SUSE 5112 Published by

The following SUSE updates have been released:

openSUSE-SU-2019:0242-1: moderate: Security update for kauth
openSUSE-SU-2019:0243-1: moderate: Security update for dovecot23
openSUSE-SU-2019:0244-1: moderate: Security update for python-Jinja2
openSUSE-SU-2019:0245-1: important: Security update for python-numpy



openSUSE-SU-2019:0242-1: moderate: Security update for kauth

openSUSE Security Update: Security update for kauth
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0242-1
Rating: moderate
References: #1124863
Cross-References: CVE-2019-7443
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
openSUSE Backports SLE-15
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for kauth fixes the following issues:

Security issue fixed:

- CVE-2019-7443: Fixed insecure handling of arguments passed to helpers by
removing support for passing GUI variant types (bsc#1124863).


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-242=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-242=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-242=1

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-242=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

kauth-debugsource-5.32.0-3.3.1
kauth-devel-5.32.0-3.3.1
libKF5Auth5-5.32.0-3.3.1
libKF5Auth5-debuginfo-5.32.0-3.3.1

- openSUSE Leap 42.3 (noarch):

libKF5Auth5-lang-5.32.0-3.3.1

- openSUSE Leap 42.3 (x86_64):

kauth-devel-32bit-5.32.0-3.3.1
libKF5Auth5-32bit-5.32.0-3.3.1
libKF5Auth5-debuginfo-32bit-5.32.0-3.3.1

- openSUSE Leap 15.0 (i586 x86_64):

kauth-debugsource-5.45.0-lp150.3.3.1
kauth-devel-5.45.0-lp150.3.3.1
libKF5Auth5-5.45.0-lp150.3.3.1
libKF5Auth5-debuginfo-5.45.0-lp150.3.3.1

- openSUSE Leap 15.0 (noarch):

libKF5Auth5-lang-5.45.0-lp150.3.3.1

- openSUSE Leap 15.0 (x86_64):

kauth-devel-32bit-5.45.0-lp150.3.3.1
libKF5Auth5-32bit-5.45.0-lp150.3.3.1
libKF5Auth5-32bit-debuginfo-5.45.0-lp150.3.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

kauth-debugsource-5.45.0-bp150.3.3.1
kauth-devel-5.45.0-bp150.3.3.1
libKF5Auth5-5.45.0-bp150.3.3.1
libKF5Auth5-debuginfo-5.45.0-bp150.3.3.1

- openSUSE Backports SLE-15 (aarch64_ilp32):

kauth-devel-64bit-5.45.0-bp150.3.3.1
libKF5Auth5-64bit-5.45.0-bp150.3.3.1
libKF5Auth5-64bit-debuginfo-5.45.0-bp150.3.3.1

- openSUSE Backports SLE-15 (noarch):

libKF5Auth5-lang-5.45.0-bp150.3.3.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

kcoreaddons-5.20.0-8.1
kcoreaddons-5.32.0-7.1
kcoreaddons-debugsource-5.20.0-8.1
kcoreaddons-debugsource-5.32.0-7.1
kcoreaddons-devel-5.20.0-8.1
kcoreaddons-devel-5.32.0-7.1
kcoreaddons-devel-debuginfo-5.20.0-8.1
kcoreaddons-devel-debuginfo-5.32.0-7.1
libKF5CoreAddons5-5.20.0-8.1
libKF5CoreAddons5-5.32.0-7.1
libKF5CoreAddons5-debuginfo-5.20.0-8.1
libKF5CoreAddons5-debuginfo-5.32.0-7.1
libpolkit-qt5-1-1-0.112.0-4.1
libpolkit-qt5-1-1-0.112.0-5.1
libpolkit-qt5-1-1-debuginfo-0.112.0-4.1
libpolkit-qt5-1-1-debuginfo-0.112.0-5.1
libpolkit-qt5-1-devel-0.112.0-4.1
libpolkit-qt5-1-devel-0.112.0-5.1
polkit-qt5-1-debugsource-0.112.0-4.1
polkit-qt5-1-debugsource-0.112.0-5.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le x86_64):

libpolkit-qt5-1-1-0.112.0-2.1
libpolkit-qt5-1-1-debuginfo-0.112.0-2.1
libpolkit-qt5-1-devel-0.112.0-2.1
polkit-qt5-1-debugsource-0.112.0-2.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le):

kcoreaddons-5.26.0-5.2
kcoreaddons-debugsource-5.26.0-5.2
kcoreaddons-devel-5.26.0-5.2
kcoreaddons-devel-debuginfo-5.26.0-5.2
libKF5CoreAddons5-5.26.0-5.2
libKF5CoreAddons5-debuginfo-5.26.0-5.2

- SUSE Package Hub for SUSE Linux Enterprise 12 (ppc64le x86_64):

kauth-debugsource-5.26.0-9.2
kauth-debugsource-5.32.0-5.1
kauth-devel-5.20.0-10.1
kauth-devel-5.26.0-9.2
kauth-devel-5.32.0-5.1
libKF5Auth5-5.20.0-10.1
libKF5Auth5-5.26.0-9.2
libKF5Auth5-5.32.0-5.1
libKF5Auth5-debuginfo-5.26.0-9.2
libKF5Auth5-debuginfo-5.32.0-5.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64_ilp32):

kauth-devel-64bit-5.32.0-5.2
kcoreaddons-devel-64bit-5.32.0-7.1
kcoreaddons-devel-debuginfo-64bit-5.32.0-7.1
libKF5Auth5-64bit-5.32.0-5.2
libKF5Auth5-debuginfo-64bit-5.32.0-5.2
libKF5CoreAddons5-64bit-5.32.0-7.1
libKF5CoreAddons5-debuginfo-64bit-5.32.0-7.1
libpolkit-qt5-1-1-64bit-0.112.0-4.1
libpolkit-qt5-1-1-debuginfo-64bit-0.112.0-4.1
libpolkit-qt5-1-devel-64bit-0.112.0-4.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 s390x):

kauth-debugsource-5.26.0-9.3
kauth-debugsource-5.32.0-5.2
kauth-devel-5.20.0-10.2
kauth-devel-5.26.0-9.3
kauth-devel-5.32.0-5.2
libKF5Auth5-5.20.0-10.2
libKF5Auth5-5.26.0-9.3
libKF5Auth5-5.32.0-5.2
libKF5Auth5-debuginfo-5.26.0-9.3
libKF5Auth5-debuginfo-5.32.0-5.2

- SUSE Package Hub for SUSE Linux Enterprise 12 (s390x x86_64):

kcoreaddons-5.26.0-5.4
kcoreaddons-debugsource-5.26.0-5.4
kcoreaddons-devel-5.26.0-5.4
kcoreaddons-devel-debuginfo-5.26.0-5.4
libKF5CoreAddons5-5.26.0-5.4
libKF5CoreAddons5-debuginfo-5.26.0-5.4

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

kcoreaddons-lang-5.20.0-8.1
kcoreaddons-lang-5.26.0-5.2
kcoreaddons-lang-5.26.0-5.4
kcoreaddons-lang-5.32.0-7.1
libKF5Auth5-lang-5.20.0-10.1
libKF5Auth5-lang-5.20.0-10.2
libKF5Auth5-lang-5.26.0-9.2
libKF5Auth5-lang-5.26.0-9.3
libKF5Auth5-lang-5.32.0-5.1
libKF5Auth5-lang-5.32.0-5.2

- SUSE Package Hub for SUSE Linux Enterprise 12 (s390x):

libpolkit-qt5-1-1-0.112.0-2.2
libpolkit-qt5-1-1-debuginfo-0.112.0-2.2
libpolkit-qt5-1-devel-0.112.0-2.2
polkit-qt5-1-debugsource-0.112.0-2.2


References:

https://www.suse.com/security/cve/CVE-2019-7443.html
https://bugzilla.suse.com/1124863

--


openSUSE-SU-2019:0243-1: moderate: Security update for dovecot23

openSUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0243-1
Rating: moderate
References: #1119850 #1123022 #1124356
Cross-References: CVE-2019-3814
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:


This update for dovecot23 fixes the following issues:

dovecot was updated to 2.3.3 release, bringing lots of bugfixes
(bsc#1124356).

Also the following security issue was fixed:

- CVE-2019-3814: A vulnerability in Dovecot related to SSL client
certificate authentication was fixed (bsc#1123022).

The package changes:

Updated pigeonhole to 0.5.3:

- Fix assertion panic occurring when managesieve service fails to
open INBOX while saving a Sieve script. This was caused by a lack of
cleanup after failure.
- Fix specific messages causing an assert panic with actions that compose
a reply (e.g. vacation). With some rather weird input from the original
message, the header folding algorithm (as used for composing the
References header for the reply) got confused, causing the panic.
- IMAP FILTER=SIEVE capability: Fix FILTER SIEVE SCRIPT command parsing.
After finishing reading the Sieve script, the command parsing sometimes
didn't continue with the search arguments. This is a time-critical bug
that likely only occurs when the Sieve script is sent in the next TCP
frame.

dovecot23 was updated to 2.3.3:

- doveconf hides more secrets now in the default output.
- ssl_dh setting is no longer enforced at startup. If it's not set and a
non-ECC DH key exchange happens, an error is logged and the client is
disconnected.
- Added log_debug= setting.
- Added log_core_filter= setting.
- quota-clone: Write to dict asynchronously
- --enable-hardening attempts to use retpoline Spectre 2 mitigations
- lmtp proxy: Support source_ip passdb extra field.
- doveadm stats dump: Support more fields and output stddev by default.
- push-notification: Add SSL support for OX backend.
- NUL bytes in mail headers can cause truncated replies when fetched.
- director: Conflicting host up/down state changes may in some rare
situations have ended up in a loop of two directors constantly
overwriting each other's changes.
- director: Fix hang/crash when multiple doveadm commands are being
handled concurrently.
- director: Fix assert-crash if doveadm disconnects too early
- virtual plugin: Some searches used 100% CPU for many seconds
- dsync assert-crashed with acl plugin in some situations. (bsc#1119850)
- mail_attachment_detection_options=add-flags-on-save assert-crashed with
some specific Sieve scripts.
- Mail snippet generation crashed with mails containing invalid
Content-Type:multipart header.
- Log prefix ordering was different for some log lines.
- quota: With noenforcing option current quota usage wasn't updated.
- auth: Kerberos authentication against Samba assert-crashed.
- stats clients were unnecessarily chatty with the stats server.
- imapc: Fixed various assert-crashes when reconnecting to server.
- lmtp, submission: Fix potential crash if client disconnects while
handling a command.
- quota: Fixed compiling with glibc-2.26 / support libtirpc.
- fts-solr: Empty search values resulted in 400 Bad Request errors
- fts-solr: default_ns parameter couldn't be used
- submission server crashed if relay server returned over 7 lines in a
reply (e.g. to EHLO)

dovecot was updated to 2.3.2.1:

- SSL/TLS servers may have crashed during client disconnection
- lmtp: With lmtp_rcpt_check_quota=yes mail deliveries may have sometimes
assert-crashed.
- v2.3.2: "make check" may have crashed with 32bit systems

dovecot was updated to 2.3.2:

- old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening
/proc/self/io. This may still cause security problems if the process is
ptrace()d at the same time. Instead, open it while still running as root.
- doveadm: Added mailbox cache decision&remove commands. See
doveadm-mailbox(1) man page for details.
- doveadm: Added rebuild attachments command for rebuilding $HasAttachment
or $HasNoAttachment flags for matching mails. See doveadm-rebuild(1) man
page for details.
- cassandra: Use fallback_consistency on more types of errors
- lmtp proxy: Support outgoing SSL/TLS connections
- lmtp: Add lmtp_rawlog_dir and lmtp_proxy_rawlog_dir settings.
- submission: Add support for rawlog_dir
- submission: Add submission_client_workarounds setting.
- lua auth: Add password_verify() function and additional fields in auth
request.
- doveadm-server: TCP connections are hanging when there is a lot
of network output. This especially caused hangs in dsync-replication.
- Using multiple type=shared mdbox namespaces crashed
- mail_fsync setting was ignored. It was always set to "optimized".
- lua auth: Fix potential crash at deinit
- SSL/TLS servers may have crashed if client disconnected during handshake.
- SSL/TLS servers: Don't send extraneous certificates to client when alt
certs are used.
- lda, lmtp: Return-Path header without '


openSUSE-SU-2019:0244-1: moderate: Security update for python-Jinja2

openSUSE Security Update: Security update for python-Jinja2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0244-1
Rating: moderate
References: #858239
Cross-References: CVE-2014-0012
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-Jinja2 fixes the following issues:

- Update to 2.8
- Added `target` parameter to urlize function.
- Added support for `followsymlinks` to the file system loader.
- The truncate filter now counts the length.
- Added equalto filter that helps with select filters.
- Changed cache keys to use absolute file names if available instead of
load names.
- Fixed loop length calculation for some iterators.
- Changed how Jinja2 enforces strings to be native strings in Python 2
to work when people break their default encoding.
- Added :func:`make_logging_undefined` which returns an undefined
object that logs failures into a logger.
- If unmarshalling of cached data fails the template will be reloaded
now.
- Implemented a block ``set`` tag.
- Default cache size was increased to 400 from a low 50.
- Fixed ``is number`` test to accept long integers in all Python
versions.
- Changed ``is number`` to accept Decimal as a number.
- Added a check for default arguments followed by non-default arguments.
This change makes ``{% macro m(x, y=1, z) %}...{% endmacro %}`` a
syntax error. The previous behavior for this code was broken anyway
(resulting in the default value being applied to `y`).
- Add ability to use custom subclasses of
``jinja2.compiler.CodeGenerator`` and ``jinja2.runtime.Context`` by
adding two new attributes to the environment (`code_generator_class`
and `context_class`) (pull request ``#404``).
- added support for context/environment/evalctx decorator functions on
the finalize callback of the environment.
- escape query strings for urlencode properly. Previously slashes were
not escaped in that place.
- Add 'base' parameter to 'int' filter.
- Tests are removed from the package (not distributed in the tar.gz)

- Use %python_version over %py_ver: better portability to RHEL

- run testsuite during build

- adjust dependency to use up to date package name for python-MarkupSafe

- Update to 2.7.3 (boo#858239, CVE-2014-0012)
- Security issue: Corrected the security fix for the cache folder. This
fix was provided by RedHat.

- fix package build (file selection missing)

- avoid rebuildcycle with vim

- update to 2.7.2:
- Prefix loader was not forwarding the locals properly to inner
loaders. This is now fixed.
- Security issue: Changed the default folder for the filesystem cache to
be user specific and read and write protected on UNIX systems. See
`Debian bug 734747`_ for more information.

- Require python-setuptools instead of distribute (upstreams merged)

- Avoid "Recommends:" on old rpm distros

- update to 2.7.1:
- Fixed a bug with ``call_filter`` not working properly on environment
and context filters.
- Fixed lack of Python 3 support for bytecode caches.
- Reverted support for defining blocks in included templates as this
broke existing templates for users.
- Fixed some warnings with hashing of undefineds and nodes if Python is
run with warnings for Python 3.
- Added support for properly hashing undefined objects.
- Fixed a bug with the title filter not working on already uppercase
strings.

- update to 2.7:
- Choice and prefix loaders now dispatch source and template lookup
separately in order to work in combination with module loaders as
advertised.
- Fixed filesizeformat.
- Added a non-silent option for babel extraction.
- Added `urlencode` filter that automatically quotes values for URL safe
usage with utf-8 as only supported encoding. If applications want to
change this encoding they can override the filter.
- Added `keep-trailing-newline` configuration to environments and
templates to optionally preserve the final trailing newline.
- Accessing `last` on the loop context no longer causes the iterator to
be consumed into a list.
- Python requirement changed: 2.6, 2.7 or >= 3.3 are required now,
supported by same source code, using the "six" compatibility library.
- Allow `contextfunction` and other decorators to be applied to
`__call__`.
- Added support for changing from newline to different signs in the
`wordwrap` filter.
- Added support for ignoring memcache errors silently.
- Added support for keeping the trailing newline in templates.
- Added finer grained support for stripping whitespace on the left side
of blocks.
- Added `map`, `select`, `reject`, `selectattr` and `rejectattr` filters.
- Added support for `loop.depth` to figure out how deep inside a
recursive loop the code is.
- Disabled py_compile for pypy and python 3.

- Fix building python 3 package on openSUSE 11.4 x86_64

- Add 2to3 buildrequires to allow for proper conversion of python 3 version

- Add python 3 package
- Simplify vim plugin packaging
- Add suggests for vim and emacs in their respective packages
- Removed test for obsolete openSUSE version

- Simplified macro usage

- Split of 'vim' and 'emacs' sub-packages that contain syntax highlighting
support for both editors

- Set license to BSD-3-Clause (SPDX style)
- Require python-distribute instead of python-setuptools

- Update to version 2.6:
* internal attributes now raise an internal attribute error instead
of returning an undefined. This fixes problems when passing undefined
objects to Python semantics expecting APIs.
* traceback support now works properly for PyPy. (Tested with 1.4)
* implemented operator intercepting for sandboxed environments. This
allows application developers to disable builtin operators for better
security. (For instance limit the mathematical operators to actual
integers instead of longs)
* groupby filter now supports dotted notation for grouping by attributes
of attributes.
* scoped blocks now properly treat toplevel assignments and imports.
Previously an import suddenly "disappeared" in a scoped block.
* automatically detect newer Python interpreter versions before loading
code from bytecode caches to prevent segfaults on invalid opcodes.
The segfault in earlier Jinja2 versions here was not a Jinja2 bug but
a limitation in the underlying Python interpreter. If you notice
Jinja2 segfaulting in earlier versions after an upgrade of the Python
interpreter you don't have to upgrade, it's enough to flush the
bytecode cache. This just no longer makes this necessary, Jinja2 will
automatically detect these cases now.
* the sum filter can now sum up values by attribute. This is a
backwards incompatible change. The argument to the filter previously
was the optional starting index which defaults to zero. This now became
the second argument to the function because it's rarely used.
* like sum, sort now also makes it possible to order items by attribute.
* like sum and sort, join now also is able to join attributes of objects
as string.
* the internal eval context now has a reference to the environment.
* added a mapping test to see if an object is a dict or an object with a
similar interface.

- Renamed to python-Jinja2
- Fix wrong EOL encodings

- Do not require python-setuptools, buildrequires is sufficient
- Removed authors from description
- Changed license to BSD3c

- rpmlint issues cleanup
* fdupes, tar.bz2 tarball, ...
- package docs again (lost with last revision)

- re-generated spec file with py2pack
* now builds for Fedora and Mandriva

- Update to 2.2.1.
- Fixed changes file name.

- initial package (2.1.1)
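The 2.7.2 and 2.7.3 entries above (CVE-2014-0012) concern the directory used by Jinja2's filesystem bytecode cache: a predictable, shared location under /tmp lets any local user pre-create it, or plant marshalled bytecode in it, and the next user who renders a template executes that code. The following is an added example, not Jinja2's own code, that models the fix as a per-user 0700 directory validated on every use; the directory name `_jinja2-cache` and the `demo()` scenarios are constructed for illustration and the checks are a simplified version of what the fix does:

```python
import os
import stat
import tempfile

CACHE_BASENAME = "_jinja2-cache"   # assumed name, chosen for this example


def unsafe_cache_dir(base=None):
    """The pre-2.7.2 pattern: one predictable directory shared by every user on
    the host. Any local user can pre-create it or drop marshalled bytecode into
    it that the next template load will execute as the victim."""
    base = base or tempfile.gettempdir()
    path = os.path.join(base, CACHE_BASENAME)
    os.makedirs(path, exist_ok=True)      # mode is whatever the umask leaves
    return path


def safe_cache_dir(base=None):
    """Per-user directory, created 0700 and validated on every use (a simplified
    model of the 2.7.3 fix, not Jinja2's code)."""
    base = base or tempfile.gettempdir()
    uid = os.getuid()
    path = os.path.join(base, "%s-%d" % (CACHE_BASENAME, uid))
    try:
        os.mkdir(path, 0o700)             # atomic; the umask can only remove bits
    except FileExistsError:
        pass                              # might be ours, might be planted
    st = os.lstat(path)                   # lstat: never follow a planted symlink
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % path)
    if st.st_uid != uid:
        raise RuntimeError("%s is owned by uid %d, not %d" % (path, st.st_uid, uid))
    if mode != 0o700:
        raise RuntimeError("%s has mode %o, expected 0700" % (path, mode))
    return path


def _rejected(base):
    """True if safe_cache_dir() refuses to use the cache directory under base."""
    try:
        safe_cache_dir(base)
    except RuntimeError:
        return True
    return False


def demo():
    """Three constructed scenarios in fresh temp dirs: a clean base, a base where
    someone planted a world-writable cache dir under our name, and a base where
    they planted a symlink to a directory they control."""
    name = "%s-%d" % (CACHE_BASENAME, os.getuid())
    fresh = tempfile.mkdtemp()
    good = safe_cache_dir(fresh)
    planted = tempfile.mkdtemp()
    os.mkdir(os.path.join(planted, name))
    os.chmod(os.path.join(planted, name), 0o777)
    linked = tempfile.mkdtemp()
    os.symlink(planted, os.path.join(linked, name))
    return {
        "mode": stat.S_IMODE(os.stat(good).st_mode),
        "idempotent": safe_cache_dir(fresh) == good,
        "rejects_planted_dir": _rejected(planted),
        "rejects_symlink": _rejected(linked),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: `os.mkdir` with an explicit 0700 mode is the only atomic step, and everything after it treats an already-existing path as hostile until `lstat` has shown it is a real directory, owned by the caller, with no group or world bits. Checking the mode with `os.stat` instead of `os.lstat` would let a symlink to an attacker's own 0700 directory pass.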


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-244=1



Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

python-Jinja2-2.8-2.1
python-Jinja2-emacs-2.8-2.1
python-Jinja2-vim-2.8-2.1


References:

https://www.suse.com/security/cve/CVE-2014-0012.html
https://bugzilla.suse.com/858239

--


openSUSE-SU-2019:0245-1: important: Security update for python-numpy

openSUSE Security Update: Security update for python-numpy
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0245-1
Rating: important
References: #1122208
Cross-References: CVE-2019-6446
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-numpy fixes the following issue:

Security issue fixed:

- CVE-2019-6446: Set allow_pickle to False by default to restrict loading of
untrusted content (bsc#1122208). This reduces the risk of remote attackers
executing arbitrary code through numpy.load(), which unpickles object arrays.
A runtime warning is shown when allow_pickle is not set explicitly.

NOTE: This update changes the behaviour of python-numpy, which might break
your application. To get the old behaviour back you have to explicitly set
`allow_pickle` to True. Be aware that this should only be done for trusted
input, as loading untrusted input might lead to arbitrary code execution.
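To show why the default matters, here is an added example (not numpy's code) that builds two .npy files by hand and loads them through a minimal stand-in for `numpy.load()` with the new `allow_pickle=False` default. It runs without numpy: the .npy container (magic, version, header length, ASCII dict header, raw data) is written and parsed inline, and the hostile file's data segment is a pickle whose `__reduce__` calls `os.mkdir` on a constructed marker path so that execution is observable without doing anything harmful; a real payload would call `os.system` there instead. The `build_npy`, `parse_header`, `load` and `demo` functions and the `Payload` class are all assumptions of this example:

```python
import ast
import os
import pickle
import struct
import tempfile

MAGIC = b"\x93NUMPY"
# Constructed marker: the payload's only side effect is creating this directory.
MARKER = os.path.join(tempfile.mkdtemp(prefix="npy-demo-"), "pickle-ran")


class Payload:
    """Constructed hostile object. Unpickling it calls os.mkdir(MARKER); a real
    attacker would return os.system or subprocess.Popen with their own args."""

    def __reduce__(self):
        return (os.mkdir, (MARKER,))


def build_npy(descr, shape, data):
    """Serialise a version 1.0 .npy file: magic, version, little-endian uint16
    header length, ASCII dict header padded so the data starts on a 64-byte
    boundary, then the raw data."""
    header = {"descr": descr, "fortran_order": False, "shape": shape}
    hdr = repr(header).encode("latin1")
    pad = (64 - (len(MAGIC) + 2 + 2 + len(hdr) + 1) % 64) % 64
    hdr += b" " * pad + b"\n"
    return MAGIC + b"\x01\x00" + struct.pack("<H", len(hdr)) + hdr + data


def parse_header(blob):
    """Split a .npy blob into (header dict, data bytes). ast.literal_eval keeps
    the header itself from executing anything."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a .npy file")
    (hlen,) = struct.unpack("<H", blob[8:10])
    header = ast.literal_eval(blob[10:10 + hlen].decode("latin1"))
    return header, blob[10 + hlen:]


def load(blob, allow_pickle=False):
    """Simplified stand-in for numpy.load() with the post-update default.
    Object-dtype data is a pickle stream, so it is refused unless the caller
    opts in; numeric data is decoded with struct and can never run code."""
    header, data = parse_header(blob)
    if "O" in str(header["descr"]):
        if not allow_pickle:
            raise ValueError("Object arrays cannot be loaded when allow_pickle=False")
        return pickle.loads(data)  # arbitrary callable from the file runs here
    count = 1
    for dim in header["shape"]:
        count *= dim
    return list(struct.unpack("<%di" % count, data))  # int32 little-endian only


def demo():
    """Run once: returns (numeric values, refused by default?, marker present
    before opt-in, marker present after opt-in)."""
    numeric = build_npy("<i4", (3,), struct.pack("<3i", 1, 2, 3))
    hostile = build_npy("|O", (1,), pickle.dumps(Payload()))
    refused = False
    try:
        load(hostile)                    # allow_pickle=False: safe
    except ValueError:
        refused = True
    before = os.path.isdir(MARKER)
    load(hostile, allow_pickle=True)     # opt-in: Payload runs os.mkdir
    after = os.path.isdir(MARKER)
    return load(numeric), refused, before, after


if __name__ == "__main__":
    print(demo())
```

The point the advisory makes is visible in `load()`: nothing in the numeric path can run code, because the header is parsed with `ast.literal_eval` and the data with `struct`, while the object path hands the file's bytes to `pickle.loads`, which will call whatever global the stream names. Passing `allow_pickle=True` is therefore a statement that the file is trusted, not a compatibility flag.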

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-245=1



Package List:

- openSUSE Leap 15.0 (x86_64):

python-numpy-debuginfo-1.14.0-lp150.3.3.1
python-numpy-debugsource-1.14.0-lp150.3.3.1
python-numpy_1_14_0-gnu-hpc-debuginfo-1.14.0-lp150.3.3.1
python-numpy_1_14_0-gnu-hpc-debugsource-1.14.0-lp150.3.3.1
python2-numpy-1.14.0-lp150.3.3.1
python2-numpy-debuginfo-1.14.0-lp150.3.3.1
python2-numpy-devel-1.14.0-lp150.3.3.1
python2-numpy-gnu-hpc-1.14.0-lp150.3.3.1
python2-numpy-gnu-hpc-devel-1.14.0-lp150.3.3.1
python2-numpy_1_14_0-gnu-hpc-1.14.0-lp150.3.3.1
python2-numpy_1_14_0-gnu-hpc-debuginfo-1.14.0-lp150.3.3.1
python2-numpy_1_14_0-gnu-hpc-devel-1.14.0-lp150.3.3.1
python3-numpy-1.14.0-lp150.3.3.1
python3-numpy-debuginfo-1.14.0-lp150.3.3.1
python3-numpy-devel-1.14.0-lp150.3.3.1
python3-numpy-gnu-hpc-1.14.0-lp150.3.3.1
python3-numpy-gnu-hpc-devel-1.14.0-lp150.3.3.1
python3-numpy_1_14_0-gnu-hpc-1.14.0-lp150.3.3.1
python3-numpy_1_14_0-gnu-hpc-debuginfo-1.14.0-lp150.3.3.1
python3-numpy_1_14_0-gnu-hpc-devel-1.14.0-lp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-6446.html
https://bugzilla.suse.com/1122208

--