SUSE 5172 Published by

SUSE Linux has received multiple security updates, featuring significant updates for Mozilla Firefox, moderate updates for ovmf, and minor updates for hplip. Additionally, there are important updates for frr, python-virtualenv, qemu, seamonkey, cobbler, libuv, libjxl-devel, postgresql, tomcat, and python-waitress.

SUSE-SU-2024:4086-1: important: Security update for MozillaFirefox
SUSE-SU-2024:4088-1: moderate: Security update for ovmf
SUSE-SU-2024:4089-1: low: Security update for hplip
SUSE-SU-2024:4090-1: important: Security update for frr
SUSE-SU-2024:4093-1: important: Security update for python-virtualenv
SUSE-SU-2024:4094-1: important: Security update for qemu
openSUSE-SU-2024:0381-1: important: Security update for seamonkey
openSUSE-SU-2024:0382-1: important: Security update for cobbler
SUSE-SU-2024:4109-1: moderate: Security update for libuv
openSUSE-SU-2024:14531-1: moderate: libjxl-devel-0.11.1-1.1 on GA media
SUSE-SU-2024:4099-1: important: Security update for postgresql12
SUSE-SU-2024:4098-1: important: Security update for postgresql15
SUSE-SU-2024:4105-1: critical: Security update for tomcat10
SUSE-SU-2024:4106-1: critical: Security update for tomcat
SUSE-SU-2024:4107-1: important: Security update for python-waitress




SUSE-SU-2024:4086-1: important: Security update for MozillaFirefox


# Security update for MozillaFirefox

Announcement ID: SUSE-SU-2024:4086-1
Release Date: 2024-11-28T06:37:36Z
Rating: important
References:

* bsc#1233695

Cross-References:

* CVE-2024-11691
* CVE-2024-11692
* CVE-2024-11693
* CVE-2024-11694
* CVE-2024-11695
* CVE-2024-11696
* CVE-2024-11697
* CVE-2024-11698
* CVE-2024-11699

CVSS scores:

* CVE-2024-11691 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-11692 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2024-11693 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-11694 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2024-11695 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2024-11697 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-11698 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-11699 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

* Desktop Applications Module 15-SP5
* Desktop Applications Module 15-SP6
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves nine vulnerabilities can now be installed.

## Description:

This update for MozillaFirefox fixes the following issues:

Firefox Extended Support Release 128.5.0 ESR, fixed various security fixes and
other quality improvements, MFSA 2024-64 (bsc#1233695):

* CVE-2024-11691: Memory corruption in Apple GPU drivers
* CVE-2024-11692: Select list elements could be shown over another site
* CVE-2024-11693: Download Protections were bypassed by .library-ms files on
Windows
* CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims
* CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace
Characters
* CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
* CVE-2024-11697: Inproper Keypress Handling in Executable File Confirmation
Dialog
* CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts Transition
on macOS
* CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5,
and Thunderbird 128.5

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4086=1

* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2024-4086=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-4086=1

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-4086=1

* Desktop Applications Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP5-2024-4086=1

* Desktop Applications Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP6-2024-4086=1

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4086=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4086=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4086=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4086=1

* SUSE Linux Enterprise Desktop 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4086=1

* SUSE Linux Enterprise Server 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4086=1

* SUSE Linux Enterprise Server 15 SP3 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4086=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4086=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4086=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4086=1

## Package List:

* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Enterprise Storage 7.1 (aarch64 x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Enterprise Storage 7.1 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* MozillaFirefox-branding-upstream-128.5.0-150200.152.161.1
* openSUSE Leap 15.5 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* MozillaFirefox-branding-upstream-128.5.0-150200.152.161.1
* openSUSE Leap 15.6 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* Desktop Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* Desktop Applications Module 15-SP5 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* Desktop Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* Desktop Applications Module 15-SP6 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS (aarch64
x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64
x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS (x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server 15 SP2 LTSS (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server 15 SP2 LTSS (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
* MozillaFirefox-debuginfo-128.5.0-150200.152.161.1
* MozillaFirefox-translations-other-128.5.0-150200.152.161.1
* MozillaFirefox-translations-common-128.5.0-150200.152.161.1
* MozillaFirefox-128.5.0-150200.152.161.1
* MozillaFirefox-debugsource-128.5.0-150200.152.161.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
* MozillaFirefox-devel-128.5.0-150200.152.161.1

## References:

* https://www.suse.com/security/cve/CVE-2024-11691.html
* https://www.suse.com/security/cve/CVE-2024-11692.html
* https://www.suse.com/security/cve/CVE-2024-11693.html
* https://www.suse.com/security/cve/CVE-2024-11694.html
* https://www.suse.com/security/cve/CVE-2024-11695.html
* https://www.suse.com/security/cve/CVE-2024-11696.html
* https://www.suse.com/security/cve/CVE-2024-11697.html
* https://www.suse.com/security/cve/CVE-2024-11698.html
* https://www.suse.com/security/cve/CVE-2024-11699.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233695



SUSE-SU-2024:4088-1: moderate: Security update for ovmf


# Security update for ovmf

Announcement ID: SUSE-SU-2024:4088-1
Release Date: 2024-11-28T07:57:20Z
Rating: moderate
References:

* bsc#1225889

Cross-References:

* CVE-2024-1298

CVSS scores:

* CVE-2024-1298 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Affected Products:

* openSUSE Leap 15.5
* openSUSE Leap Micro 5.5
* Server Applications Module 15-SP5
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Package Hub 15 15-SP5

An update that solves one vulnerability can now be installed.

## Description:

This update for ovmf fixes the following issues:

* CVE-2024-1298: Fixed potential UINT32 overflow in S3 ResumeCount
(bsc#1225889).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
zypper in -t patch SUSE-2024-4088=1 openSUSE-SLE-15.5-2024-4088=1

* openSUSE Leap Micro 5.5
zypper in -t patch openSUSE-Leap-Micro-5.5-2024-4088=1

* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2024-4088=1

* SUSE Package Hub 15 15-SP5
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-4088=1

* Server Applications Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP5-2024-4088=1

## Package List:

* openSUSE Leap 15.5 (aarch64 x86_64)
* ovmf-tools-202208-150500.6.3.1
* ovmf-202208-150500.6.3.1
* openSUSE Leap 15.5 (noarch)
* qemu-ovmf-x86_64-202208-150500.6.3.1
* qemu-ovmf-ia32-202208-150500.6.3.1
* qemu-uefi-aarch64-202208-150500.6.3.1
* qemu-uefi-aarch32-202208-150500.6.3.1
* openSUSE Leap 15.5 (x86_64)
* qemu-ovmf-x86_64-debug-202208-150500.6.3.1
* openSUSE Leap Micro 5.5 (noarch)
* qemu-ovmf-x86_64-202208-150500.6.3.1
* qemu-uefi-aarch64-202208-150500.6.3.1
* SUSE Linux Enterprise Micro 5.5 (noarch)
* qemu-ovmf-x86_64-202208-150500.6.3.1
* qemu-uefi-aarch64-202208-150500.6.3.1
* SUSE Package Hub 15 15-SP5 (noarch)
* qemu-ovmf-x86_64-202208-150500.6.3.1
* qemu-uefi-aarch32-202208-150500.6.3.1
* qemu-uefi-aarch64-202208-150500.6.3.1
* SUSE Package Hub 15 15-SP5 (x86_64)
* qemu-ovmf-x86_64-debug-202208-150500.6.3.1
* Server Applications Module 15-SP5 (aarch64 x86_64)
* ovmf-tools-202208-150500.6.3.1
* ovmf-202208-150500.6.3.1
* Server Applications Module 15-SP5 (noarch)
* qemu-ovmf-x86_64-202208-150500.6.3.1
* qemu-uefi-aarch64-202208-150500.6.3.1

## References:

* https://www.suse.com/security/cve/CVE-2024-1298.html
* https://bugzilla.suse.com/show_bug.cgi?id=1225889



SUSE-SU-2024:4089-1: low: Security update for hplip


# Security update for hplip

Announcement ID: SUSE-SU-2024:4089-1
Release Date: 2024-11-28T07:57:43Z
Rating: low
References:

* bsc#1209401

Affected Products:

* Basesystem Module 15-SP6
* Desktop Applications Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that has one security fix can now be installed.

## Description:

This update for hplip fixes the following issues:

* hpmud: sanitize printer serial number (bsc#1209401)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4089=1 openSUSE-SLE-15.6-2024-4089=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4089=1

* Desktop Applications Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP6-2024-4089=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* hplip-sane-3.23.8-150600.4.3.1
* hplip-3.23.8-150600.4.3.1
* hplip-scan-utils-3.23.8-150600.4.3.1
* hplip-debuginfo-3.23.8-150600.4.3.1
* hplip-scan-utils-debuginfo-3.23.8-150600.4.3.1
* hplip-sane-debuginfo-3.23.8-150600.4.3.1
* hplip-hpijs-debuginfo-3.23.8-150600.4.3.1
* hplip-devel-3.23.8-150600.4.3.1
* hplip-debugsource-3.23.8-150600.4.3.1
* hplip-udev-rules-3.23.8-150600.4.3.1
* hplip-hpijs-3.23.8-150600.4.3.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* hplip-sane-3.23.8-150600.4.3.1
* hplip-debuginfo-3.23.8-150600.4.3.1
* hplip-sane-debuginfo-3.23.8-150600.4.3.1
* hplip-hpijs-debuginfo-3.23.8-150600.4.3.1
* hplip-devel-3.23.8-150600.4.3.1
* hplip-debugsource-3.23.8-150600.4.3.1
* hplip-udev-rules-3.23.8-150600.4.3.1
* hplip-hpijs-3.23.8-150600.4.3.1
* Desktop Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* hplip-debuginfo-3.23.8-150600.4.3.1
* hplip-debugsource-3.23.8-150600.4.3.1
* hplip-3.23.8-150600.4.3.1

## References:

* https://bugzilla.suse.com/show_bug.cgi?id=1209401



SUSE-SU-2024:4090-1: important: Security update for frr


# Security update for frr

Announcement ID: SUSE-SU-2024:4090-1
Release Date: 2024-11-28T07:58:02Z
Rating: important
References:

* jsc#PED-11092

Cross-References:

* CVE-2023-31489
* CVE-2023-31490
* CVE-2023-3748
* CVE-2023-38406
* CVE-2023-38407
* CVE-2023-38802
* CVE-2023-41358
* CVE-2023-41360
* CVE-2023-41909
* CVE-2023-46752
* CVE-2023-46753
* CVE-2023-47234
* CVE-2023-47235
* CVE-2024-27913
* CVE-2024-31948
* CVE-2024-31950
* CVE-2024-31951
* CVE-2024-34088
* CVE-2024-44070

CVSS scores:

* CVE-2023-31489 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-31489 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-31490 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-31490 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-3748 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-3748 ( NVD ): 3.5 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-38406 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-38406 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-38407 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-38407 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-38802 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-38802 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-41358 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-41358 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-41360 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-41360 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-41360 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-41909 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-41909 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-46752 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-46752 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-46753 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-46753 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-47234 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-47234 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-47235 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-47235 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-27913 ( SUSE ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-31948 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-31950 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-31951 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-31951 ( NVD ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-34088 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-34088 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-44070 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-44070 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-44070 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Leap 15.5
* openSUSE Leap 15.6
* Server Applications Module 15-SP5
* Server Applications Module 15-SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves 19 vulnerabilities and contains one feature can now be
installed.

