Check_MK stable release 1.4.0p9

The following information has been provided by the Check_MK announce mailing list.

Dear friends of Check_MK,

the new stable release 1.4.0p9 of Check_MK is ready for download.

This maintenance release ships with 33 changes affecting all editions of Check_MK,
7 Enterprise Edition specific changes and 2 Managed Service Edition specific changes.

Changes in all Check_MK Editions:

WATO:
* 4954 FIX: Host/Folder properties: fixed displaying of inherited checkbox tag group values
* 4953 FIX: Fixed possible exception during activation when files are modified while activating
* 4995 FIX: Fixed broken link from contact group list page to rulesets
* 4996 FIX: Backup targets: Fixed possible MemoryError exception when editing a target
* 4994 FIX: Analyze host rulesets: Fixed rendering of some values (e.g. Count, size and age of files)

User interface:
* 4950 FIX: Virtual host tree: Fixed navigating back to root of tree
* 4969 FIX: Service discovery view: Fixed sorting service descriptions
* 4988 FIX: LDAP: Improve error handling in case of authentication failures
* 4992 FIX: Fixed sending fake DOWN states for hosts when using Nagios core
* 5002 FIX: Fixed possible exception related to multisite_user_connectors on login failures
* 4949 FIX: Fixed grouping by host-/servicegroup in availability views
* 4952 FIX: Fixed broken alert statistics view (regression since 1.4.0p8)

Livestatus:
* 4852 FIX: Livestatus connections: fixed bug where data from previous connection got reused

Event console:
* 4993 FIX: Fixed visibility of events for users with limited access to events
* 5003 FIX: Fixed missing filtering by effective contact groups of events
* 4951 FIX: Added missing host custom variables to notifications created by the EC

Checks & agents:
* 4973 FIX: zpool: Fixed missing include statement which causes undefined ‘df_inventory’ error if using Nagios core
* 4976 FIX: wmi_cpuload: Fixed UNKNOWN service state due to werk #4742
* 4914 FIX: statgrab_mem: Plugin is now prioritized over solaris_mem if both is available
* 4915 FIX: solaris_mem: Unified graphs and Per-O-Meter with common memory checks
* 4884 FIX: oracle_logswitches: Fixed missing oracle.include
* 4980 FIX: mssql_counters.file_sizes: Added readable titles of related metrics
* 4972 FIX: mk_inventory.aix: Use MK_VARDIR instead of MK_CONFDIR for the state file
* 4978 FIX: ipmi: Ignore sensors with state ‘na’
* 4968 FIX: f5_bigip_cluster_status_v11_2: Now has its own check plugin file; This updates werk #4819
NOTE: Please refer to the migration notes!
* 4801 FIX: emc_datadomain_fs: Fix broken filesystem graph
* 4849 FIX: Windows mrpe scripts: strip leading whitespaces in mrpe command
* 4848 FIX: Windows Agent / fileinfo: fixed another issue, where meta information (size,age) was not accessible
* 4844 FIX: Windows Agent / Fileinfo: now able to read files meta information (size, age) even when file is locked
* 5021 FIX: Make sure that the output of the event console active check is valid
* 4850 FIX: Improved WATO service discovery performance
* 4846 FIX: ESX monitoring: fixed incomplete data, when the xml response from the esx server includes newlines

Changes in the Check_MK Enterprise Edition:

Reporting & availability:
* 5001 FIX: PDF exports: Default graph layout options were not applied
* 4957 FIX: Group headers of views are now displayed in PDF reports

Metrics system:
* 4997 FIX: Fixed visibility of metric toggle switch in graph designer
* 4563 FIX: Fix issue with @ in metric title

Livestatus:
* 5018 FIX: Handle vanished service groups correctly

Core & setup:
* 4956 FIX: Fixed possible exception in cmc.log when working with piggyback data

Agent bakery:
* 4991 FIX: Fixed the Installed-Size header of baked deb packages

Changes in the Check_MK Managed Service Edition:

WATO:
* 4959 FIX: Web-API: Fixed calls related to groups when using CME
* 4958 FIX: Group changes are added only to affected sites

