Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -4 articles for you...
100
security advisoryimportantsuseSUSE Linux 12 SP2: 2021:4011-1 Important Security Fix for Docker Image
An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for sles12sp2-docker-image ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:4011-1 Rating: important References: #1134524 Cross-References: CVE-2019-5021 CVSS scores: CVE-2019-5021 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-5021 (SUSE): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Containers 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sles12sp2-docker-image fixes the following issues: - Invalidate the root password (was empty before) (bsc#1134524 CVE-2019-5021) Note that SUSE does not recommend use of this image anymore, please use newer versions from the registry. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Containers 12: zypper in -t patch SUSE-SLE-Module-Containers-12-2021-4011=1 Package List: - SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64): sles12sp2-docker-image-1.0.2-20211211 References: https://www.suse.com/security/cve/CVE-2019-5021.html https://bugzilla.suse.com/1134524 . SUSE Security Announcement: Update regarding sles12sp2-docker-image Security Update ID: SUSE-SU-2021:4012-2. SUSE Security,Docker Image Update,Linux Container Security. . Severity: Important. LinuxSecurity.com Team
Dec 13, 2021
•Important
SuSE
202
security advisoryupdatesecurity fixopenSUSE: 2019:1495-1 Important: sles12sp3 Docker Image Security Fix
An update that fixes one vulnerability is now available.. openSUSE Security Update: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:1495-1 Rating: important References: #1134524 Cross-References: CVE-2019-5021 Affected Products: openSUSE Leap 15.1 openSUSE Leap 15.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2019-1495=1 - openSUSE Leap 15.0: zypper in -t patch openSUSE-2019-1495=1 Package List: - openSUSE Leap 15.1 (noarch): system-user-root-20190513-lp151.3.3.1 - openSUSE Leap 15.0 (noarch): system-user-root-20190513-lp150.2.3.1 References: https://www.suse.com/security/cve/CVE-2019-5021.html https://bugzilla.suse.com/1134524 -- . A critical vulnerability affecting the sles12sp3-docker-image and sles12sp4-image has been resolved in the recent security update concerning root password management.. openSUSE Security Update, SLES Update, Docker Image Vulnerability. . Severity: Important. LinuxSecurity.com Team
Jun 03, 2019
•Important
OpenSUSE
100
security advisorysecurity issueupdateSUSE: 2017:2800-1 Critical: SLES 12-SP2 Docker Image Vulnerability Patch
An update that fixes 143 vulnerabilities is now available. An update that fixes 143 vulnerabilities is now available. An update that fixes 143 vulnerabilities is now available.. SUSE Security Update: Security update for SLES 12-SP1 Docker image ______________________________________________________________________________ Announcement ID: SUSE-SU-2017:2700-1 Rating: important References: #1056193 #975726 Cross-References: CVE-2012-6702 CVE-2014-0191 CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7187 CVE-2014-7824 CVE-2014-8964 CVE-2014-9770 CVE-2015-0245 CVE-2015-0860 CVE-2015-1283 CVE-2015-2059 CVE-2015-2325 CVE-2015-2327 CVE-2015-2328 CVE-2015-3210 CVE-2015-3217 CVE-2015-3238 CVE-2015-3622 CVE-2015-5073 CVE-2015-5276 CVE-2015-7511 CVE-2015-8380 CVE-2015-8381 CVE-2015-8382 CVE-2015-8383 CVE-2015-8384 CVE-2015-8385 CVE-2015-8386 CVE-2015-8387 CVE-2015-8388 CVE-2015-8389 CVE-2015-8390 CVE-2015-8391 CVE-2015-8392 CVE-2015-8393 CVE-2015-8394 CVE-2015-8395 CVE-2015-8806 CVE-2015-8842 CVE-2015-8853 CVE-2015-8948 CVE-2016-0634 CVE-2016-0718 CVE-2016-0787 CVE-2016-1234 CVE-2016-1238 CVE-2016-1283 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-2037 CVE-2016-2073 CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-2381 CVE-2016-3075 CVE-2016-3191 CVE-2016-3627 CVE-2016-3705CVE-2016-3706 CVE-2016-4008 CVE-2016-4429 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 CVE-2016-4483 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-5011 CVE-2016-5300 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-6185 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6302 