## Description:

This update for frr fixes the following issues:

Update to frr 8.5.6 (jsc#PED-PED-11092) including fixes for:

* CVE-2024-44070,CVE-2024-34088,CVE-2024-31951,CVE-2024-31950,
CVE-2024-31948,CVE-2024-27913,CVE-2023-47235,CVE-2023-47234,
CVE-2023-46753,CVE-2023-46752,CVE-2023-41909,CVE-2023-41360,
CVE-2023-41358,CVE-2023-38802,CVE-2023-38407,CVE-2023-38406,
CVE-2023-3748,CVE-2023-31490,CVE-2023-31489 and other bugfixes. See
https://frrouting.org/release/8.5.6/ for details.

The most recent frr 8.x series provides several new features, improvements and
bug fixes for various protocols and daemons, especially for PIM/PIMv6/BGP and
VRF support.

See https://frrouting.org/release/8.5/ for details and links.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
zypper in -t patch SUSE-2024-4090=1 openSUSE-SLE-15.5-2024-4090=1

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-4090=1

* Server Applications Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP5-2024-4090=1

* Server Applications Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP6-2024-4090=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
* libfrrzmq0-debuginfo-8.5.6-150500.4.30.1
* libfrrospfapiclient0-8.5.6-150500.4.30.1
* libfrrsnmp0-8.5.6-150500.4.30.1
* libfrrzmq0-8.5.6-150500.4.30.1
* libfrrfpm_pb0-8.5.6-150500.4.30.1
* libfrrcares0-8.5.6-150500.4.30.1
* libfrrsnmp0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-8.5.6-150500.4.30.1
* frr-devel-8.5.6-150500.4.30.1
* libfrrospfapiclient0-debuginfo-8.5.6-150500.4.30.1
* libfrrfpm_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-debuginfo-8.5.6-150500.4.30.1
* libfrr_pb0-8.5.6-150500.4.30.1
* frr-8.5.6-150500.4.30.1
* libmlag_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrrcares0-debuginfo-8.5.6-150500.4.30.1
* frr-debugsource-8.5.6-150500.4.30.1
* frr-debuginfo-8.5.6-150500.4.30.1
* libmlag_pb0-8.5.6-150500.4.30.1
* libfrr_pb0-debuginfo-8.5.6-150500.4.30.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* libfrrzmq0-debuginfo-8.5.6-150500.4.30.1
* libfrrospfapiclient0-8.5.6-150500.4.30.1
* libfrrsnmp0-8.5.6-150500.4.30.1
* libfrrzmq0-8.5.6-150500.4.30.1
* libfrrfpm_pb0-8.5.6-150500.4.30.1
* libfrrcares0-8.5.6-150500.4.30.1
* libfrrsnmp0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-8.5.6-150500.4.30.1
* frr-devel-8.5.6-150500.4.30.1
* libfrrospfapiclient0-debuginfo-8.5.6-150500.4.30.1
* libfrrfpm_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-debuginfo-8.5.6-150500.4.30.1
* libfrr_pb0-8.5.6-150500.4.30.1
* frr-8.5.6-150500.4.30.1
* libmlag_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrrcares0-debuginfo-8.5.6-150500.4.30.1
* frr-debugsource-8.5.6-150500.4.30.1
* frr-debuginfo-8.5.6-150500.4.30.1
* libmlag_pb0-8.5.6-150500.4.30.1
* libfrr_pb0-debuginfo-8.5.6-150500.4.30.1
* Server Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* libfrrzmq0-debuginfo-8.5.6-150500.4.30.1
* libfrrospfapiclient0-8.5.6-150500.4.30.1
* libfrrsnmp0-8.5.6-150500.4.30.1
* libfrrzmq0-8.5.6-150500.4.30.1
* libfrrfpm_pb0-8.5.6-150500.4.30.1
* libfrrcares0-8.5.6-150500.4.30.1
* libfrrsnmp0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-8.5.6-150500.4.30.1
* frr-devel-8.5.6-150500.4.30.1
* libfrrospfapiclient0-debuginfo-8.5.6-150500.4.30.1
* libfrrfpm_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-debuginfo-8.5.6-150500.4.30.1
* libfrr_pb0-8.5.6-150500.4.30.1
* frr-8.5.6-150500.4.30.1
* libmlag_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrrcares0-debuginfo-8.5.6-150500.4.30.1
* frr-debugsource-8.5.6-150500.4.30.1
* frr-debuginfo-8.5.6-150500.4.30.1
* libmlag_pb0-8.5.6-150500.4.30.1
* libfrr_pb0-debuginfo-8.5.6-150500.4.30.1
* Server Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* libfrrzmq0-debuginfo-8.5.6-150500.4.30.1
* libfrrospfapiclient0-8.5.6-150500.4.30.1
* libfrrsnmp0-8.5.6-150500.4.30.1
* libfrrzmq0-8.5.6-150500.4.30.1
* libfrrfpm_pb0-8.5.6-150500.4.30.1
* libfrrcares0-8.5.6-150500.4.30.1
* libfrrsnmp0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-8.5.6-150500.4.30.1
* frr-devel-8.5.6-150500.4.30.1
* libfrrospfapiclient0-debuginfo-8.5.6-150500.4.30.1
* libfrrfpm_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrr0-debuginfo-8.5.6-150500.4.30.1
* libfrr_pb0-8.5.6-150500.4.30.1
* frr-8.5.6-150500.4.30.1
* libmlag_pb0-debuginfo-8.5.6-150500.4.30.1
* libfrrcares0-debuginfo-8.5.6-150500.4.30.1
* frr-debugsource-8.5.6-150500.4.30.1
* frr-debuginfo-8.5.6-150500.4.30.1
* libmlag_pb0-8.5.6-150500.4.30.1
* libfrr_pb0-debuginfo-8.5.6-150500.4.30.1

## References:

* https://www.suse.com/security/cve/CVE-2023-31489.html
* https://www.suse.com/security/cve/CVE-2023-31490.html
* https://www.suse.com/security/cve/CVE-2023-3748.html
* https://www.suse.com/security/cve/CVE-2023-38406.html
* https://www.suse.com/security/cve/CVE-2023-38407.html
* https://www.suse.com/security/cve/CVE-2023-38802.html
* https://www.suse.com/security/cve/CVE-2023-41358.html
* https://www.suse.com/security/cve/CVE-2023-41360.html
* https://www.suse.com/security/cve/CVE-2023-41909.html
* https://www.suse.com/security/cve/CVE-2023-46752.html
* https://www.suse.com/security/cve/CVE-2023-46753.html
* https://www.suse.com/security/cve/CVE-2023-47234.html
* https://www.suse.com/security/cve/CVE-2023-47235.html
* https://www.suse.com/security/cve/CVE-2024-27913.html
* https://www.suse.com/security/cve/CVE-2024-31948.html
* https://www.suse.com/security/cve/CVE-2024-31950.html
* https://www.suse.com/security/cve/CVE-2024-31951.html
* https://www.suse.com/security/cve/CVE-2024-34088.html
* https://www.suse.com/security/cve/CVE-2024-44070.html
* https://jira.suse.com/browse/PED-11092



SUSE-SU-2024:4093-1: important: Security update for python-virtualenv


# Security update for python-virtualenv

Announcement ID: SUSE-SU-2024:4093-1
Release Date: 2024-11-28T10:57:24Z
Rating: important
References:

* bsc#1233706

Cross-References:

* CVE-2024-53899

CVSS scores:

* CVE-2024-53899 ( SUSE ): 7.1
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-53899 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-53899 ( NVD ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-53899 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* Python 3 Module 15-SP5
* Python 3 Module 15-SP6
* SUSE Linux Enterprise Desktop 15 SP4 LTSS
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for python-virtualenv fixes the following issues:

* CVE-2024-53899: Fixed a command injection through activation scripts
(bsc#1233706)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-4093=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-4093=1

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-4093=1

* Python 3 Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-4093=1

* Python 3 Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Python3-15-SP6-2024-4093=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4093=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4093=1

* SUSE Linux Enterprise Desktop 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4093=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4093=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4093=1

## Package List:

* openSUSE Leap 15.4 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* openSUSE Leap 15.5 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* openSUSE Leap 15.6 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* Python 3 Module 15-SP5 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* Python 3 Module 15-SP6 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* python311-virtualenv-20.22.0-150400.9.6.1

## References:

* https://www.suse.com/security/cve/CVE-2024-53899.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233706



SUSE-SU-2024:4094-1: important: Security update for qemu


# Security update for qemu

Announcement ID: SUSE-SU-2024:4094-1
Release Date: 2024-11-28T11:57:02Z
Rating: important
References:

* bsc#1224132
* bsc#1229007
* bsc#1229929
* bsc#1230140
* bsc#1230834
* bsc#1230915
* bsc#1231519

Cross-References:

* CVE-2024-4693
* CVE-2024-7409
* CVE-2024-8354
* CVE-2024-8612

CVSS scores:

* CVE-2024-4693 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-7409 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-7409 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-7409 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-8354 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-8354 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-8354 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-8354 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-8612 ( SUSE ): 2.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2024-8612 ( SUSE ): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
* CVE-2024-8612 ( NVD ): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Affected Products:

* Basesystem Module 15-SP6
* openSUSE Leap 15.6
* Server Applications Module 15-SP6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Package Hub 15 15-SP6

An update that solves four vulnerabilities and has three security fixes can now
be installed.