You can download Check_MK from our download page:
* http://mathias-kettner.de/check_mk_download.html

Please mail bug reports and qualified feedback to feedback@check-mk.org.
We greatly thank you for using Check_MK and wish you a successful monitoring,

Your Check_MK Team

openSUSE-SU-2017:1948-1: important: Security update for rubygem-puppet

The following information has been provided by the openSUSE security announce mailing list.

openSUSE Security Update: Security update for rubygem-puppet
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1948-1
Rating:             important
References:         #1040151
Cross-References:   CVE-2017-2295
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for rubygem-puppet fixes the following issues:

– CVE-2017-2295: A remote attacker could have forced unsafe YAML
deserialization which could have led to code execution (bsc#1040151)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE Leap 42.3:

zypper in -t patch openSUSE-2017-835=1

– openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-835=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE Leap 42.3 (i586 x86_64):

ruby2.1-rubygem-puppet-3.8.7-20.1
ruby2.1-rubygem-puppet-doc-3.8.7-20.1
ruby2.1-rubygem-puppet-testsuite-3.8.7-20.1
ruby2.2-rubygem-puppet-3.8.7-20.1
ruby2.2-rubygem-puppet-doc-3.8.7-20.1
ruby2.2-rubygem-puppet-testsuite-3.8.7-20.1
ruby2.3-rubygem-puppet-3.8.7-20.1
ruby2.3-rubygem-puppet-doc-3.8.7-20.1
ruby2.3-rubygem-puppet-testsuite-3.8.7-20.1
ruby2.4-rubygem-puppet-3.8.7-20.1
ruby2.4-rubygem-puppet-doc-3.8.7-20.1
ruby2.4-rubygem-puppet-testsuite-3.8.7-20.1
rubygem-puppet-3.8.7-20.1
rubygem-puppet-master-3.8.7-20.1

– openSUSE Leap 42.3 (noarch):

rubygem-puppet-emacs-3.8.7-20.1
rubygem-puppet-master-unicorn-3.8.7-20.1
rubygem-puppet-vim-3.8.7-20.1

– openSUSE Leap 42.2 (i586 x86_64):

ruby2.1-rubygem-puppet-3.8.7-17.3.1
ruby2.1-rubygem-puppet-doc-3.8.7-17.3.1
ruby2.1-rubygem-puppet-testsuite-3.8.7-17.3.1
rubygem-puppet-3.8.7-17.3.1
rubygem-puppet-master-3.8.7-17.3.1

– openSUSE Leap 42.2 (noarch):

rubygem-puppet-emacs-3.8.7-17.3.1
rubygem-puppet-master-unicorn-3.8.7-17.3.1
rubygem-puppet-vim-3.8.7-17.3.1

References:

https://www.suse.com/security/cve/CVE-2017-2295.html
https://bugzilla.suse.com/1040151

SUSE-SU-2017:1946-1: important: Security update for Linux Kernel Live Patch 10 for SLE 12 SP1

The following information has been provided by the openSUSE security announce mailing list.

SUSE Security Update: Security update for Linux Kernel Live Patch 10 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1946-1
Rating:             important
References:         #1013543 #1014271 #1021417 #1025013 #1025254
#1030575 #1031481 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has 8 fixes is
now available.

Description:

This update for the Linux Kernel 3.12.67-60_64_21 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12-SP1:

zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1212=1

– SUSE Linux Enterprise Server 12-SP1-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1212=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

kgraft-patch-3_12_67-60_64_21-default-7-3.1
kgraft-patch-3_12_67-60_64_21-xen-7-3.1

– SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

kgraft-patch-3_12_67-60_64_21-default-7-3.1
kgraft-patch-3_12_67-60_64_21-xen-7-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1013543
https://bugzilla.suse.com/1014271
https://bugzilla.suse.com/1021417
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1025254
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1945-1: important: Security update for Linux Kernel Live Patch 20 for SLE 12

The following information has been provided by the openSUSE security announce mailing list.

