SUSE 5009 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2018:2203-1: moderate: Security update for util-linux
openSUSE-SU-2018:2205-1: moderate: Security update for util-linux
openSUSE-SU-2018:2206-1: important: Security update for java-10-openjdk
openSUSE-SU-2018:2208-1: moderate: Security update for ovmf
openSUSE-SU-2018:2209-1: moderate: Security update for libsndfile
openSUSE-SU-2018:2210-1: Security update for nautilus
openSUSE-SU-2018:2211-1: moderate: Security update for xen
openSUSE-SU-2018:2212-1: important: Security update for mutt
openSUSE-SU-2018:2213-1: moderate: Security update for python-dulwich
openSUSE-SU-2018:2214-1: moderate: Security update for libsndfile
openSUSE-SU-2018:2215-1: moderate: Security update for rpm



openSUSE-SU-2018:2203-1: moderate: Security update for util-linux

openSUSE Security Update: Security update for util-linux
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2203-1
Rating: moderate
References: #1072947 #1078662 #1080740 #1084300
Cross-References: CVE-2018-7738
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has three fixes
is now available.

Description:

This update for util-linux fixes the following issues:

This non-security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain
privileges by embedding shell commands in a mountpoint name, which was
mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

This update was imported from the SUSE:SLE-12-SP3:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-805=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libblkid-devel-2.29.2-8.1
libblkid-devel-static-2.29.2-8.1
libblkid1-2.29.2-8.1
libblkid1-debuginfo-2.29.2-8.1
libfdisk-devel-2.29.2-8.1
libfdisk-devel-static-2.29.2-8.1
libfdisk1-2.29.2-8.1
libfdisk1-debuginfo-2.29.2-8.1
libmount-devel-2.29.2-8.1
libmount-devel-static-2.29.2-8.1
libmount1-2.29.2-8.1
libmount1-debuginfo-2.29.2-8.1
libsmartcols-devel-2.29.2-8.1
libsmartcols-devel-static-2.29.2-8.1
libsmartcols1-2.29.2-8.1
libsmartcols1-debuginfo-2.29.2-8.1
libuuid-devel-2.29.2-8.1
libuuid-devel-static-2.29.2-8.1
libuuid1-2.29.2-8.1
libuuid1-debuginfo-2.29.2-8.1
python-libmount-2.29.2-8.1
python-libmount-debuginfo-2.29.2-8.1
python-libmount-debugsource-2.29.2-8.1
util-linux-2.29.2-8.1
util-linux-debuginfo-2.29.2-8.1
util-linux-debugsource-2.29.2-8.1
util-linux-systemd-2.29.2-8.1
util-linux-systemd-debuginfo-2.29.2-8.1
util-linux-systemd-debugsource-2.29.2-8.1
uuidd-2.29.2-8.1
uuidd-debuginfo-2.29.2-8.1

- openSUSE Leap 42.3 (x86_64):

libblkid-devel-32bit-2.29.2-8.1
libblkid1-32bit-2.29.2-8.1
libblkid1-debuginfo-32bit-2.29.2-8.1
libmount-devel-32bit-2.29.2-8.1
libmount1-32bit-2.29.2-8.1
libmount1-debuginfo-32bit-2.29.2-8.1
libuuid-devel-32bit-2.29.2-8.1
libuuid1-32bit-2.29.2-8.1
libuuid1-debuginfo-32bit-2.29.2-8.1

- openSUSE Leap 42.3 (noarch):

util-linux-lang-2.29.2-8.1


References:

https://www.suse.com/security/cve/CVE-2018-7738.html
https://bugzilla.suse.com/1072947
https://bugzilla.suse.com/1078662
https://bugzilla.suse.com/1080740
https://bugzilla.suse.com/1084300

--


openSUSE-SU-2018:2205-1: moderate: Security update for util-linux

openSUSE Security Update: Security update for util-linux
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2205-1
Rating: moderate
References: #1084300
Cross-References: CVE-2018-7738
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for util-linux fixes the following security issue:

- CVE-2018-7738: Fix local vulnerability using embedded shell commands in
a mountpoint name (bsc#1084300)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-811=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libblkid-devel-2.31.1-lp150.7.6.1
libblkid-devel-static-2.31.1-lp150.7.6.1
libblkid1-2.31.1-lp150.7.6.1
libblkid1-debuginfo-2.31.1-lp150.7.6.1
libfdisk-devel-2.31.1-lp150.7.6.1
libfdisk-devel-static-2.31.1-lp150.7.6.1
libfdisk1-2.31.1-lp150.7.6.1
libfdisk1-debuginfo-2.31.1-lp150.7.6.1
libmount-devel-2.31.1-lp150.7.6.1
libmount-devel-static-2.31.1-lp150.7.6.1
libmount1-2.31.1-lp150.7.6.1
libmount1-debuginfo-2.31.1-lp150.7.6.1
libsmartcols-devel-2.31.1-lp150.7.6.1
libsmartcols-devel-static-2.31.1-lp150.7.6.1
libsmartcols1-2.31.1-lp150.7.6.1
libsmartcols1-debuginfo-2.31.1-lp150.7.6.1
libuuid-devel-2.31.1-lp150.7.6.1
libuuid-devel-static-2.31.1-lp150.7.6.1
libuuid1-2.31.1-lp150.7.6.1
libuuid1-debuginfo-2.31.1-lp150.7.6.1
util-linux-2.31.1-lp150.7.6.1
util-linux-debuginfo-2.31.1-lp150.7.6.1
util-linux-debugsource-2.31.1-lp150.7.6.1
util-linux-systemd-2.31.1-lp150.7.6.1
util-linux-systemd-debuginfo-2.31.1-lp150.7.6.1
util-linux-systemd-debugsource-2.31.1-lp150.7.6.1
uuidd-2.31.1-lp150.7.6.1
uuidd-debuginfo-2.31.1-lp150.7.6.1

- openSUSE Leap 15.0 (noarch):

util-linux-lang-2.31.1-lp150.7.6.1

- openSUSE Leap 15.0 (x86_64):

libblkid-devel-32bit-2.31.1-lp150.7.6.1
libblkid1-32bit-2.31.1-lp150.7.6.1
libblkid1-32bit-debuginfo-2.31.1-lp150.7.6.1
libmount-devel-32bit-2.31.1-lp150.7.6.1
libmount1-32bit-2.31.1-lp150.7.6.1
libmount1-32bit-debuginfo-2.31.1-lp150.7.6.1
libuuid-devel-32bit-2.31.1-lp150.7.6.1
libuuid1-32bit-2.31.1-lp150.7.6.1
libuuid1-32bit-debuginfo-2.31.1-lp150.7.6.1
python-libmount-2.31.1-lp150.7.6.1
python-libmount-debuginfo-2.31.1-lp150.7.6.1
python-libmount-debugsource-2.31.1-lp150.7.6.1


References:

https://www.suse.com/security/cve/CVE-2018-7738.html
https://bugzilla.suse.com/1084300

--


openSUSE-SU-2018:2206-1: important: Security update for java-10-openjdk

openSUSE Security Update: Security update for java-10-openjdk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2206-1
Rating: important
References: #1096420 #1101645 #1101651 #1101655 #1101656

Cross-References: CVE-2018-2940 CVE-2018-2952 CVE-2018-2972
CVE-2018-2973
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves four vulnerabilities and has one
errata is now available.

Description:


This update for OpenJDK 10.0.2 fixes the following security issues:

- CVE-2018-2940: the libraries sub-component contained an easily
exploitable vulnerability that allowed attackers to compromise Java SE
or Java SE Embedded over the network, potentially gaining unauthorized
read access to data that's accessible to the server. [bsc#1101645]

- CVE-2018-2952: the concurrency sub-component contained a difficult to
exploit vulnerability that allowed attackers to compromise Java SE, Java
SE Embedded,
or JRockit over the network. This issue could have been abused to mount
a partial denial-of-service attack on the server. [bsc#1101651]

- CVE-2018-2972: the security sub-component contained a difficult to
exploit vulnerability that allowed attackers to compromise Java SE over
the network, potentially gaining unauthorized access to critical data or
complete access to all Java SE accessible data. [bsc#1101655)

- CVE-2018-2973: the JSSE sub-component contained a difficult to exploit
vulnerability allowed attackers to compromise Java SE or Java SE Embedded
over the network, potentially gaining the ability to create, delete or
modify critical data or all Java SE, Java SE Embedded accessible data
without authorization. [bsc#1101656]

Furthemore, the following bugs were fixed:

- Properly remove the existing alternative for java before reinstalling
it. [bsc#1096420]

- idlj was moved to the *-devel package. [bsc#1096420]

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-810=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

java-10-openjdk-10.0.2.0-lp150.2.3.2
java-10-openjdk-accessibility-10.0.2.0-lp150.2.3.2
java-10-openjdk-accessibility-debuginfo-10.0.2.0-lp150.2.3.2
java-10-openjdk-debuginfo-10.0.2.0-lp150.2.3.2
java-10-openjdk-debugsource-10.0.2.0-lp150.2.3.2
java-10-openjdk-demo-10.0.2.0-lp150.2.3.2
java-10-openjdk-devel-10.0.2.0-lp150.2.3.2
java-10-openjdk-headless-10.0.2.0-lp150.2.3.2
java-10-openjdk-jmods-10.0.2.0-lp150.2.3.2
java-10-openjdk-src-10.0.2.0-lp150.2.3.2