CVE-2016-6303 CVE-2016-6304 CVE-2016-6306 CVE-2016-6313 CVE-2016-6318 CVE-2016-7056 CVE-2016-7141 CVE-2016-7167 CVE-2016-7543 CVE-2016-7796 CVE-2016-8610 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-9063 CVE-2016-9318 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000366 CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-2616 CVE-2017-3731 CVE-2017-6507 CVE-2017-7407 CVE-2017-7526 CVE-2017-9047 CVE-2017-9048 CVE-2017-9049 CVE-2017-9050 CVE-2017-9233 Affected Products: SUSE Linux Enterprise Module for Containers 12 ______________________________________________________________________________ An update that fixes 143 vulnerabilities is now available. Description: The SUSE Linux Enterprise Server 12 SP1 container image has been updated to include security and stability fixes. The following issues related to building of the container images have been fixed: - Included krb5 package to avoid the inclusion of krb5-mini which gets selected as a dependency by the Build Service solver. (bsc#1056193) - Do not install recommended packages when building containerimages. (bsc#975726) A number of security issues that have been already fixed by updates released for SUSE Linux Enterprise Server 12 SP1 are now included in the base image. A package/CVE cross-reference is available below. pam: - CVE-2015-3238 libtasn1: - CVE-2015-3622 - CVE-2016-4008 expat: expat: - CVE-2012-6702 - CVE-2015-1283 - CVE-2016-0718 - CVE-2016-5300 - CVE-2016-9063 - CVE-2017-9233 libidn: - CVE-2015-2059 - CVE-2015-8948 - CVE-2016-6261 - CVE-2016-6262 - CVE-2016-6263 zlib: - CVE-2016-9840 - CVE-2016-9841 - CVE-2016-9842 - CVE-2016-9843 curl: - CVE-2016-5419 - CVE-2016-5420 - CVE-2016-5421 - CVE-2016-7141 - CVE-2016-7167 - CVE-2016-8615 - CVE-2016-8616 - CVE-2016-8617 - CVE-2016-8618 - CVE-2016-8619 - CVE-2016-8620 - CVE-2016-8621 - CVE-2016-8622 - CVE-2016-8623 - CVE-2016-8624 - CVE-2016-9586 - CVE-2017-1000100 - CVE-2017-1000101 - CVE-2017-7407 openssl: - CVE-2016-2105 - CVE-2016-2106 - CVE-2016-2107 - CVE-2016-2108 - CVE-2016-2109 - CVE-2016-2177 - CVE-2016-2178 - CVE-2016-2179 - CVE-2016-2180 - CVE-2016-2181 - CVE-2016-2182 - CVE-2016-2183 - CVE-2016-6302 - CVE-2016-6303 - CVE-2016-6304 - CVE-2016-6306 - CVE-2016-7056 - CVE-2016-8610 - CVE-2017-3731 cracklib: - CVE-2016-6318 pcre: - CVE-2014-8964 - CVE-2015-2325 - CVE-2015-2327 - CVE-2015-2328 - CVE-2015-3210 - CVE-2015-3217 - CVE-2015-5073 - CVE-2015-8380 - CVE-2015-8381 - CVE-2015-8382 - CVE-2015-8383 - CVE-2015-8384 - CVE-2015-8385 - CVE-2015-8386 - CVE-2015-8387 - CVE-2015-8388 - CVE-2015-8389 - CVE-2015-8390 - CVE-2015-8391 - CVE-2015-8392 - CVE-2015-8393 - CVE-2015-8394 - CVE-2015-8395 - CVE-2016-1283 - CVE-2016-3191 appamor: - CVE-2017-6507 bash: - CVE-2014-6277 - CVE-2014-6278 - CVE-2016-0634 -CVE-2016-7543 cpio: - CVE-2016-2037 glibc: - CVE-2016-1234 - CVE-2016-3075 - CVE-2016-3706 - CVE-2016-4429 - CVE-2017-1000366 perl: - CVE-2015-8853 - CVE-2016-1238 - CVE-2016-2381 - CVE-2016-6185 libssh2_org: - CVE-2016-0787 util-linux: - CVE-2016-5011 - CVE-2017-2616 ncurses: - CVE-2017-10684 - CVE-2017-10685 - CVE-2017-11112 - CVE-2017-11113 libksba: - CVE-2016-4574 - CVE-2016-4579 libxml2: - CVE-2014-0191 - CVE-2015-8806 - CVE-2016-1762 - CVE-2016-1833 - CVE-2016-1834 - CVE-2016-1835 - CVE-2016-1837 - CVE-2016-1838 - CVE-2016-1839 - CVE-2016-1840 - CVE-2016-2073 - CVE-2016-3627 - CVE-2016-3705 - CVE-2016-4447 - CVE-2016-4448 - CVE-2016-4449 - CVE-2016-4483 - CVE-2016-4658 - CVE-2016-9318 - CVE-2016-9597 - CVE-2017-9047 - CVE-2017-9048 - CVE-2017-9049 - CVE-2017-9050 libgcrypt: - CVE-2015-7511 - CVE-2016-6313 - CVE-2017-7526 update-alternatives: - CVE-2015-0860 systemd: - CVE-2014-9770 - CVE-2015-8842 - CVE-2016-7796 dbus-1: - CVE-2014-7824 - CVE-2015-0245 Finally, the following packages received non-security fixes: - augeas - bzip2 - ca-certificates-mozilla - coreutils - cryptsetup - cyrus-sasl - dirmngr - e2fsprogs - findutils - gpg2 - insserv-compat - kmod - libcap - libsolv - libzypp - lua51 - lvm2 - netcfg - p11-kit - permissions - procps - rpm - sed - sg3_utils - shadow - zypper Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Containers 12: zypper