# opensc-0.27.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10475-1
Rating: moderate

Cross-References:

* CVE-2025-13763
* CVE-2025-49010
* CVE-2025-66037
* CVE-2025-66038
* CVE-2025-66215

CVSS scores:

* CVE-2025-49010 ( SUSE ): 3.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2025-49010 ( SUSE ): 1 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-66037 ( SUSE ): 3.9 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-66037 ( SUSE ): 1 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-66038 ( SUSE ): 3.9 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-66038 ( SUSE ): 1 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-66215 ( SUSE ): 3.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2025-66215 ( SUSE ): 1 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 5 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the opensc-0.27.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * opensc 0.27.1-1.1
  * opensc-bash-completion 0.27.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-13763.html
* https://www.suse.com/security/cve/CVE-2025-49010.html
* https://www.suse.com/security/cve/CVE-2025-66037.html
* https://www.suse.com/security/cve/CVE-2025-66038.html
* https://www.suse.com/security/cve/CVE-2025-66215.html
# Security update for go1.22

Announcement ID: SUSE-SU-2024:0936-1
Rating: important

References:

* bsc#1218424
* bsc#1219988
* bsc#1220999
* bsc#1221000
* bsc#1221001
* bsc#1221002
* bsc#1221003

Cross-References:

* CVE-2023-45289
* CVE-2023-45290
* CVE-2024-24783
* CVE-2024-24784
* CVE-2024-24785

CVSS scores:

* CVE-2023-45289 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-45290 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-24783 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-24784 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-24785 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:

* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
* SUSE Linux Enterprise Software Development Kit 12 SP5

An update that solves five vulnerabilities and has two security fixes can now be installed.

## Description:

This update for go1.22 fixes the following issues:

* go1.22.1 (released 2024-03-05) includes security fixes to the crypto/x509, html/template, net/http, net/http/cookiejar, and net/mail packages, as well as bug fixes to the compiler, the go command, the runtime, the trace command, and the go/types and net/http packages.
  (bsc#1218424) CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
  * go#65831 go#65390 bsc#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
  * go#65849 go#65083 bsc#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
  * go#65850 go#65383 bsc#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
  * go#65859 go#65065 bsc#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  * go#65969 go#65697 bsc#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
  * go#65352 cmd/go: go generate fails silently when run on a package in a nested workspace module
  * go#65471 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
  * go#65474 internal/testenv: support LUCI mobile builders in testenv tests
  * go#65577 cmd/trace/v2: goroutine analysis page doesn't identify goroutines consistently
  * go#65618 cmd/compile: Go 1.22 build fails with 1.21 PGO profile on internal/saferio change
  * go#65619 cmd/compile: Go 1.22 changes support for modules that declare go 1.0
  * go#65641 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
  * go#65644 runtime: crash in race detector when execution tracer reads from CPU profile buffer
  * go#65728 go/types: nil pointer dereference in Alias.Underlying()
  * go#65759 net/http: context cancellation can leave HTTP client with deadlocked HTTP/1.1 connections in Go1.22
  * go#65760 runtime: Go 1.22.0 fails to build from source on armv7 Alpine Linux
  * go#65818 runtime: go1.22.0 test with -race will SIGSEGV or SIGBUS or Bad Pointer
  * go#65852 cmd/go: "missing ziphash" error with go.work
  * go#65883 runtime: scheduler sometimes starves a runnable goroutine on wasm platforms
  * Packaging improvements:
    * bsc#1219988 ensure VERSION file is present in GOROOT as required by go tool dist and go tool distpack
* go1.22 (released 2024-02-06) is a major release of Go. go1.22.x minor releases will be provided through February 2024. https://github.com/golang/go/wiki/Go-Release-Cycle go1.22 arrives six months after go1.21. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. (bsc#1218424)
  * Language change: go1.22 makes two changes to for loops. Previously, the variables declared by a for loop were created once and updated by each iteration. In go1.22, each iteration of the loop creates new variables, to avoid accidental sharing bugs. The transition support tooling described in the proposal continues to work in the same way it did in Go 1.21.
  * Language change: For loops may now range over integers.
  * Language change: go1.22 includes a preview of a language change we are considering for a future version of Go: range-over-function iterators. Building with GOEXPERIMENT=rangefunc enables this feature.
  * go command: Commands in workspaces can now use a vendor directory containing the dependencies of the workspace. The directory is created by go work vendor, and used by build commands when the -mod flag is set to vendor, which is the default when a workspace vendor directory is present. Note that the vendor directory's contents for a workspace are different from those of a single module: if the directory at the root of a workspace also contains one of the modules in the workspace, its vendor directory can contain the dependencies of either the workspace or of the module, but not both.
  * go get is no longer supported outside of a module in the legacy GOPATH mode (that is, with GO111MODULE=off). Other build commands, such as go build and go test, will continue to work indefinitely for legacy GOPATH programs.
  * go mod init no longer attempts to import module requirements from configuration files for other vendoring tools (such as Gopkg.lock).
  * go test -cover now prints coverage summaries for covered packages that do not have their own test files. Prior to Go 1.22 a go test -cover run for such a package would report `? mymod/mypack [no test files]`; with go1.22, functions in the package are treated as uncovered: `mymod/mypack coverage: 0.0% of statements`. Note that if a package contains no executable code at all, we can't report a meaningful coverage percentage; for such packages the go tool will continue to report that there are no test files.
  * trace: The trace tool's web UI has been gently refreshed as part of the work to support the new tracer, resolving several issues and improving the readability of various sub-pages. The web UI now supports exploring traces in a thread-oriented view. The trace viewer also now displays the full duration of all system calls. These improvements only apply for viewing traces produced by programs built with go1.22 or newer. A future release will bring some of these improvements to traces produced by older versions of Go.
  * vet: References to loop variables. The behavior of the vet tool has changed to match the new semantics (see above) of loop variables in go1.22. When analyzing a file that requires go1.22 or newer (due to its go.mod file or a per-file build constraint), vet no longer reports references to loop variables from within a function literal that might outlive the iteration of the loop. In Go 1.22, loop variables are created anew for each iteration, so such references are no longer at risk of using a variable after it has been updated by the loop.
  * vet: New warnings for missing values after append. The vet tool now reports calls to append that pass no values to be appended to the slice, such as slice = append(slice). Such a statement has no effect, and experience has shown that it is nearly always a mistake.
  * vet: New warnings for deferring time.Since. The vet tool now reports a non-deferred call to time.Since(t) within a defer statement. This is equivalent to calling time.Now().Sub(t) before the defer statement, not when the deferred function is called. In nearly all cases, the correct code requires deferring the time.Since call.
  * vet: New warnings for mismatched key-value pairs in log/slog calls. The vet tool now reports invalid arguments in calls to functions and methods in the structured logging package, log/slog, that accept alternating key/value pairs. It reports calls where an argument in a key position is neither a string nor a slog.Attr, and where a final key is missing its value.
  * runtime: The runtime now keeps type-based garbage collection metadata nearer to each heap object, improving the CPU performance (latency or throughput) of Go programs by 1-3%. This change also reduces the memory overhead of the majority of Go programs by approximately 1% by deduplicating redundant metadata. Some programs may see a smaller improvement because this change adjusts the size class boundaries of the memory allocator, so some objects may be moved up a size class. A consequence of this change is that some objects' addresses that were previously always aligned to a 16 byte (or higher) boundary will now only be aligned to an 8 byte boundary. Some programs that use assembly instructions that require memory addresses to be more than 8-byte aligned and rely on the memory allocator's previous alignment behavior may break, but we expect such programs to be rare. Such programs may be built with GOEXPERIMENT=noallocheaders to revert to the old metadata layout and restore the previous alignment behavior, but package owners should update their assembly code to avoid the alignment assumption, as this workaround will be removed in a future release.
  * runtime: On the windows/amd64 port, programs linking or loading Go libraries built with -buildmode=c-archive or -buildmode=c-shared can now use the SetUnhandledExceptionFilter Win32 function to catch exceptions not handled by the Go runtime. Note that this was already supported on the windows/386 port.
  * compiler: Profile-guided Optimization (PGO) builds can now devirtualize a higher proportion of calls than previously possible. Most programs from a representative set of Go programs now see between 2 and 14% improvement from enabling PGO.
  * compiler: The compiler now interleaves devirtualization and inlining, so interface method calls are better optimized.
  * compiler: go1.22 also includes a preview of an enhanced implementation of the compiler's inlining phase that uses heuristics to boost inlinability at call sites deemed "important" (for example, in loops) and discourage inlining at call sites deemed "unimportant" (for example, on panic paths). Building with GOEXPERIMENT=newinliner enables the new call-site heuristics; see issue #61502 for more info and to provide feedback.
  * linker: The linker's -s and -w flags now behave more consistently across all platforms. The -w flag suppresses DWARF debug information generation. The -s flag suppresses symbol table generation. The -s flag also implies the -w flag, which can be negated with -w=0. That is, -s -w=0 will generate a binary with DWARF debug information generation but without the symbol table.
  * linker: On ELF platforms, the -B linker flag now accepts a special form: with -B gobuildid, the linker will generate a GNU build ID (the ELF NT_GNU_BUILD_ID note) derived from the Go build ID.
  * linker: On Windows, when building with -linkmode=internal, the linker now preserves SEH information from C object files by copying the .pdata and .xdata sections into the final binary. This helps with debugging and profiling binaries using native tools, such as WinDbg. Note that until now, C functions' SEH exception handlers were not being honored, so this change may cause some programs to behave differently. -linkmode=external is not affected by this change, as external linkers already preserve SEH information.
  * bootstrap: As mentioned in the Go 1.20 release notes, go1.22 now requires the final point release of Go 1.20 or later for bootstrap. We expect that Go 1.24 will require the final point release of go1.22 or later for bootstrap.
  * core library: New math/rand/v2 package: go1.22 includes the first "v2" package in the standard library, math/rand/v2. The changes compared to math/rand are detailed in proposal go#61716. The most important changes are:
    * The Read method, deprecated in math/rand, was not carried forward for math/rand/v2. (It remains available in math/rand.) The vast majority of calls to Read should use crypto/rand's Read instead. Otherwise a custom Read can be constructed using the Uint64 method.
    * The global generator accessed by top-level functions is unconditionally randomly seeded. Because the API guarantees no fixed sequence of results, optimizations like per-thread random generator states are now possible.
    * The Source interface now has a single Uint64 method; there is no Source64 interface.
    * Many methods now use faster algorithms that were not possible to adopt in math/rand because they changed the output streams.
    * The Intn, Int31, Int31n, Int63, and Int64n top-level functions and methods from math/rand are spelled more idiomatically in math/rand/v2: IntN, Int32, Int32N, Int64, and Int64N. There are also new top-level functions and methods Uint32, Uint32N, Uint64, Uint64N, Uint, and UintN.
    * The new generic function N is like Int64N or Uint64N but works for any integer type. For example a random duration from 0 up to 5 minutes is rand.N(5*time.Minute).
    * The Mitchell & Reeds LFSR generator provided by math/rand's Source has been replaced by two more modern pseudo-random generator sources: ChaCha8 and PCG. ChaCha8 is a new, cryptographically strong random number generator roughly similar to PCG in efficiency. ChaCha8 is the algorithm used for the top-level functions in math/rand/v2. As of go1.22, math/rand's top-level functions (when not explicitly seeded) and the Go runtime also use ChaCha8 for randomness.
    * We plan to include an API migration tool in a future release, likely Go 1.23.
  * core library: New go/version package: The new go/version package implements functions for validating and comparing Go version strings.
  * core library: Enhanced routing patterns: HTTP routing in the standard library is now more expressive. The patterns used by net/http.ServeMux have been enhanced to accept methods and wildcards. This change breaks backwards compatibility in small ways, some obvious (patterns with "{" and "}" behave differently) and some less so (treatment of escaped paths has been improved). The change is controlled by a GODEBUG field named httpmuxgo121. Set httpmuxgo121=1 to restore the old behavior.
  * Minor changes to the library: As always, there are various minor changes and updates to the library, made with the Go 1 promise of compatibility in mind. There are also various performance improvements, not enumerated here.
  * archive/tar: The new method Writer.AddFS adds all of the files from an fs.FS to the archive.
  * archive/zip: The new method Writer.AddFS adds all of the files from an fs.FS to the archive.
  * bufio: When a SplitFunc returns ErrFinalToken with a nil token, Scanner will now stop immediately. Previously, it would report a final empty token before stopping, which was usually not desired. Callers that do want to report a final empty token can do so by returning []byte{} rather than nil.
  * cmp: The new function Or returns the first in a sequence of values that is not the zero value.
  * crypto/tls: ConnectionState.ExportKeyingMaterial will now return an error unless TLS 1.3 is in use, or the extended_master_secret extension is supported by both the server and client. crypto/tls has supported this extension since Go 1.20. This can be disabled with the tlsunsafeekm=1 GODEBUG setting.
  * crypto/tls: By default, the minimum version offered by crypto/tls servers is now TLS 1.2 if not specified with config.MinimumVersion, matching the behavior of crypto/tls clients. This change can be reverted with the tls10server=1 GODEBUG setting.
  * crypto/tls: By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes. This change can be reverted with the tlsrsakex=1 GODEBUG setting.
  * crypto/x509: The new CertPool.AddCertWithConstraint method can be used to add customized constraints to root certificates to be applied during chain building.
  * crypto/x509: On Android, root certificates will now be loaded from /data/misc/keychain/certs-added as well as /system/etc/security/cacerts.
  * crypto/x509: A new type, OID, supports ASN.1 Object Identifiers with individual components larger than 31 bits. A new field which uses this type, Policies, is added to the Certificate struct, and is now populated during parsing. Any OIDs which cannot be represented using an asn1.ObjectIdentifier will appear in Policies, but not in the old PolicyIdentifiers field. When calling CreateCertificate, the Policies field is ignored, and policies are taken from the PolicyIdentifiers field. Using the x509usepolicies=1 GODEBUG setting inverts this, populating certificate policies from the Policies field, and ignoring the PolicyIdentifiers field. We may change the default value of x509usepolicies in Go 1.23, making Policies the default field for marshaling.
  * database/sql: The new Null[T] type provides a way to scan nullable columns for any column types.
  * debug/elf: Constant R_MIPS_PC32 is defined for use with MIPS64 systems. Additional R_LARCH_* constants are defined for use with LoongArch systems.
  * encoding: The new methods AppendEncode and AppendDecode added to each of the Encoding types in the packages encoding/base32, encoding/base64, and encoding/hex simplify encoding and decoding from and to byte slices by taking care of byte slice buffer management.
  * encoding: The methods base32.Encoding.WithPadding and base64.Encoding.WithPadding now panic if the padding argument is a negative value other than NoPadding.
  * encoding/json: Marshaling and encoding functionality now escapes '\b' and '\f' characters as \b and \f instead of \u0008 and \u000c.
  * go/ast: The following declarations related to syntactic identifier resolution are now deprecated: Ident.Obj, Object, Scope, File.Scope, File.Unresolved, Importer, Package, NewPackage. In general, identifiers cannot be accurately resolved without type information. Consider, for example, the identifier K in T{K: ""}: it could be the name of a local variable if T is a map type, or the name of a field if T is a struct type. New programs should use the go/types package to resolve identifiers; see Object, Info.Uses, and Info.Defs for details.
  * go/ast: The new ast.Unparen function removes any enclosing parentheses from an expression.
  * go/types: The new Alias type represents type aliases. Previously, type aliases were not represented explicitly, so a reference to a type alias was equivalent to spelling out the aliased type, and the name of the alias was lost. The new representation retains the intermediate Alias. This enables improved error reporting (the name of a type alias can be reported), and allows for better handling of cyclic type declarations involving type aliases. In a future release, Alias types will also carry type parameter information. The new function Unalias returns the actual type denoted by an Alias type (or any other Type for that matter).
  * go/types: Because Alias types may break existing type switches that do not know to check for them, this functionality is controlled by a GODEBUG field named gotypesalias. With gotypesalias=0, everything behaves as before, and Alias types are never created. With gotypesalias=1, Alias types are created and clients must expect them. The default is gotypesalias=0. In a future release, the default will be changed to gotypesalias=1. Clients of go/types are urged to adjust their code as soon as possible to work with gotypesalias=1 to eliminate problems early.
  * go/types: The Info struct now exports the FileVersions map which provides per-file Go version information.
  * go/types: The new helper method PkgNameOf returns the local package name for the given import declaration.
  * go/types: The implementation of SizesFor has been adjusted to compute the same type sizes as the compiler when the compiler argument for SizesFor is "gc". The default Sizes implementation used by the type checker is now types.SizesFor("gc", "amd64").
  * go/types: The start position (Pos) of the lexical environment block (Scope) that represents a function body has changed: it used to start at the opening curly brace of the function body, but now starts at the function's func token.
  * html/template: JavaScript template literals may now contain Go template actions, and parsing a template containing one will no longer return ErrJSTemplate. Similarly the GODEBUG setting jstmpllitinterp no longer has any effect.
  * io: The new SectionReader.Outer method returns the ReaderAt, offset, and size passed to NewSectionReader.
  * log/slog: The new SetLogLoggerLevel function controls the level for the bridge between the `slog` and `log` packages. It sets the minimum level for calls to the top-level `slog` logging functions, and it sets the level for calls to `log.Logger` that go through `slog`.
  * math/big: The new method Rat.FloatPrec computes the number of fractional decimal digits required to represent a rational number accurately as a floating-point number, and whether accurate decimal representation is possible in the first place.
  * net: When io.Copy copies from a TCPConn to a UnixConn, it will now use Linux's splice(2) system call if possible, using the new method TCPConn.WriteTo.
  * net: The Go DNS Resolver, used when building with "-tags=netgo", now searches for a matching name in the Windows hosts file, located at %SystemRoot%\System32\drivers\etc\hosts, before making a DNS query.
  * net/http: The new functions ServeFileFS, FileServerFS, and NewFileTransportFS are versions of the existing ServeFile, FileServer, and NewFileTransport, operating on an fs.FS.
  * net/http: The HTTP server and client now reject requests and responses containing an invalid empty Content-Length header. The previous behavior may be restored by setting GODEBUG field httplaxcontentlength=1.
  * net/http: The new method Request.PathValue returns path wildcard values from a request and the new method Request.SetPathValue sets path wildcard values on a request.
  * net/http/cgi: When executing a CGI process, the PATH_INFO variable is now always set to the empty string or a value starting with a / character, as required by RFC 3875. It was previously possible for some combinations of Handler.Root and request URL to violate this requirement.
  * net/netip: The new AddrPort.Compare method compares two AddrPorts.
  * os: On Windows, the Stat function now follows all reparse points that link to another named entity in the system. It was previously only following IO_REPARSE_TAG_SYMLINK and IO_REPARSE_TAG_MOUNT_POINT reparse points.
  * os: On Windows, passing O_SYNC to OpenFile now causes write operations to go directly to disk, equivalent to O_SYNC on Unix platforms.
  * os: On Windows, the ReadDir, File.ReadDir, File.Readdir, and File.Readdirnames functions now read directory entries in batches to reduce the number of system calls, improving performance up to 30%.
  * os: When io.Copy copies from a File to a net.UnixConn, it will now use Linux's sendfile(2) system call if possible, using the new method File.WriteTo.
  * os/exec: On Windows, LookPath now ignores empty entries in %PATH%, and returns ErrNotFound (instead of ErrNotExist) if no executable file extension is found to resolve an otherwise-unambiguous name.
  * os/exec: On Windows, Command and Cmd.Start no longer call LookPath if the path to the executable is already absolute and has an executable file extension. In addition, Cmd.Start no longer writes the resolved extension back to the Path field, so it is now safe to call the String method concurrently with a call to Start.
  * reflect: The Value.IsZero method will now return true for a floating-point or complex negative zero, and will return true for a struct value if a blank field (a field named _) somehow has a non-zero value. These changes make IsZero consistent with comparing a value to zero using the language == operator.
  * reflect: The PtrTo function is deprecated, in favor of PointerTo.
  * reflect: The new function TypeFor returns the Type that represents the type argument T. Previously, to get the reflect.Type value for a type, one had to use reflect.TypeOf((*T)(nil)).Elem(). This may now be written as reflect.TypeFor[T]().
  * runtime/metrics: Four new histogram metrics /sched/pauses/stopping/gc:seconds, /sched/pauses/stopping/other:seconds, /sched/pauses/total/gc:seconds, and /sched/pauses/total/other:seconds provide additional details about stop-the-world pauses. The "stopping" metrics report the time taken from deciding to stop the world until all goroutines are stopped. The "total" metrics report the time taken from deciding to stop the world until it is started again.
  * runtime/metrics: The /gc/pauses:seconds metric is deprecated, as it is equivalent to the new /sched/pauses/total/gc:seconds metric.
  * runtime/metrics: /sync/mutex/wait/total:seconds now includes contention on runtime-internal locks in addition to sync.Mutex and sync.RWMutex.
  * runtime/pprof: Mutex profiles now scale contention by the number of goroutines blocked on the mutex. This provides a more accurate representation of the degree to which a mutex is a bottleneck in a Go program. For instance, if 100 goroutines are blocked on a mutex for 10 milliseconds, a mutex profile will now record 1 second of delay instead of 10 milliseconds of delay.
  * runtime/pprof: Mutex profiles also now include contention on runtime-internal locks in addition to sync.Mutex and sync.RWMutex. Contention on runtime-internal locks is always reported at runtime._LostContendedRuntimeLock. A future release will add complete stack traces in these cases.
  * runtime/pprof: CPU profiles on Darwin platforms now contain the process's memory map, enabling the disassembly view in the pprof tool.
  * runtime/trace: The execution tracer has been completely overhauled in this release, resolving several long-standing issues and paving the way for new use-cases for execution traces.
  * runtime/trace: Execution traces now use the operating system's clock on most platforms (Windows excluded) so it is possible to correlate them with traces produced by lower-level components. Execution traces no longer depend on the reliability of the platform's clock to produce a correct trace. Execution traces are now partitioned regularly on-the-fly and as a result may be processed in a streamable way. Execution traces now contain complete durations for all system calls. Execution traces now contain information about the operating system threads that goroutines executed on. The latency impact of starting and stopping execution traces has been dramatically reduced. Execution traces may now begin or end during the garbage collection mark phase.
  * runtime/trace: To allow Go developers to take advantage of these improvements, an experimental trace reading package is available at golang.org/x/exp/trace. Note that this package only works on traces produced by programs built with go1.22 at the moment. Please try out the package and provide feedback on the corresponding proposal issue.
  * runtime/trace: If you experience any issues with the new execution tracer implementation, you may switch back to the old implementation by building your Go program with GOEXPERIMENT=noexectracer2. If you do, please file an issue, otherwise this option will be removed in a future release.
  * slices: The new function Concat concatenates multiple slices.
  * slices: Functions that shrink the size of a slice (Delete, DeleteFunc, Compact, CompactFunc, and Replace) now zero the elements between the new length and the old length.
  * slices: Insert now always panics if the argument i is out of range. Previously it did not panic in this situation if there were no elements to be inserted.
  * syscall: The syscall package has been frozen since Go 1.4 and was marked as deprecated in Go 1.11, causing many editors to warn about any use of the package. However, some non-deprecated functionality requires use of the syscall package, such as the os/exec.Cmd.SysProcAttr field. To avoid unnecessary complaints on such code, the syscall package is no longer marked as deprecated. The package remains frozen to most new functionality, and new code remains encouraged to use golang.org/x/sys/unix or golang.org/x/sys/windows where possible.
  * syscall: On Linux, the new SysProcAttr.PidFD field allows obtaining a PID FD when starting a child process via StartProcess or os/exec.
  * syscall: On Windows, passing O_SYNC to Open now causes write operations to go directly to disk, equivalent to O_SYNC on Unix platforms.
  * testing/slogtest: The new Run function uses sub-tests to run test cases, providing finer-grained control.
  * Ports: Darwin: On macOS on 64-bit x86 architecture (the darwin/amd64 port), the Go toolchain now generates position-independent executables (PIE) by default. Non-PIE binaries can be generated by specifying the -buildmode=exe build flag. On 64-bit ARM-based macOS (the darwin/arm64 port), the Go toolchain already generates PIE by default. go1.22 is the last release that will run on macOS 10.15 Catalina. Go 1.23 will require macOS 11 Big Sur or later.
  * Ports: Arm: The GOARM environment variable now allows you to select whether to use software or hardware floating point. Previously, valid GOARM values were 5, 6, or 7. Now those same values can be optionally followed by ,softfloat or ,hardfloat to select the floating-point implementation. This new option defaults to softfloat for version 5 and hardfloat for versions 6 and 7.
  * Ports: Loong64: The loong64 port now supports passing function arguments and results using registers. The linux/loong64 port now supports the address sanitizer, memory sanitizer, new-style linker relocations, and the plugin build mode.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-936=1

## Package List:

* SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
  * go1.22-doc-1.22.1-1.3.1
  * go1.22-1.22.1-1.3.1

## References:

* https://www.suse.com/security/cve/CVE-2023-45289.html
* https://www.suse.com/security/cve/CVE-2023-45290.html
* https://www.suse.com/security/cve/CVE-2024-24783.html
* https://www.suse.com/security/cve/CVE-2024-24784.html
* https://www.suse.com/security/cve/CVE-2024-24785.html
* https://bugzilla.suse.com/show_bug.cgi?id=1218424
* https://bugzilla.suse.com/show_bug.cgi?id=1219988
* https://bugzilla.suse.com/show_bug.cgi?id=1220999
* https://bugzilla.suse.com/show_bug.cgi?id=1221000
* https://bugzilla.suse.com/show_bug.cgi?id=1221001
* https://bugzilla.suse.com/show_bug.cgi?id=1221002
* https://bugzilla.suse.com/show_bug.cgi?id=1221003
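The go1.22.1 entry in the advisory above lists CVE-2023-45290, memory exhaustion in Request.ParseMultipartForm. The handler below is an added example, not code from the advisory or from the Go project: it shows the defence-in-depth control a server should keep regardless of the patch level, an http.MaxBytesReader cap on the request body applied before ParseMultipartForm runs. The limit values, the form field name "file" and the probe sizes are constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Both limits are constructed for this example; size them for the uploads you expect.
const (
	maxUploadBytes = 64 << 10 // hard cap on the whole request body (64 KiB)
	maxMemory      = 64 << 10 // file bytes ParseMultipartForm keeps in RAM before spilling to temp files
)

// uploadHandler caps the body before parsing it. Without the cap, Go reads the whole
// body, spilling file parts beyond maxMemory to temporary files, so nothing bounds the
// size of what a client may send. With the cap, the read fails once maxUploadBytes is
// exceeded and the handler answers 413 instead of continuing to parse.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "upload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed multipart body", http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll() // delete any parts that were spilled to disk
	f, hdr, err := r.FormFile("file")
	if err != nil {
		http.Error(w, "missing file part", http.StatusBadRequest)
		return
	}
	defer f.Close()
	n, err := io.Copy(io.Discard, f) // a real handler would scan or store the content here
	if err != nil {
		http.Error(w, "read failed", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "received %s (%d bytes)", hdr.Filename, n)
}

// probeUpload builds a constructed multipart/form-data request carrying one file part
// of fileSize bytes, runs it through uploadHandler in-process, and returns the status code.
func probeUpload(fileSize int) int {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	fw, err := mw.CreateFormFile("file", "sample.bin")
	if err != nil {
		panic(err)
	}
	if _, err := fw.Write(bytes.Repeat([]byte{'A'}, fileSize)); err != nil {
		panic(err)
	}
	mw.Close() // writes the closing boundary
	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("1 KiB upload   ->", probeUpload(1<<10))   // 200
	fmt.Println("256 KiB upload ->", probeUpload(256<<10)) // 413
}
```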
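The same go1.22.1 entry lists CVE-2023-45289, incorrect forwarding of sensitive headers and cookies on HTTP redirect. The probe below is an added example, not code from the advisory or the Go project; it checks the documented client rule on whatever toolchain built it: Authorization is carried across a redirect to the same host or a subdomain of it and dropped on a redirect to a different domain. The hostnames a.example, sub.a.example and b.example, the bearer token and the single local test server standing in for all three hosts are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// redirectProbe sends a GET carrying an Authorization header to http://a.example/start,
// which redirects to redirectTo, and reports whether the header arrived at the final URL.
// A custom DialContext routes every connection to one local httptest server, so the
// constructed hostnames need no DNS and nothing leaves the machine.
func redirectProbe(redirectTo string) (forwarded bool, err error) {
	var seen string // Authorization value observed at the redirect target
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := strings.Cut(r.Host, ":")
		if host == "a.example" && r.URL.Path == "/start" {
			http.Redirect(w, r, redirectTo, http.StatusFound)
			return
		}
		seen = r.Header.Get("Authorization")
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	client := &http.Client{Transport: &http.Transport{
		// Ignore the requested host:port and dial the test listener instead.
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, network, srv.Listener.Addr().String())
		},
	}}
	defer client.CloseIdleConnections()

	req, err := http.NewRequest(http.MethodGet, "http://a.example/start", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer constructed-token")
	resp, err := client.Do(req) // follows the redirect with the default policy
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("unexpected final status %d", resp.StatusCode)
	}
	return seen != "", nil
}

func main() {
	for _, target := range []string{
		"http://a.example/final",     // same host: header forwarded
		"http://sub.a.example/final", // subdomain: header forwarded
		"http://b.example/final",     // different domain: header dropped
	} {
		fwd, err := redirectProbe(target)
		fmt.Printf("%-28s forwarded=%v err=%v\n", target, fwd, err)
	}
}
```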
# Security update for postgresql15

Announcement ID: SUSE-SU-2023:3384-1
Rating: moderate
References:

* #1214059

Cross-References:

* CVE-2023-39417

CVSS scores:

* CVE-2023-39417 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2023-39417 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5

An update that solves one vulnerability can now be installed.

## Description:

This update for postgresql15 fixes the following issues:

* Update to 12.16
* CVE-2023-39417: Fixed potential SQL injection for trusted extensions. (bsc#1214059)

## Patch Instructions:

To install this SUSE Moderate update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-3384=1
* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-3384=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  * postgresql12-pltcl-debuginfo-12.16-150200.8.47.1
  * postgresql12-plperl-debuginfo-12.16-150200.8.47.1
  * postgresql12-devel-12.16-150200.8.47.1
  * postgresql12-llvmjit-devel-12.16-150200.8.47.1
  * postgresql12-plperl-12.16-150200.8.47.1
  * postgresql12-llvmjit-debuginfo-12.16-150200.8.47.1
  * postgresql12-plpython-12.16-150200.8.47.1
  * postgresql12-llvmjit-12.16-150200.8.47.1
  * postgresql12-12.16-150200.8.47.1
  * postgresql12-devel-debuginfo-12.16-150200.8.47.1
  * postgresql12-pltcl-12.16-150200.8.47.1
  * postgresql12-contrib-debuginfo-12.16-150200.8.47.1
  * postgresql12-server-devel-12.16-150200.8.47.1
  * postgresql12-test-12.16-150200.8.47.1
  * postgresql12-contrib-12.16-150200.8.47.1
  * postgresql12-plpython-debuginfo-12.16-150200.8.47.1
  * postgresql12-debuginfo-12.16-150200.8.47.1
  * postgresql12-server-devel-debuginfo-12.16-150200.8.47.1
  * postgresql12-server-12.16-150200.8.47.1
  * postgresql12-debugsource-12.16-150200.8.47.1
  * postgresql12-server-debuginfo-12.16-150200.8.47.1
* openSUSE Leap 15.4 (noarch)
  * postgresql12-docs-12.16-150200.8.47.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * postgresql12-pltcl-debuginfo-12.16-150200.8.47.1
  * postgresql12-plperl-debuginfo-12.16-150200.8.47.1
  * postgresql12-devel-12.16-150200.8.47.1
  * postgresql12-llvmjit-devel-12.16-150200.8.47.1
  * postgresql12-plperl-12.16-150200.8.47.1
  * postgresql12-llvmjit-debuginfo-12.16-150200.8.47.1
  * postgresql12-plpython-12.16-150200.8.47.1
  * postgresql12-llvmjit-12.16-150200.8.47.1
  * postgresql12-12.16-150200.8.47.1
  * postgresql12-devel-debuginfo-12.16-150200.8.47.1
  * postgresql12-pltcl-12.16-150200.8.47.1
  * postgresql12-contrib-debuginfo-12.16-150200.8.47.1
  * postgresql12-server-devel-12.16-150200.8.47.1
  * postgresql12-test-12.16-150200.8.47.1
  * postgresql12-contrib-12.16-150200.8.47.1
  * postgresql12-plpython-debuginfo-12.16-150200.8.47.1
  * postgresql12-debuginfo-12.16-150200.8.47.1
  * postgresql12-server-devel-debuginfo-12.16-150200.8.47.1
  * postgresql12-server-12.16-150200.8.47.1
  * postgresql12-debugsource-12.16-150200.8.47.1
  * postgresql12-server-debuginfo-12.16-150200.8.47.1
* openSUSE Leap 15.5 (noarch)
  * postgresql12-docs-12.16-150200.8.47.1

## References:

* https://www.suse.com/security/cve/CVE-2023-39417.html
* https://bugzilla.suse.com/show_bug.cgi?id=1214059
SUSE Security Update: Security update for rpm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3445-1
Rating:             important
References:         #1183659 #1185299 #1187670 #1188548
Affected Products:
                    SUSE MicroOS 5.1
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2
                    SUSE Linux Enterprise Module for Python2 15-SP3
                    SUSE Linux Enterprise Module for Public Cloud 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for rpm fixes the following issues:

Security issues fixed:

- PGP hardening changes (bsc#1185299)

Maintenance issues fixed:

- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.1:
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3445=1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3445=1
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2021-3445=1
- SUSE Linux Enterprise Module for Python2 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-3445=1
- SUSE Linux Enterprise Module for Public Cloud 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2021-3445=1
- SUSE Linux Enterprise Module for Development Tools 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3445=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3445=1

Package List:

- SUSE MicroOS 5.1 (aarch64 s390x x86_64):
  python-rpm-debugsource-4.14.3-40.1
  python3-rpm-4.14.3-40.1
  python3-rpm-debuginfo-4.14.3-40.1
  rpm-4.14.3-40.1
  rpm-debuginfo-4.14.3-40.1
  rpm-debugsource-4.14.3-40.1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (aarch64 ppc64le s390x x86_64):
  rpm-build-4.14.3-40.1
  rpm-build-debuginfo-4.14.3-40.1
  rpm-debuginfo-4.14.3-40.1
  rpm-debugsource-4.14.3-40.1
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (aarch64 ppc64le s390x x86_64):
  rpm-build-4.14.3-40.1
  rpm-build-debuginfo-4.14.3-40.1
  rpm-debuginfo-4.14.3-40.1
  rpm-debugsource-4.14.3-40.1
- SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64):
  python-rpm-debugsource-4.14.3-40.1
  python2-rpm-4.14.3-40.1
  python2-rpm-debuginfo-4.14.3-40.1
- SUSE Linux Enterprise Module for Public Cloud 15-SP3 (aarch64 ppc64le s390x x86_64):
  rpm-ndb-4.14.3-40.1
  rpm-ndb-debuginfo-4.14.3-40.1
  rpm-ndb-debugsource-4.14.3-40.1
- SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
  rpm-build-4.14.3-40.1
  rpm-build-debuginfo-4.14.3-40.1
  rpm-debuginfo-4.14.3-40.1
  rpm-debugsource-4.14.3-40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  python-rpm-debugsource-4.14.3-40.1
  python3-rpm-4.14.3-40.1
  python3-rpm-debuginfo-4.14.3-40.1
  rpm-4.14.3-40.1
  rpm-debuginfo-4.14.3-40.1
  rpm-debugsource-4.14.3-40.1
  rpm-devel-4.14.3-40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
  rpm-32bit-4.14.3-40.1
  rpm-32bit-debuginfo-4.14.3-40.1

References:

https://bugzilla.suse.com/1183659
https://bugzilla.suse.com/1185299
https://bugzilla.suse.com/1187670
https://bugzilla.suse.com/1188548
SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1189-1
Rating:             important
References:         #1181256 #1184532 #1184533 #1184534
Cross-References:   CVE-2021-1252 CVE-2021-1404 CVE-2021-1405
CVSS scores:
                    CVE-2021-1252 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-1404 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-1405 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
                    SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for clamav fixes the following issues:

- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1189=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1189=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1189=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1189=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1189=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1189=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1189=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1189=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1189=1
- SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1189=1
- SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1189=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1189=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2021-1189=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE OpenStack Cloud 9 (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE OpenStack Cloud 8 (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1
- HPE Helion Openstack 8 (x86_64):
  clamav-0.103.2-33.35.1
  clamav-debuginfo-0.103.2-33.35.1
  clamav-debugsource-0.103.2-33.35.1

References:

https://www.suse.com/security/cve/CVE-2021-1252.html
https://www.suse.com/security/cve/CVE-2021-1404.html
https://www.suse.com/security/cve/CVE-2021-1405.html
https://bugzilla.suse.com/1181256
https://bugzilla.suse.com/1184532
https://bugzilla.suse.com/1184533
https://bugzilla.suse.com/1184534
SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0593-1
Rating:             important
References:         #923534
Cross-References:   CVE-2015-0817 CVE-2015-0818
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available. It includes one version update.

Description:

MozillaFirefox was updated to the 31.5.3ESR release to fix two security vulnerabilities:

* MFSA 2015-29 / CVE-2015-0817: Security researcher ilxu1a reported, through HP Zero Day Initiative's Pwn2Own contest, a flaw in Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access. This flaw can be leveraged into the reading and writing of memory allowing for arbitrary code execution on the local system.
* MFSA 2015-28 / CVE-2015-0818: Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, a method to run arbitrary scripts in a privileged context. This bypassed the same-origin policy protections by using a flaw in the processing of SVG format content navigation.

Security Issues:

* CVE-2015-0817
* CVE-2015-0818

Patch Instructions:

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-firefox-20150323=10524
- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-firefox-20150323=10524
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-firefox-20150323=10524
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-firefox-20150323=10524

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  MozillaFirefox-devel-31.5.3esr-0.8.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 31.5.3esr]:
  MozillaFirefox-31.5.3esr-0.8.1
  MozillaFirefox-translations-31.5.3esr-0.8.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 31.5.3esr]:
  MozillaFirefox-31.5.3esr-0.8.1
  MozillaFirefox-translations-31.5.3esr-0.8.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 31.5.3esr]:
  MozillaFirefox-31.5.3esr-0.8.1
  MozillaFirefox-translations-31.5.3esr-0.8.1

References:

https://www.suse.com/security/cve/CVE-2015-0817.html
https://www.suse.com/security/cve/CVE-2015-0818.html
https://bugzilla.suse.com/show_bug.cgi?id=923534
https://scc.suse.com:443/patches/
====================================================================
Red Hat Security Advisory

Synopsis:          Important: kernel security update
Advisory ID:       RHSA-2014:2030-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:2030.html
Issue date:        2014-12-22
CVE Names:         CVE-2014-9322
====================================================================

1. Summary:

Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.4 Extended Update Support.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - noarch, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-9322, Important)

Red Hat would like to thank Andy Lutomirski for reporting this issue.

All kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (https://bugzilla.redhat.com/):

1172806 - CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility

6. Package List:

Red Hat Enterprise Linux HPC Node EUS (v. 6.4):

Source:
kernel-2.6.32-358.51.2.el6.src.rpm

noarch:
kernel-doc-2.6.32-358.51.2.el6.noarch.rpm
kernel-firmware-2.6.32-358.51.2.el6.noarch.rpm

x86_64:
kernel-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debug-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.51.2.el6.x86_64.rpm
kernel-devel-2.6.32-358.51.2.el6.x86_64.rpm
kernel-headers-2.6.32-358.51.2.el6.x86_64.rpm
perf-2.6.32-358.51.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4):

Source:
kernel-2.6.32-358.51.2.el6.src.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.51.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
python-perf-2.6.32-358.51.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.4):

Source:
kernel-2.6.32-358.51.2.el6.src.rpm

i386:
kernel-2.6.32-358.51.2.el6.i686.rpm
kernel-debug-2.6.32-358.51.2.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-358.51.2.el6.i686.rpm
kernel-debug-devel-2.6.32-358.51.2.el6.i686.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.51.2.el6.i686.rpm
kernel-devel-2.6.32-358.51.2.el6.i686.rpm
kernel-headers-2.6.32-358.51.2.el6.i686.rpm
perf-2.6.32-358.51.2.el6.i686.rpm
perf-debuginfo-2.6.32-358.51.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.i686.rpm

noarch:
kernel-doc-2.6.32-358.51.2.el6.noarch.rpm
kernel-firmware-2.6.32-358.51.2.el6.noarch.rpm

ppc64:
kernel-2.6.32-358.51.2.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-358.51.2.el6.ppc64.rpm
kernel-debug-2.6.32-358.51.2.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm
kernel-debug-devel-2.6.32-358.51.2.el6.ppc64.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-358.51.2.el6.ppc64.rpm
kernel-devel-2.6.32-358.51.2.el6.ppc64.rpm
kernel-headers-2.6.32-358.51.2.el6.ppc64.rpm
perf-2.6.32-358.51.2.el6.ppc64.rpm
perf-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm

s390x:
kernel-2.6.32-358.51.2.el6.s390x.rpm
kernel-debug-2.6.32-358.51.2.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
kernel-debug-devel-2.6.32-358.51.2.el6.s390x.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-358.51.2.el6.s390x.rpm
kernel-devel-2.6.32-358.51.2.el6.s390x.rpm
kernel-headers-2.6.32-358.51.2.el6.s390x.rpm
kernel-kdump-2.6.32-358.51.2.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
kernel-kdump-devel-2.6.32-358.51.2.el6.s390x.rpm
perf-2.6.32-358.51.2.el6.s390x.rpm
perf-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.s390x.rpm

x86_64:
kernel-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debug-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.51.2.el6.x86_64.rpm
kernel-devel-2.6.32-358.51.2.el6.x86_64.rpm
kernel-headers-2.6.32-358.51.2.el6.x86_64.rpm
perf-2.6.32-358.51.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.4):

Source:
kernel-2.6.32-358.51.2.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-358.51.2.el6.i686.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.51.2.el6.i686.rpm
perf-debuginfo-2.6.32-358.51.2.el6.i686.rpm
python-perf-2.6.32-358.51.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-358.51.2.el6.ppc64.rpm
perf-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm
python-perf-2.6.32-358.51.2.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-358.51.2.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
perf-debuginfo-2.6.32-358.51.2.el6.s390x.rpm
python-perf-2.6.32-358.51.2.el6.s390x.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.51.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm
python-perf-2.6.32-358.51.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.51.2.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-9322
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.