SUSE 5109 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2018:2488-2: moderate: Security update for python-Django
openSUSE-SU-2018:2516-2: important: Security update for GraphicsMagick
openSUSE-SU-2018:2521-2: moderate: Security update for nextcloud
openSUSE-SU-2018:2525-2: moderate: Security update for phpMyAdmin
openSUSE-SU-2018:2664-2: important: Security update for chromium
openSUSE-SU-2018:2728-2: moderate: Security update for chromium
openSUSE-SU-2018:2733-2: moderate: Security update for okular
openSUSE-SU-2018:2742-2: Security update for GraphicsMagick
openSUSE-SU-2018:2754-2: moderate: Security update for chromium
openSUSE-SU-2018:2781-1: moderate: Security update for webkit2gtk3
openSUSE-SU-2018:2790-1: moderate: Security update for pango
openSUSE-SU-2018:2797-1: critical: Security update for hylafax+
openSUSE-SU-2018:2801-1: moderate: Security update for obs-service-refresh_patches
openSUSE-SU-2018:2806-1: important: Security update for nemo-extensions
openSUSE-SU-2018:2807-1: important: Security update for seamonkey



openSUSE-SU-2018:2488-2: moderate: Security update for python-Django

openSUSE Security Update: Security update for python-Django
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2488-2
Rating: moderate
References: #1102680
Cross-References: CVE-2018-14574
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-Django to version 2.08 fixes the following issues:

The following security vulnerability was fixed:

- CVE-2018-14574: Fixed an redirection vulnerability in CommonMiddleware
(boo#1102680)

The following other bugs were fixed:

- Fixed a regression in Django 2.0.7 that broke the regex lookup on MariaDB
- Fixed a regression where django.template.Template crashed if the
template_string argument is lazy
- Fixed __regex and __iregex lookups with MySQL
- Fixed admin check crash when using a query expression in
ModelAdmin.ordering
- Fixed admin changelist crash when using a query expression without asc()
or desc() in the page’s ordering
- Fixed a regression that broke custom template filters that use decorators
- Fixed detection of custom URL converters in included pattern
- Fixed a regression that added an unnecessary subquery to the GROUP BY
clause
on MySQL when using a RawSQL annotation
- Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+
- Fixed a regression in Django 1.10 that could result in large memory
usage when making edits using ModelAdmin.list_editable
- Corrected the import paths that inspectdb generates for
django.contrib.postgres fields
- Fixed crashes in django.contrib.admindocs when a view is a callable
object, such as django.contrib.syndication.views.Feed
- Fixed a regression in Django 1.11.12 where QuerySet.values() or
values_list() after combining an annotated and unannotated queryset with
union(), difference(), or intersection() crashed due to mismatching
columns


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-914=1



Package List:

- openSUSE Backports SLE-15 (noarch):

python3-Django-2.0.8-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-14574.html
https://bugzilla.suse.com/1102680

--


openSUSE-SU-2018:2516-2: important: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2516-2
Rating: important
References: #1105592
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for GraphicsMagick fixes the following issues:

Security issue fixed:

- Disable PS, PS2, PS3 and PDF coders by default, remove gs calls from
delegates.mgk (boo#1105592)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-937=1



Package List:

- openSUSE Backports SLE-15 (x86_64):

GraphicsMagick-1.3.29-bp150.2.3.1
GraphicsMagick-debuginfo-1.3.29-bp150.2.3.1
GraphicsMagick-debugsource-1.3.29-bp150.2.3.1
GraphicsMagick-devel-1.3.29-bp150.2.3.1
libGraphicsMagick++-Q16-12-1.3.29-bp150.2.3.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.29-bp150.2.3.1
libGraphicsMagick++-devel-1.3.29-bp150.2.3.1
libGraphicsMagick-Q16-3-1.3.29-bp150.2.3.1
libGraphicsMagick-Q16-3-debuginfo-1.3.29-bp150.2.3.1
libGraphicsMagick3-config-1.3.29-bp150.2.3.1
libGraphicsMagickWand-Q16-2-1.3.29-bp150.2.3.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.29-bp150.2.3.1
perl-GraphicsMagick-1.3.29-bp150.2.3.1
perl-GraphicsMagick-debuginfo-1.3.29-bp150.2.3.1