in -t patch SUSE-SLE-Module-Containers-12-2017-1673=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64): sles12sp1-docker-image-1.0.7-20171002 References: https://www.suse.com/security/cve/CVE-2012-6702.html https://www.suse.com/security/cve/CVE-2014-0191.html https://www.suse.com/security/cve/CVE-2014-6271.html https://www.suse.com/security/cve/CVE-2014-6277.html https://www.suse.com/security/cve/CVE-2014-6278.html https://www.suse.com/security/cve/CVE-2014-7169.html https://www.suse.com/security/cve/CVE-2014-7187.html https://www.suse.com/security/cve/CVE-2014-7824.html https://www.suse.com/security/cve/CVE-2014-8964.html https://www.suse.com/security/cve/CVE-2014-9770.html https://www.suse.com/security/cve/CVE-2015-0245.html https://www.suse.com/security/cve/CVE-2015-0860.html https://www.suse.com/security/cve/CVE-2015-1283.html https://www.suse.com/security/cve/CVE-2015-2059.html https://www.suse.com/security/cve/CVE-2015-2325.html https://www.suse.com/security/cve/CVE-2015-2327.html https://www.suse.com/security/cve/CVE-2015-2328.html https://www.suse.com/security/cve/CVE-2015-3210.html https://www.suse.com/security/cve/CVE-2015-3217.html https://www.suse.com/security/cve/CVE-2015-3238.html https://www.suse.com/security/cve/CVE-2015-3622.html https://www.suse.com/security/cve/CVE-2015-5073.html https://www.suse.com/security/cve/CVE-2015-5276.html https://www.suse.com/security/cve/CVE-2015-7511.html https://www.suse.com/security/cve/CVE-2015-8380.html https://www.suse.com/security/cve/CVE-2015-8381.html https://www.suse.com/security/cve/CVE-2015-8382.html https://www.suse.com/security/cve/CVE-2015-8383.html https://www.suse.com/security/cve/CVE-2015-8384.html https://www.suse.com/security/cve/CVE-2015-8385.html https://www.suse.com/security/cve/CVE-2015-8386.html https://www.suse.com/security/cve/CVE-2015-8387.html https://www.suse.com/security/cve/CVE-2015-8388.html https://www.suse.com/security/cve/CVE-2015-8389.html https://www.suse.com/security/cve/CVE-2015-8390.html https://www.suse.com/security/cve/CVE-2015-8391.html https://www.suse.com/security/cve/CVE-2015-8392.html https://www.suse.com/security/cve/CVE-2015-8393.html https://www.suse.com/security/cve/CVE-2015-8394.html https://www.suse.com/security/cve/CVE-2015-8395.html https://www.suse.com/security/cve/CVE-2015-8806.html https://www.suse.com/security/cve/CVE-2015-8842.html https://www.suse.com/security/cve/CVE-2015-8853.html https://www.suse.com/security/cve/CVE-2015-8948.html https://www.suse.com/security/cve/CVE-2016-0634.html https://www.suse.com/security/cve/CVE-2016-0718.html https://www.suse.com/security/cve/CVE-2016-0787.html https://www.suse.com/security/cve/CVE-2016-1234.html https://www.suse.com/security/cve/CVE-2016-1238.html https://www.suse.com/security/cve/CVE-2016-1283.html https://www.suse.com/security/cve/CVE-2016-1762.html https://www.suse.com/security/cve/CVE-2016-1833.html https://www.suse.com/security/cve/CVE-2016-1834.html https://www.suse.com/security/cve/CVE-2016-1835.html https://www.suse.com/security/cve/CVE-2016-1837.html https://www.suse.com/security/cve/CVE-2016-1838.html https://www.suse.com/security/cve/CVE-2016-1839.html https://www.suse.com/security/cve/CVE-2016-1840.html https://www.suse.com/security/cve/CVE-2016-2037.html https://www.suse.com/security/cve/CVE-2016-2073.html https://www.suse.com/security/cve/CVE-2016-2105.html https://www.suse.com/security/cve/CVE-2016-2106.html https://www.suse.com/security/cve/CVE-2016-2107.html https://www.suse.com/security/cve/CVE-2016-2108.html https://www.suse.com/security/cve/CVE-2016-2109.html https://www.suse.com/security/cve/CVE-2016-2177.html https://www.suse.com/security/cve/CVE-2016-2178.html https://www.suse.com/security/cve/CVE-2016-2179.html https://www.suse.com/security/cve/CVE-2016-2180.html https://www.suse.com/security/cve/CVE-2016-2181.html https://www.suse.com/security/cve/CVE-2016-2182.html https://www.suse.com/security/cve/CVE-2016-2183.html https://www.suse.com/security/cve/CVE-2016-2381.html https://www.suse.com/security/cve/CVE-2016-3075.html https://www.suse.com/security/cve/CVE-2016-3191.html https://www.suse.com/security/cve/CVE-2016-3627.html