36 updates has been released for openSUSE. The is part 2:
openSUSE-SU-2019:1851-2: important: Security update for kconfig, kdelibs4
openSUSE-SU-2019:1854-1: moderate: Security update for GraphicsMagick
openSUSE-SU-2019:1855-1: important: Security update for kconfig, kdelibs4
openSUSE-SU-2019:1858-1: moderate: Security update for ansible
openSUSE-SU-2019:1859-1: important: Security update for znc
openSUSE-SU-2019:1861-1: moderate: Security update for phpMyAdmin
openSUSE-SU-2019:1870-1: important: Security update for proftpd
openSUSE-SU-2019:1872-1: moderate: Security update for python-Django
openSUSE-SU-2019:1876-1: moderate: Security update for mumble
openSUSE-SU-2019:1880-1: moderate: Security update for live555
openSUSE-SU-2019:1891-1: moderate: Security update for libqb
openSUSE-SU-2019:1851-2: important: Security update for kconfig, kdelibs4
openSUSE-SU-2019:1854-1: moderate: Security update for GraphicsMagick
openSUSE-SU-2019:1855-1: important: Security update for kconfig, kdelibs4
openSUSE-SU-2019:1858-1: moderate: Security update for ansible
openSUSE-SU-2019:1859-1: important: Security update for znc
openSUSE-SU-2019:1861-1: moderate: Security update for phpMyAdmin
openSUSE-SU-2019:1870-1: important: Security update for proftpd
openSUSE-SU-2019:1872-1: moderate: Security update for python-Django
openSUSE-SU-2019:1876-1: moderate: Security update for mumble
openSUSE-SU-2019:1880-1: moderate: Security update for live555
openSUSE-SU-2019:1891-1: moderate: Security update for libqb
openSUSE-SU-2019:1851-2: important: Security update for kconfig, kdelibs4
openSUSE Security Update: Security update for kconfig, kdelibs4
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1851-2
Rating: important
References: #1144600
Cross-References: CVE-2019-14744
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for kconfig, kdelibs4 fixes the following issues:
- CVE-2019-14744: Fixed a command execution by an shell expansion
(boo#1144600).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1851=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
kconf_update5-5.55.0-bp151.3.5.1
kconf_update5-debuginfo-5.55.0-bp151.3.5.1
kconfig-debugsource-5.55.0-bp151.3.5.1
kconfig-devel-5.55.0-bp151.3.5.1
kconfig-devel-debuginfo-5.55.0-bp151.3.5.1
kdelibs4-4.14.38-bp151.9.5.1
kdelibs4-branding-upstream-4.14.38-bp151.9.5.1
kdelibs4-core-4.14.38-bp151.9.5.1
kdelibs4-core-debuginfo-4.14.38-bp151.9.5.1
kdelibs4-debuginfo-4.14.38-bp151.9.5.1
kdelibs4-debugsource-4.14.38-bp151.9.5.1
kdelibs4-doc-4.14.38-bp151.9.5.1
kdelibs4-doc-debuginfo-4.14.38-bp151.9.5.1
libKF5ConfigCore5-5.55.0-bp151.3.5.1
libKF5ConfigCore5-debuginfo-5.55.0-bp151.3.5.1