## Description:

This update for qemu fixes the following issues:

Security fixes:

* CVE-2024-8354: Fixed assertion failure in usb_ep_get() (bsc#1230834)
* CVE-2024-8612: Fixed information leak in virtio devices (bsc#1230915)

Update version to 8.2.7:

Security fixes:

* CVE-2024-7409: Fixed denial of service via improper synchronization in QEMU
NBD Server during socket closure (bsc#1229007)
* CVE-2024-4693: Fixed improper release of configure vector in virtio-pci that
lead to guest triggerable crash (bsc#1224132)

Other fixes:

* added missing fix for ppc64 emulation that caused corruption in userspace
(bsc#1230140)
* target/ppc: Fix lxvx/stxvx facility check (bsc#1229929)
* accel/kvm: check for KVM_CAP_READONLY_MEM on VM (bsc#1231519)

Full changelog here:

https://lore.kernel.org/qemu-
devel/d9ff276f-f1ba-4e90-8343-a7a0dc2bf305@tls.msk.ru/

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4094=1 openSUSE-SLE-15.6-2024-4094=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4094=1

* SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4094=1

* Server Applications Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP6-2024-4094=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* qemu-ui-spice-core-debuginfo-8.2.7-150600.3.20.1
* qemu-pr-helper-8.2.7-150600.3.20.1
* qemu-ui-curses-8.2.7-150600.3.20.1
* qemu-extra-debuginfo-8.2.7-150600.3.20.1
* qemu-chardev-spice-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-dbus-8.2.7-150600.3.20.1
* qemu-audio-oss-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-pci-8.2.7-150600.3.20.1
* qemu-audio-pipewire-debuginfo-8.2.7-150600.3.20.1
* qemu-block-ssh-debuginfo-8.2.7-150600.3.20.1
* qemu-block-curl-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-usb-smartcard-8.2.7-150600.3.20.1
* qemu-block-nfs-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-8.2.7-150600.3.20.1
* qemu-audio-jack-8.2.7-150600.3.20.1
* qemu-x86-8.2.7-150600.3.20.1
* qemu-ui-spice-app-debuginfo-8.2.7-150600.3.20.1
* qemu-accel-tcg-x86-8.2.7-150600.3.20.1
* qemu-hw-display-qxl-8.2.7-150600.3.20.1
* qemu-hw-usb-smartcard-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-dbus-8.2.7-150600.3.20.1
* qemu-ui-opengl-debuginfo-8.2.7-150600.3.20.1
* qemu-block-gluster-8.2.7-150600.3.20.1
* qemu-extra-8.2.7-150600.3.20.1
* qemu-hw-s390x-virtio-gpu-ccw-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-vga-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-opengl-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-pci-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-dbus-debuginfo-8.2.7-150600.3.20.1
* qemu-guest-agent-8.2.7-150600.3.20.1
* qemu-accel-tcg-x86-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-spice-app-8.2.7-150600.3.20.1
* qemu-ivshmem-tools-8.2.7-150600.3.20.1
* qemu-audio-pipewire-8.2.7-150600.3.20.1
* qemu-ppc-8.2.7-150600.3.20.1
* qemu-block-iscsi-debuginfo-8.2.7-150600.3.20.1
* qemu-accel-qtest-debuginfo-8.2.7-150600.3.20.1
* qemu-chardev-baum-debuginfo-8.2.7-150600.3.20.1
* qemu-debugsource-8.2.7-150600.3.20.1
* qemu-ppc-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-usb-redirect-8.2.7-150600.3.20.1
* qemu-audio-jack-debuginfo-8.2.7-150600.3.20.1
* qemu-block-ssh-8.2.7-150600.3.20.1
* qemu-audio-pa-debuginfo-8.2.7-150600.3.20.1
* qemu-8.2.7-150600.3.20.1
* qemu-img-8.2.7-150600.3.20.1
* qemu-block-dmg-debuginfo-8.2.7-150600.3.20.1
* qemu-chardev-baum-8.2.7-150600.3.20.1
* qemu-block-curl-8.2.7-150600.3.20.1
* qemu-chardev-spice-8.2.7-150600.3.20.1
* qemu-hw-usb-host-8.2.7-150600.3.20.1
* qemu-arm-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-usb-redirect-debuginfo-8.2.7-150600.3.20.1
* qemu-headless-8.2.7-150600.3.20.1
* qemu-audio-alsa-debuginfo-8.2.7-150600.3.20.1
* qemu-block-iscsi-8.2.7-150600.3.20.1
* qemu-vhost-user-gpu-debuginfo-8.2.7-150600.3.20.1
* qemu-ksm-8.2.7-150600.3.20.1
* qemu-block-nfs-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-spice-debuginfo-8.2.7-150600.3.20.1
* qemu-ivshmem-tools-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-gtk-8.2.7-150600.3.20.1
* qemu-x86-debuginfo-8.2.7-150600.3.20.1
* qemu-linux-user-8.2.7-150600.3.20.1
* qemu-tools-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-spice-core-8.2.7-150600.3.20.1
* qemu-ui-gtk-debuginfo-8.2.7-150600.3.20.1
* qemu-vhost-user-gpu-8.2.7-150600.3.20.1
* qemu-block-dmg-8.2.7-150600.3.20.1
* qemu-hw-s390x-virtio-gpu-ccw-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-curses-debuginfo-8.2.7-150600.3.20.1
* qemu-s390x-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-qxl-debuginfo-8.2.7-150600.3.20.1
* qemu-linux-user-debugsource-8.2.7-150600.3.20.1
* qemu-audio-oss-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-vga-8.2.7-150600.3.20.1
* qemu-block-gluster-debuginfo-8.2.7-150600.3.20.1
* qemu-img-debuginfo-8.2.7-150600.3.20.1
* qemu-s390x-8.2.7-150600.3.20.1
* qemu-audio-pa-8.2.7-150600.3.20.1
* qemu-audio-alsa-8.2.7-150600.3.20.1
* qemu-audio-spice-8.2.7-150600.3.20.1
* qemu-tools-8.2.7-150600.3.20.1
* qemu-arm-8.2.7-150600.3.20.1
* qemu-hw-usb-host-debuginfo-8.2.7-150600.3.20.1
* qemu-accel-qtest-8.2.7-150600.3.20.1
* qemu-pr-helper-debuginfo-8.2.7-150600.3.20.1
* qemu-debuginfo-8.2.7-150600.3.20.1
* qemu-linux-user-debuginfo-8.2.7-150600.3.20.1
* qemu-lang-8.2.7-150600.3.20.1
* qemu-spice-8.2.7-150600.3.20.1
* qemu-guest-agent-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-dbus-debuginfo-8.2.7-150600.3.20.1
* openSUSE Leap 15.6 (noarch)
* qemu-ipxe-8.2.7-150600.3.20.1
* qemu-doc-8.2.7-150600.3.20.1
* qemu-SLOF-8.2.7-150600.3.20.1
* qemu-seabios-8.2.71.16.3_3_ga95067eb-150600.3.20.1
* qemu-skiboot-8.2.7-150600.3.20.1
* qemu-microvm-8.2.7-150600.3.20.1
* qemu-vgabios-8.2.71.16.3_3_ga95067eb-150600.3.20.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* qemu-block-rbd-8.2.7-150600.3.20.1
* qemu-block-rbd-debuginfo-8.2.7-150600.3.20.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* qemu-tools-8.2.7-150600.3.20.1
* qemu-pr-helper-8.2.7-150600.3.20.1
* qemu-tools-debuginfo-8.2.7-150600.3.20.1
* qemu-img-debuginfo-8.2.7-150600.3.20.1
* qemu-pr-helper-debuginfo-8.2.7-150600.3.20.1
* qemu-debuginfo-8.2.7-150600.3.20.1
* qemu-debugsource-8.2.7-150600.3.20.1
* qemu-img-8.2.7-150600.3.20.1
* SUSE Package Hub 15 15-SP6 (noarch)
* qemu-SLOF-8.2.7-150600.3.20.1
* qemu-seabios-8.2.71.16.3_3_ga95067eb-150600.3.20.1
* qemu-skiboot-8.2.7-150600.3.20.1
* qemu-microvm-8.2.7-150600.3.20.1
* qemu-vgabios-8.2.71.16.3_3_ga95067eb-150600.3.20.1
* SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
* qemu-ui-spice-app-debuginfo-8.2.7-150600.3.20.1
* qemu-accel-tcg-x86-8.2.7-150600.3.20.1
* qemu-audio-pa-debuginfo-8.2.7-150600.3.20.1
* qemu-s390x-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-qxl-8.2.7-150600.3.20.1
* qemu-hw-usb-smartcard-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-opengl-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-spice-core-debuginfo-8.2.7-150600.3.20.1
* qemu-block-gluster-8.2.7-150600.3.20.1
* qemu-extra-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-debuginfo-8.2.7-150600.3.20.1
* qemu-extra-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-qxl-debuginfo-8.2.7-150600.3.20.1
* qemu-block-dmg-debuginfo-8.2.7-150600.3.20.1
* qemu-chardev-spice-8.2.7-150600.3.20.1
* qemu-chardev-spice-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-oss-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-s390x-virtio-gpu-ccw-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-vga-debuginfo-8.2.7-150600.3.20.1
* qemu-linux-user-debugsource-8.2.7-150600.3.20.1
* qemu-audio-oss-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-vga-8.2.7-150600.3.20.1
* qemu-block-gluster-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-opengl-8.2.7-150600.3.20.1
* qemu-s390x-8.2.7-150600.3.20.1
* qemu-audio-pa-8.2.7-150600.3.20.1
* qemu-audio-alsa-8.2.7-150600.3.20.1
* qemu-arm-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-pci-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-usb-redirect-debuginfo-8.2.7-150600.3.20.1
* qemu-accel-tcg-x86-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-spice-app-8.2.7-150600.3.20.1
* qemu-audio-alsa-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-pci-8.2.7-150600.3.20.1
* qemu-audio-spice-8.2.7-150600.3.20.1
* qemu-x86-8.2.7-150600.3.20.1
* qemu-arm-8.2.7-150600.3.20.1
* qemu-accel-qtest-8.2.7-150600.3.20.1
* qemu-ivshmem-tools-8.2.7-150600.3.20.1
* qemu-vhost-user-gpu-debuginfo-8.2.7-150600.3.20.1
* qemu-ppc-8.2.7-150600.3.20.1
* qemu-block-nfs-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-spice-debuginfo-8.2.7-150600.3.20.1
* qemu-debuginfo-8.2.7-150600.3.20.1
* qemu-ivshmem-tools-debuginfo-8.2.7-150600.3.20.1
* qemu-linux-user-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-gtk-8.2.7-150600.3.20.1
* qemu-hw-usb-smartcard-8.2.7-150600.3.20.1
* qemu-accel-qtest-debuginfo-8.2.7-150600.3.20.1
* qemu-debugsource-8.2.7-150600.3.20.1
* qemu-block-nfs-8.2.7-150600.3.20.1
* qemu-x86-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-8.2.7-150600.3.20.1
* qemu-ppc-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-usb-redirect-8.2.7-150600.3.20.1
* qemu-linux-user-8.2.7-150600.3.20.1
* qemu-audio-jack-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-spice-core-8.2.7-150600.3.20.1
* qemu-ui-gtk-debuginfo-8.2.7-150600.3.20.1
* qemu-vhost-user-gpu-8.2.7-150600.3.20.1
* qemu-block-dmg-8.2.7-150600.3.20.1
* qemu-audio-jack-8.2.7-150600.3.20.1
* qemu-hw-s390x-virtio-gpu-ccw-debuginfo-8.2.7-150600.3.20.1
* Server Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* qemu-ui-curses-debuginfo-8.2.7-150600.3.20.1
* qemu-block-ssh-8.2.7-150600.3.20.1
* qemu-hw-display-qxl-8.2.7-150600.3.20.1
* qemu-ui-spice-core-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-dbus-8.2.7-150600.3.20.1
* qemu-ui-opengl-debuginfo-8.2.7-150600.3.20.1
* qemu-8.2.7-150600.3.20.1
* qemu-ui-curses-8.2.7-150600.3.20.1
* qemu-hw-display-qxl-debuginfo-8.2.7-150600.3.20.1
* qemu-chardev-baum-8.2.7-150600.3.20.1
* qemu-chardev-spice-8.2.7-150600.3.20.1
* qemu-block-curl-8.2.7-150600.3.20.1
* qemu-chardev-spice-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-dbus-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-vga-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-vga-8.2.7-150600.3.20.1
* qemu-ui-opengl-8.2.7-150600.3.20.1
* qemu-hw-usb-host-8.2.7-150600.3.20.1
* qemu-ui-dbus-debuginfo-8.2.7-150600.3.20.1
* qemu-guest-agent-8.2.7-150600.3.20.1
* qemu-hw-usb-redirect-debuginfo-8.2.7-150600.3.20.1
* qemu-headless-8.2.7-150600.3.20.1
* qemu-audio-spice-8.2.7-150600.3.20.1
* qemu-hw-usb-host-debuginfo-8.2.7-150600.3.20.1
* qemu-block-rbd-8.2.7-150600.3.20.1
* qemu-audio-pipewire-debuginfo-8.2.7-150600.3.20.1
* qemu-block-iscsi-8.2.7-150600.3.20.1
* qemu-audio-pipewire-8.2.7-150600.3.20.1
* qemu-block-ssh-debuginfo-8.2.7-150600.3.20.1
* qemu-block-nfs-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-spice-debuginfo-8.2.7-150600.3.20.1
* qemu-debuginfo-8.2.7-150600.3.20.1
* qemu-ksm-8.2.7-150600.3.20.1
* qemu-block-iscsi-debuginfo-8.2.7-150600.3.20.1
* qemu-block-curl-debuginfo-8.2.7-150600.3.20.1
* qemu-chardev-baum-debuginfo-8.2.7-150600.3.20.1
* qemu-block-rbd-debuginfo-8.2.7-150600.3.20.1
* qemu-debugsource-8.2.7-150600.3.20.1
* qemu-block-nfs-8.2.7-150600.3.20.1
* qemu-lang-8.2.7-150600.3.20.1
* qemu-spice-8.2.7-150600.3.20.1
* qemu-guest-agent-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-usb-redirect-8.2.7-150600.3.20.1
* qemu-ui-spice-core-8.2.7-150600.3.20.1
* qemu-audio-dbus-debuginfo-8.2.7-150600.3.20.1
* Server Applications Module 15-SP6 (aarch64)
* qemu-arm-debuginfo-8.2.7-150600.3.20.1
* qemu-arm-8.2.7-150600.3.20.1
* Server Applications Module 15-SP6 (noarch)
* qemu-ipxe-8.2.7-150600.3.20.1
* qemu-seabios-8.2.71.16.3_3_ga95067eb-150600.3.20.1
* qemu-SLOF-8.2.7-150600.3.20.1
* qemu-skiboot-8.2.7-150600.3.20.1
* qemu-vgabios-8.2.71.16.3_3_ga95067eb-150600.3.20.1
* Server Applications Module 15-SP6 (aarch64 ppc64le x86_64)
* qemu-ui-spice-app-8.2.7-150600.3.20.1
* qemu-ui-gtk-8.2.7-150600.3.20.1
* qemu-ui-gtk-debuginfo-8.2.7-150600.3.20.1
* qemu-ui-spice-app-debuginfo-8.2.7-150600.3.20.1
* Server Applications Module 15-SP6 (ppc64le)
* qemu-ppc-debuginfo-8.2.7-150600.3.20.1
* qemu-ppc-8.2.7-150600.3.20.1
* Server Applications Module 15-SP6 (s390x x86_64)
* qemu-hw-display-virtio-gpu-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-pci-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-pci-8.2.7-150600.3.20.1
* qemu-hw-display-virtio-gpu-debuginfo-8.2.7-150600.3.20.1
* Server Applications Module 15-SP6 (s390x)
* qemu-hw-s390x-virtio-gpu-ccw-8.2.7-150600.3.20.1
* qemu-s390x-8.2.7-150600.3.20.1
* qemu-s390x-debuginfo-8.2.7-150600.3.20.1
* qemu-hw-s390x-virtio-gpu-ccw-debuginfo-8.2.7-150600.3.20.1
* Server Applications Module 15-SP6 (x86_64)
* qemu-accel-tcg-x86-debuginfo-8.2.7-150600.3.20.1
* qemu-accel-tcg-x86-8.2.7-150600.3.20.1
* qemu-audio-pa-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-alsa-debuginfo-8.2.7-150600.3.20.1
* qemu-x86-debuginfo-8.2.7-150600.3.20.1
* qemu-audio-pa-8.2.7-150600.3.20.1
* qemu-audio-alsa-8.2.7-150600.3.20.1
* qemu-x86-8.2.7-150600.3.20.1