References:

https://bugzilla.suse.com/1105592

--


openSUSE-SU-2018:2521-2: moderate: Security update for nextcloud

openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2521-2
Rating: moderate
References: #1105598
Cross-References: CVE-2018-3780
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for nextcloud to version 13.0.5 fixes the following issues:

Security issues fixed:

- CVE-2018-3780: Fixed a missing sanitization of search results for an
autocomplete field that could lead to a stored XSS requiring
user-interaction. The missing sanitization only affected user names,
hence malicious search results could only be crafted by authenticated
users. (boo#1105598)


Other bugs fixed:

- Fix highlighting of the upload drop zone
- Apply ldapUserFilter on members of group
- Make the DELETION of groups match greedy on the groupID
- Add parent index to share table
- Log full exception in cron instead of only the message
- Properly lock the target file on dav upload when not using part files
- LDAP backup server should not be queried when auth fails
- Fix filenames in sharing integration tests
- Lower log level for quota manipulation cases
- Let user set avatar in nextcloud if LDAP provides invalid image data
- Improved logging of smb connection errors
- Allow admin to disable fetching of avatars as well as a specific
attribute
- Allow to disable encryption
- Update message shown when unsharing a file
- Fixed English grammatical error on Settings page.
- Request a valid property for DAV opendir
- Allow updating the token on session regeneration
- Prevent lock values from going negative with memcache backend
- Correctly handle users with numeric user ids
- Correctly parse the subject parameters for link (un)shares of calendars
- Fix "parsing" of email-addresses in comments and chat messages
- Sanitize parameters in createSessionToken() while logging
- Also retry rename operation on InvalidArgumentException
- Improve url detection in comments
- Only bind to ldap if configuration for the first server is set
- Use download manager from PDF.js to download the file
- Fix trying to load removed scripts
- Only pull for new messages if the session is allowed to be kept alive
- Always push object data
- Add prioritization for Talk


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-936=1



Package List:

- openSUSE Backports SLE-15 (noarch):

nextcloud-13.0.5-bp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-3780.html
https://bugzilla.suse.com/1105598

--


openSUSE-SU-2018:2525-2: moderate: Security update for phpMyAdmin

openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2525-2
Rating: moderate
References: #1105726
Cross-References: CVE-2018-15605
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for phpMyAdmin to version 4.8.3 addresses multiple issues.

Security issues fixed:

- CVE-2018-15605: vulnerability in the file import feature allowed
cross-site scripting via importing a specially-crafted file
(PMASA-2018-5, boo#1105726)

This update also contains a number of upstream bug fixes in the UI and
behavior.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-939=1



Package List:

- openSUSE Backports SLE-15 (noarch):

phpMyAdmin-4.8.3-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-15605.html
https://bugzilla.suse.com/1105726

--


openSUSE-SU-2018:2664-2: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2664-2
Rating: important
References: #1106341 #1107235
Cross-References: CVE-2017-15430 CVE-2018-16065 CVE-2018-16066
CVE-2018-16067 CVE-2018-16068 CVE-2018-16069
CVE-2018-16070 CVE-2018-16071 CVE-2018-16073
CVE-2018-16074 CVE-2018-16075 CVE-2018-16076
CVE-2018-16077 CVE-2018-16078 CVE-2018-16079
CVE-2018-16080 CVE-2018-16081 CVE-2018-16082
CVE-2018-16083 CVE-2018-16084 CVE-2018-16085
CVE-2018-16086 CVE-2018-16087 CVE-2018-16088

Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes 24 vulnerabilities is now available.

Description:

This update for Chromium to version 69.0.3497.81 fixes multiple issues.