libKF5ConfigGui5-5.55.0-bp151.3.5.1
libKF5ConfigGui5-debuginfo-5.55.0-bp151.3.5.1
libkde4-4.14.38-bp151.9.5.1
libkde4-debuginfo-4.14.38-bp151.9.5.1
libkde4-devel-4.14.38-bp151.9.5.1
libkde4-devel-debuginfo-4.14.38-bp151.9.5.1
libkdecore4-4.14.38-bp151.9.5.1
libkdecore4-debuginfo-4.14.38-bp151.9.5.1
libkdecore4-devel-4.14.38-bp151.9.5.1
libkdecore4-devel-debuginfo-4.14.38-bp151.9.5.1
libksuseinstall-devel-4.14.38-bp151.9.5.1
libksuseinstall1-4.14.38-bp151.9.5.1
libksuseinstall1-debuginfo-4.14.38-bp151.9.5.1
- openSUSE Backports SLE-15-SP1 (aarch64_ilp32):
kconfig-devel-64bit-5.55.0-bp151.3.5.1
kconfig-devel-64bit-debuginfo-5.55.0-bp151.3.5.1
libKF5ConfigCore5-64bit-5.55.0-bp151.3.5.1
libKF5ConfigCore5-64bit-debuginfo-5.55.0-bp151.3.5.1
libKF5ConfigGui5-64bit-5.55.0-bp151.3.5.1
libKF5ConfigGui5-64bit-debuginfo-5.55.0-bp151.3.5.1
libkde4-64bit-4.14.38-bp151.9.5.1
libkde4-64bit-debuginfo-4.14.38-bp151.9.5.1
libkdecore4-64bit-4.14.38-bp151.9.5.1
libkdecore4-64bit-debuginfo-4.14.38-bp151.9.5.1
libksuseinstall1-64bit-4.14.38-bp151.9.5.1
libksuseinstall1-64bit-debuginfo-4.14.38-bp151.9.5.1
- openSUSE Backports SLE-15-SP1 (noarch):
kdelibs4-apidocs-4.14.38-bp151.9.5.1
libKF5ConfigCore5-lang-5.55.0-bp151.3.5.1
References:
https://www.suse.com/security/cve/CVE-2019-14744.html
https://bugzilla.suse.com/1144600
--
openSUSE-SU-2019:1854-1: moderate: Security update for GraphicsMagick
openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1854-1
Rating: moderate
References: #1138425
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for GraphicsMagick fixes the following issues:
- disable indirect reads that disclosed file contents from the local
system (boo#1138425)
This update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1854=1
Package List:
- openSUSE Backports SLE-15-SP1 (x86_64):
GraphicsMagick-1.3.29-bp151.5.3.1
GraphicsMagick-devel-1.3.29-bp151.5.3.1
libGraphicsMagick++-Q16-12-1.3.29-bp151.5.3.1
libGraphicsMagick++-devel-1.3.29-bp151.5.3.1
libGraphicsMagick-Q16-3-1.3.29-bp151.5.3.1
libGraphicsMagick3-config-1.3.29-bp151.5.3.1
libGraphicsMagickWand-Q16-2-1.3.29-bp151.5.3.1
perl-GraphicsMagick-1.3.29-bp151.5.3.1
References:
https://bugzilla.suse.com/1138425
--
openSUSE-SU-2019:1855-1: important: Security update for kconfig, kdelibs4
openSUSE Security Update: Security update for kconfig, kdelibs4
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1855-1
Rating: important
References: #1144600
Cross-References: CVE-2019-14744
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for kconfig, kdelibs4 fixes the following issues:
- CVE-2019-14744: Fixed a command execution by an shell expansion
(boo#1144600).
