Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.2458 Security update for ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud 20 May 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-29970 CVE-2022-23452 CVE-2022-23451 CVE-2022-22817 CVE-2022-22816 CVE-2022-22815 CVE-2021-44716 CVE-2021-43818 CVE-2021-43813 CVE-2021-41184 CVE-2021-41183 CVE-2021-41182 CVE-2021-40085 CVE-2021-38155 CVE-2021-28957 CVE-2020-27783 CVE-2018-19787 CVE-2014-3146 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20221729-1 Comment: CVSS (Max): 8.0 CVE-2021-40085 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-not ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1729-1 Rating: important References: #1118088 #1179534 #1184177 #1186380 #1189390 #1189794 #1192070 #1192073 #1192075 #1193597 #1193688 #1193752 #1194521 #1194551 #1194552 #1194952 #1194954 #1199138 Cross-References: CVE-2018-19787 CVE-2020-27783 CVE-2021-28957 CVE-2021-38155 CVE-2021-40085 CVE-2021-41182 CVE-2021-41183 CVE-2021-41184 CVE-2021-43813 CVE-2021-43818 CVE-2021-44716 CVE-2022-22815 CVE-2022-22816 CVE-2022-22817 CVE-2022-23451 CVE-2022-23452 CVE-2022-29970 Affected Products: SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 ______________________________________________________________________________ es-suse-openstack-cloud An update that solves 17 vulnerabilities, contains two features and has one errata is now available. Description: This update for ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud fixes the following issues: Security fixes included on the update: ardana-barbican: o Update policies to protect container secret access (SOC-11621) o Update policies to protect secret metadata access (SOC-11620) openstack-neutron: o CVE-2021-40085: Fixed arbitrary dnsmasq reconfiguration via extra_dhcp_opts (bsc#1189794). rubygem-sinatra: o CVE-2022-29970: Fixed path traversal possible outside of public_dir when serving static files (bsc#1199138). python-XStatic-jquery-ui: o CVE-2021-41182: Fixed XSS in the `altField` option of the Datepicker widget (bsc#1192070) o CVE-2021-41183: Fixed XSS in the `of` option of the `.position()` util (bsc #1192073) o CVE-2021-41184: Fixed XSS in `*Text` options of the Datepicker widget (bsc# 1192075) python-lxml: o CVE-2018-19787: Fixed that the lxml.html.clean module does remove javascript in lxml/html/clean.py (bsc#1118088). o CVE-2020-27783: Fixed mXSS due to the use of improper parser (bsc#1179534). o CVE-2021-28957: Fixed missing input sanitization for formaction HTML5 attributes that may have led to XSS (bsc#1184177). o CVE-2021-43818: Fixed HTML Cleaner that allowed crafted and SVG embedded scripts to pass through (bsc#1193752). openstack-barbican: o CVE-2022-23451: Disallows authenticated users to add/modify/delete arbitrary metadata on any secret (bsc#1194952). o CVE-2022-23452: Disallows anyone with an admin role to add their secrets to a different project's containers (bsc#1194954). grafana: o CVE-2021-44716: Fixed net/http: limit growth of header canonicalization cache (bsc#1193597). openstack-keystone: o CVE-2021-38155: Fixed information disclosure during account locking (bsc# 1189390). Non-security fixes included on the update: Changes in ardana-barbican: o Update to version 9.0+git.1644879908.8a641c1: * Update policies to protect container secret access (SOC-11621) o Update to version 9.0+git.1643052417.9a3348e: * update policies to protect secret metadata access (SOC-11620) Changes in grafana: o Add CVE-2021-43813.patch (bsc#1193688, CVE-2021-43813) * directory traversal vulnerability for .md files o Bump Go to 1.16 (bsc#1193597, CVE-2021-44716) * Fix Go net/http: limit growth of header canonicalization cache Changes in openstack-barbican: o Add patches (0001-Fix-RBAC-and-ACL-access-for-managing-secret-containe.patch and 0001-Fix-policy-for-adding-a-secret-to-a-container.patch) to fix the legacy policy rules for adding a secret to a container and removing a secret from a container. bsc#1194954,CVE-2022-23452 o Add patch (0001-Fix-secret-metadata-access-rules.patch) to fix the legacy policy rules for accessing secret metadata by checking that the user making the request is authenticated for the project that owns the secret. bsc# 1194952,CVE-2022-23451 Changes in openstack-cinder: o Update to version cinder-13.0.10.dev24: * Correct group:reset\_group\ _snapshot\_status policy Changes in openstack-cinder: o Update to version cinder-13.0.10.dev24: * Correct group:reset\_group\ _snapshot\_status policy Changes in openstack-heat-gbp: o Update to version group-based-policy-automation-14.0.1.dev4: * Add support for yoga o Update to version group-based-policy-automation-14.0.1.dev3: * Python2/3 compatibility fixes o Update to version group-based-policy-automation-14.0.1.dev2: * Add support for xena o Update to version group-based-policy-automation-14.0.1.dev1: * Remove py27 from gate jobs 14.0.0 Changes in openstack-horizon-plugin-gbp-ui: o Update to version group-based-policy-ui-14.0.1.dev3: * Add support for yoga o Update to version group-based-policy-ui-14.0.1.dev2: * Python2/3 compatibility changes o Update to version group-based-policy-ui-14.0.1.dev1: * Add support for xena 14.0.0 Changes in openstack-ironic: o Update to version ironic-11.1.5.dev18: * Cleanup stable/rocky legacy jobs Changes in openstack-ironic: o Update to version ironic-11.1.5.dev18: * Cleanup stable/rocky legacy jobs Changes in openstack-keystone: o Update to version keystone-14.2.1.dev9: * Delete system role assignments from system\_assignment table Changes in openstack-keystone: o Add patch (0001-Hide-AccountLocked-exception-from-end-users.patch) to fix the problem where AccountLocked exception discloses sensitive information. bsc#1189390,CVE-2021-38155 o Update to version keystone-14.2.1.dev9: * Delete system role assignments from system\_assignment table Changes in openstack-neutron-gbp: o Update to version group-based-policy-14.0.1.dev33: * Populate network mtu for erspan o Update to version group-based-policy-14.0.1.dev32: * ERSPAN config error when Openstack port is created in a different project than network it belongs to 2014.2.rc1 o Update to version group-based-policy-14.0.1.dev31: * Python2/3 compatibility fixes 2014.2.0rc1 o Update to version group-based-policy-14.0.1.dev29: * Fix oslo\_i18n usage o Update to version group-based-policy-14.0.1.dev27: * Update mechanism\ _driver cache 2014.2.rc1 o Update to version group-based-policy-14.0.1.dev26: * Add support for xena o Update to version group-based-policy-14.0.1.dev24: * update\_floatingip\ _status\_while\_deleting\_the\_vm o Update to version group-based-policy-14.0.1.dev22: * Updating host id by appending pid in existing host id 2014.2.0rc1 o Update to version group-based-policy-14.0.1.dev20: * Revert "Add workaround to get\_subnets" Changes in python-lxml: o Fix bsc#1179534 (CVE-2020-27783) mXSS due to the use of improper parser Patch files: 0001-CVE-2020-27783.patch 