Security issues fixed (boo#1107235):

- CVE-2018-16065: Out of bounds write in V8
- CVE-2018-16066:Out of bounds read in Blink
- CVE-2018-16067: Out of bounds read in WebAudio
- CVE-2018-16068: Out of bounds write in Mojo
- CVE-2018-16069:Out of bounds read in SwiftShader
- CVE-2018-16070: Integer overflow in Skia
- CVE-2018-16071: Use after free in WebRTC
- CVE-2018-16073: Site Isolation bypass after tab restore
- CVE-2018-16074: Site Isolation bypass using Blob URLS
- Out of bounds read in Little-CMS
- CVE-2018-16075: Local file access in Blink
- CVE-2018-16076: Out of bounds read in PDFium
- CVE-2018-16077: Content security policy bypass in Blink
- CVE-2018-16078: Credit card information leak in Autofill
- CVE-2018-16079: URL spoof in permission dialogs
- CVE-2018-16080: URL spoof in full screen mode
- CVE-2018-16081: Local file access in DevTools
- CVE-2018-16082: Stack buffer overflow in SwiftShader
- CVE-2018-16083: Out of bounds read in WebRTC
- CVE-2018-16084: User confirmation bypass in external protocol handling
- CVE-2018-16085: Use after free in Memory Instrumentation
- CVE-2017-15430: Unsafe navigation in Chromecast (boo#1106341)
- CVE-2018-16086: Script injection in New Tab Page
- CVE-2018-16087: Multiple download restriction bypass
- CVE-2018-16088: User gesture requirement bypass

The re2 regular expression library was updated to the current version
2018-09-01.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-979=1



Package List:

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

libre2-0-20180901-bp150.3.3.1
libre2-0-debuginfo-20180901-bp150.3.3.1
re2-debugsource-20180901-bp150.3.3.1
re2-devel-20180901-bp150.3.3.1

- openSUSE Backports SLE-15 (aarch64 x86_64):

chromedriver-69.0.3497.81-bp150.2.4.1
chromedriver-debuginfo-69.0.3497.81-bp150.2.4.1
chromium-69.0.3497.81-bp150.2.4.1
chromium-debuginfo-69.0.3497.81-bp150.2.4.1
chromium-debugsource-69.0.3497.81-bp150.2.4.1

- openSUSE Backports SLE-15 (aarch64_ilp32):

libre2-0-64bit-20180901-bp150.3.3.1
libre2-0-64bit-debuginfo-20180901-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2017-15430.html
https://www.suse.com/security/cve/CVE-2018-16065.html
https://www.suse.com/security/cve/CVE-2018-16066.html
https://www.suse.com/security/cve/CVE-2018-16067.html
https://www.suse.com/security/cve/CVE-2018-16068.html
https://www.suse.com/security/cve/CVE-2018-16069.html
https://www.suse.com/security/cve/CVE-2018-16070.html
https://www.suse.com/security/cve/CVE-2018-16071.html
https://www.suse.com/security/cve/CVE-2018-16073.html
https://www.suse.com/security/cve/CVE-2018-16074.html
https://www.suse.com/security/cve/CVE-2018-16075.html
https://www.suse.com/security/cve/CVE-2018-16076.html
https://www.suse.com/security/cve/CVE-2018-16077.html
https://www.suse.com/security/cve/CVE-2018-16078.html
https://www.suse.com/security/cve/CVE-2018-16079.html
https://www.suse.com/security/cve/CVE-2018-16080.html
https://www.suse.com/security/cve/CVE-2018-16081.html
https://www.suse.com/security/cve/CVE-2018-16082.html
https://www.suse.com/security/cve/CVE-2018-16083.html
https://www.suse.com/security/cve/CVE-2018-16084.html
https://www.suse.com/security/cve/CVE-2018-16085.html
https://www.suse.com/security/cve/CVE-2018-16086.html
https://www.suse.com/security/cve/CVE-2018-16087.html
https://www.suse.com/security/cve/CVE-2018-16088.html
https://bugzilla.suse.com/1106341
https://bugzilla.suse.com/1107235

--


openSUSE-SU-2018:2728-2: moderate: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2728-2
Rating: moderate
References: #1108114 #1108175
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for Chromium to version 69.0.3497.92 fixes the following
issues:

Security issues fixed ((boo#1108114):

- Function signature mismatch in WebAssembly
- URL Spoofing in Omnibox

The following tracked packaging issues were fixed:

- the chromium package incorrectly provied swiftshader resolvables
(boo#1108175)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1005=1



Package List:

- openSUSE Backports SLE-15 (aarch64 x86_64):

chromedriver-69.0.3497.92-bp150.2.7.1
chromedriver-debuginfo-69.0.3497.92-bp150.2.7.1
chromium-69.0.3497.92-bp150.2.7.1
chromium-debuginfo-69.0.3497.92-bp150.2.7.1
chromium-debugsource-69.0.3497.92-bp150.2.7.1


References:

https://bugzilla.suse.com/1108114
https://bugzilla.suse.com/1108175

--


openSUSE-SU-2018:2733-2: moderate: Security update for okular

openSUSE Security Update: Security update for okular
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2733-2
Rating: moderate
References: #1107591
Cross-References: CVE-2018-1000801
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for okular fixes the following security issue:

- CVE-2018-1000801: Prevent directory traversal vulnerability in function
unpackDocumentArchive could have resulted in arbitrary file creation via
a specially crafted Okular archive (bsc#1107591).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1006=1



Package List:

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

okular-17.12.3-bp150.3.3.1
okular-debuginfo-17.12.3-bp150.3.3.1
okular-debugsource-17.12.3-bp150.3.3.1
okular-devel-17.12.3-bp150.3.3.1

- openSUSE Backports SLE-15 (noarch):

okular-lang-17.12.3-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000801.html
https://bugzilla.suse.com/1107591

--


openSUSE-SU-2018:2742-2: Security update for GraphicsMagick

openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2742-2
Rating: low
References: #1107604 #1107609
Cross-References: CVE-2018-16644 CVE-2018-16645
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for GraphicsMagick fixes the following issues:

- CVE-2018-16644: Added missing check for length in the functions
ReadDCMImage and ReadPICTImage, which allowed remote attackers to cause
a denial of service via a crafted image (bsc#1107609)
- CVE-2018-16645: Prevent excessive memory allocation issue in the
functions ReadBMPImage and ReadDIBImage, which allowed remote attackers
to cause a denial
of service via a crafted image file (bsc#1107604)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1020=1



Package List:

- openSUSE Backports SLE-15 (x86_64):

GraphicsMagick-1.3.29-bp150.2.6.1
GraphicsMagick-debuginfo-1.3.29-bp150.2.6.1
GraphicsMagick-debugsource-1.3.29-bp150.2.6.1
GraphicsMagick-devel-1.3.29-bp150.2.6.1
libGraphicsMagick++-Q16-12-1.3.29-bp150.2.6.1
libGraphicsMagick++-Q16-12-debuginfo-1.3.29-bp150.2.6.1
libGraphicsMagick++-devel-1.3.29-bp150.2.6.1
libGraphicsMagick-Q16-3-1.3.29-bp150.2.6.1
libGraphicsMagick-Q16-3-debuginfo-1.3.29-bp150.2.6.1
libGraphicsMagick3-config-1.3.29-bp150.2.6.1
libGraphicsMagickWand-Q16-2-1.3.29-bp150.2.6.1
libGraphicsMagickWand-Q16-2-debuginfo-1.3.29-bp150.2.6.1
perl-GraphicsMagick-1.3.29-bp150.2.6.1
perl-GraphicsMagick-debuginfo-1.3.29-bp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-16644.html
https://www.suse.com/security/cve/CVE-2018-16645.html
https://bugzilla.suse.com/1107604
https://bugzilla.suse.com/1107609

--


openSUSE-SU-2018:2754-2: moderate: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2754-2
Rating: moderate
References: #1108774
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for Chromium to version 69.0.3497.100 fixes the following
issues:

- Security relevant fixes from internal audits, fuzzing and other
initiatives (boo#boo#1108774)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1021=1



Package List:

- openSUSE Backports SLE-15 (aarch64 x86_64):

chromedriver-69.0.3497.100-bp150.2.10.1
chromedriver-debuginfo-69.0.3497.100-bp150.2.10.1
chromium-69.0.3497.100-bp150.2.10.1
chromium-debuginfo-69.0.3497.100-bp150.2.10.1
chromium-debugsource-69.0.3497.100-bp150.2.10.1


References:

https://bugzilla.suse.com/1108774

--


openSUSE-SU-2018:2781-1: moderate: Security update for webkit2gtk3

openSUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2781-1
Rating: moderate
References: #1101999 #1104169
Cross-References: CVE-2018-12911 CVE-2018-4261 CVE-2018-4262
CVE-2018-4263 CVE-2018-4264 CVE-2018-4265
CVE-2018-4266 CVE-2018-4267 CVE-2018-4270
CVE-2018-4271 CVE-2018-4272 CVE-2018-4273
CVE-2018-4278 CVE-2018-4284
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.