This update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2019-1855=1
Package List:
- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):
kconf_update5-5.45.0-bp150.3.8.2
kconf_update5-debuginfo-5.45.0-bp150.3.8.2
kconfig-debugsource-5.45.0-bp150.3.8.2
kconfig-devel-5.45.0-bp150.3.8.2
kconfig-devel-debuginfo-5.45.0-bp150.3.8.2
kdelibs4-4.14.38-bp150.3.8.1
kdelibs4-branding-upstream-4.14.38-bp150.3.8.1
kdelibs4-core-4.14.38-bp150.3.8.1
kdelibs4-doc-4.14.38-bp150.3.8.1
libKF5ConfigCore5-5.45.0-bp150.3.8.2
libKF5ConfigCore5-debuginfo-5.45.0-bp150.3.8.2
libKF5ConfigGui5-5.45.0-bp150.3.8.2
libKF5ConfigGui5-debuginfo-5.45.0-bp150.3.8.2
libkde4-4.14.38-bp150.3.8.1
libkde4-devel-4.14.38-bp150.3.8.1
libkdecore4-4.14.38-bp150.3.8.1
libkdecore4-devel-4.14.38-bp150.3.8.1
libksuseinstall-devel-4.14.38-bp150.3.8.1
libksuseinstall1-4.14.38-bp150.3.8.1
- openSUSE Backports SLE-15 (aarch64_ilp32):
kconfig-devel-64bit-5.45.0-bp150.3.8.2
kconfig-devel-64bit-debuginfo-5.45.0-bp150.3.8.2
libKF5ConfigCore5-64bit-5.45.0-bp150.3.8.2
libKF5ConfigCore5-64bit-debuginfo-5.45.0-bp150.3.8.2
libKF5ConfigGui5-64bit-5.45.0-bp150.3.8.2
libKF5ConfigGui5-64bit-debuginfo-5.45.0-bp150.3.8.2
libkde4-64bit-4.14.38-bp150.3.8.1
libkdecore4-64bit-4.14.38-bp150.3.8.1
libksuseinstall1-64bit-4.14.38-bp150.3.8.1
- openSUSE Backports SLE-15 (noarch):
kdelibs4-apidocs-4.14.38-bp150.3.8.1
libKF5ConfigCore5-lang-5.45.0-bp150.3.8.2
References:
https://www.suse.com/security/cve/CVE-2019-14744.html
https://bugzilla.suse.com/1144600
--
openSUSE-SU-2019:1858-1: moderate: Security update for ansible
openSUSE Security Update: Security update for ansible
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1858-1
Rating: moderate
References: #1109957 #1112959 #1118896 #1126503
Cross-References: CVE-2018-16837 CVE-2018-16859 CVE-2018-16876
CVE-2019-3828
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for ansible fixes the following issues:
Ansible was updated to version 2.8.1:
Full changelog is at /usr/share/doc/packages/ansible/changelogs/
- Bugfixes
- ACI - DO not encode query_string
- ACI modules - Fix non-signature authentication
- Add missing directory provided via ``--playbook-dir`` to adjacent
collection loading
- Fix "Interface not found" errors when using eos_l2_interface with
nonexistant interfaces configured
- Fix cannot get credential when `source_auth` set to `credential_file`.
- Fix netconf_config backup string issue
- Fix privilege escalation support for the docker connection plugin when
credentials need to be supplied (e.g. sudo with password).
- Fix vyos cli prompt inspection
- Fixed loading namespaced documentation fragments from collections.
- Fixing bug came up after running cnos_vrf module against coverity.
- Properly handle data importer failures on PVC creation, instead of
timing out.
- To fix the ios static route TC failure in CI
- To fix the nios member module params
- To fix the nios_zone module idempotency failure
- add terminal initial prompt for initial connection
- allow include_role to work with ansible command
- allow python_requirements_facts to report on dependencies containing
dashes
- asa_config fix
- azure_rm_roledefinition - fix a small error in build scope.
- azure_rm_virtualnetworkpeering - fix cross subscriptions virtual
network peering.
- cgroup_perf_recap - When not using file_per_task, make sure we don't
prematurely close the perf files
- display underlying error when reporting an invalid ``tasks:`` block.
- dnf - fix wildcard matching for state: absent
- docker connection plugin - accept version ``dev`` as 'newest version'
and print warning.
- docker_container - ``oom_killer`` and ``oom_score_adj`` options are
available since docker-py 1.8.0, not 2.0.0 as assumed by the version
check.
- docker_container - fix network creation when
``networks_cli_compatible`` is enabled.
- docker_container - use docker API's ``restart`` instead of
``stop``/``start`` to restart a container.
- docker_image - if ``build`` was not specified, the wrong default for
``build.rm`` is used.
- docker_image - if ``nocache`` set to ``yes`` but not
``build.nocache``, the module failed.
