SUSE 5009 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2019:1159-1: moderate: Security update for sqlite3
openSUSE-SU-2019:1160-1: moderate: Security update for liblouis
openSUSE-SU-2019:1161-1: moderate: Security update for tiff
openSUSE-SU-2019:1162-1: important: Security update for MozillaThunderbird
openSUSE-SU-2019:1164-1: moderate: Security update for go1.11



openSUSE-SU-2019:1159-1: moderate: Security update for sqlite3

openSUSE Security Update: Security update for sqlite3
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1159-1
Rating: moderate
References: #1119687
Cross-References: CVE-2018-20346
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3
(Magellan) (bsc#1119687).

Release notes: https://www.sqlite.org/releaselog/3_27_2.html

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1159=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libsqlite3-0-3.27.2-lp150.2.3.1
libsqlite3-0-debuginfo-3.27.2-lp150.2.3.1
sqlite3-3.27.2-lp150.2.3.1
sqlite3-debuginfo-3.27.2-lp150.2.3.1
sqlite3-debugsource-3.27.2-lp150.2.3.1
sqlite3-devel-3.27.2-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libsqlite3-0-32bit-3.27.2-lp150.2.3.1
libsqlite3-0-32bit-debuginfo-3.27.2-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

sqlite3-doc-3.27.2-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-20346.html
https://bugzilla.suse.com/1119687

--


openSUSE-SU-2019:1160-1: moderate: Security update for liblouis

openSUSE Security Update: Security update for liblouis
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1160-1
Rating: moderate
References: #1094685 #1095189 #1095825 #1095826 #1095827
#1095945 #1097103 #1109319
Cross-References: CVE-2018-11410 CVE-2018-11440 CVE-2018-11577
CVE-2018-11683 CVE-2018-11684 CVE-2018-11685
CVE-2018-12085 CVE-2018-17294
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.

Description:

This update for liblouis fixes the following issues:

Security issues fixed:

- CVE-2018-17294: Fixed an out of bounds read in matchCurrentInput
function which could allow a remote attacker to cause Denail of Service
(bsc#1109319).
- CVE-2018-11410: Fixed an invalid free in the compileRule function in
compileTranslationTable.c (bsc#1094685)
- CVE-2018-11440: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (bsc#1095189)
- CVE-2018-11577: Fixed a segmentation fault in lou_logPrint in logging.c
(bsc#1095945)
- CVE-2018-11683: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1095827)
- CVE-2018-11684: Fixed stack-based buffer overflow in the function
includeFile() in compileTranslationTable.c (bsc#1095826)
- CVE-2018-11685: Fixed a stack-based buffer overflow in the function
compileHyphenation() in compileTranslationTable.c (bsc#1095825)
- CVE-2018-12085: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1097103)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1160=1



Package List:

- openSUSE Leap 15.0 (x86_64):

liblouis-data-3.3.0-lp150.3.3.1
liblouis-debuginfo-3.3.0-lp150.3.3.1
liblouis-debugsource-3.3.0-lp150.3.3.1
liblouis-devel-3.3.0-lp150.3.3.1
liblouis-doc-3.3.0-lp150.3.3.1
liblouis-tools-3.3.0-lp150.3.3.1
liblouis-tools-debuginfo-3.3.0-lp150.3.3.1
liblouis14-3.3.0-lp150.3.3.1
liblouis14-debuginfo-3.3.0-lp150.3.3.1
python3-louis-3.3.0-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-11410.html
https://www.suse.com/security/cve/CVE-2018-11440.html
https://www.suse.com/security/cve/CVE-2018-11577.html
https://www.suse.com/security/cve/CVE-2018-11683.html
https://www.suse.com/security/cve/CVE-2018-11684.html
https://www.suse.com/security/cve/CVE-2018-11685.html
https://www.suse.com/security/cve/CVE-2018-12085.html
https://www.suse.com/security/cve/CVE-2018-17294.html
https://bugzilla.suse.com/1094685
https://bugzilla.suse.com/1095189
https://bugzilla.suse.com/1095825
https://bugzilla.suse.com/1095826
https://bugzilla.suse.com/1095827
https://bugzilla.suse.com/1095945
https://bugzilla.suse.com/1097103
https://bugzilla.suse.com/1109319

--


openSUSE-SU-2019:1161-1: moderate: Security update for tiff

openSUSE Security Update: Security update for tiff
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1161-1
Rating: moderate
References: #1108606 #1115717 #1121626 #1125113
Cross-References: CVE-2018-17000 CVE-2018-19210 CVE-2019-6128
CVE-2019-7663
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-19210: Fixed a NULL pointer dereference in
TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp
function (bsc#1108606).
- CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in
tif_unix.c (bsc#1121626).
- CVE-2019-7663: Fixed an invalid address dereference in the
TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c
(bsc#1125113)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1161=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libtiff-devel-4.0.9-lp150.4.16.1
libtiff5-4.0.9-lp150.4.16.1
libtiff5-debuginfo-4.0.9-lp150.4.16.1
tiff-4.0.9-lp150.4.16.1
tiff-debuginfo-4.0.9-lp150.4.16.1
tiff-debugsource-4.0.9-lp150.4.16.1

- openSUSE Leap 15.0 (x86_64):

libtiff-devel-32bit-4.0.9-lp150.4.16.1
libtiff5-32bit-4.0.9-lp150.4.16.1
libtiff5-32bit-debuginfo-4.0.9-lp150.4.16.1


References:

https://www.suse.com/security/cve/CVE-2018-17000.html
https://www.suse.com/security/cve/CVE-2018-19210.html
https://www.suse.com/security/cve/CVE-2019-6128.html
https://www.suse.com/security/cve/CVE-2019-7663.html
https://bugzilla.suse.com/1108606
https://bugzilla.suse.com/1115717
https://bugzilla.suse.com/1121626
https://bugzilla.suse.com/1125113

--


openSUSE-SU-2019:1162-1: important: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1162-1
Rating: important
References: #1125330 #1129821 #1130262
Cross-References: CVE-2018-18335 CVE-2018-18356 CVE-2018-18506
CVE-2018-18509 CVE-2019-5785 CVE-2019-9788
CVE-2019-9790 CVE-2019-9791 CVE-2019-9792
CVE-2019-9793 CVE-2019-9794 CVE-2019-9795
CVE-2019-9796 CVE-2019-9801 CVE-2019-9810
CVE-2019-9813
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 16 vulnerabilities is now available.