SUSE Security Update: Security update for Linux Kernel Live Patch 20 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1945-1
Rating:             important
References:         #1025013 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12
SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for the Linux Kernel 3.12.61-52_69 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12:

zypper in -t patch SUSE-SLE-SAP-12-2017-1205=1

– SUSE Linux Enterprise Server 12-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-2017-1205=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12 (x86_64):

kgraft-patch-3_12_61-52_69-default-3-3.1
kgraft-patch-3_12_61-52_69-xen-3-3.1

– SUSE Linux Enterprise Server 12-LTSS (x86_64):

kgraft-patch-3_12_61-52_69-default-3-3.1
kgraft-patch-3_12_61-52_69-xen-3-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1944-1: important: Security update for Linux Kernel Live Patch 14 for SLE 12 SP1

The following information has been provided by the openSUSE security announce mailing list.

SUSE Security Update: Security update for Linux Kernel Live Patch 14 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1944-1
Rating:             important
References:         #1031481 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for the Linux Kernel 3.12.69-60_64_35 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12-SP1:

zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1210=1

– SUSE Linux Enterprise Server 12-SP1-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1210=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

kgraft-patch-3_12_69-60_64_35-default-3-3.1
kgraft-patch-3_12_69-60_64_35-xen-3-3.1

– SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

kgraft-patch-3_12_69-60_64_35-default-3-3.1
kgraft-patch-3_12_69-60_64_35-xen-3-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1943-1: important: Security update for Linux Kernel Live Patch 15 for SLE 12 SP1

The following information has been provided by the openSUSE security announce mailing list.

SUSE Security Update: Security update for Linux Kernel Live Patch 15 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1943-1
Rating:             important
References:         #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for the Linux Kernel 3.12.74-60_64_40 fixes one issue.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12-SP1:

zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1209=1

– SUSE Linux Enterprise Server 12-SP1-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1209=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

kgraft-patch-3_12_74-60_64_40-default-2-3.1
kgraft-patch-3_12_74-60_64_40-xen-2-3.1

– SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

kgraft-patch-3_12_74-60_64_40-default-2-3.1
kgraft-patch-3_12_74-60_64_40-xen-2-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1941-1: important: Security update for Linux Kernel Live Patch 13 for SLE 12 SP1

The following information has been provided by the openSUSE security announce mailing list.

SUSE Security Update: Security update for Linux Kernel Live Patch 13 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1941-1
Rating:             important
References:         #1030575 #1031481 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has three fixes
is now available.

Description:

This update for the Linux Kernel 3.12.69-60_64_32 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12-SP1:

zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1208=1

– SUSE Linux Enterprise Server 12-SP1-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1208=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

kgraft-patch-3_12_69-60_64_32-default-4-3.1
kgraft-patch-3_12_69-60_64_32-xen-4-3.1

– SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

kgraft-patch-3_12_69-60_64_32-default-4-3.1
kgraft-patch-3_12_69-60_64_32-xen-4-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1939-1: important: Security update for Linux Kernel Live Patch 21 for SLE 12

The following information has been provided by the openSUSE security announce mailing list.

SUSE Security Update: Security update for Linux Kernel Live Patch 21 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1939-1
Rating:             important
References:         #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12
SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for the Linux Kernel 3.12.61-52_72 fixes one issue.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12:

zypper in -t patch SUSE-SLE-SAP-12-2017-1206=1

– SUSE Linux Enterprise Server 12-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-2017-1206=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12 (x86_64):

kgraft-patch-3_12_61-52_72-default-2-3.1
kgraft-patch-3_12_61-52_72-xen-2-3.1

– SUSE Linux Enterprise Server 12-LTSS (x86_64):

kgraft-patch-3_12_61-52_72-default-2-3.1
kgraft-patch-3_12_61-52_72-xen-2-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1937-1: important: Security update for Linux Kernel Live Patch 12 for SLE 12 SP1

The following information has been provided by the openSUSE security announce mailing list.

SUSE Security Update: Security update for Linux Kernel Live Patch 12 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1937-1
Rating:             important
References:         #1025013 #1025254 #1030575 #1031481 #1031660
#1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has 5 fixes is
now available.