- docker_image - module failed when ``source: build`` was set but
``build.path`` options not specified.
- docker_network module - fix idempotency when using ``aux_addresses``
in ``ipam_config``.
- ec2_instance - make Name tag idempotent
- eos: don't fail modules without become set, instead show message and
continue
- eos_config: check for session support when asked to 'diff_against:
session'
- eos_eapi: fix idempotency issues when vrf was unspecified.
- fix bugs for ce - more info see
- fix incorrect uses of to_native that should be to_text instead.
- hcloud_volume - Fix idempotency when attaching a server to a volume.
- ibm_storage - Added a check for null fields in ibm_storage utils
module.
- include_tasks - whitelist ``listen`` as a valid keyword
- k8s - resource updates applied with force work correctly now
- keep results subset also when not no_log.
- meraki_switchport - improve reliability with native VLAN functionality.
- netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and
clearing functionality
- netapp_e_volumes - fix workload profileId indexing when no previous
workload tags exist on the storage array.
- nxos_acl some platforms/versions raise when no ACLs are present
- nxos_facts fix https://github.com/ansible/ansible/pull/57009
- nxos_file_copy fix passwordless workflow
- nxos_interface Fix admin_state check for n6k
- nxos_snmp_traps fix group all for N35 platforms
- nxos_snmp_user fix platform fixes for get_snmp_user
- nxos_vlan mode idempotence bug
- nxos_vlan vlan names containing regex ctl chars should be escaped
- nxos_vtp_* modules fix n6k issues
- openssl_certificate - fix private key passphrase handling for
``cryptography`` backend.
- openssl_pkcs12 - fixes crash when private key has a passphrase and the
module is run a second time.
- os_stack - Apply tags conditionally so that the module does not throw
up an error when using an older distro of openstacksdk
- pass correct loading context to persistent connections other than local
- pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux
- postgresql - added initial SSL related tests
- postgresql - added missing_required_libs, removed excess param mapping
- postgresql - move connect_to_db and get_pg_version into
module_utils/postgres.py
(https://github.com/ansible/ansible/pull/55514)
- postgresql_db - add note to the documentation about state dump and the
incorrect rc (https://github.com/ansible/ansible/pull/57297)
- postgresql_db - fix for postgresql_db fails if stderr contains output
- postgresql_ping - fixed a typo in the module documentation
- preserve actual ssh error when we cannot connect.
- route53_facts - the module did not advertise check mode support,
causing it not to be run in check mode.
- sysctl: the module now also checks the output of STDERR to report if
values are correctly set
(https://github.com/ansible/ansible/pull/55695)
- ufw - correctly check status when logging is off
- uri - always return a value for status even during failure
- urls - Handle redirects properly for IPv6 address by not splitting on
``:`` and rely on already parsed hostname and port values
- vmware_vm_facts - fix the support with regular ESXi
- vyos_interface fix https://github.com/ansible/ansible/pull/57169
- we don't really need to template vars on definition as we do this on
demand in templating.
- win_acl - Fix qualifier parser when using UNC paths -
- win_hostname - Fix non netbios compliant name handling
- winrm - Fix issue when attempting to parse CLIXML on send input failure
- xenserver_guest - fixed an issue where VM whould be powered off even
though check mode is used if reconfiguration requires VM to be powered
off.
- xenserver_guest - proper error message is shown when maximum number of
network interfaces is reached and multiple network interfaces are
added at
once.
- yum - Fix false error message about autoremove not being supported
- yum - fix failure when using ``update_cache`` standalone
- yum - handle special "_none_" value for proxy in yum.conf and .repo
files
Update to version 2.8.0
Major changes:
* Experimental support for Ansible Collections and content namespacing -
Ansible content can now be packaged in a collection and addressed via
namespaces. This allows for easier sharing, distribution, and
installation
of bundled modules/roles/plugins, and consistent rules for accessing
specific content via namespaces.