- openSUSE Leap 15.0 (noarch):

java-10-openjdk-javadoc-10.0.2.0-lp150.2.3.2


References:

https://www.suse.com/security/cve/CVE-2018-2940.html
https://www.suse.com/security/cve/CVE-2018-2952.html
https://www.suse.com/security/cve/CVE-2018-2972.html
https://www.suse.com/security/cve/CVE-2018-2973.html
https://bugzilla.suse.com/1096420
https://bugzilla.suse.com/1101645
https://bugzilla.suse.com/1101651
https://bugzilla.suse.com/1101655
https://bugzilla.suse.com/1101656

--


openSUSE-SU-2018:2208-1: moderate: Security update for ovmf

openSUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2208-1
Rating: moderate
References: #1094289
Cross-References: CVE-2018-0739
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ovmf fixes the following issues:

Security issues fixed:

- CVE-2018-0739: Update openssl to 1.0.2o to limit ASN.1 constructed types
recursive definition depth (bsc#1094289).

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-807=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

ovmf-2017+git1510945757.b2662641d5-lp150.4.3.1
ovmf-tools-2017+git1510945757.b2662641d5-lp150.4.3.1

- openSUSE Leap 15.0 (x86_64):

qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp150.4.3.1

- openSUSE Leap 15.0 (noarch):

qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp150.4.3.1
qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp150.4.3.1


References:

https://www.suse.com/security/cve/CVE-2018-0739.html
https://bugzilla.suse.com/1094289

--


openSUSE-SU-2018:2209-1: moderate: Security update for libsndfile

openSUSE Security Update: Security update for libsndfile
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2209-1
Rating: moderate
References: #1071767 #1071777 #1100167
Cross-References: CVE-2017-17456 CVE-2017-17457 CVE-2018-13139

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for libsndfile fixes the following issues:

Security issues fixed:

- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in
common.c that allows remote attackers to cause a denial of service
(bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function
d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function
d2ulaw_array() that may have lead to a remote DoS, a different
vulnerability than CVE-2017-14246 (bsc#1071767)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-806=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libsndfile-debugsource-1.0.28-lp150.3.3.1
libsndfile-devel-1.0.28-lp150.3.3.1
libsndfile1-1.0.28-lp150.3.3.1
libsndfile1-debuginfo-1.0.28-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

libsndfile-progs-1.0.28-lp150.3.3.1
libsndfile-progs-debuginfo-1.0.28-lp150.3.3.1
libsndfile-progs-debugsource-1.0.28-lp150.3.3.1
libsndfile1-32bit-1.0.28-lp150.3.3.1
libsndfile1-32bit-debuginfo-1.0.28-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2017-17456.html
https://www.suse.com/security/cve/CVE-2017-17457.html
https://www.suse.com/security/cve/CVE-2018-13139.html
https://bugzilla.suse.com/1071767
https://bugzilla.suse.com/1071777
https://bugzilla.suse.com/1100167

--


openSUSE-SU-2018:2210-1: Security update for nautilus

openSUSE Security Update: Security update for nautilus
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2210-1
Rating: low
References: #1060031
Cross-References: CVE-2017-14604
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for nautilus fixes the following issues:

Security issue fixed:

- CVE-2017-14604: Add a metadata::trusted metadata to the file once the
user acknowledges the file as trusted, and also remove the "trusted"
content in the desktop file (bsc#1060031).

This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-802=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

gnome-shell-search-provider-nautilus-3.20.3-8.3.1
libnautilus-extension1-3.20.3-8.3.1
libnautilus-extension1-debuginfo-3.20.3-8.3.1
nautilus-3.20.3-8.3.1
nautilus-debuginfo-3.20.3-8.3.1
nautilus-debugsource-3.20.3-8.3.1
nautilus-devel-3.20.3-8.3.1
typelib-1_0-Nautilus-3_0-3.20.3-8.3.1

- openSUSE Leap 42.3 (x86_64):

libnautilus-extension1-32bit-3.20.3-8.3.1
libnautilus-extension1-debuginfo-32bit-3.20.3-8.3.1

- openSUSE Leap 42.3 (noarch):

nautilus-lang-3.20.3-8.3.1


References:

https://www.suse.com/security/cve/CVE-2017-14604.html
https://bugzilla.suse.com/1060031

--


openSUSE-SU-2018:2211-1: moderate: Security update for xen

openSUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2211-1
Rating: moderate
References: #1027519 #1087289 #1095242 #1096224 #1097521
#1097522 #1097523
Cross-References: CVE-2018-11806 CVE-2018-12891 CVE-2018-12892
CVE-2018-12893 CVE-2018-3665
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves 5 vulnerabilities and has two fixes
is now available.