Description:

This update for the Linux Kernel 3.12.69-60_64_29 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12-SP1:

zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1207=1

– SUSE Linux Enterprise Server 12-SP1-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1207=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

kgraft-patch-3_12_69-60_64_29-default-5-3.1
kgraft-patch-3_12_69-60_64_29-xen-5-3.1

– SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

kgraft-patch-3_12_69-60_64_29-default-5-3.1
kgraft-patch-3_12_69-60_64_29-xen-5-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1025254
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

openSUSE-SU-2017:1933-1: important: Security update for evince

The following information has been provided by the openSUSE security announce mailing list.

openSUSE Security Update: Security update for evince
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1933-1
Rating:             important
References:         #1046856
Cross-References:   CVE-2017-1000083
Affected Products:
openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for evince fixes the following issues:

– CVE-2017-1000083: Remote attackers could have used the comicbook mode of
evince to inject shell code. (bsc#1046856, bgo#784630)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-834=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE Leap 42.2 (x86_64):

evince-3.20.1-2.3.1
evince-browser-plugin-3.20.1-2.3.1
evince-browser-plugin-debuginfo-3.20.1-2.3.1
evince-debuginfo-3.20.1-2.3.1
evince-debugsource-3.20.1-2.3.1
evince-devel-3.20.1-2.3.1
evince-plugin-comicsdocument-3.20.1-2.3.1
evince-plugin-comicsdocument-debuginfo-3.20.1-2.3.1
evince-plugin-djvudocument-3.20.1-2.3.1
evince-plugin-djvudocument-debuginfo-3.20.1-2.3.1
evince-plugin-dvidocument-3.20.1-2.3.1
evince-plugin-dvidocument-debuginfo-3.20.1-2.3.1
evince-plugin-pdfdocument-3.20.1-2.3.1
evince-plugin-pdfdocument-debuginfo-3.20.1-2.3.1
evince-plugin-psdocument-3.20.1-2.3.1
evince-plugin-psdocument-debuginfo-3.20.1-2.3.1
evince-plugin-tiffdocument-3.20.1-2.3.1
evince-plugin-tiffdocument-debuginfo-3.20.1-2.3.1
evince-plugin-xpsdocument-3.20.1-2.3.1
evince-plugin-xpsdocument-debuginfo-3.20.1-2.3.1
libevdocument3-4-3.20.1-2.3.1
libevdocument3-4-debuginfo-3.20.1-2.3.1
libevview3-3-3.20.1-2.3.1
libevview3-3-debuginfo-3.20.1-2.3.1
nautilus-evince-3.20.1-2.3.1
nautilus-evince-debuginfo-3.20.1-2.3.1
typelib-1_0-EvinceDocument-3_0-3.20.1-2.3.1
typelib-1_0-EvinceView-3_0-3.20.1-2.3.1

– openSUSE Leap 42.2 (noarch):

evince-lang-3.20.1-2.3.1

RHSA-2017:1793 – Security Advisory

Synopsis

Important: graphite2 security update

Type/Severity

Security Advisory: Important

Topic

An update for graphite2 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Graphite2 is a project within SIL’s Non-Roman Script Initiative and Language Software Development groups to provide rendering capabilities for complex non-Roman writing systems. Graphite can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors. With respect to the Text Encoding Model, Graphite handles the “Rendering” aspect of writing system implementation.

The following packages have been upgraded to a newer upstream version: graphite2 (1.3.10).

Security Fix(es):

  • Various vulnerabilities have been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to disclose potentially sensitive memory, cause an application crash, or, possibly, execute arbitrary code. (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Holger Fuhrmannek and Tyson Smith as the original reporters of these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Server – Extended Update Support 7.3 x86_64
  • Red Hat Enterprise Linux Server – AUS 7.3 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 7.3 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Power, big endian – Extended Update Support 7.3 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux EUS Compute Node 7.3 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Enterprise Linux for Power, little endian – Extended Update Support 7.3 ppc64le
  • Red Hat Enterprise Linux Server for ARM 7 aarch64
  • Red Hat Enterprise Linux Server – TUS 7.3 x86_64

