tidy-debuginfo-7.2.5-lp150.2.22.1
php7-tokenizer-7.2.5-lp150.2.22.1
php7-tokenizer-debuginfo-7.2.5-lp150.2.22.1
php7-wddx-7.2.5-lp150.2.22.1
php7-wddx-debuginfo-7.2.5-lp150.2.22.1
php7-xmlreader-7.2.5-lp150.2.22.1
php7-xmlreader-debuginfo-7.2.5-lp150.2.22.1
php7-xmlrpc-7.2.5-lp150.2.22.1
php7-xmlrpc-debuginfo-7.2.5-lp150.2.22.1
php7-xmlwriter-7.2.5-lp150.2.22.1
php7-xmlwriter-debuginfo-7.2.5-lp150.2.22.1
php7-xsl-7.2.5-lp150.2.22.1
php7-xsl-debuginfo-7.2.5-lp150.2.22.1
php7-zip-7.2.5-lp150.2.22.1
php7-zip-debuginfo-7.2.5-lp150.2.22.1
php7-zlib-7.2.5-lp150.2.22.1
php7-zlib-debuginfo-7.2.5-lp150.2.22.1

- openSUSE Leap 15.0 (noarch):

php7-pear-7.2.5-lp150.2.22.1
php7-pear-Archive_Tar-7.2.5-lp150.2.22.1


References:

https://www.suse.com/security/cve/CVE-2019-11039.html
https://www.suse.com/security/cve/CVE-2019-11040.html
https://bugzilla.suse.com/1138172
https://bugzilla.suse.com/1138173

--



openSUSE-SU-2019:1779-1: moderate: Security update for ledger
openSUSE Security Update: Security update for ledger
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1779-1
Rating: moderate
References: #1052478 #1052484 #1105084
Cross-References: CVE-2017-12481 CVE-2017-12482 CVE-2017-2807
CVE-2017-2808
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for ledger fixes the following issues:

ledger was updated to 3.1.3:

+ Properly reject postings with a comment right after the flag (bug #1753)
+ Make sorting order of lot information deterministic (bug #1747)
+ Fix bug in tag value parsing (bug #1702)
+ Remove the org command, which was always a hack to begin with (bug #1706)
+ Provide Docker information in README
+ Various small documentation improvements

This also includes the update to 3.1.2:

+ Increase maximum length for regex from 255 to 4095 (bug #981)
+ Initialize periods from from/since clause rather than earliest
transaction date (bug #1159)
+ Check balance assertions against the amount after the posting (bug #1147)
+ Allow balance assertions with multiple posts to same account (bug #1187)
+ Fix period duration of "every X days" and similar statements (bug #370)
+ Make option --force-color not require --color anymore (bug #1109)
+ Add quoted_rfc4180 to allow CVS output with RFC 4180 compliant quoting.
+ Add support for --prepend-format in accounts command
+ Fix handling of edge cases in trim function (bug #520)
+ Fix auto xact posts not getting applied to account total during journal
parse (bug #552)
+ Transfer null_post flags to generated postings
+ Fix segfault when using --market with --group-by
+ Use amount_width variable for budget report
+ Keep pending items in budgets until the last day they apply
+ Fix bug where .total used in value expressions breaks totals
+ Make automated transactions work with assertions (bug #1127)
+ Improve parsing of date tokens (bug #1626)
+ Don't attempt to invert a value if it's already zero (bug #1703)
+ Do not parse user-specified init-file twice
+ Fix parsing issue of effective dates (bug #1722, TALOS-2017-0303,
CVE-2017-2807)
+ Fix use-after-free issue with deferred postings (bug #1723,
TALOS-2017-0304, CVE-2017-2808)
+ Fix possible stack overflow in option parsing routine (bug #1222,
CVE-2017-12481)
+ Fix possible stack overflow in date parsing routine (bug #1224,
CVE-2017-12482)
+ Fix use-after-free when using --gain (bug #541)
+ Python: Removed double quotes from Unicode values.
+ Python: Ensure that parse errors produce useful RuntimeErrors
+ Python: Expose journal expand_aliases
+ Python: Expose journal_t::register_account
+ Improve bash completion
+ Emacs Lisp files have been moved to https://github.com/ledger/ledger-mode
+ Various documentation improvements