Description:

This update for xen fixes the following issues:

Security issues fixed:

- CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242).
- CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU
operations that affect the entire host (XSA-264) (bsc#1097521).
- CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated
SCSI disks (XSA-266) (bsc#1097523).
- CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check
(XSA-265) (bsc#1097522).
- CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented
datagrams (bsc#1096224).

Bug fixes:

- bsc#1027519: Add upstream patches from January.
- bsc#1087289: Fix xen scheduler crash.

This update was imported from the SUSE:SLE-12-SP3:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-803=1



Package List:

- openSUSE Leap 42.3 (x86_64):

xen-4.9.2_08-25.2
xen-debugsource-4.9.2_08-25.2
xen-devel-4.9.2_08-25.2
xen-doc-html-4.9.2_08-25.2
xen-libs-4.9.2_08-25.2
xen-libs-debuginfo-4.9.2_08-25.2
xen-tools-4.9.2_08-25.2
xen-tools-debuginfo-4.9.2_08-25.2
xen-tools-domU-4.9.2_08-25.2
xen-tools-domU-debuginfo-4.9.2_08-25.2


References:

https://www.suse.com/security/cve/CVE-2018-11806.html
https://www.suse.com/security/cve/CVE-2018-12891.html
https://www.suse.com/security/cve/CVE-2018-12892.html
https://www.suse.com/security/cve/CVE-2018-12893.html
https://www.suse.com/security/cve/CVE-2018-3665.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1087289
https://bugzilla.suse.com/1095242
https://bugzilla.suse.com/1096224
https://bugzilla.suse.com/1097521
https://bugzilla.suse.com/1097522
https://bugzilla.suse.com/1097523

--


openSUSE-SU-2018:2212-1: important: Security update for mutt

openSUSE Security Update: Security update for mutt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2212-1
Rating: important
References: #1094717 #1101428 #1101566 #1101567 #1101568
#1101569 #1101570 #1101571 #1101573 #1101576
#1101577 #1101578 #1101581 #1101582 #1101583
#1101588 #1101589
Cross-References: CVE-2014-9116 CVE-2018-14349 CVE-2018-14350
CVE-2018-14351 CVE-2018-14352 CVE-2018-14353
CVE-2018-14354 CVE-2018-14355 CVE-2018-14356
CVE-2018-14357 CVE-2018-14358 CVE-2018-14359
CVE-2018-14360 CVE-2018-14361 CVE-2018-14362
CVE-2018-14363
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 16 vulnerabilities and has one errata
is now available.

Description:

This update for mutt fixes the following issues:

Security issues fixed:

- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status
mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer
underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have
unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers
via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave
room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID
(bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles ".." directory traversal
in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without
a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer
overflow for a FETCH response with along INTERNALDATE field
(bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/'
characters that may have unsafe interaction with cache pathnames
(bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer
overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based
buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute
arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails
for messages data (bsc#1101568).

Bug fixes:

- mutt reports as neomutt and incorrect version (bsc#1094717)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-809=1



Package List:

- openSUSE Leap 15.0 (noarch):

mutt-doc-1.10.1-lp150.2.3.1
mutt-lang-1.10.1-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

mutt-1.10.1-lp150.2.3.1
mutt-debuginfo-1.10.1-lp150.2.3.1
mutt-debugsource-1.10.1-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2014-9116.html
https://www.suse.com/security/cve/CVE-2018-14349.html
https://www.suse.com/security/cve/CVE-2018-14350.html
https://www.suse.com/security/cve/CVE-2018-14351.html
https://www.suse.com/security/cve/CVE-2018-14352.html
https://www.suse.com/security/cve/CVE-2018-14353.html
https://www.suse.com/security/cve/CVE-2018-14354.html
https://www.suse.com/security/cve/CVE-2018-14355.html
https://www.suse.com/security/cve/CVE-2018-14356.html
https://www.suse.com/security/cve/CVE-2018-14357.html
https://www.suse.com/security/cve/CVE-2018-14358.html
https://www.suse.com/security/cve/CVE-2018-14359.html
https://www.suse.com/security/cve/CVE-2018-14360.html
https://www.suse.com/security/cve/CVE-2018-14361.html
https://www.suse.com/security/cve/CVE-2018-14362.html
https://www.suse.com/security/cve/CVE-2018-14363.html
https://bugzilla.suse.com/1094717
https://bugzilla.suse.com/1101428
https://bugzilla.suse.com/1101566
https://bugzilla.suse.com/1101567
https://bugzilla.suse.com/1101568
https://bugzilla.suse.com/1101569
https://bugzilla.suse.com/1101570
https://bugzilla.suse.com/1101571
https://bugzilla.suse.com/1101573
https://bugzilla.suse.com/1101576
https://bugzilla.suse.com/1101577
https://bugzilla.suse.com/1101578
https://bugzilla.suse.com/1101581
https://bugzilla.suse.com/1101582
https://bugzilla.suse.com/1101583
https://bugzilla.suse.com/1101588
https://bugzilla.suse.com/1101589