0002-CVE-2020-27783.patch o Fix bsc#1118088 (CVE-2018-19787) lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks Patch file: 0001-CVE-2018-19787.patch o Fix bsc#1184177 (CVE-2021-28957) missing input sanitization for formaction HTML5 attributes may lead to XSS Patch file: 0001-CVE-2021-28957.patch o Fix bsc#1193752 (CVE-2021-43818) Cleaner: Remove SVG image data URLs since they can embed script content. Reported as GHSL-2021-1037 and GHSL-2021-1038 Patch files 0001-CVE-2021-43818.patch 0002-CVE-2021-43818.patch Changes in openstack-neutron-doc: o Update to version neutron-13.0.8.dev206: * Wait longer before deleting DPDK vhu trunk bridges o Update to version neutron-13.0.8.dev205: * Do no use "--strict" for OF deletion in TRANSIENT\_TABLE o Update to version neutron-13.0.8.dev203: * Populate self.floating\_ips\ _dict using "ip rule" information o Update to version neutron-13.0.8.dev201: * [Functional] Wait for the initial state of ha router before test * Don't setup bridge controller if it is already set o Update to version neutron-13.0.8.dev198: * Remove dhcp\_extra\_opt name after first newline character o Update to version neutron-13.0.8.dev196: * [L3] Use processing queue for network update events * Add extra logs to the network update callback in L3 agent o Update to version neutron-13.0.8.dev192: * Remove dhcp\_extra\_opt value after first newline character o Update to version neutron-13.0.8.dev190: * Don't use singleton in routes.middleware.RoutesMiddleware o Update to version neutron-13.0.8.dev189: * Fix notify listener syntax for SEGMENT\_HOST\_MAPPING o Update to version neutron-13.0.8.dev188: * Clean port forwarding cache when router is DOWN o Update to version neutron-13.0.8.dev186: * Remove FIP agent's gw port when L3 agent is deleted o Update to version neutron-13.0.8.dev184: * Force to close http connection after notify about HA router status o Update to version neutron-13.0.8.dev183: * Don't configure dnsmasq entries for "network" ports o Update to version neutron-13.0.8.dev181: * Exclude fallback tunnel devices from netns cleanup o Update to version neutron-13.0.8.dev180: * [DVR] Send allowed address pairs info to the L3 agents * designate: allow PTR zone creation to fail * Don't try to create default SG when security groups are disabled o Update to version neutron-13.0.8.dev174: * Fix update of trunk subports during live migration o Update to version neutron-13.0.8.dev172: * [ovs fw] Restrict IPv6 NA and DHCP(v6) IP and MAC source addresses o Update to version neutron-13.0.8.dev170: * Call install\_ingress\_direct\ _goto\_flows() when ovs restarts o Update to version neutron-13.0.8.dev168: * Fix multicast traffic with IGMP snooping enabled o Update to version neutron-13.0.8.dev166: * Fix OVS conjunctive IP flows cleanup Changes in openstack-neutron: o Update to version neutron-13.0.8.dev206: * Wait longer before deleting DPDK vhu trunk bridges o Update to version neutron-13.0.8.dev205: * Do no use "--strict" for OF deletion in TRANSIENT\_TABLE o Update to version neutron-13.0.8.dev203: * Populate self.floating\_ips\ _dict using "ip rule" information o Update to version neutron-13.0.8.dev201: * [Functional] Wait for the initial state of ha router before test * Don't setup bridge controller if it is already set o Update to version neutron-13.0.8.dev198: * Remove dhcp\_extra\_opt name after first newline character o Update to version neutron-13.0.8.dev196: * [L3] Use processing queue for network update