## References:

* https://www.suse.com/security/cve/CVE-2024-4693.html
* https://www.suse.com/security/cve/CVE-2024-7409.html
* https://www.suse.com/security/cve/CVE-2024-8354.html
* https://www.suse.com/security/cve/CVE-2024-8612.html
* https://bugzilla.suse.com/show_bug.cgi?id=1224132
* https://bugzilla.suse.com/show_bug.cgi?id=1229007
* https://bugzilla.suse.com/show_bug.cgi?id=1229929
* https://bugzilla.suse.com/show_bug.cgi?id=1230140
* https://bugzilla.suse.com/show_bug.cgi?id=1230834
* https://bugzilla.suse.com/show_bug.cgi?id=1230915
* https://bugzilla.suse.com/show_bug.cgi?id=1231519



openSUSE-SU-2024:0381-1: important: Security update for seamonkey


openSUSE Security Update: Security update for seamonkey
_______________________________

Announcement ID: openSUSE-SU-2024:0381-1
Rating: important
References: #1230257
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that contains security fixes can now be installed.

Description:

This update for seamonkey fixes the following issues:

Update to SeaMonkey 2.53.19:

* Cancel button in SeaMonkey bookmarking star ui not working bug 1872623.
* Remove OfflineAppCacheHelper.jsm copy from SeaMonkey and use the
one in toolkit bug 1896292.
* Remove obsolete registerFactoryLocation calls from cZ bug 1870930.
* Remove needless implements='nsIDOMEventListener' and QI bug 1611010.
* Replace use of nsIStandardURL::Init bug 1864355.
* Switch SeaMonkey website from hg.mozilla.org to heptapod. bug 1870934.
* Allow view-image to open a data: URI by setting a flag on the loadinfo
bug 1877001.
* Save-link-as feature should use the loading principal and context menu
using nsIContentPolicy.TYPE_SAVE_AS_DOWNLOAD bug 1879726.
* Use punycode in SeaMonkey JS bug 1864287.
* Font lists in preferences are no longer grouped by font type, port
asynchronous handling like Bug 1399206 bug 1437393.
* SeaMonkey broken tab after undo closed tab with invalid protocol bug
1885748.
* SeaMonkey session restore is missing the checkboxes in the Classic
theme bug 1896174.
* Implement about:credits on seamonkey-project.org website bug 1898467.
* Fix for the 0.0.0.0 day vulnerability oligo summary.
* Link in update notification does not open Browser bug 1888364.
* Update ReadExtensionPrefs in Preferences.cpp bug 1890196.
* Add about:seamonkey page to SeaMonkey bug 1897801.
* SeaMonkey 2.53.19 uses the same backend as Firefox and contains the
relevant Firefox 60.8 security fixes.
* SeaMonkey 2.53.19 shares most parts of the mail and news code with
Thunderbird. Please read the Thunderbird 60.8.0 release notes for
specific security fixes in this release.
* Additional important security fixes up to Current Firefox 115.14 and
Thunderbird 115.14 ESR plus many enhancements have been backported. We
will continue to enhance SeaMonkey security in subsequent 2.53.x beta
and release versions as fast as we are able to.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-381=1

Package List:

- openSUSE Backports SLE-15-SP5 (i586 x86_64):

seamonkey-2.53.19-bp155.2.23.1
seamonkey-debuginfo-2.53.19-bp155.2.23.1
seamonkey-debugsource-2.53.19-bp155.2.23.1
seamonkey-dom-inspector-2.53.19-bp155.2.23.1
seamonkey-irc-2.53.19-bp155.2.23.1

References:

https://bugzilla.suse.com/1230257



openSUSE-SU-2024:0382-1: important: Security update for cobbler


openSUSE Security Update: Security update for cobbler
_______________________________

Announcement ID: openSUSE-SU-2024:0382-1
Rating: important
References: #1203478 #1204900 #1205489 #1205749 #1206060
#1206160 #1206520 #1207595 #1209149 #1219933
#1231332
Cross-References: CVE-2024-47533
CVSS scores:
CVE-2024-47533 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that solves one vulnerability and has 10 fixes is
now available.