Description:

This update for webkit2gtk3 to version 2.20.5 fixes the following issues:

Security issue fixed:

- CVE-2018-12911: Fix off-by-one in xdg_mime_get_simple_globs
(bsc#1101999).
- CVE-2018-4261, CVE-2018-4262, CVE-2018-4263, CVE-2018-4264,
CVE-2018-4265, CVE-2018-4267, CVE-2018-4272, CVE-2018-4284: Processing
maliciously crafted web content may lead to arbitrary code execution. A
memory corruption issue was addressed with improved memory handling.
- CVE-2018-4266: A malicious website may be able to cause a denial of
service. A race condition was addressed with additional validation.
- CVE-2018-4270, CVE-2018-4271, CVE-2018-4273: Processing maliciously
crafted web content may lead to an unexpected application crash. A
memory corruption issue was addressed with improved input validation.
- CVE-2018-4278: A malicious website may exfiltrate audio data
cross-origin. Sound fetched through audio elements may be exfiltrated
cross-origin. This issue was addressed with improved audio taint
tracking.

Other bugs fixed:

- Fix rendering artifacts in some web sites due to a bug introduced in
2.20.4.
- Fix a crash when leaving accelerated compositing mode.
- Fix non-deterministic build failure due to missing
JavaScriptCore/JSContextRef.h.

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1025=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libjavascriptcoregtk-4_0-18-2.20.5-lp150.2.6.1
libjavascriptcoregtk-4_0-18-debuginfo-2.20.5-lp150.2.6.1
libwebkit2gtk-4_0-37-2.20.5-lp150.2.6.1
libwebkit2gtk-4_0-37-debuginfo-2.20.5-lp150.2.6.1
typelib-1_0-JavaScriptCore-4_0-2.20.5-lp150.2.6.1
typelib-1_0-WebKit2-4_0-2.20.5-lp150.2.6.1
typelib-1_0-WebKit2WebExtension-4_0-2.20.5-lp150.2.6.1
webkit-jsc-4-2.20.5-lp150.2.6.1
webkit-jsc-4-debuginfo-2.20.5-lp150.2.6.1
webkit2gtk-4_0-injected-bundles-2.20.5-lp150.2.6.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.20.5-lp150.2.6.1
webkit2gtk3-debugsource-2.20.5-lp150.2.6.1
webkit2gtk3-devel-2.20.5-lp150.2.6.1
webkit2gtk3-plugin-process-gtk2-2.20.5-lp150.2.6.1
webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.5-lp150.2.6.1

- openSUSE Leap 15.0 (x86_64):

libjavascriptcoregtk-4_0-18-32bit-2.20.5-lp150.2.6.1
libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.5-lp150.2.6.1
libwebkit2gtk-4_0-37-32bit-2.20.5-lp150.2.6.1
libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.5-lp150.2.6.1

- openSUSE Leap 15.0 (noarch):

libwebkit2gtk3-lang-2.20.5-lp150.2.6.1


References:

https://www.suse.com/security/cve/CVE-2018-12911.html
https://www.suse.com/security/cve/CVE-2018-4261.html
https://www.suse.com/security/cve/CVE-2018-4262.html
https://www.suse.com/security/cve/CVE-2018-4263.html
https://www.suse.com/security/cve/CVE-2018-4264.html
https://www.suse.com/security/cve/CVE-2018-4265.html
https://www.suse.com/security/cve/CVE-2018-4266.html
https://www.suse.com/security/cve/CVE-2018-4267.html
https://www.suse.com/security/cve/CVE-2018-4270.html
https://www.suse.com/security/cve/CVE-2018-4271.html
https://www.suse.com/security/cve/CVE-2018-4272.html
https://www.suse.com/security/cve/CVE-2018-4273.html
https://www.suse.com/security/cve/CVE-2018-4278.html
https://www.suse.com/security/cve/CVE-2018-4284.html
https://bugzilla.suse.com/1101999
https://bugzilla.suse.com/1104169