* Python interpreter discovery - The first time a Python module runs on
a target, Ansible will attempt to discover the proper default Python
interpreter to use for the target platform/version (instead of
immediately defaulting to /usr/bin/python). You can override this
behavior by setting ansible_python_interpreter or via config. (see
https://github.com/ansible/ansible/pull/50163)
* become - The deprecated CLI arguments for --sudo, --sudo-user,
--ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed,
in favor of the more generic --become, --become-user,
--become-method, and
--ask-become-pass.
* become - become functionality has been migrated to a plugin
architecture, to allow customization of become functionality and 3rd
party become methods (https://github.com/ansible/ansible/pull/50991)
- addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837
For the full changelog see /usr/share/doc/packages/ansible/changelogs or
online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.
8.rst
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1858=1
Package List:
- openSUSE Backports SLE-15-SP1 (noarch):
ansible-2.8.1-bp151.3.3.1
References:
https://www.suse.com/security/cve/CVE-2018-16837.html
https://www.suse.com/security/cve/CVE-2018-16859.html
https://www.suse.com/security/cve/CVE-2018-16876.html
https://www.suse.com/security/cve/CVE-2019-3828.html
https://bugzilla.suse.com/1109957
https://bugzilla.suse.com/1112959
https://bugzilla.suse.com/1118896
https://bugzilla.suse.com/1126503
--
openSUSE-SU-2019:1859-1: important: Security update for znc
openSUSE Security Update: Security update for znc
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1859-1
Rating: important
References: #1130360 #1138572
Cross-References: CVE-2019-12816 CVE-2019-9917
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for znc to version 1.7.4 fixes the following issues:
Security issues fixed:
- CVE-2019-12816: Fixed a remote code execution in Modules.cpp
(boo#1138572).
- CVE-2019-9917: Fixed a denial of service on invalid encoding
(boo#1130360).
This update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1859=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
znc-1.7.4-bp151.4.3.1
znc-devel-1.7.4-bp151.4.3.1
znc-perl-1.7.4-bp151.4.3.1
znc-python3-1.7.4-bp151.4.3.1
znc-tcl-1.7.4-bp151.4.3.1
- openSUSE Backports SLE-15-SP1 (noarch):
znc-lang-1.7.4-bp151.4.3.1
References:
https://www.suse.com/security/cve/CVE-2019-12816.html
https://www.suse.com/security/cve/CVE-2019-9917.html
https://bugzilla.suse.com/1130360
https://bugzilla.suse.com/1138572
--
openSUSE-SU-2019:1861-1: moderate: Security update for phpMyAdmin
openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1861-1
Rating: moderate
References: #1137496 #1137497
Cross-References: CVE-2019-11768 CVE-2019-12616
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for phpMyAdmin fixes the following issues:
phpMyAdmin was updated to 4.9.0.1:
* Several issues with SYSTEM VERSIONING tables
* Fixed json encode error in export
* Fixed JavaScript events not activating on input (sql bookmark issue)
* Show Designer combo boxes when adding a constraint
* Fix edit view
* Fixed invalid default value for bit field
* Fix several errors relating to GIS data types
* Fixed javascript error PMA_messages is not defined
* Fixed import XML data with leading zeros
* Fixed php notice, added support for 'DELETE HISTORY' table privilege
(MariaDB >= 10.3.4)
* Fixed MySQL 8.0.0 issues with GIS display
* Fixed "Server charset" in "Database server" tab showing wrong information
* Fixed can not copy user on Percona Server 5.7
* Updated sql-parser to version 4.3.2, which fixes several parsing and
linting problems
- boo#1137497 / PMASA-2019-4 / CVE-2019-12616 / CWE-661: Fixed CSRF
vulnerability in login form
https://www.phpmyadmin.net/security/PMASA-2019-4/
- boo#1137496 / PMASA-2019-3 / CVE-2019-11768 / CWE-661: Fixed SQL
injection in Designer feature
https://www.phpmyadmin.net/security/PMASA-2019-3/
This update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1861=1
Package List:
- openSUSE Backports SLE-15-SP1 (noarch):
phpMyAdmin-4.9.0.1-bp151.3.3.1
References:
https://www.suse.com/security/cve/CVE-2019-11768.html
https://www.suse.com/security/cve/CVE-2019-12616.html
https://bugzilla.suse.com/1137496
https://bugzilla.suse.com/1137497
--
openSUSE-SU-2019:1870-1: important: Security update for proftpd
openSUSE Security Update: Security update for proftpd
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1870-1
Rating: important
References: #1142281
Cross-References: CVE-2017-7418 CVE-2019-12815
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for proftpd fixes the following issues:
Security issues fixed:
- CVE-2019-12815: Fixed arbitrary file copy in mod_copy that allowed for
remote code execution and information disclosure without authentication
(bnc#1142281).