https://www.suse.com/security/cve/CVE-2016-3705.html https://www.suse.com/security/cve/CVE-2016-3706.html https://www.suse.com/security/cve/CVE-2016-4008.html https://www.suse.com/security/cve/CVE-2016-4429.html https://www.suse.com/security/cve/CVE-2016-4447.html https://www.suse.com/security/cve/CVE-2016-4448.html https://www.suse.com/security/cve/CVE-2016-4449.html https://www.suse.com/security/cve/CVE-2016-4483.html https://www.suse.com/security/cve/CVE-2016-4574.html https://www.suse.com/security/cve/CVE-2016-4579.html https://www.suse.com/security/cve/CVE-2016-4658.html https://www.suse.com/security/cve/CVE-2016-5011.html https://www.suse.com/security/cve/CVE-2016-5300.html https://www.suse.com/security/cve/CVE-2016-5419.html https://www.suse.com/security/cve/CVE-2016-5420.html https://www.suse.com/security/cve/CVE-2016-5421.html https://www.suse.com/security/cve/CVE-2016-6185.html https://www.suse.com/security/cve/CVE-2016-6261.html https://www.suse.com/security/cve/CVE-2016-6262.html https://www.suse.com/security/cve/CVE-2016-6263.html https://www.suse.com/security/cve/CVE-2016-6302.html https://www.suse.com/security/cve/CVE-2016-6303.html https://www.suse.com/security/cve/CVE-2016-6304.html https://www.suse.com/security/cve/CVE-2016-6306.html https://www.suse.com/security/cve/CVE-2016-6313.html https://www.suse.com/security/cve/CVE-2016-6318.html https://www.suse.com/security/cve/CVE-2016-7056.html https://www.suse.com/security/cve/CVE-2016-7141.html https://www.suse.com/security/cve/CVE-2016-7167.html https://www.suse.com/security/cve/CVE-2016-7543.html https://www.suse.com/security/cve/CVE-2016-7796.html https://www.suse.com/security/cve/CVE-2016-8610.html https://www.suse.com/security/cve/CVE-2016-8615.html https://www.suse.com/security/cve/CVE-2016-8616.html https://www.suse.com/security/cve/CVE-2016-8617.html https://www.suse.com/security/cve/CVE-2016-8618.html https://www.suse.com/security/cve/CVE-2016-8619.html https://www.suse.com/security/cve/CVE-2016-8620.html https://www.suse.com/security/cve/CVE-2016-8621.html https://www.suse.com/security/cve/CVE-2016-8622.html https://www.suse.com/security/cve/CVE-2016-8623.html https://www.suse.com/security/cve/CVE-2016-8624.html https://www.suse.com/security/cve/CVE-2016-9063.html https://www.suse.com/security/cve/CVE-2016-9318.html https://www.suse.com/security/cve/CVE-2016-9586.html https://www.suse.com/security/cve/CVE-2016-9597.html https://www.suse.com/security/cve/CVE-2016-9840.html https://www.suse.com/security/cve/CVE-2016-9841.html https://www.suse.com/security/cve/CVE-2016-9842.html https://www.suse.com/security/cve/CVE-2016-9843.html https://www.suse.com/security/cve/CVE-2017-1000100.html https://www.suse.com/security/cve/CVE-2017-1000101.html https://www.suse.com/security/cve/CVE-2017-1000366.html https://www.suse.com/security/cve/CVE-2017-10684.html https://www.suse.com/security/cve/CVE-2017-10685.html https://www.suse.com/security/cve/CVE-2017-11112.html https://www.suse.com/security/cve/CVE-2017-11113.html https://www.suse.com/security/cve/CVE-2017-2616.html https://www.suse.com/security/cve/CVE-2017-3731.html https://www.suse.com/security/cve/CVE-2017-6507.html https://www.suse.com/security/cve/CVE-2017-7407.html https://www.suse.com/security/cve/CVE-2017-7526.html https://www.suse.com/security/cve/CVE-2017-9047.html https://www.suse.com/security/cve/CVE-2017-9048.html https://www.suse.com/security/cve/CVE-2017-9049.html https://www.suse.com/security/cve/CVE-2017-9050.html https://www.suse.com/security/cve/CVE-2017-9233.html https://bugzilla.suse.com/1056193 https://bugzilla.suse.com/975726 . New security patch issued for SLES 12-SP1 Docker container, addressing 143 vulnerabilities with critical enhancements provided.. SLES 12-SP1 Docker Image Update,SUSE Security Advisory,Docker Container Security,Fixes and Updates,Important Security Patches. . Severity: Important. LinuxSecurity.com Team
Oct 11, 2017
•Important
SuSE
100
security advisoryupdatebuffer overflowSUSE: 2016:0786-1 Critical: sles12-docker-image Buffer Overflow DoS Flaws