events * Add extra logs to the network update callback in L3 agent o Remove cve-2021-40085-stable-rocky.patch (merged upstream) o Update to version neutron-13.0.8.dev192: * Remove dhcp\_extra\_opt value after first newline character o Update to version neutron-13.0.8.dev190: * Don't use singleton in routes.middleware.RoutesMiddleware o Update to version neutron-13.0.8.dev189: * Fix notify listener syntax for SEGMENT\_HOST\_MAPPING o Add cve-2021-40085-stable-rocky.patch (bsc#1189794, CVE-2021-40085) * Remove dhcp_extra_opt value after first newline character o Update to version neutron-13.0.8.dev188: * Clean port forwarding cache when router is DOWN o Update to version neutron-13.0.8.dev186: * Remove FIP agent's gw port when L3 agent is deleted o Update to version neutron-13.0.8.dev184: * Force to close http connection after notify about HA router status o Update to version neutron-13.0.8.dev183: * Don't configure dnsmasq entries for "network" ports o Update to version neutron-13.0.8.dev181: * Exclude fallback tunnel devices from netns cleanup o Update to version neutron-13.0.8.dev180: * [DVR] Send allowed address pairs info to the L3 agents * designate: allow PTR zone creation to fail * Don't try to create default SG when security groups are disabled o Update to version neutron-13.0.8.dev174: * Fix update of trunk subports during live migration o Update to version neutron-13.0.8.dev172: * [ovs fw] Restrict IPv6 NA and DHCP(v6) IP and MAC source addresses o Update to version neutron-13.0.8.dev170: * Call install\_ingress\_direct\ _goto\_flows() when ovs restarts o Update to version neutron-13.0.8.dev168: * Fix multicast traffic with IGMP snooping enabled o Update to version neutron-13.0.8.dev166: * Fix OVS conjunctive IP flows cleanup Changes in python-Pillow: o Add 030-CVE-2022-22817.patch * From upstream, backported * Fixes CVE-2022-22817, bsc#1194521 * test from upstream updated for python2 o Add 028-CVE-2022-22815.patch * From upstream, backported * Fixes CVE-2022-22815, bsc#1194552 o Add 029-CVE-2022-22816.patch * From upstream, backported * Fixes CVE-2022-22816, bsc#1194551 Changes in python-XStatic-jquery-ui: o Update to version 1.13.0.1 (bsc#1192070, CVE-2021-41182, bsc#1192073, CVE-2021-41184, bsc#1192075, CVE-2021-41183) * Fix XSS in the altField option of the Datepicker widget (CVE-2021-41182) * Fix XSS in *Text options of the Datepicker widget (CVE-2021-41183) * Fix XSS in the of option of the .position() util (CVE-2021-41184) * Drop support for Query 1.7 * Accordion: allow function parameter for selecting header elements * Datepicker: add optional onUpdateDatepicker callback Changes in release-notes-suse-openstack-cloud: o Update to version 9.20220413: * Update release notes to indicate support for SES7 o Update to version 9.20220112: * Add reference to keystone bcrypt issue to known limitations (bsc#1186380) Changes in rubygem-sinatra: o Add CVE-2022-29970.patch (bsc#1199138, CVE-2022-29970) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1729=1 o SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1729=1 Package List: o SUSE OpenStack Cloud Crowbar 9 (x86_64): grafana-6.7.4-3.26.1 grafana-debuginfo-6.7.4-3.26.1 python-Pillow-5.2.0-3.17.1 python-Pillow-debuginfo-5.2.0-3.17.1 python-Pillow-debugsource-5.2.0-3.17.1 python-lxml-4.2.4-3.3.1 python-lxml-debuginfo-4.2.4-3.3.1 python-lxml-debugsource-4.2.4-3.3.1 ruby2.1-rubygem-sinatra-1.4.6-4.3.1 o SUSE OpenStack Cloud Crowbar 9 (noarch): openstack-barbican-7.0.1~dev24-3.14.1 