This update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1870=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
proftpd-1.3.5e-bp151.4.3.1
proftpd-devel-1.3.5e-bp151.4.3.1
proftpd-doc-1.3.5e-bp151.4.3.1
proftpd-ldap-1.3.5e-bp151.4.3.1
proftpd-mysql-1.3.5e-bp151.4.3.1
proftpd-pgsql-1.3.5e-bp151.4.3.1
proftpd-radius-1.3.5e-bp151.4.3.1
proftpd-sqlite-1.3.5e-bp151.4.3.1
- openSUSE Backports SLE-15-SP1 (noarch):
proftpd-lang-1.3.5e-bp151.4.3.1
References:
https://www.suse.com/security/cve/CVE-2017-7418.html
https://www.suse.com/security/cve/CVE-2019-12815.html
https://bugzilla.suse.com/1142281
--
openSUSE-SU-2019:1872-1: moderate: Security update for python-Django
openSUSE Security Update: Security update for python-Django
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1872-1
Rating: moderate
References: #1136468 #1139945 #1142880 #1142882 #1142883
#1142885
Cross-References: CVE-2019-11358 CVE-2019-12308 CVE-2019-12781
CVE-2019-14232 CVE-2019-14233 CVE-2019-14234
CVE-2019-14235
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes 7 vulnerabilities is now available.
Description:
This update for python-Django fixes the following issues:
Security issues fixed:
- CVE-2019-11358: Fixed prototype pollution.
- CVE-2019-12308: Fixed XSS in AdminURLFieldWidget (bsc#1136468)
- CVE-2019-12781: Fixed incorrect HTTP detection with reverse-proxy
connecting via HTTPS (bsc#1139945).
- CVE-2019-14232: Fixed denial-of-service possibility in
``django.utils.text.Truncator`` (bsc#1142880).
- CVE-2019-14233: Fixed denial-of-service possibility in ``strip_tags()``
(bsc#1142882).
- CVE-2019-14234: Fixed SQL injection possibility in key and index lookups
for ``JSONField``/``HStoreField`` (bsc#1142883).
- CVE-2019-14235: Fixed potential memory exhaustion in
``django.utils.encoding.uri_to_iri()`` (bsc#1142885).
Non-security issues fixed:
- Fixed a migration crash on PostgreSQL when adding a check constraint
with a contains lookup on DateRangeField or DateTimeRangeField, if the
right hand side of an expression is the same type.