An update that fixes 31 vulnerabilities is now available. An update that fixes 31 vulnerabilities is now available. An update that fixes 31 vulnerabilities is now available.. SUSE Security Update: Security update for sles12-docker-image ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:0786-1 Rating: important References: #969591 Cross-References: CVE-2014-9761 CVE-2015-1819 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-3197 CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-7547 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317 CVE-2015-8710 CVE-2015-8776 CVE-2015-8777 CVE-2015-8778 CVE-2015-8779 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799 CVE-2016-0800 Affected Products: SUSE Linux Enterprise Module for Containers 12 ______________________________________________________________________________ An update that fixes 31 vulnerabilities is now available. Description: This update for sles12-docker-image fixes issues with binaries and libraries included in the image where security updates have been made available in the last weeks. glibc security issues fixed: - CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafted and timed DNS responses (bsc#961721) - CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding protection of the dynamic loader on set-user-ID and set-group-ID programs (bsc#950944) - CVE-2015-8776: Out-of-range time values passed to the strftime function maycause it to crash, leading to a denial of service, or potentially disclosure information (bsc#962736) - CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes or, potentially, arbitrary code execution (bsc#962737) - CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (bsc#962738) - CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (bsc#962739) glibc bugs fixed: - bsc#955647: Resource leak in resolver - bsc#956716: Don't do lock elision on an error checking mutex - bsc#958315: Reinitialize dl_load_write_lock on fork openssl security bugs fixed: Security issues fixed: - CVE-2016-0800 aka the "DROWN" attack (bsc#968046): OpenSSL was vulnerable to a cross-protocol attack that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. This update changes the openssl library to: * Disable SSLv2 protocol support by default. This can be overridden by setting the environment variable "OPENSSL_ALLOW_SSL2" or by using SSL_CTX_clear_options using the SSL_OP_NO_SSLv2 flag. Note that various services and clients had already disabled SSL protocol 2 by default previously. * Disable all weak EXPORT ciphers by default. These can be reenabled if required by old legacy software using the environment variable "OPENSSL_ALLOW_EXPORT". - CVE-2016-0702 aka the "CacheBleed" attack. (bsc#968050) Various changes in the modular exponentation code were added that make sure that it is not possible to recover RSA secret keys by analyzing cache-bank conflicts on the Intel Sandy-Bridge microarchitecture. Note that this was only exploitable if the malicious code was running on the same hyper threaded Intel Sandy Bridge processor as the victim thread performing decryptions. - CVE-2016-0705 (bnc#968047): A double free() bug in the DSA ASN1 parser code was fixed that could be abused to facilitate a denial-of-service attack. - CVE-2016-0797 (bnc#968048): The BN_hex2bn() and BN_dec2bn() functions had a bug that could result in an attempt to de-reference a NULL pointer leading to crashes. This could have security consequences if these functions were ever called by user applications with large untrusted hex/decimal data. Also, internal usage of these functions in OpenSSL uses data from config files or application command line arguments. If user developed applications generated config file data based on untrusted data, then this could have had security consequences as well. - CVE-2016-0798 (bnc#968265) The SRP user database lookup method SRP_VBASE_get_by_user() had a memory leak that attackers could abuse to facility DoS attacks. To mitigate the issue, the seed handling in SRP_VBASE_get_by_user() was disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user(). - CVE-2016-0799 (bnc#968374) On many 64 bit systems, the internal fmtstr() and doapr_outch() functions could miscalculate the length of a string and attempt to access out-of-bounds memory