Description:

This update for cobbler fixes the following issues:

Update to 3.3.7:

* Security: Fix issue that allowed anyone to connect to the API as admin
(CVE-2024-47533, boo#1231332)

* bind - Fix bug that prevents cname entries from being generated
successfully
* Fix build on RHEL9 based distributions (fence-agents-all split)
* Fix for Windows systems
* Docs: Add missing dependencies for source installation
* Fix issue that prevented systems from being synced when the profile
was edited

Update to 3.3.6:

* Upstream all openSUSE specific patches that were maintained in Git
* Fix rename of items that had uppercase letters
* Skip inconsistent collections instead of crashing the daemon

- Update to 3.3.5:
* Added collection indicies for UUID's, MAC's, IP addresses and
hostnames boo#1219933
* Re-added to_dict() caching
* Added lazy loading for the daemon (off by default)

- Update to 3.3.4:

* Added cobbler-tests-containers subpackage
* Updated the distro_signatures.json database
* The default name for grub2-efi changed to grubx64.efi to match the
DHCP template

- Do generate boot menus even if no profiles or systems - only local boot
- Avoid crashing running buildiso in certain conditions.
- Fix settings migration schema to work while upgrading on existing
running Uyuni and SUSE Manager servers running with old Cobbler settings
(boo#1203478)
- Consider case of "next_server" being a hostname during migration
of Cobbler collections.
- Fix problem with "proxy_url_ext" setting being None type.
- Update v2 to v3 migration script to allow migration of collections that
contains settings from Cobbler 2. (boo#1203478)
- Fix problem for the migration of "autoinstall" collection attribute.
- Fix failing Cobbler tests after upgrading to 3.3.3.
- Fix regression: allow empty string as interface_type value (boo#1203478)
- Avoid possible override of existing values during migration
of collections to 3.0.0 (boo#1206160)
- Add missing code for previous patch file around boot_loaders migration.
- Improve Cobbler performance with item cache and threadpool (boo#1205489)
- Skip collections that are inconsistent instead of crashing (boo#1205749)
- Items: Fix creation of "default" NetworkInterface (boo#1206520)
- S390X systems require their kernel options to have a linebreak at 79
characters (boo#1207595)
- settings-migration-v1-to-v2.sh will now handle paths with whitespace
correct
- Fix renaming Cobbler items (boo#1204900, boo#1209149)
- Fix cobbler buildiso so that the artifact can be booted by EFI firmware.
(boo#1206060)
- Add input_string_*, input_boolean, input_int functiont to public API

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-382=1

Package List:

- openSUSE Backports SLE-15-SP5 (noarch):

cobbler-3.3.7-bp155.2.3.2
cobbler-tests-3.3.7-bp155.2.3.2
cobbler-tests-containers-3.3.7-bp155.2.3.2

References:

https://www.suse.com/security/cve/CVE-2024-47533.html
https://bugzilla.suse.com/1203478
https://bugzilla.suse.com/1204900
https://bugzilla.suse.com/1205489
https://bugzilla.suse.com/1205749
https://bugzilla.suse.com/1206060
https://bugzilla.suse.com/1206160
https://bugzilla.suse.com/1206520
https://bugzilla.suse.com/1207595
https://bugzilla.suse.com/1209149
https://bugzilla.suse.com/1219933
https://bugzilla.suse.com/1231332



SUSE-SU-2024:4109-1: moderate: Security update for libuv


# Security update for libuv

Announcement ID: SUSE-SU-2024:4109-1
Release Date: 2024-11-28T16:15:50Z
Rating: moderate
References:

* bsc#1219724

Cross-References:

* CVE-2024-24806

CVSS scores:

* CVE-2024-24806 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
* CVE-2024-24806 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products:

* Basesystem Module 15-SP5
* Basesystem Module 15-SP6
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for libuv fixes the following issues:

* CVE-2024-24806: Fixed improper Domain Lookup that potentially leads to SSRF
attacks (bsc#1219724)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
zypper in -t patch SUSE-2024-4109=1 openSUSE-SLE-15.5-2024-4109=1

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-4109=1

* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2024-4109=1

* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-4109=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4109=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
* libuv1-debuginfo-1.44.2-150500.3.5.1
* libuv1-1.44.2-150500.3.5.1
* libuv-debugsource-1.44.2-150500.3.5.1
* libuv-devel-1.44.2-150500.3.5.1
* openSUSE Leap 15.5 (x86_64)
* libuv1-32bit-1.44.2-150500.3.5.1
* libuv1-32bit-debuginfo-1.44.2-150500.3.5.1
* openSUSE Leap 15.5 (aarch64_ilp32)
* libuv1-64bit-debuginfo-1.44.2-150500.3.5.1
* libuv1-64bit-1.44.2-150500.3.5.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* libuv1-debuginfo-1.44.2-150500.3.5.1
* libuv1-1.44.2-150500.3.5.1
* libuv-debugsource-1.44.2-150500.3.5.1
* libuv-devel-1.44.2-150500.3.5.1
* openSUSE Leap 15.6 (x86_64)
* libuv1-32bit-1.44.2-150500.3.5.1
* libuv1-32bit-debuginfo-1.44.2-150500.3.5.1
* SUSE Linux Enterprise Micro 5.5 (aarch64)
* libuv-debugsource-1.44.2-150500.3.5.1
* libuv-devel-1.44.2-150500.3.5.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
* libuv1-debuginfo-1.44.2-150500.3.5.1
* libuv1-1.44.2-150500.3.5.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* libuv1-debuginfo-1.44.2-150500.3.5.1
* libuv1-1.44.2-150500.3.5.1
* libuv-debugsource-1.44.2-150500.3.5.1
* libuv-devel-1.44.2-150500.3.5.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* libuv1-debuginfo-1.44.2-150500.3.5.1
* libuv1-1.44.2-150500.3.5.1
* libuv-debugsource-1.44.2-150500.3.5.1
* libuv-devel-1.44.2-150500.3.5.1

## References:

* https://www.suse.com/security/cve/CVE-2024-24806.html
* https://bugzilla.suse.com/show_bug.cgi?id=1219724



openSUSE-SU-2024:14531-1: moderate: libjxl-devel-0.11.1-1.1 on GA media


# libjxl-devel-0.11.1-1.1 on GA media

Announcement ID: openSUSE-SU-2024:14531-1
Rating: moderate

Cross-References:

* CVE-2024-11403
* CVE-2024-11498

CVSS scores:

* CVE-2024-11403 ( SUSE ): 6.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
* CVE-2024-11498 ( SUSE ): 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the libjxl-devel-0.11.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* libjxl-devel 0.11.1-1.1
* libjxl-tools 0.11.1-1.1
* libjxl0_11 0.11.1-1.1
* libjxl0_11-32bit 0.11.1-1.1
* libjxl0_11-x86-64-v3 0.11.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2024-11403.html
* https://www.suse.com/security/cve/CVE-2024-11498.html



SUSE-SU-2024:4099-1: important: Security update for postgresql12


# Security update for postgresql12

Announcement ID: SUSE-SU-2024:4099-1
Release Date: 2024-11-28T12:25:29Z
Rating: important
References:

* bsc#1233323
* bsc#1233325
* bsc#1233326
* bsc#1233327

Cross-References:

* CVE-2024-10976
* CVE-2024-10977
* CVE-2024-10978
* CVE-2024-10979

CVSS scores:

* CVE-2024-10976 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10976 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10977 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2024-10977 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2024-10978 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10978 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10979 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-10979 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves four vulnerabilities can now be installed.

## Description:

This update for postgresql12 fixes the following issues:

* CVE-2024-10976: Ensure cached plans are marked as dependent on the calling
role when RLS applies to a non-top-level table reference (bsc#1233323).
* CVE-2024-10977: Make libpq discard error messages received during SSL or GSS
protocol negotiation (bsc#1233325).
* CVE-2024-10978: Fix unintended interactions between SET SESSION
AUTHORIZATION and SET ROLE (bsc#1233326).
* CVE-2024-10979: Prevent trusted PL/Perl code from changing environment
variables (bsc#1233327).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4099=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4099=1

* SUSE Linux Enterprise Server 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4099=1

* SUSE Linux Enterprise Server 15 SP3 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4099=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4099=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4099=1

* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2024-4099=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-4099=1

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-4099=1

## Package List:

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS (aarch64
x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64
x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* SUSE Linux Enterprise Server 15 SP2 LTSS (aarch64 ppc64le s390x x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* SUSE Linux Enterprise Server 15 SP2 LTSS (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (aarch64 ppc64le s390x x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* SUSE Enterprise Storage 7.1 (aarch64 x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* SUSE Enterprise Storage 7.1 (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-llvmjit-debuginfo-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-llvmjit-devel-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-llvmjit-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-test-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* openSUSE Leap 15.5 (noarch)
* postgresql12-docs-12.22-150200.8.66.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* postgresql12-plpython-12.22-150200.8.66.1
* postgresql12-pltcl-debuginfo-12.22-150200.8.66.1
* postgresql12-server-devel-12.22-150200.8.66.1
* postgresql12-server-debuginfo-12.22-150200.8.66.1
* postgresql12-debuginfo-12.22-150200.8.66.1
* postgresql12-devel-12.22-150200.8.66.1
* postgresql12-plperl-debuginfo-12.22-150200.8.66.1
* postgresql12-server-12.22-150200.8.66.1
* postgresql12-llvmjit-debuginfo-12.22-150200.8.66.1
* postgresql12-contrib-debuginfo-12.22-150200.8.66.1
* postgresql12-pltcl-12.22-150200.8.66.1
* postgresql12-contrib-12.22-150200.8.66.1
* postgresql12-llvmjit-devel-12.22-150200.8.66.1
* postgresql12-plpython-debuginfo-12.22-150200.8.66.1
* postgresql12-12.22-150200.8.66.1
* postgresql12-plperl-12.22-150200.8.66.1
* postgresql12-llvmjit-12.22-150200.8.66.1
* postgresql12-devel-debuginfo-12.22-150200.8.66.1
* postgresql12-debugsource-12.22-150200.8.66.1
* postgresql12-test-12.22-150200.8.66.1
* postgresql12-server-devel-debuginfo-12.22-150200.8.66.1
* openSUSE Leap 15.6 (noarch)
* postgresql12-docs-12.22-150200.8.66.1

## References:

* https://www.suse.com/security/cve/CVE-2024-10976.html
* https://www.suse.com/security/cve/CVE-2024-10977.html
* https://www.suse.com/security/cve/CVE-2024-10978.html
* https://www.suse.com/security/cve/CVE-2024-10979.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233323
* https://bugzilla.suse.com/show_bug.cgi?id=1233325
* https://bugzilla.suse.com/show_bug.cgi?id=1233326
* https://bugzilla.suse.com/show_bug.cgi?id=1233327



SUSE-SU-2024:4098-1: important: Security update for postgresql15


# Security update for postgresql15

Announcement ID: SUSE-SU-2024:4098-1
Release Date: 2024-11-28T12:24:37Z
Rating: important
References:

* bsc#1233323
* bsc#1233325
* bsc#1233326
* bsc#1233327

Cross-References:

* CVE-2024-10976
* CVE-2024-10977
* CVE-2024-10978
* CVE-2024-10979

CVSS scores:

* CVE-2024-10976 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10976 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10977 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2024-10977 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2024-10978 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10978 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-10979 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-10979 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* Legacy Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves four vulnerabilities can now be installed.