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1779=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1779=1



Package List:

- openSUSE Leap 15.1 (x86_64):

ledger-3.1.3-lp151.3.3.1
ledger-debuginfo-3.1.3-lp151.3.3.1
ledger-debugsource-3.1.3-lp151.3.3.1

- openSUSE Leap 15.0 (x86_64):

ledger-3.1.3-lp150.2.3.1
ledger-debuginfo-3.1.3-lp150.2.3.1
ledger-debugsource-3.1.3-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2017-12481.html
https://www.suse.com/security/cve/CVE-2017-12482.html
https://www.suse.com/security/cve/CVE-2017-2807.html
https://www.suse.com/security/cve/CVE-2017-2808.html
https://bugzilla.suse.com/1052478
https://bugzilla.suse.com/1052484
https://bugzilla.suse.com/1105084

--



openSUSE-SU-2019:1780-1: moderate: Security update for clementine
openSUSE Security Update: Security update for clementine
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1780-1
Rating: moderate
References: #1103041
Cross-References: CVE-2018-14332
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for clementine fixes the following issues:

- CVE-2018-14332: Fixed a NULL ptr dereference (crash) in the moodbar
pipeline (boo#1103041)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1780=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1780=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1780=1



Package List:

- openSUSE Leap 15.1 (x86_64):

clementine-1.3.1-lp151.3.3.1
clementine-debuginfo-1.3.1-lp151.3.3.1
clementine-debugsource-1.3.1-lp151.3.3.1

- openSUSE Leap 15.0 (x86_64):

clementine-1.3.1-lp150.2.3.1
clementine-debuginfo-1.3.1-lp150.2.3.1
clementine-debugsource-1.3.1-lp150.2.3.1

- openSUSE Backports SLE-15 (x86_64):

clementine-1.3.1-bp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-14332.html
https://bugzilla.suse.com/1103041

--



openSUSE-SU-2019:1781-1: important: Security update for bzip2
openSUSE Security Update: Security update for bzip2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1781-1
Rating: important
References: #1139083
Cross-References: CVE-2019-12900
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many
selectors (bsc#1139083).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1781=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1781=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

bzip2-1.0.6-lp151.5.6.1
bzip2-debuginfo-1.0.6-lp151.5.6.1
bzip2-debugsource-1.0.6-lp151.5.6.1
libbz2-1-1.0.6-lp151.5.6.1
libbz2-1-debuginfo-1.0.6-lp151.5.6.1
libbz2-devel-1.0.6-lp151.5.6.1

- openSUSE Leap 15.1 (x86_64):

libbz2-1-32bit-1.0.6-lp151.5.6.1
libbz2-1-32bit-debuginfo-1.0.6-lp151.5.6.1
libbz2-devel-32bit-1.0.6-lp151.5.6.1

- openSUSE Leap 15.1 (noarch):

bzip2-doc-1.0.6-lp151.5.6.1

- openSUSE Leap 15.0 (i586 x86_64):

bzip2-1.0.6-lp150.4.6.1
bzip2-debuginfo-1.0.6-lp150.4.6.1
bzip2-debugsource-1.0.6-lp150.4.6.1
libbz2-1-1.0.6-lp150.4.6.1
libbz2-1-debuginfo-1.0.6-lp150.4.6.1
libbz2-devel-1.0.6-lp150.4.6.1

- openSUSE Leap 15.0 (x86_64):

libbz2-1-32bit-1.0.6-lp150.4.6.1
libbz2-1-32bit-debuginfo-1.0.6-lp150.4.6.1
libbz2-devel-32bit-1.0.6-lp150.4.6.1

- openSUSE Leap 15.0 (noarch):

bzip2-doc-1.0.6-lp150.4.6.1


References:

https://www.suse.com/security/cve/CVE-2019-12900.html
https://bugzilla.suse.com/1139083

--



openSUSE-SU-2019:1782-1: important: Security update for MozillaFirefox
openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1782-1
Rating: important
References: #1140868
Cross-References: CVE-2019-11709 CVE-2019-11711 CVE-2019-11712
CVE-2019-11713 CVE-2019-11715 CVE-2019-11717
CVE-2019-11719 CVE-2019-11729 CVE-2019-11730
CVE-2019-9811
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes 10 vulnerabilities is now available.