locations. These problems could have enabled attacks where large amounts of untrusted data is passed to the BIO_*printf functions. If applications use these functions in this way then they could have been vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could have been vulnerable if the data is from untrusted sources. OpenSSL commandline applications could also have been vulnerable when they print out ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is not considered directly vulnerable. - CVE-2015-3197 (bsc#963415): The SSLv2 protocol did not block disabled ciphers. Note that the March 1st 2016 release also references following CVEs that were fixed by us with CVE-2015-0293 in 2015: - CVE-2016-0703 (bsc#968051): This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. It would have made the above "DROWN" attack much easier. - CVE-2016-0704 (bsc#968053): "Bleichenbacher oracle in SSLv2" This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. It would have made the above "DROWN" attack much easier. - CVE-2015-3194: The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication. (bsc#957815) - CVE-2015-3195: When presented with a malformed X509_ATTRIBUTE structure OpenSSL would leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected. (bsc#957812) - CVE-2015-3196: If PSK identity hints are received by a multi-threaded client then the values were wrongly updated in the parent SSL_CTX structure. This could result in a race condition potentially leadingto a double free of the identify hint data. (bsc#957813) openssl bugs fixed: - Avoid running OPENSSL_config twice. This avoids breaking engine loading. (bsc#952871) - Ensure that OpenSSL doesn't fall back to the default digest algorithm (SHA1) in case a non-FIPS algorithm was negotiated while running in FIPS mode. Instead, OpenSSL will refuse the digest. (bnc#958501) - Clear the error after setting non-fips mode (bsc#947104) - Improve S/390 performance on IBM z196 and z13 (bsc#954256) - Add support for "ciphers" providing no encryption (bsc#937085) libxml2 security issues fixed: - CVE-2015-8710: Parsing short unclosed HTML comment could cause uninitialized memory access, which allowed remote attackers to read contents from previous HTTP requests depending on the application [bsc#960674] - CVE-2015-1819 Enforce the reader to run in constant memory [bnc#928193] - CVE-2015-7941 Fix out of bound read with crafted xml input by stopping parsing on entities boundaries errors [bnc#951734] - CVE-2015-7942 Fix another variation of overflow in Conditional sections [bnc#951735] - CVE-2015-8241 Avoid extra processing of MarkupDecl when EOF [bnc#956018] - CVE-2015-8242 Buffer overead with HTML parser in push mode [bnc#956021] - CVE-2015-8317 Return if the encoding declaration is broken or encoding conversion failed [bnc#956260] - CVE-2015-5312 Fix another entity expansion issue [bnc#957105] - CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey [bnc#957106] - CVE-2015-7498 Processes entities after encoding conversion failures [bnc#957107] - CVE-2015-7499 Add xmlHaltParser() to stop the parser / Detect incoherency on GROW [bnc#957109] - CVE-2015-8317 Multiple out-of-bound read could lead to denial of service [bnc#956260] - CVE-2015-8035 DoS when parsing specially crafted XML document if XZ support is enabled [bnc#954429] - CVE-2015-7500 Fix memory access error due toincorrect entities boundaries [bnc#957110] And other security and non-security updates found in the SUSE Linux Enterprise 12 GA line. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Containers 12: zypper in -t patch SUSE-SLE-Module-Containers-12-2016-459=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Module for Containers 12 (ppc64le): sles12-docker-image-1.1.1-20160307081810 - SUSE Linux Enterprise Module for Containers 12 (x86_64): sles12-docker-image-1.1.1-20160307082632 - SUSE Linux Enterprise Module for Containers 12 (s390x): sles12-docker-image-1.1.1-20160307082130 References: https://www.suse.com/security/cve/CVE-2014-9761.html https://www.suse.com/security/cve/CVE-2015-1819.html https://www.suse.com/security/cve/CVE-2015-3194.html https://www.suse.com/security/cve/CVE-2015-3195.html