Fixes

  • BZ – 1461260 – CVE-2017-7778 Mozilla: Vulnerabilities in the Graphite 2 library (MFSA 2017-16)
  • BZ – 1472212 – CVE-2017-7771 graphite2: out of bounds read in “graphite2::Pass::readPass”
  • BZ – 1472213 – CVE-2017-7772 graphite2: heap-buffer-overflow write “lz4::decompress” (CVE-2017-7772)
  • BZ – 1472215 – CVE-2017-7773 graphite2: heap-buffer-overflow write “lz4::decompress” (src/Decompressor)
  • BZ – 1472219 – CVE-2017-7774 graphite2: out of bounds read “graphite2::Silf::readGraphite”
  • BZ – 1472221 – CVE-2017-7775 graphite2: assertion error “size() > n”
  • BZ – 1472223 – CVE-2017-7776 graphite2: heap-buffer-overflow read “graphite2::Silf::getClassGlyph”
  • BZ – 1472225 – CVE-2017-7777 graphite2: use of uninitialized memory “graphite2::GlyphCache::Loader::read_glyph”

Source: RHSA-2017:1793 – Security Advisory – Red Hat Customer Portal

CESA-2017:1793 Important CentOS 7 graphite2 Security Update

The following information has been provided by the CENTOS announce mailing list.

CentOS Errata and Security Advisory 2017:1793 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2017:1793

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
c3e6a22ff94cc8f2dff08a00f4fb2bdf24dad7c113f2e92e57ab2d58f2395b0c  graphite2-1.3.10-1.el7_3.i686.rpm
06cc9092a8016778f4708c4d6443e76e4bc628b047dc83af8155ee694e6035df  graphite2-1.3.10-1.el7_3.x86_64.rpm
9b929a1b6f97f17de020928bc2d58db1d98a975bcbd49eccbc9e14ac240c061e  graphite2-devel-1.3.10-1.el7_3.i686.rpm
0f0ffdc164dc72b02f7de2147b50b1db15f3c5597d6cd34de7788a4804c8da30  graphite2-devel-1.3.10-1.el7_3.x86_64.rpm

Source:
346757f69f162461ef4a26d2e08994c53837f4858c5a64fc46d0e483f522f2b5  graphite2-1.3.10-1.el7_3.src.rpm

RHSA-2017:1789 – Security Advisory

Synopsis

Critical: java-1.8.0-openjdk security update

Type/Severity

Security Advisory: Critical

Topic

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

  • It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-10102)
  • Multiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries, AWT, Hotspot, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10107, CVE-2017-10096, CVE-2017-10101, CVE-2017-10089, CVE-2017-10090, CVE-2017-10087, CVE-2017-10111, CVE-2017-10110, CVE-2017-10074, CVE-2017-10067)
  • It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers. (CVE-2017-10116)
  • It was discovered that the Nashorn JavaScript engine in the Scripting component of OpenJDK could allow scripts to access Java APIs even when access to Java APIs was disabled. An untrusted JavaScript executed by Nashorn could use this flaw to bypass intended restrictions. (CVE-2017-10078)
  • It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept certificate using one of the disabled algorithms. (CVE-2017-10198)
  • A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2017-10115)
  • A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. (CVE-2017-10135)
  • It was discovered that the BasicAttribute and CodeSource classes in OpenJDK did not limit the amount of memory allocated when creating object instances from a serialized form. A specially crafted serialized input stream could cause Java to consume an excessive amount of memory. (CVE-2017-10108, CVE-2017-10109)
  • Multiple flaws were found in the Hotspot and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-10081, CVE-2017-10193)
  • It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory. (CVE-2017-10053)

Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Server 6 x86_64
  • Red Hat Enterprise Linux Server 6 i386
  • Red Hat Enterprise Linux Server – Extended Update Support 7.3 x86_64
  • Red Hat Enterprise Linux Workstation 6 x86_64
  • Red Hat Enterprise Linux Workstation 6 i386
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux Desktop 6 x86_64
  • Red Hat Enterprise Linux Desktop 6 i386
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 7.3 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Power, big endian – Extended Update Support 7.3 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Scientific Computing 6 x86_64
  • Red Hat Enterprise Linux EUS Compute Node 7.3 x86_64
  • Red Hat Enterprise Linux Server – AUS 7.3 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Enterprise Linux for Power, little endian – Extended Update Support 7.3 ppc64le
  • Red Hat Enterprise Linux Server for ARM 7 aarch64
  • Red Hat Enterprise Linux Server – TUS 7.3 x86_64

Fixes

  • BZ – 1471266 – CVE-2017-10107 OpenJDK: insufficient access control checks in ActivationID (RMI, 8173697)
  • BZ – 1471270 – CVE-2017-10089 OpenJDK: insufficient access control checks in ServiceRegistry (ImageIO, 8172461)
  • BZ – 1471517 – CVE-2017-10090 OpenJDK: insufficient access control checks in AsynchronousChannelGroupImpl (8172465, Libraries)
  • BZ – 1471521 – CVE-2017-10087 OpenJDK: insufficient access control checks in ThreadPoolExecutor (Libraries, 8172204)
  • BZ – 1471523 – CVE-2017-10110 OpenJDK: insufficient access control checks in ImageWatched (AWT, 8174098)
  • BZ – 1471526 – CVE-2017-10111 OpenJDK: incorrect range checks in LambdaFormEditor (Libraries, 8184185)
  • BZ – 1471527 – CVE-2017-10101 OpenJDK: unrestricted access to com.sun.org.apache.xml.internal.resolver (JAXP, 8173286)
  • BZ – 1471528 – CVE-2017-10096 OpenJDK: insufficient access control checks in XML transformations (JAXP, 8172469)
  • BZ – 1471534 – CVE-2017-10074 OpenJDK: integer overflows in range check loop predicates (Hotspot, 8173770)
  • BZ – 1471535 – CVE-2017-10067 OpenJDK: JAR verifier incorrect handling of missing digest (Security, 8169392)
  • BZ – 1471670 – CVE-2017-10109 OpenJDK: unbounded memory allocation in CodeSource deserialization (Serialization, 8174113)
  • BZ – 1471711 – CVE-2017-10081 OpenJDK: incorrect bracket processing in function signature handling (Hotspot, 8170966)
  • BZ – 1471715 – CVE-2017-10193 OpenJDK: incorrect key size constraint check (Security, 8179101)
  • BZ – 1471738 – CVE-2017-10116 OpenJDK: LDAPCertStore following referrals to non-LDAP URLs (Security, 8176067)
  • BZ – 1471851 – CVE-2017-10115 OpenJDK: DSA implementation timing attack (JCE, 8175106)
  • BZ – 1471871 – CVE-2017-10135 OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760)
  • BZ – 1471888 – CVE-2017-10108 OpenJDK: unbounded memory allocation in BasicAttribute deserialization (Serialization, 8174105)
  • BZ – 1471889 – CVE-2017-10053 OpenJDK: reading of unprocessed image data in JPEGImageReader (2D, 8169209)
  • BZ – 1471898 – CVE-2017-10078 OpenJDK: Nashorn incompletely blocking access to Java APIs (Scripting, 8171539)
  • BZ – 1472320 – CVE-2017-10198 OpenJDK: incorrect enforcement of certificate path restrictions (Security, 8179998)
  • BZ – 1472345 – CVE-2017-10102 OpenJDK: incorrect handling of references in DGC (RMI, 8163958)

References

RHSA-2017:1789 – Security Advisory

Source: RHSA-2017:1789 – Security Advisory – Red Hat Customer Portal

CESA-2017:1789 Critical CentOS 7 java-1.8.0-openjdk Security Update

The following information has been provided by the CENTOS announce mailing list.

CentOS Errata and Security Advisory 2017:1789 Critical

Upstream details at: https://access.redhat.com/errata/RHSA-2017:1789

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

Source:
3648961c8cb07f0426f5cb9b688737664afd5188095ee5630008c207a7f23274  java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.src.rpm

CESA-2017:1789 Critical CentOS 6 java-1.8.0-openjdk Security Update

The following information has been provided by the CENTOS announce mailing list.