Description:

This update for MozillaFirefox, mozilla-nss fixes the following issues:

MozillaFirefox to version ESR 60.8:

- CVE-2019-9811: Sandbox escape via installation of malicious language
pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window
reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI
plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a
segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS
(bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins
(bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
(bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as
having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).

mozilla-nss to version 3.44.1:

* Added IPSEC IKE support to softoken
* Many new FIPS test cases

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1782=1



Package List:

- openSUSE Leap 15.1 (i586 x86_64):

libfreebl3-3.44.1-lp151.2.3.1
libfreebl3-debuginfo-3.44.1-lp151.2.3.1
libfreebl3-hmac-3.44.1-lp151.2.3.1
libsoftokn3-3.44.1-lp151.2.3.1
libsoftokn3-debuginfo-3.44.1-lp151.2.3.1
libsoftokn3-hmac-3.44.1-lp151.2.3.1
mozilla-nss-3.44.1-lp151.2.3.1
mozilla-nss-certs-3.44.1-lp151.2.3.1
mozilla-nss-certs-debuginfo-3.44.1-lp151.2.3.1
mozilla-nss-debuginfo-3.44.1-lp151.2.3.1
mozilla-nss-debugsource-3.44.1-lp151.2.3.1
mozilla-nss-devel-3.44.1-lp151.2.3.1
mozilla-nss-sysinit-3.44.1-lp151.2.3.1
mozilla-nss-sysinit-debuginfo-3.44.1-lp151.2.3.1
mozilla-nss-tools-3.44.1-lp151.2.3.1
mozilla-nss-tools-debuginfo-3.44.1-lp151.2.3.1

- openSUSE Leap 15.1 (x86_64):

MozillaFirefox-60.8.0-lp151.2.10.1
MozillaFirefox-branding-upstream-60.8.0-lp151.2.10.1
MozillaFirefox-buildsymbols-60.8.0-lp151.2.10.1
MozillaFirefox-debuginfo-60.8.0-lp151.2.10.1
MozillaFirefox-debugsource-60.8.0-lp151.2.10.1
MozillaFirefox-devel-60.8.0-lp151.2.10.1
MozillaFirefox-translations-common-60.8.0-lp151.2.10.1
MozillaFirefox-translations-other-60.8.0-lp151.2.10.1
libfreebl3-32bit-3.44.1-lp151.2.3.1
libfreebl3-32bit-debuginfo-3.44.1-lp151.2.3.1
libfreebl3-hmac-32bit-3.44.1-lp151.2.3.1
libsoftokn3-32bit-3.44.1-lp151.2.3.1
libsoftokn3-32bit-debuginfo-3.44.1-lp151.2.3.1
libsoftokn3-hmac-32bit-3.44.1-lp151.2.3.1
mozilla-nss-32bit-3.44.1-lp151.2.3.1
mozilla-nss-32bit-debuginfo-3.44.1-lp151.2.3.1
mozilla-nss-certs-32bit-3.44.1-lp151.2.3.1
mozilla-nss-certs-32bit-debuginfo-3.44.1-lp151.2.3.1
mozilla-nss-sysinit-32bit-3.44.1-lp151.2.3.1
mozilla-nss-sysinit-32bit-debuginfo-3.44.1-lp151.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-11709.html
https://www.suse.com/security/cve/CVE-2019-11711.html
https://www.suse.com/security/cve/CVE-2019-11712.html
https://www.suse.com/security/cve/CVE-2019-11713.html
https://www.suse.com/security/cve/CVE-2019-11715.html
https://www.suse.com/security/cve/CVE-2019-11717.html
https://www.suse.com/security/cve/CVE-2019-11719.html
https://www.suse.com/security/cve/CVE-2019-11729.html
https://www.suse.com/security/cve/CVE-2019-11730.html
https://www.suse.com/security/cve/CVE-2019-9811.html
https://bugzilla.suse.com/1140868

--






Printed from Linux Compatible (https://www.linuxcompatible.org/news/story/14_security_updates_for_opensuse.html)