openstack-barbican-api-7.0.1~dev24-3.14.1 openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1 openstack-barbican-retry-7.0.1~dev24-3.14.1 openstack-barbican-worker-7.0.1~dev24-3.14.1 openstack-cinder-13.0.10~dev24-3.34.2 openstack-cinder-api-13.0.10~dev24-3.34.2 openstack-cinder-backup-13.0.10~dev24-3.34.2 openstack-cinder-scheduler-13.0.10~dev24-3.34.2 openstack-cinder-volume-13.0.10~dev24-3.34.2 openstack-heat-gbp-14.0.1~dev4-3.9.1 openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 openstack-ironic-11.1.5~dev18-3.28.2 openstack-ironic-api-11.1.5~dev18-3.28.2 openstack-ironic-conductor-11.1.5~dev18-3.28.2 openstack-keystone-14.2.1~dev9-3.28.2 openstack-neutron-13.0.8~dev206-3.40.1 openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1 openstack-neutron-gbp-14.0.1~dev33-3.31.1 openstack-neutron-ha-tool-13.0.8~dev206-3.40.1 openstack-neutron-l3-agent-13.0.8~dev206-3.40.1 openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1 openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1 openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1 openstack-neutron-metering-agent-13.0.8~dev206-3.40.1 openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1 openstack-neutron-server-13.0.8~dev206-3.40.1 python-XStatic-jquery-ui-1.13.0.1-4.3.1 python-barbican-7.0.1~dev24-3.14.1 python-cinder-13.0.10~dev24-3.34.2 python-heat-gbp-14.0.1~dev4-3.9.1 python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 python-ironic-11.1.5~dev18-3.28.2 python-keystone-14.2.1~dev9-3.28.2 python-neutron-13.0.8~dev206-3.40.1 python-neutron-gbp-14.0.1~dev33-3.31.1 release-notes-suse-openstack-cloud-9.20220413-3.30.1 o SUSE OpenStack Cloud 9 (noarch): ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1 openstack-barbican-7.0.1~dev24-3.14.1 openstack-barbican-api-7.0.1~dev24-3.14.1 openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1 openstack-barbican-retry-7.0.1~dev24-3.14.1 openstack-barbican-worker-7.0.1~dev24-3.14.1 openstack-cinder-13.0.10~dev24-3.34.2 openstack-cinder-api-13.0.10~dev24-3.34.2 openstack-cinder-backup-13.0.10~dev24-3.34.2 openstack-cinder-scheduler-13.0.10~dev24-3.34.2 openstack-cinder-volume-13.0.10~dev24-3.34.2 openstack-heat-gbp-14.0.1~dev4-3.9.1 openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 openstack-ironic-11.1.5~dev18-3.28.2 openstack-ironic-api-11.1.5~dev18-3.28.2 openstack-ironic-conductor-11.1.5~dev18-3.28.2 openstack-keystone-14.2.1~dev9-3.28.2 openstack-neutron-13.0.8~dev206-3.40.1 openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1 openstack-neutron-gbp-14.0.1~dev33-3.31.1 openstack-neutron-ha-tool-13.0.8~dev206-3.40.1 openstack-neutron-l3-agent-13.0.8~dev206-3.40.1 openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1 openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1 openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1 openstack-neutron-metering-agent-13.0.8~dev206-3.40.1 openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1 openstack-neutron-server-13.0.8~dev206-3.40.1 python-XStatic-jquery-ui-1.13.0.1-4.3.1 python-barbican-7.0.1~dev24-3.14.1 python-cinder-13.0.10~dev24-3.34.2 python-heat-gbp-14.0.1~dev4-3.9.1 python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 python-ironic-11.1.5~dev18-3.28.2 python-keystone-14.2.1~dev9-3.28.2 python-neutron-13.0.8~dev206-3.40.1 python-neutron-gbp-14.0.1~dev33-3.31.1 release-notes-suse-openstack-cloud-9.20220413-3.30.1 venv-openstack-barbican-x86_64-7.0.1~dev24-3.35.2 