## Description:

This update for postgresql15 fixes the following issues:

* CVE-2024-10976: Ensure cached plans are marked as dependent on the calling
role when RLS applies to a non-top-level table reference (bsc#1233323).
* CVE-2024-10977: Make libpq discard error messages received during SSL or GSS
protocol negotiation (bsc#1233325).
* CVE-2024-10978: Fix unintended interactions between SET SESSION
AUTHORIZATION and SET ROLE (bsc#1233326).
* CVE-2024-10979: Prevent trusted PL/Perl code from changing environment
variables (bsc#1233327).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4098=1 openSUSE-SLE-15.6-2024-4098=1

* Legacy Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Legacy-15-SP6-2024-4098=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* postgresql15-debuginfo-15.10-150600.16.9.1
* postgresql15-llvmjit-debuginfo-15.10-150600.16.9.1
* postgresql15-plpython-debuginfo-15.10-150600.16.9.1
* postgresql15-plperl-15.10-150600.16.9.1
* postgresql15-server-devel-15.10-150600.16.9.1
* postgresql15-15.10-150600.16.9.1
* postgresql15-contrib-debuginfo-15.10-150600.16.9.1
* postgresql15-devel-15.10-150600.16.9.1
* postgresql15-llvmjit-15.10-150600.16.9.1
* postgresql15-plperl-debuginfo-15.10-150600.16.9.1
* postgresql15-server-devel-debuginfo-15.10-150600.16.9.1
* postgresql15-contrib-15.10-150600.16.9.1
* postgresql15-pltcl-debuginfo-15.10-150600.16.9.1
* postgresql15-plpython-15.10-150600.16.9.1
* postgresql15-server-15.10-150600.16.9.1
* postgresql15-debugsource-15.10-150600.16.9.1
* postgresql15-pltcl-15.10-150600.16.9.1
* postgresql15-llvmjit-devel-15.10-150600.16.9.1
* postgresql15-test-15.10-150600.16.9.1
* postgresql15-devel-debuginfo-15.10-150600.16.9.1
* postgresql15-server-debuginfo-15.10-150600.16.9.1
* openSUSE Leap 15.6 (noarch)
* postgresql15-docs-15.10-150600.16.9.1
* Legacy Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* postgresql15-debuginfo-15.10-150600.16.9.1
* postgresql15-plperl-debuginfo-15.10-150600.16.9.1
* postgresql15-server-devel-15.10-150600.16.9.1
* postgresql15-devel-15.10-150600.16.9.1
* postgresql15-devel-debuginfo-15.10-150600.16.9.1
* postgresql15-server-devel-debuginfo-15.10-150600.16.9.1
* postgresql15-contrib-15.10-150600.16.9.1
* postgresql15-plperl-15.10-150600.16.9.1
* postgresql15-server-debuginfo-15.10-150600.16.9.1
* postgresql15-15.10-150600.16.9.1
* postgresql15-plpython-debuginfo-15.10-150600.16.9.1
* postgresql15-pltcl-debuginfo-15.10-150600.16.9.1
* postgresql15-plpython-15.10-150600.16.9.1
* postgresql15-server-15.10-150600.16.9.1
* postgresql15-contrib-debuginfo-15.10-150600.16.9.1
* postgresql15-debugsource-15.10-150600.16.9.1
* postgresql15-pltcl-15.10-150600.16.9.1
* Legacy Module 15-SP6 (noarch)
* postgresql15-docs-15.10-150600.16.9.1

## References:

* https://www.suse.com/security/cve/CVE-2024-10976.html
* https://www.suse.com/security/cve/CVE-2024-10977.html
* https://www.suse.com/security/cve/CVE-2024-10978.html
* https://www.suse.com/security/cve/CVE-2024-10979.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233323
* https://bugzilla.suse.com/show_bug.cgi?id=1233325
* https://bugzilla.suse.com/show_bug.cgi?id=1233326
* https://bugzilla.suse.com/show_bug.cgi?id=1233327



SUSE-SU-2024:4105-1: critical: Security update for tomcat10


# Security update for tomcat10

Announcement ID: SUSE-SU-2024:4105-1
Release Date: 2024-11-28T15:09:20Z
Rating: critical
References:

* bsc#1233434

Cross-References:

* CVE-2024-52316

CVSS scores:

* CVE-2024-52316 ( SUSE ): 10.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2024-52316 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-52316 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* Web and Scripting Module 15-SP5
* Web and Scripting Module 15-SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for tomcat10 fixes the following issues:

* Update to Tomcat 10.1.33
* Fixed CVEs:
* CVE-2024-52316: If the Jakarta Authentication fails with an exception, set a 500 status (bsc#1233434)
* Catalina
* Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
* Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt)
* Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo)
* Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo)
* Update: Improve HTML output of DefaultServlet. (michaelo)
* Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage is less code to process init-param values. (markt)
* Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo)
* Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
* Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm)
* Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
* Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
* Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
* Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm)
* Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
* Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm)
* Fix: WebDAV DELETE should remove any existing lock on successfully deleted resources. (remm)
* Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead, a lock on a non-existing resource will create an empty file locked with a regular lock. (remm)
* Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm)
* Update: Implement WebDAV If header using code from the Apache Jackrabbit project. (remm)
* Add: Add PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the propertyStore init parameter of the WebDAV servlet by specifying the class name of the store. A simple non-persistent implementation is used if no custom store is configured. (remm)
* Update: Implement WebDAV PROPPATCH method using the newly added PropertyStore, and update PROPFIND to support it. (remm)
* Fix: Cache not found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager, which in some circumstances will search for the same class repeatedly. The size of the cache can be controlled via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
* Fix: Stop after INITIALIZED state should be a noop since it is possible for subcomponents to be in FAILED after init. (remm)
* Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt)
* Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt)
* Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove secret init parameter. (remm)
* Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some as set as if it does not. This resulted in inconsistent metadata. (markt)
* Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also, skip requests where the application has set Cache-Control: no-store. (markt)
* Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt)
* Add: All applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz)
* Fix: Ensure that ServerAuthModule.initialize() is called when a Jakarta Authentication module is configured via registerServerAuthModule(). (markt)
* Fix: Ensure that the Jakarta Authentication CallbackHandler only creates one GenericPrincipal in the Subject. (markt)
* Fix: If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt)
* Fix: When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt)
* Fix: Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt)
* Fix: When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallback with null if the CallerPrincipalCallback does not provide a Principal. (markt)
* Fix: Avoid store config backup loss when storing one configuration more than once per second. (remm)
* Fix: 69359: WebdavServlet duplicates getRelativePath() method from super class with incorrect Javadoc. (michaelo)
* Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and DefaultServlet. (michaelo)
* Fix: Make WebdavServlet properly return the Allow header when deletion of a resource is not allowed. (michaelo)
* Fix: Add log warning if non-wildcard mappings are used with the WebdavServlet. (remm)
* Fix: 69361: Ensure that the order of entries in a multi-status response to a WebDAV is consistent with the order in which resources were processed. (markt)
* Fix: 69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt)
* Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt)
* Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing was likely to be broken for all clients once any client sent an HTTP/2 reset frame. (markt)
* Fix: Improve performance of ApplicationHttpRequest.parseParameters(). Based on sample code and test cases provided by John Engebretson. (markt)
* Fix: Correct regressions in the refactoring that added recycling of the coyote request and response to the HTTP/2 processing. (markt)
* Add: Add support for RFC 8297 (Early Hints). Applications can use this feature by casting the HttpServletResponse to org.apache.catalina.connector. Response and then calling the method void sendEarlyHints(). This method will be added to the Servlet API (removing the need for the cast) in Servlet 6.2 onwards. (markt)
* Fix: 69214: Do not reject a CORS request that uses POST but does not include a content-type header. Tomcat now correctly processes this as a simple CORS request. Based on a patch suggested by thebluemountain. (markt)
* Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than Subject.doAs() when available. (markt)
* Fix: Allow JAASRealm to use the configuration source to load a configured configFile, for easier use with testing. (remm)
* Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
* Fix: Add the OpenSSL version number on the APR and OpenSSL status classes. (remm)
* Fix: 69131: Expand the implementation of the filter value of the Authenticator attribute allowCorsPreflight, so that it applies to all requests that match the configured URL patterns for the CORS filter, rather than only applying if the CORS filter is mapped to /*. (markt)
* Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL if available. (remm)
* Coyote
* Fix: Return null SSL session id on zero-length byte array returned from the SSL implementation. (remm)
* Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
* Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced in a previous refactoring to improve HTTP/2 performance. (remm)
* Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm)
* Fix: 69379: The default HEAD response no longer includes the payload HTTP header fields as per section 9.3.2 of RFC 9110. (markt)
* Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to generate Date headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have been wrong by one second in some cases. Pull request #751 provided by Chenjp. (markt)
* Fix: Request start time may not have been accurately recorded for HTTP/1.1 requests preceded by a large number of blank lines. (markt)
* Add: Add server and serverRemoveAppProvidedValues to the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt)
* Fix: Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm)
* Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be received before the headers of the subsequent stream, nor are trailer fields for an in-progress stream swallowed if the Connector is paused before the trailer fields are received. (markt)
* Fix: Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream-level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt)
* Fix: Correct a regression in the fix for non-blocking reads of chunked request bodies that caused InputStream.available() to return a non-zero value when there was no data to read. In some circumstances this could cause a blocking read to block waiting for more data rather than return the data it had already received. (markt)
* Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. The default behaviour is unchanged. (markt)
* Fix: Ensure that Tomcat sends a TLS close_notify message after receiving one from the client when using the OpenSSLImplementation. (markt)
* Fix: 69301: Fix trailer headers replacing non-trailer headers when writing response headers to the access log. Based on a patch and test case provided by hypnoce. (markt)
* Fix: 69302: If an HTTP/2 client resets a stream before the request body is fully written, ensure that any ReadListener is notified via a call to ReadListener.onError(). (markt)
* Fix: Ensure that HTTP/2 stream input buffers are only created when there is a request body to be read. (markt)
* Code: Refactor creation of HttpParser instances from the Processor level to the Protocol level since the parser configuration depends on the protocol and the parser is, otherwise, stateless. (markt)
* Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request and response processing objects by default. This behaviour can be controlled via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol. (markt)
* Fix: Clean and log OpenSSL errors before processing of OpenSSL conf commands in the FFM code. (remm)
* Fix: 69121: Ensure that the onComplete() event is triggered if AsyncListener. onError() dispatches to a target that throws an exception. (markt)
* Fix: Following the trailer header field refactoring, -1 is no longer an allowed value for maxTrailerSize. Adjust documentation accordingly. (remm)
* Update: Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm. jar that advertises Java 22 in its manifest. (remm)
* Fix: Fix search for OpenSSL library for FFM on Mac OS so that java.library.path is searched. (markt)
* Update: Add FFM compatibility methods for LibreSSL support. Renegotiation is not supported at the moment. (remm)
* Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY (set to true to use System.loadLibrary rather than the FFM library loading code) to configure the OpenSSL library loading using FFM. (remm)
* Update: Add FFM compatibility methods for BoringSSL support. Renegotiation is not supported in many cases. (remm)
* Jasper
* Fix: Add back tag release method as deprecated in the runtime for compatibility with old generated code. (remm)
* Fix: 69399: Fix regression caused by improvement 69333, which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm)
* Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments, there is no need to consider casting or coercion, and the method lookup process can be simplified. Based on a pull request by John Engebretson. (markt)
* Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt)
* Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt)
* Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt)
* Fix: 69429: Optimize EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt)
* Fix: Further optimize EL evaluation of method parameters. Patch provided by Paolo B. (markt)
* Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
* Fix: 69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use not empty. (markt)
* Fix: 69348: Reduce memory consumption in ELContext by using lazy initialization for the data structure used to track lambda arguments. (markt)
* Fix: Switch the TldScanner back to logging detailed scan results at debug level rather than trace level. (markt)
* Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of new classes added to the java.lang package in Java 23. (markt)
* Fix: Ensure that an exception in toString() still results in an ELException when an object is coerced to a String using ExpressionFactory.coerceToType(). (markt)
* Add: Add support for specifying Java 24 (with the value 24) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)
* Fix: 69135: When using include directives in a tag file packaged in a JAR file, ensure that context relative includes are processed correctly. (markt)
* Fix: 69135: When using include directives in a tag file packaged in a JAR file, ensure that file relative includes are processed correctly. (markt)
* Fix: 69135: When using include directives in a tag file packaged in a JAR file, ensure that file relative includes are not permitted to access files outside of the /META_INF/tags/ directory nor outside of the JAR file. (markt)
* WebSocket
* Fix: If a blocking message write exceeds the timeout, don't attempt the write again before throwing the exception. (markt)
* Fix: An EncodeException being thrown during a message write should not automatically cause the connection to close. The application should handle the exception and make the decision whether or not to close the connection. (markt)
* Web applications
* Fix: The manager webapp will now be able to access certificates again when OpenSSL is used. (remm)
* Fix: Documentation. Align the logging configuration documentation with the current defaults. (markt)
* Fix: Fix status servlet detailed view of the connectors when using automatic port. (remm)
* jdbc-pool
* Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException rather than the application seeing the original SQLException. Fixed by pull request #744 provided by Michael Clarke. (markt)
* Fix: 69279: Correct a regression in the fix for 69206 that meant that methods that previously returned a null ResultSet were returning a proxy with a null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)
* Fix: 69206: Ensure statements returned from Statement methods executeQuery(), getResultSet() and getGeneratedKeys() are correctly wrapped before being returned to the caller. Based on pull request #742 provided by Michael Clarke. (markt)
* Other
* Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
* Update: Update Byte Buddy to 1.15.10. (markt)
* Update: Update CheckStyle to 10.20.0. (markt)
* Add: Improvements to German translations. (remm)
* Update: Update Byte Buddy to 1.15.3. (markt)
* Update: Update CheckStyle to 10.18.2. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Add: Improvements to Chinese translations by Ch_jp. (markt)
* Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
* Fix: Change the default log handler level to ALL so log messages are not dropped by default if a logger is configured to use trace (FINEST) level logging. (markt)
* Update: Update Hamcrest to 3.0. (markt)
* Update: Update EasyMock to 5.4.0. (markt)
* Update: Update Byte Buddy to 1.15.0. (markt)
* Update: Update CheckStyle to 10.18.0. (markt)
* Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
* Add: Improvements to Spanish translations by Fernando. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Fix: Fix packaging regression with missing osgi information following addition of the test-only build target. (remm)
* Update: Update Tomcat Native to 2.0.8. (markt)
* Update: Update Byte Buddy to 1.14.18. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Update: Add test-only build target to allow running only the testsuite, supporting Java versions down to the minimum supported to run Tomcat. (rjung)
* Update: Update UnboundID to 7.0.1. (markt)
* Update: Update to SpotBugs 4.8.6. (markt)
* Update: Remove cglib dependency as it is not required by the version of EasyMock used by the unit tests. (markt)
* Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy 1.14.17. (markt)
* Add: Improvements to Czech translations by VladimĆ­r Chlup. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Add: Improvements to Chinese translations by fangzheng. (markt)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-4105=1

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-4105=1

* Web and Scripting Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2024-4105=1

* Web and Scripting Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2024-4105=1

## Package List:

* openSUSE Leap 15.5 (noarch)
* tomcat10-docs-webapp-10.1.33-150200.5.28.1
* tomcat10-lib-10.1.33-150200.5.28.1
* tomcat10-jsvc-10.1.33-150200.5.28.1
* tomcat10-jsp-3_1-api-10.1.33-150200.5.28.1
* tomcat10-el-5_0-api-10.1.33-150200.5.28.1
* tomcat10-servlet-6_0-api-10.1.33-150200.5.28.1
* tomcat10-10.1.33-150200.5.28.1
* tomcat10-webapps-10.1.33-150200.5.28.1
* tomcat10-admin-webapps-10.1.33-150200.5.28.1
* tomcat10-embed-10.1.33-150200.5.28.1
* openSUSE Leap 15.6 (noarch)
* tomcat10-docs-webapp-10.1.33-150200.5.28.1
* tomcat10-lib-10.1.33-150200.5.28.1
* tomcat10-doc-10.1.33-150200.5.28.1
* tomcat10-jsvc-10.1.33-150200.5.28.1
* tomcat10-jsp-3_1-api-10.1.33-150200.5.28.1
* tomcat10-el-5_0-api-10.1.33-150200.5.28.1
* tomcat10-servlet-6_0-api-10.1.33-150200.5.28.1
* tomcat10-10.1.33-150200.5.28.1
* tomcat10-webapps-10.1.33-150200.5.28.1
* tomcat10-admin-webapps-10.1.33-150200.5.28.1
* tomcat10-embed-10.1.33-150200.5.28.1
* Web and Scripting Module 15-SP5 (noarch)
* tomcat10-lib-10.1.33-150200.5.28.1
* tomcat10-jsp-3_1-api-10.1.33-150200.5.28.1
* tomcat10-el-5_0-api-10.1.33-150200.5.28.1
* tomcat10-servlet-6_0-api-10.1.33-150200.5.28.1
* tomcat10-10.1.33-150200.5.28.1
* tomcat10-webapps-10.1.33-150200.5.28.1
* tomcat10-admin-webapps-10.1.33-150200.5.28.1
* Web and Scripting Module 15-SP6 (noarch)
* tomcat10-lib-10.1.33-150200.5.28.1
* tomcat10-jsp-3_1-api-10.1.33-150200.5.28.1
* tomcat10-el-5_0-api-10.1.33-150200.5.28.1
* tomcat10-servlet-6_0-api-10.1.33-150200.5.28.1
* tomcat10-10.1.33-150200.5.28.1
* tomcat10-webapps-10.1.33-150200.5.28.1
* tomcat10-admin-webapps-10.1.33-150200.5.28.1

## References:

* https://www.suse.com/security/cve/CVE-2024-52316.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233434



SUSE-SU-2024:4106-1: critical: Security update for tomcat


# Security update for tomcat

Announcement ID: SUSE-SU-2024:4106-1
Release Date: 2024-11-28T15:11:06Z
Rating: critical
References:

* bsc#1233434

Cross-References:

* CVE-2024-52316

CVSS scores:

* CVE-2024-52316 ( SUSE ): 10.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2024-52316 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-52316 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Manager Server 4.3
* Web and Scripting Module 15-SP5
* Web and Scripting Module 15-SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for tomcat fixes the following issues:

* Update to Tomcat 9.0.97
* Fixed CVEs:
* CVE-2024-52316: If the Jakarta Authentication fails with an exception, set a 500 status (bsc#1233434)
* Catalina
* Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
* Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt)
* Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo)
* Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo)
* Update: Improve HTML output of DefaultServlet. (michaelo)
* Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage for doing this is less code to process init-param values. (markt)
* Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo)
* Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
* Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm)
* Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
* Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
* Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
* Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm)
* Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
* Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm)
* Fix: WebDAV Delete should remove any existing lock on successfully deleted resources. (remm)
* Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead, a lock on a non-existing resource will create an empty file locked with a regular lock. (remm)
* Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm)
* Update: Implement WebDAV If header using code from the Apache Jackrabbit project. (remm)
* Add: Add PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the 'propertyStore' init parameter of the WebDAV servlet. A simple non-persistent implementation is used if no custom store is configured. (remm)
* Update: Implement WebDAV PROPPATCH method using the newly added PropertyStore. (remm)
* Fix: Cache not found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager which, in some circumstances, will search for the same class repeatedly. In a large web application this can cause performance problems. The size of the cache can be controlled via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
* Fix: Stop after INITIALIZED state should be a noop since it is possible for subcomponents to be in FAILED after init. (remm)
* Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt)
* Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt)
* Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove secret init parameter. (remm)
* Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some as set as if it does not. This resulted in inconsistent metadata. (markt)
* Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also skip requests where the application has set Cache-Control: no-store. (markt)
* Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt)
* Add: All applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz)
* Fix: Ensure that the Jakarta Authentication CallbackHandler only creates one GenericPrincipal in the Subject. (markt)
* Fix: If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt)
* Fix: When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt)
* Fix: Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt)
* Fix: When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallback with null if the CallerPrincipalCallback does not provide a Principal. (markt)
* Fix: Avoid store config backup loss when storing one configuration more than once per second. (remm)
* Fix: 69359: WebdavServlet duplicates getRelativePath() method from super class with incorrect Javadoc. (michaelo)
* Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and DefaultServlet. (michaelo)
* Fix: Make WebdavServlet properly return the Allow header when deletion of a resource is not allowed. (michaelo)
* Fix: Add log warning if non wildcard mappings are used with the WebdavServlet. (remm)
* Fix: 69361: Ensure that the order of entries in a multi-status response to a WebDAV is consistent with the order in which resources were processed. (markt)
* Fix: 69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt)
* Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt)
* Fix: Improve performance of ApplicationHttpRequest.parseParameters(). Based on sample code and test cases provided by John Engebretson. (markt)
* Add: Add support for RFC 8297 (Early Hints). Applications can use this feature by casting the HttpServletResponse to org.apache.catalina.connector.Reponse and then calling the method void sendEarlyHints(). This method will be added to the Servlet API (removing the need for the cast) in Servlet 6.2 onwards. (markt)
* Fix: 69214: Do not reject a CORS request that uses POST but does not include a content-type header. Tomcat now correctly processes this as a simple CORS request. Based on a patch suggested by thebluemountain. (markt)
* Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than Subject.doAs() when available. (markt)
* Coyote
* Fix: Return null SSL session id on zero length byte array returned from the SSL implementation. (remm)
* Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
* Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced on a previous refactoring to improve HTTP/2 performance. (remm)
* Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm)
* Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to generate Date headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have been wrong by one second in some cases. Pull request #751 provided by Chenjp. (markt)
* Add: Add server and serverRemoveAppProvidedValues to the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt)
* Fix: Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm)
* Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be received before the headers of the subsequent stream nor are trailer fields for an in-progress stream swallowed if the Connector is paused before the trailer fields are received. (markt)
* Fix: Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt)
* Fix: Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing was likely to be broken for all clients once any client sent an HTTP/2 reset frame. (markt)
* Fix: Correct a regression in the fix for non-blocking reads of chunked request bodies that caused InputStream.available() to return a non-zero value when there was no data to read. In some circumstances this could cause a blocking read to block waiting for more data rather than return the data it had already received. (markt)
* Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. The default behaviour is unchanged. (markt)
* Fix: Ensure that Tomcat sends a TLS close_notify message after receiving one from the client when using the OpenSSLImplementation. (markt)
* Fix: 69301: Fix trailer headers replacing non-trailer headers when writing response headers to the access log. Based on a patch and test case provided by hypnoce. (markt)
* Fix: 69302: If an HTTP/2 client resets a stream before the request body is fully written, ensure that any ReadListener is notified via a call to ReadListener.onErrror(). (markt)
* Fix: Correct regressions in the refactoring that added recycling of the coyote request and response to the HTTP/2 processing. (markt)
* Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 or later. (remm)
* Fix: Ensure that HTTP/2 stream input buffers are only created when there is a request body to be read. (markt)
* Code: Refactor creation of HttpParser instances from the Processor level to the Protocol level since the parser configuration depends on the protocol and the parser is, otherwise, stateless. (markt)
* Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request and response processing objects by default. This behaviour can be controlled via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol. (markt)
* Jasper
* Fix: Add back tag release method as deprecated in the runtime for compatibility with old generated code. (remm)
* Fix: 69399: Fix regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm)
* Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments there is no need to consider casting or coercion and the method lookup process can be simplified. Based on pull request #770 by John Engebretson.
* Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt)
* Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt)
* Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt)
* Fix: 69429: Optimise EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt)
* Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
* Fix: 69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use not empty. (markt)
* Fix: 69348: Reduce memory consumption in ELContext by using lazy initialization for the data structure used to track lambda arguments. (markt)
* Fix: Switch the TldScanner back to logging detailed scan results at debug level rather than trace level. (markt)
* Web applications
* Fix: The manager webapp will now be able to access certificates again when OpenSSL is used. (remm)
* Fix: Documentation. Align the logging configuration documentation with the current defaults. (markt)
* WebSocket
* Fix: If a blocking message write exceeds the timeout, don't attempt the write again before throwing the exception. (markt)
* Fix: An EncodeException being thrown during a message write should not automatically cause the connection to close. The application should handle the exception and make the decision whether or not to close the connection. (markt)
* jdbc-pool
* Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException rather than the application seeing the original SQLException. Fixed by pull request #744 provided by Michael Clarke. (markt)
* Fix: 69279: Correct a regression in the fix for 69206 that meant that methods that previously returned a null ResultSet were returning a proxy with a null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)
* Fix: 69206: Ensure statements returned from Statement methods executeQuery(), getResultSet() and getGeneratedKeys() are correctly wrapped before being returned to the caller. Based on pull request #742 provided by Michael Clarke.
* Other
* Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
* Update: Update Byte Buddy to 1.15.10. (markt)
* Update: Update CheckStyle to 10.20.0. (markt)
* Add: Improvements to German translations. (remm)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Add: Improvements to Chinese translations by Ch_jp. (markt)
* Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
* Fix: Change the default log handler level to ALL so log messages are not dropped by default if a logger is configured to use trace (FINEST) level logging. (markt)
* Update: Update Hamcrest to 3.0. (markt)
* Update: Update EasyMock to 5.4.0. (markt)
* Update: Update Byte Buddy to 1.15.0. (markt)
* Update: Update CheckStyle to 10.18.0. (markt)
* Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
* Add: Improvements to Spanish translations by Fernando. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Fix: Fix packaging regression with missing osgi information following addition of the test-only build target. (remm)
* Update: Update Tomcat Native to 1.3.1. (markt)
* Update: Update Byte Buddy to 1.14.18. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* Web and Scripting Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2024-4106=1

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4106=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4106=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4106=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4106=1

* SUSE Linux Enterprise Server 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4106=1

* SUSE Linux Enterprise Server 15 SP3 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4106=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4106=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4106=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4106=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4106=1

* SUSE Manager Server 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-4106=1

* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2024-4106=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-4106=1

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-4106=1

* Web and Scripting Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2024-4106=1

## Package List:

* Web and Scripting Module 15-SP6 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise Server 15 SP2 LTSS (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Manager Server 4.3 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* SUSE Enterprise Storage 7.1 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* openSUSE Leap 15.5 (noarch)
* tomcat-javadoc-9.0.97-150200.71.1
* tomcat-jsvc-9.0.97-150200.71.1
* tomcat-docs-webapp-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-embed-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* openSUSE Leap 15.6 (noarch)
* tomcat-javadoc-9.0.97-150200.71.1
* tomcat-jsvc-9.0.97-150200.71.1
* tomcat-docs-webapp-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-embed-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1
* Web and Scripting Module 15-SP5 (noarch)
* tomcat-webapps-9.0.97-150200.71.1
* tomcat-el-3_0-api-9.0.97-150200.71.1
* tomcat-9.0.97-150200.71.1
* tomcat-servlet-4_0-api-9.0.97-150200.71.1
* tomcat-jsp-2_3-api-9.0.97-150200.71.1
* tomcat-lib-9.0.97-150200.71.1
* tomcat-admin-webapps-9.0.97-150200.71.1

## References:

* https://www.suse.com/security/cve/CVE-2024-52316.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233434



SUSE-SU-2024:4107-1: important: Security update for python-waitress


# Security update for python-waitress

Announcement ID: SUSE-SU-2024:4107-1
Release Date: 2024-11-28T15:13:29Z
Rating: important
References:

* bsc#1232554

Cross-References:

* CVE-2024-49769

CVSS scores:

* CVE-2024-49769 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-49769 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-49769 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-49769 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Basesystem Module 15-SP5
* Basesystem Module 15-SP6
* openSUSE Leap 15.5
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Package Hub 15 15-SP5
* SUSE Package Hub 15 15-SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for python-waitress fixes the following issues:

* CVE-2024-49769: Fixed a denial of service caused by incorrect connection
clean up (bsc#1232554)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2024-4107=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-4107=1

* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-4107=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4107=1

* SUSE Package Hub 15 15-SP5
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-4107=1

* SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4107=1

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4107=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4107=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4107=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4107=1

* SUSE Linux Enterprise Desktop 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4107=1

* SUSE Linux Enterprise Server 15 SP2 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4107=1

* SUSE Linux Enterprise Server 15 SP3 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4107=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4107=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4107=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4107=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4107=1

* SUSE Manager Proxy 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-4107=1

* SUSE Manager Retail Branch Server 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-
Server-4.3-2024-4107=1

* SUSE Manager Server 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-4107=1

## Package List:

* SUSE Enterprise Storage 7.1 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* openSUSE Leap 15.5 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* Basesystem Module 15-SP5 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* Basesystem Module 15-SP6 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Package Hub 15 15-SP5 (noarch)
* python2-waitress-1.4.3-150000.3.9.1
* SUSE Package Hub 15 15-SP6 (noarch)
* python2-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise Server 15 SP2 LTSS (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Manager Proxy 4.3 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Manager Retail Branch Server 4.3 (noarch)
* python3-waitress-1.4.3-150000.3.9.1
* SUSE Manager Server 4.3 (noarch)
* python3-waitress-1.4.3-150000.3.9.1

## References:

* https://www.suse.com/security/cve/CVE-2024-49769.html
* https://bugzilla.suse.com/show_bug.cgi?id=1232554