--


openSUSE-SU-2018:2213-1: moderate: Security update for python-dulwich

openSUSE Security Update: Security update for python-dulwich
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2213-1
Rating: moderate
References: #1066430
Cross-References: CVE-2017-16228
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-dulwich to version 0.18.5 fixes this security issue:

- CVE-2017-16228: Dulwich, when an SSH subprocess is used, allowed remote
attackers to execute arbitrary commands via an ssh URL with an initial
dash character in the hostname (bsc#1066430).

For detailed changes please see https://www.dulwich.io/code/dulwich/

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-801=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

python-dulwich-0.18.5-11.1
python-dulwich-debuginfo-0.18.5-11.1
python-dulwich-debugsource-0.18.5-11.1


References:

https://www.suse.com/security/cve/CVE-2017-16228.html
https://bugzilla.suse.com/1066430

--


openSUSE-SU-2018:2214-1: moderate: Security update for libsndfile

openSUSE Security Update: Security update for libsndfile
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2214-1
Rating: moderate
References: #1071767 #1071777 #1100167
Cross-References: CVE-2017-17456 CVE-2017-17457 CVE-2018-13139

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for libsndfile fixes the following issues:

Security issues fixed:

- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in
common.c that allows remote attackers to cause a denial of service
(bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function
d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function
d2ulaw_array() that may have lead to a remote DoS, a different
vulnerability than CVE-2017-14246 (bsc#1071767)

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-804=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

libsndfile-debugsource-1.0.25-34.1
libsndfile-devel-1.0.25-34.1
libsndfile-progs-1.0.25-34.1
libsndfile-progs-debuginfo-1.0.25-34.1
libsndfile-progs-debugsource-1.0.25-34.1
libsndfile1-1.0.25-34.1
libsndfile1-debuginfo-1.0.25-34.1

- openSUSE Leap 42.3 (x86_64):

libsndfile1-32bit-1.0.25-34.1
libsndfile1-debuginfo-32bit-1.0.25-34.1


References:

https://www.suse.com/security/cve/CVE-2017-17456.html
https://www.suse.com/security/cve/CVE-2017-17457.html
https://www.suse.com/security/cve/CVE-2018-13139.html
https://bugzilla.suse.com/1071767
https://bugzilla.suse.com/1071777
https://bugzilla.suse.com/1100167

--


openSUSE-SU-2018:2215-1: moderate: Security update for rpm

openSUSE Security Update: Security update for rpm
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2215-1
Rating: moderate
References: #1094735 #1095148 #943457
Cross-References: CVE-2017-7500
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)


This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-808=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

python-rpm-debugsource-4.14.1-lp150.9.3.1
python2-rpm-4.14.1-lp150.9.3.1
python2-rpm-debuginfo-4.14.1-lp150.9.3.1
python3-rpm-4.14.1-lp150.9.3.1
python3-rpm-debuginfo-4.14.1-lp150.9.3.1
rpm-4.14.1-lp150.9.3.1
rpm-build-4.14.1-lp150.9.3.1
rpm-build-debuginfo-4.14.1-lp150.9.3.1
rpm-debuginfo-4.14.1-lp150.9.3.1
rpm-debugsource-4.14.1-lp150.9.3.1
rpm-devel-4.14.1-lp150.9.3.1

- openSUSE Leap 15.0 (x86_64):

rpm-32bit-4.14.1-lp150.9.3.1
rpm-32bit-debuginfo-4.14.1-lp150.9.3.1


References:

https://www.suse.com/security/cve/CVE-2017-7500.html
https://bugzilla.suse.com/1094735
https://bugzilla.suse.com/1095148
https://bugzilla.suse.com/943457

--