CentOS Errata and Security Advisory 2017:1789 Critical

Upstream details at: https://access.redhat.com/errata/RHSA-2017:1789

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

Source:
8661435a6023919fb61977e19566d75143a782482866ab55114873a83a1982dc  java-1.8.0-openjdk-1.8.0.141-2.b16.el6_9.src.rpm

SUSE-SU-2017:1925-1: important: Security update for Linux Kernel Live Patch 6 for SLE 12 SP2

The following information has been provided by the opensuse security announce mailing list

SUSE Security Update: Security update for Linux Kernel Live Patch 6 for SLE 12 SP2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1925-1
Rating:             important
References:         #1031481 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for the Linux Kernel 4.4.49-92_14 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Live Patching 12:

zypper in -t patch SUSE-SLE-Live-Patching-12-2017-1196=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Live Patching 12 (x86_64):

kgraft-patch-4_4_49-92_14-default-3-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1924-1: important: Security update for Linux Kernel Live Patch 19 for SLE 12

The following information has been provided by the opensuse security announce mailing list

SUSE Security Update: Security update for Linux Kernel Live Patch 19 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1924-1
Rating:             important
References:         #1025013 #1030575 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12
SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has three fixes
is now available.

Description:

This update for the Linux Kernel 3.12.61-52_66 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12:

zypper in -t patch SUSE-SLE-SAP-12-2017-1195=1

– SUSE Linux Enterprise Server 12-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-2017-1195=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12 (x86_64):

kgraft-patch-3_12_61-52_66-default-5-3.1
kgraft-patch-3_12_61-52_66-xen-5-3.1

– SUSE Linux Enterprise Server 12-LTSS (x86_64):

kgraft-patch-3_12_61-52_66-default-5-3.1
kgraft-patch-3_12_61-52_66-xen-5-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1923-1: important: Security update for Linux Kernel Live Patch 4 for SLE 12 SP2

The following information has been provided by the opensuse security announce mailing list

SUSE Security Update: Security update for Linux Kernel Live Patch 4 for SLE 12 SP2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1923-1
Rating:             important
References:         #1019079 #1025013 #1025254 #1030575 #1031481 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves one vulnerability and has 6 fixes is
now available.

Description:

This update for the Linux Kernel 4.4.38-93 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Live Patching 12:

zypper in -t patch SUSE-SLE-Live-Patching-12-2017-1197=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Live Patching 12 (x86_64):

kgraft-patch-4_4_38-93-default-6-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1019079
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1025254
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496

SUSE-SU-2017:1922-1: important: Security update for Linux Kernel Live Patch 18 for SLE 12

The following information has been provided by the opensuse security announce mailing list

SUSE Security Update: Security update for Linux Kernel Live Patch 18 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1922-1
Rating:             important
References:         #1017589 #1025013 #1030575 #1031660 #1039496
Cross-References:   CVE-2017-1000364
Affected Products:
SUSE Linux Enterprise Server for SAP 12
SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has four fixes
is now available.

Description:

This update for the Linux Kernel 3.12.60-52_63 fixes several issues.

The following security bugs were fixed:

– CVE-2017-1000364: An issue was discovered in the size of the stack guard
page on Linux, specifically a 4k stack guard page is not sufficiently
large and can be “jumped” over (the stack guard page is bypassed)
(bsc#1039496).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for SAP 12:

zypper in -t patch SUSE-SLE-SAP-12-2017-1194=1

– SUSE Linux Enterprise Server 12-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-2017-1194=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for SAP 12 (x86_64):

kgraft-patch-3_12_60-52_63-default-6-3.1
kgraft-patch-3_12_60-52_63-xen-6-3.1

– SUSE Linux Enterprise Server 12-LTSS (x86_64):

kgraft-patch-3_12_60-52_63-default-6-3.1
kgraft-patch-3_12_60-52_63-xen-6-3.1

References:

https://www.suse.com/security/cve/CVE-2017-1000364.html
https://bugzilla.suse.com/1017589
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1039496