Description:

This update for MozillaThunderbird to version 60.5.1 fixes the following
issues:

Security issues fixed:

- Update to MozillaThunderbird 60.6.1 (bsc#1130262):

- CVE-2019-9813: Fixed Ionmonkey type confusion with __proto__ mutations
- CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information

- Update to MozillaThunderbird 60.6 (bsc#1129821):

- CVE-2018-18506: Fixed an issue with Proxy Auto-Configuration file
- CVE-2019-9801: Fixed an issue which could allow Windows programs to be
exposed to web content
- CVE-2019-9788: Fixed multiple memory safety bugs
- CVE-2019-9790: Fixed a Use-after-free vulnerability when removing in-use
DOM elements
- CVE-2019-9791: Fixed an incorrect Type inference for constructors
entered through on-stack replacement with IonMonkey
- CVE-2019-9792: Fixed an issue where IonMonkey leaks JS_OPTIMIZED_OUT
magic value to script
- CVE-2019-9793: Fixed multiple improper bounds checks when Spectre
mitigations are disabled
- CVE-2019-9794: Fixed an issue where command line arguments not discarded
during execution
- CVE-2019-9795: Fixed a Type-confusion vulnerability in IonMonkey JIT
compiler
- CVE-2019-9796: Fixed a Use-after-free vulnerability in SMIL animation
controller

- Update to MozillaThunderbird 60.5.1 (bsc#1125330):

- CVE-2018-18356: Fixed a use-after-free vulnerability in the Skia library
which can occur when creating a path, leading to a potentially
exploitable crash.
- CVE-2019-5785: Fixed an integer overflow vulnerability in the Skia
library which can occur after specific transform operations, leading to
a potentially exploitable crash.
- CVE-2018-18335: Fixed a buffer overflow vulnerability in the Skia
library which can occur with Canvas 2D acceleration on macOS. This issue
was addressed by disabling Canvas 2D acceleration in Firefox ESR. Note:
this does not affect other versions and platforms where Canvas 2D
acceleration is already disabled by default.
- CVE-2018-18509: Fixed a flaw which during verification of certain S/MIME
signatures showing mistakenly that emails bring a valid sugnature.
Release notes:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1162=1



Package List:

- openSUSE Leap 15.0 (x86_64):

MozillaThunderbird-60.6.1-lp150.3.37.1
MozillaThunderbird-buildsymbols-60.6.1-lp150.3.37.1
MozillaThunderbird-debuginfo-60.6.1-lp150.3.37.1
MozillaThunderbird-debugsource-60.6.1-lp150.3.37.1
MozillaThunderbird-translations-common-60.6.1-lp150.3.37.1
MozillaThunderbird-translations-other-60.6.1-lp150.3.37.1


References:

https://www.suse.com/security/cve/CVE-2018-18335.html
https://www.suse.com/security/cve/CVE-2018-18356.html
https://www.suse.com/security/cve/CVE-2018-18506.html
https://www.suse.com/security/cve/CVE-2018-18509.html
https://www.suse.com/security/cve/CVE-2019-5785.html
https://www.suse.com/security/cve/CVE-2019-9788.html
https://www.suse.com/security/cve/CVE-2019-9790.html
https://www.suse.com/security/cve/CVE-2019-9791.html
https://www.suse.com/security/cve/CVE-2019-9792.html
https://www.suse.com/security/cve/CVE-2019-9793.html
https://www.suse.com/security/cve/CVE-2019-9794.html
https://www.suse.com/security/cve/CVE-2019-9795.html
https://www.suse.com/security/cve/CVE-2019-9796.html
https://www.suse.com/security/cve/CVE-2019-9801.html
https://www.suse.com/security/cve/CVE-2019-9810.html
https://www.suse.com/security/cve/CVE-2019-9813.html
https://bugzilla.suse.com/1125330
https://bugzilla.suse.com/1129821
https://bugzilla.suse.com/1130262

--


openSUSE-SU-2019:1164-1: moderate: Security update for go1.11

openSUSE Security Update: Security update for go1.11
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1164-1
Rating: moderate
References: #1123013
Cross-References: CVE-2019-6486
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for go1.11 to version 1.11.5 fixes the following issues:

Security issue fixed:

- CVE-2019-6486: Fixed a CPU Denial-of-Service vulnerability affecting
crypto/ellpitic related to P-521 and P-384 (bsc#1123013 go#29903).

Other bug fixes and changes made:

- Fix erroneous trailing backslash in %post script.
- Use better forms of -exec \; in some places.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1164=1



Package List:

- openSUSE Leap 15.0 (x86_64):

go1.11-1.11.5-lp150.6.4
go1.11-doc-1.11.5-lp150.6.4
go1.11-race-1.11.5-lp150.6.4


References:

https://www.suse.com/security/cve/CVE-2019-6486.html
https://bugzilla.suse.com/1123013

--