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1872=1
Package List:
- openSUSE Backports SLE-15-SP1 (noarch):
python3-Django-2.2.4-bp151.3.3.1
References:
https://www.suse.com/security/cve/CVE-2019-11358.html
https://www.suse.com/security/cve/CVE-2019-12308.html
https://www.suse.com/security/cve/CVE-2019-12781.html
https://www.suse.com/security/cve/CVE-2019-14232.html
https://www.suse.com/security/cve/CVE-2019-14233.html
https://www.suse.com/security/cve/CVE-2019-14234.html
https://www.suse.com/security/cve/CVE-2019-14235.html
https://bugzilla.suse.com/1136468
https://bugzilla.suse.com/1139945
https://bugzilla.suse.com/1142880
https://bugzilla.suse.com/1142882
https://bugzilla.suse.com/1142883
https://bugzilla.suse.com/1142885
--
openSUSE-SU-2019:1876-1: moderate: Security update for mumble
openSUSE Security Update: Security update for mumble
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1876-1
Rating: moderate
References: #1123334
Cross-References: CVE-2018-20743
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for mumble fixes the following issues:
CVE-2018-20743: murmur mishandled multiple concurrent requests that were
persisted in the database, which allowed remote attackers to cause a
denial of service (daemon hang or crash) via a message flood. (boo#1123334)
This update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1876=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
mumble-1.2.19-bp151.6.3.1
mumble-server-1.2.19-bp151.6.3.1
- openSUSE Backports SLE-15-SP1 (aarch64_ilp32):
mumble-64bit-1.2.19-bp151.6.3.1
References:
https://www.suse.com/security/cve/CVE-2018-20743.html
https://bugzilla.suse.com/1123334
--
openSUSE-SU-2019:1880-1: moderate: Security update for live555
openSUSE Security Update: Security update for live555
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1880-1
Rating: moderate
References: #1121995 #1124159 #1127341
Cross-References: CVE-2019-7314 CVE-2019-9215
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update for live555 fixes the following issues:
- CVE-2019-9215: Malformed headers could have lead to invalid memory
access in the parseAuthorizationHeader function. (boo#1127341)
- CVE-2019-7314: Mishandled termination of an RTSP stream after
RTP/RTCP-over-RTSP has been set up could have lead to a Use-After-Free
error causing the RTSP server to crash or possibly have unspecified
other impact. (boo#1124159)
- Update to version 2019.06.28,
- Convert to dynamic libraries (boo#1121995):
+ Use make ilinux-with-shared-libraries: build the dynamic libs instead
of the static one.
+ Use make install instead of a manual file copy script: this also
reveals that we missed quite a bit of code to be installed before.
+ Split out shared library packages according the SLPP.
- Use FAT LTO objects in order to provide proper static library.
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1880=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
libBasicUsageEnvironment1-2019.06.28-bp151.3.3.1
libUsageEnvironment3-2019.06.28-bp151.3.3.1
libgroupsock8-2019.06.28-bp151.3.3.1
libliveMedia66-2019.06.28-bp151.3.3.1
live555-2019.06.28-bp151.3.3.1
live555-devel-2019.06.28-bp151.3.3.1
References:
https://www.suse.com/security/cve/CVE-2019-7314.html
https://www.suse.com/security/cve/CVE-2019-9215.html
https://bugzilla.suse.com/1121995
https://bugzilla.suse.com/1124159
https://bugzilla.suse.com/1127341
--
openSUSE-SU-2019:1891-1: moderate: Security update for libqb
openSUSE Security Update: Security update for libqb
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1891-1
Rating: moderate
References: #1137835
Cross-References: CVE-2019-12779
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for libqb fixes the following issue:
Security issue fixed:
- CVE-2019-12779: Fixed an insecure treatment of IPC temporary files which
could have allowed a local attacker to overwrite privileged system files
(bsc#1137835).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1891=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
libqb-devel-1.0.3+20190326.a521604-bp151.2.3.1
libqb-tests-1.0.3+20190326.a521604-bp151.2.3.1
libqb-tools-1.0.3+20190326.a521604-bp151.2.3.1
libqb20-1.0.3+20190326.a521604-bp151.2.3.1
- openSUSE Backports SLE-15-SP1 (aarch64_ilp32):
libqb-devel-64bit-1.0.3+20190326.a521604-bp151.2.3.1
libqb20-64bit-1.0.3+20190326.a521604-bp151.2.3.1
References:
https://www.suse.com/security/cve/CVE-2019-12779.html
https://bugzilla.suse.com/1137835
--