https://www.suse.com/security/cve/CVE-2015-3196.html https://www.suse.com/security/cve/CVE-2015-3197.html https://www.suse.com/security/cve/CVE-2015-5312.html https://www.suse.com/security/cve/CVE-2015-7497.html https://www.suse.com/security/cve/CVE-2015-7498.html https://www.suse.com/security/cve/CVE-2015-7499.html https://www.suse.com/security/cve/CVE-2015-7500.html https://www.suse.com/security/cve/CVE-2015-7547.html https://www.suse.com/security/cve/CVE-2015-7941.html https://www.suse.com/security/cve/CVE-2015-7942.html https://www.suse.com/security/cve/CVE-2015-8035.html https://www.suse.com/security/cve/CVE-2015-8241.html https://www.suse.com/security/cve/CVE-2015-8242.html https://www.suse.com/security/cve/CVE-2015-8317.html https://www.suse.com/security/cve/CVE-2015-8710.html https://www.suse.com/security/cve/CVE-2015-8776.html https://www.suse.com/security/cve/CVE-2015-8777.html https://www.suse.com/security/cve/CVE-2015-8778.html https://www.suse.com/security/cve/CVE-2015-8779.html https://www.suse.com/security/cve/CVE-2016-0702.html https://www.suse.com/security/cve/CVE-2016-0703.html https://www.suse.com/security/cve/CVE-2016-0704.html https://www.suse.com/security/cve/CVE-2016-0705.html https://www.suse.com/security/cve/CVE-2016-0797.html https://www.suse.com/security/cve/CVE-2016-0798.html https://www.suse.com/security/cve/CVE-2016-0799.html https://www.suse.com/security/cve/CVE-2016-0800.html https://bugzilla.suse.com/969591 . Crucial Oracle Security Patch fixes 27 vulnerabilities for rhel8-container-image. Keep your systems fortified and up-to-date!. sles12 docker updates security patches. . Severity: Important. LinuxSecurity.com Team
Mar 16, 2016
•Important
SuSE
100
security advisorydenial of serviceimportantSUSE: 2016:0778-1 Important: sles11sp4-docker-image DoS and Library Issues
An update that fixes 16 vulnerabilities is now available. An update that fixes 16 vulnerabilities is now available. An update that fixes 16 vulnerabilities is now available.. SUSE Security Update: Security update for sles11sp4-docker-image ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:0778-1 Rating: important References: #969591 Cross-References: CVE-2014-9761 CVE-2015-3197 CVE-2015-6908 CVE-2015-7547 CVE-2015-8776 CVE-2015-8777 CVE-2015-8778 CVE-2015-8779 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704 CVE-2016-0705 CVE-2016-0755 CVE-2016-0797 CVE-2016-0799 CVE-2016-0800 Affected Products: SUSE Linux Enterprise Module for Containers 12 ______________________________________________________________________________ An update that fixes 16 vulnerabilities is now available. Description: This rebuild for sles11sp4-docker-image fixes several important security issues done in libraries contained inside, for glibc, openssl, curl and openldap2. glibc security fixes: - CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafted and timed DNS responses (bsc#961721) - CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding protection of the dynamic loader on set-user-ID and set-group-ID programs (bsc#950944) - CVE-2015-8776: Out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information (bsc#962736) - CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes or, potentially, arbitrary code execution (bsc#962737) -CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (bsc#962738) - CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (bsc#962739) glibc non-security bugfixes: - bsc#930721: Accept leading and trailing spaces in getdate input string - bsc#942317: Recognize power8 platform - bsc#950944: Always enable pointer guard - bsc#956988: Fix deadlock in __dl_iterate_phdr openssl security issues fixed: - CVE-2016-0800 aka the "DROWN" attack (bsc#968046): OpenSSL was vulnerable to a cross-protocol attack that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. This update changes the openssl library to: * Disable SSLv2 protocol support by default. This can be overridden by setting the environment variable "OPENSSL_ALLOW_SSL2" or by using SSL_CTX_clear_options using the SSL_OP_NO_SSLv2 flag. Note that various services and clients had already disabled SSL protocol 2 by default previously. * Disable all weak