venv-openstack-cinder-x86_64-13.0.10~dev24-3.38.1 venv-openstack-designate-x86_64-7.0.2~dev2-3.35.1 venv-openstack-glance-x86_64-17.0.1~dev30-3.33.1 venv-openstack-heat-x86_64-11.0.4~dev4-3.35.1 venv-openstack-horizon-x86_64-14.1.1~dev11-4.39.1 venv-openstack-ironic-x86_64-11.1.5~dev18-4.33.1 venv-openstack-keystone-x86_64-14.2.1~dev9-3.36.1 venv-openstack-magnum-x86_64-7.2.1~dev1-4.35.1 venv-openstack-manila-x86_64-7.4.2~dev60-3.41.1 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.35.1 venv-openstack-monasca-x86_64-2.7.1~dev10-3.37.1 venv-openstack-neutron-x86_64-13.0.8~dev206-6.39.1 venv-openstack-nova-x86_64-18.3.1~dev91-3.39.1 venv-openstack-octavia-x86_64-3.2.3~dev7-4.35.1 venv-openstack-sahara-x86_64-9.0.2~dev15-3.35.1 venv-openstack-swift-x86_64-2.19.2~dev48-2.30.1 o SUSE OpenStack Cloud 9 (x86_64): grafana-6.7.4-3.26.1 grafana-debuginfo-6.7.4-3.26.1 python-Pillow-5.2.0-3.17.1 python-Pillow-debuginfo-5.2.0-3.17.1 python-Pillow-debugsource-5.2.0-3.17.1 python-lxml-4.2.4-3.3.1 python-lxml-debuginfo-4.2.4-3.3.1 python-lxml-debugsource-4.2.4-3.3.1 References: o https://www.suse.com/security/cve/CVE-2018-19787.html o https://www.suse.com/security/cve/CVE-2020-27783.html o https://www.suse.com/security/cve/CVE-2021-28957.html o https://www.suse.com/security/cve/CVE-2021-38155.html o https://www.suse.com/security/cve/CVE-2021-40085.html o https://www.suse.com/security/cve/CVE-2021-41182.html o https://www.suse.com/security/cve/CVE-2021-41183.html o https://www.suse.com/security/cve/CVE-2021-41184.html o https://www.suse.com/security/cve/CVE-2021-43813.html o https://www.suse.com/security/cve/CVE-2021-43818.html o https://www.suse.com/security/cve/CVE-2021-44716.html o https://www.suse.com/security/cve/CVE-2022-22815.html o https://www.suse.com/security/cve/CVE-2022-22816.html o https://www.suse.com/security/cve/CVE-2022-22817.html o https://www.suse.com/security/cve/CVE-2022-23451.html o https://www.suse.com/security/cve/CVE-2022-23452.html o https://www.suse.com/security/cve/CVE-2022-29970.html o https://bugzilla.suse.com/1118088 o https://bugzilla.suse.com/1179534 o https://bugzilla.suse.com/1184177 o https://bugzilla.suse.com/1186380 o https://bugzilla.suse.com/1189390 o https://bugzilla.suse.com/1189794 o https://bugzilla.suse.com/1192070 o https://bugzilla.suse.com/1192073 o https://bugzilla.suse.com/1192075 o https://bugzilla.suse.com/1193597 o https://bugzilla.suse.com/1193688 o https://bugzilla.suse.com/1193752 o https://bugzilla.suse.com/1194521 o https://bugzilla.suse.com/1194551 o https://bugzilla.suse.com/1194552 o https://bugzilla.suse.com/1194952 o https://bugzilla.suse.com/1194954 o https://bugzilla.suse.com/1199138 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYobRSckNZI30y1K9AQiEYw//Ua28W/gdiSnLYWnzcEFp4S3GWJTvPbg6 w9yDxwDWKD4EjZG4e0UdZwttbpt2tcy9GnhPbN67nYQEWAdSMP+qn/Uk9g7S3ha2 GGlQzZFCLuotYLRtp8dYC1qxIQP4kOQ0BIQfpCA3dHZR4oIFIfInnx6zSt1akepk Oy6srbA048Pg46eoxl8GxJBz/jr8ldg9+hdgOnxrp06FxHsl2EbrYfqi+UtyWr/0 /XxKYeQ0YIOYcUMm+YLijoNXe0qyQo1ZZXmm2UoaXV9Cd9VPbFpLZ9AtILfPORGC CYvtJYDg0573axzrZq8zKJYjln3pUeZn1XhKdsoZI5boUmoPWlgFs4AuUSx3aMNN WmQVYRBT2vkPYGdFUL+/oTD8ypmti6N6WtgSnYmD4YrBBvyNsTCbBEO6C+Q04MN+ JTRuF2g1zEiwa6hWw2MdbAZMLO9qmvCv/I5ZmcEq2SN73GNsYx//DOiN6Y4d5nXj RAddgavGtIltIGAOp92dGujwng42y8w/icW9xecky4IWY/fBpd7JWjbZgN4gdurl 1hmTvycAFziPrYG0/iQsezT223WsO1uVBLE2hMfZ6OOcYkfy5TPI0djt91A+byh1 GCLtKqE7Yz1DYHUgF4BI610EbFW8f12Y7EOfssHnK6D0I1Lcxtzamsy1jkZcrL+V ACulcNoJS3E= =6lxX -----END PGP SIGNATURE-----