--


openSUSE-SU-2018:2790-1: moderate: Security update for pango

openSUSE Security Update: Security update for pango
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2790-1
Rating: moderate
References: #1103877
Cross-References: CVE-2018-15120
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for pango fixes the following issue:

Security issue fixed:

- CVE-2018-15120: Fixed a denial of service when parsing emoji
(bsc#1103877)

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1026=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

libpango-1_0-0-1.40.14-lp150.2.3.1
libpango-1_0-0-debuginfo-1.40.14-lp150.2.3.1
pango-debugsource-1.40.14-lp150.2.3.1
pango-devel-1.40.14-lp150.2.3.1
pango-tools-1.40.14-lp150.2.3.1
pango-tools-debuginfo-1.40.14-lp150.2.3.1
typelib-1_0-Pango-1_0-1.40.14-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libpango-1_0-0-32bit-1.40.14-lp150.2.3.1
libpango-1_0-0-32bit-debuginfo-1.40.14-lp150.2.3.1
pango-devel-32bit-1.40.14-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-15120.html
https://bugzilla.suse.com/1103877

--


openSUSE-SU-2018:2797-1: critical: Security update for hylafax+

openSUSE Security Update: Security update for hylafax+
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2797-1
Rating: critical
References: #1109084
Cross-References: CVE-2018-17141
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for hylafax+ fixes the following issues:

Security issues fixed in 5.6.1:

- CVE-2018-17141: multiple vulnerabilities affecting fax page reception in
JPEG format Specially crafted input may have allowed remote execution of
arbitrary code (boo#1109084)

Additionally, this update also contains all upstream corrections and
bugfixes in the 5.6.1 version, including:

- fix RFC2047 encoding by notify
- add jobcontrol PageSize feature
- don't wait forever after +FRH:3
- fix faxmail transition between a message and external types
- avoid pagehandling from introducing some unnecessary EOM signals
- improve proxy connection error handling and logging
- add initial ModemGroup limits feature
- pass the user's uid onto the session log file for sent faxes
- improve job waits to minimize triggers
- add ProxyTaglineFormat and ProxyTSI features


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1027=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1027=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

hylafax+-5.6.1-15.1
hylafax+-client-5.6.1-15.1
hylafax+-client-debuginfo-5.6.1-15.1
hylafax+-debuginfo-5.6.1-15.1
hylafax+-debugsource-5.6.1-15.1
libfaxutil5_6_1-5.6.1-15.1
libfaxutil5_6_1-debuginfo-5.6.1-15.1

- openSUSE Leap 15.0 (x86_64):

hylafax+-5.6.1-lp150.5.6.1
hylafax+-client-5.6.1-lp150.5.6.1
hylafax+-client-debuginfo-5.6.1-lp150.5.6.1
hylafax+-debuginfo-5.6.1-lp150.5.6.1
hylafax+-debugsource-5.6.1-lp150.5.6.1
libfaxutil5_6_1-5.6.1-lp150.5.6.1
libfaxutil5_6_1-debuginfo-5.6.1-lp150.5.6.1


References:

https://www.suse.com/security/cve/CVE-2018-17141.html
https://bugzilla.suse.com/1109084

--


openSUSE-SU-2018:2801-1: moderate: Security update for obs-service-refresh_patches

openSUSE Security Update: Security update for obs-service-refresh_patches
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2801-1
Rating: moderate
References: #1108189
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for obs-service-refresh_patches fixes the following security
issue:

- An attacker creating a specially formated archive could have tricked the
service in deleting directories that shouldn't be deleted (boo#1108189)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1029=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1029=1



Package List:

- openSUSE Leap 42.3 (noarch):

obs-service-refresh_patches-0.3.9+git.1537184752.d624424-9.3.1

- openSUSE Leap 15.0 (noarch):

obs-service-refresh_patches-0.3.9+git.1537184752.d624424-lp150.2.3.1


References:

https://bugzilla.suse.com/1108189

--


openSUSE-SU-2018:2806-1: important: Security update for nemo-extensions

openSUSE Security Update: Security update for nemo-extensions
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2806-1
Rating: important
References: #1084703
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for nemo-extensions fixes the following issues:

The following security vulnerability was fixed:

- Prevent unprivileged users from adding other users to sambashare
(boo#1084703)

This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-882=1



Package List:

- openSUSE Backports SLE-15 (x86_64):

nemo-extension-dropbox-3.6.0-bp150.2.3.1
nemo-extension-fileroller-3.6.0-bp150.2.3.1
nemo-extension-gtkhash-3.6.0-bp150.2.3.1
nemo-extension-image-converter-3.6.0-bp150.2.3.1
nemo-extension-preview-3.6.0-bp150.2.3.1
nemo-extension-repairer-3.6.0-bp150.2.3.1
nemo-extension-seahorse-3.6.0-bp150.2.3.1
nemo-extension-share-3.6.0-bp150.2.3.1
python-nemo-3.6.0-bp150.2.3.1

- openSUSE Backports SLE-15 (noarch):

nemo-extension-audio-tab-3.6.0-bp150.2.3.1
nemo-extension-compare-3.6.0-bp150.2.3.1
nemo-extension-emblems-3.6.0-bp150.2.3.1
nemo-extension-pastebin-3.6.0-bp150.2.3.1
nemo-extension-rabbitvcs-3.6.0-bp150.2.3.1
nemo-extension-terminal-3.6.0-bp150.2.3.1


References:

https://bugzilla.suse.com/1084703

--


openSUSE-SU-2018:2807-1: important: Security update for seamonkey

openSUSE Security Update: Security update for seamonkey
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2807-1
Rating: important
References: #1020631 #1062195 #1076907 #1077291 #1098998

Cross-References: CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
CVE-2018-12366 CVE-2018-5156 CVE-2018-5188

Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for seamonkey fixes the following issues:

Mozilla Seamonkey was updated to 2.49.4:

Now uses Gecko 52.9.1esr (boo#1098998).

Security issues fixed with MFSA 2018-16 (boo#1098998):

* CVE-2018-12359: Buffer overflow using computed size of canvas element
* CVE-2018-12360: Use-after-free when using focus()
* CVE-2018-12362: Integer overflow in SSSE3 scaler
* CVE-2018-5156: Media recorder segmentation fault when track type is
changed during capture
* CVE-2018-12363: Use-after-free when appending DOM nodes
* CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365: Compromised IPC child process can list local filenames
* CVE-2018-12366: Invalid data handling during QCMS transformations
* CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1,
and Firefox ESR 52.9

Localizations finally included again (boo#1062195)

Updated summary and description to more accurately reflect what SeaMonkey
is, giving less prominence to the long- discontinued Mozilla Application
Suite that many users may no longer be familiar with

Update to Seamonkey 2.49.2

* Gecko 52.6esr (including security relevant fixes) (boo#1077291)
* fix issue in Composer
* With some themes, the menulist- and history-dropmarker didn't show
* Scrollbars didn't show the buttons
* WebRTC has been disabled by default. It needs an add-on to enable it per
site
* The active title bar was not visually emphasized

Correct requires and provides handling (boo#1076907)

This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-873=1



Package List:

- openSUSE Backports SLE-15 (aarch64 x86_64):

seamonkey-2.49.4-bp150.3.3.1
seamonkey-debuginfo-2.49.4-bp150.3.3.1
seamonkey-debugsource-2.49.4-bp150.3.3.1
seamonkey-translations-common-2.49.4-bp150.3.3.1
seamonkey-translations-other-2.49.4-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2018-12359.html
https://www.suse.com/security/cve/CVE-2018-12360.html
https://www.suse.com/security/cve/CVE-2018-12362.html
https://www.suse.com/security/cve/CVE-2018-12363.html
https://www.suse.com/security/cve/CVE-2018-12364.html
https://www.suse.com/security/cve/CVE-2018-12365.html
https://www.suse.com/security/cve/CVE-2018-12366.html
https://www.suse.com/security/cve/CVE-2018-5156.html
https://www.suse.com/security/cve/CVE-2018-5188.html
https://bugzilla.suse.com/1020631
https://bugzilla.suse.com/1062195
https://bugzilla.suse.com/1076907
https://bugzilla.suse.com/1077291
https://bugzilla.suse.com/1098998

--