EXPORT ciphers by default. These can be reenabled if required by old legacy software using the environment variable "OPENSSL_ALLOW_EXPORT". - CVE-2016-0705 (bnc#968047): A double free() bug in the DSA ASN1 parser code was fixed that could be abused to facilitate a denial-of-service attack. - CVE-2016-0797 (bnc#968048): The BN_hex2bn() and BN_dec2bn() functions had a bug that could result in an attempt to de-reference a NULL pointer leading to crashes. This could have security consequences if these functions were ever called by user applications with large untrusted hex/decimal data. Also, internalusage of these functions in OpenSSL uses data from config files or application command line arguments. If user developed applications generated config file data based on untrusted data, then this could have had security consequences as well. - CVE-2016-0799 (bnc#968374) On many 64 bit systems, the internal fmtstr() and doapr_outch() functions could miscalculate the length of a string and attempt to access out-of-bounds memory locations. These problems could have enabled attacks where large amounts of untrusted data is passed to the BIO_*printf functions. If applications use these functions in this way then they could have been vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could have been vulnerable if the data is from untrusted sources. OpenSSL command line applications could also have been vulnerable when they print out ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is not considered directly vulnerable. - CVE-2015-3197 (bsc#963415): The SSLv2 protocol did not block disabled ciphers. Note that the March 1st 2016 release also references following CVEs that were fixed by us with CVE-2015-0293 in 2015: - CVE-2016-0703 (bsc#968051): This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. It would have made the above "DROWN" attack much easier. - CVE-2016-0704 (bsc#968053): "Bleichenbacher oracle in SSLv2" This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. It would have made the above "DROWN" attack much easier. openssl non-security bugs fixed: - Avoid running OPENSSL_config twice. This avoids breaking engine loading and also fixes a memory leak in libssl.(bsc#952871 bsc#967787) curl security issues fixed: - CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983) curl non-security bugs fixed: - bsc#926511: Check for errors on the control connection during FTP transfers openldap2 security issue fixed: - CVE-2015-6908. Passing a crafted packet to the function ber_get_next(), an attacker may cause a remote denial of service, crashing the OpenLDAP server (bsc#945582). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Containers 12: zypper in -t patch SUSE-SLE-Module-Containers-12-2016-457=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Module for Containers 12 (x86_64): sles11sp4-docker-image-1.1.1-20160304104123 - SUSE Linux Enterprise Module for Containers 12 (s390x): sles11sp4-docker-image-1.1.1-20160304104143 References: https://www.suse.com/security/cve/CVE-2014-9761.html https://www.suse.com/security/cve/CVE-2015-3197.html https://www.suse.com/security/cve/CVE-2015-6908.html https://www.suse.com/security/cve/CVE-2015-7547.html https://www.suse.com/security/cve/CVE-2015-8776.html https://www.suse.com/security/cve/CVE-2015-8777.html https://www.suse.com/security/cve/CVE-2015-8778.html https://www.suse.com/security/cve/CVE-2015-8779.html https://www.suse.com/security/cve/CVE-2016-0702.html https://www.suse.com/security/cve/CVE-2016-0703.html https://www.suse.com/security/cve/CVE-2016-0704.html https://www.suse.com/security/cve/CVE-2016-0705.html https://www.suse.com/security/cve/CVE-2016-0755.html https://www.suse.com/security/cve/CVE-2016-0797.html https://www.suse.com/security/cve/CVE-2016-0799.html https://www.suse.com/security/cve/CVE-2016-0800.html https://bugzilla.suse.com/969591 . SUSE Security Bulletin: Security patch for sles11sp4-docker-container Announcement ID: SUSE-SU-2016:0780-2. SUSE Linux Update,Docker Security Fixes,Library Exploits,Security Patch. . Severity: Important. LinuxSecurity.com Team
Mar 15, 2016
•Important
SuSE
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!